This article also appeared on Tripwire
With individuals, businesses, and critical infrastructure increasingly becoming the target of cyber-attacks, cybersecurity today is a multifaceted challenge. As the saying goes, “There’s more than one way to skin a cat”, and if the cat equates to preventing, detecting, or discovering disruptive data breaches and determining the root cause, the vendor community has certainly come up with a plethora of options for enterprises as well as consumers - virus and malware detection, firewalls, penetration testing, vulnerability management, a long list of acronym-labeled tools like IDS, IDP, CASB, UEBA, SIEM, and DLP…with more on the way. Some of these have proven effective, others less so, in protecting network infrastructure and digital assets. For example, most cyber security practitioners would admit that while SIEM tools have solved some problems, they have also introduced other unexpected challenges like false positives and alert fatigue.
Over the past few decades, cybersecurity seems to have evolved into a highly esoteric endeavor, shrouded in mystery, its practitioners functioning in a rarified atmosphere. It is true that developing cybersecurity tools and solutions is a very technical task that requires specialized knowledge. And it is without a doubt complex in nature. Yet, rather than masking this complexity, vendors have allowed it to spill over into the buyer-side.
To de-mystify cybersecurity, the first question we should ask is, “What exactly is it?” The simplest answer is that cybersecurity consists of “measures taken to protect a computer or a networked computer system (i.e., on the Internet) against unauthorized access or attack.” But from that point, cybersecurity does appear to be very complicated. Let us count the ways.
The challenges of running an information security program in an enterprise can be overwhelming, with so many areas to address -- from encryption, to application security, to disaster recovery. There is the complication of regulatory compliance requirements such as HIPAA, PCI-DSS and GDPR, to name a few. There are security frameworks to follow that have been created to define policies and procedures. Examples include NIST SP-800 (National Institute of Standards and Technology Special Publication 800 series) and COBIT (Control Objectives for Information and Related Technology). New cybersecurity assessment tools have also been introduced recently. The Federal Financial Institutions Examination Council (FFIEC) has developed an assessment tool to help financial organizations identify their risks and determine their cybersecurity preparedness.
The rise of the Internet of Things (IoT), in which nearly every “thing” (electrical outlet, light bulb, refrigerator, thermostat, garage door, automobile, etc.) has an IP address, has introduced immense complexity and technical challenges for data privacy and protection. Then there’s risk modeling, penetration testing, incident response planning, and cybersecurity insurance to consider. No wonder most people consider cybersecurity to be an extremely complex undertaking!
But is a thick coating of over-complexity masking some simple and elusive truths? Perhaps if we approach cybersecurity from a fresh perspective and examine the heart of the matter, we can distill it down to its essence.
Let’s go back, for a moment, to the days before the advent of what’s been called the “information highway” and recall how pre-digital society protected physical assets and property. In earlier times when transportation infrastructure like roads was extremely limited or non-existent, many people lived in relative isolation. Their major concern was keeping any dangerous wild animals at bay. Beyond that, there were no security concerns for even the wealthiest as travel was difficult to impossible.
As society evolved, more people congregated in settlements, and roads were built to interconnect these communities, which eventually became the towns and cities we know today. More roads meant more traffic. Security became a concern as formerly-isolated dwellings were more easily accessible. The wealthy who lived in great houses and castles had guards to protect them and their belongings, control who passed through their gate, and keep an eye on the road outside. With protection for their property and the valuables in their homes, they suffered fewer problems from bandits, or “highwaymen”, who hid out near busy road crossings to plunder goods from unwary travelers.
With the advance of technologies in the recent century, surveillance and security cameras were invented to replace human guards and watch-dogs and monitor and record human activity without interruption, 24 x 7. Nowadays security video cameras are installed on roadways, shopping malls, offices, and homes to protect physical assets and aid incident investigation. Video surveillance has become a widely adopted and highly successful technology, primarily because of its deterrent effect on human behavior.
So why not apply a similar approach to the protection of digital assets in a networked environment? Instead of guards at each gate protecting physical assets, we have firewalls and other devices to protect digital assets. Rather than travelers on a busy highway, we have packets traversing widespread networks where “traffic” at intersections is managed by switches. With digital transformation, the volume as well as the monetary value of assets is accelerating at a break-neck pace. For most businesses today, these far exceed the value of their physical assets.
When it comes to protecting physical or digital assets, the principle is the same for both. When more roads are built and there is more vehicular traffic, your physical assets are at greater risk. Likewise, in a networked environment your digital assets are more accessible, and when network traffic increases, your digital assets are at higher risk. However, there is a subtle yet important distinction between physical and digital assets. When a physical object is stolen, it is relatively easy to detect because it’s tangible, and once it’s stolen…it’s gone. But when a digital asset is stolen, it’s a completely different story. Unlike physical assets, which can only be stolen once, digital assets can be stolen repeatedly and replicated endlessly. And theft of digital assets can sometimes be extremely difficult to detect, especially in real-time.
The malicious actors stealing valuable digital assets today are like the highwaymen who once plundered goods. Instead of hiding in the shadows by the roadside, they lurk undetected in the interconnected links of a digital communications network. The castles and estates of yesteryear with their silver, gold and jewels are today’s business enterprises containing a treasure trove of intellectual property, trade secrets and sensitive data. Having a surveillance camera that can work in the information super-highway like a surveillance camera in the physical world would be the most effective approach to protecting assets in the digital world. But why is such a camera still unavailable? Because creating a “cybersecurity camera” that can “see” who’s moving digital assets through a network represents an extraordinary challenge.
In a physical surveillance system, the camera is simply the window used by the DVR (digital video recorder) to see. The DVR is responsible for compression, conversion, storage and streaming of all the video that comes from each camera. It’s the intelligence behind every camera and is responsible for all the motion detection and alerts. When an incident occurs and you receive an alert, you can simply hit replay to review what happened and respond accordingly.
But digital business creates a complex, evolving security environment. So, a cybersecurity camera needs the cybersecurity equivalent to the DVR, which provides the intelligence to analyze the bits and bytes flying through the network, convert that into information that’s meaningful to a human being, and build the intelligence to generate alerts when digital activity that represents a real risk is “observed”.
While digital business has created a complex, evolving security environment, the key to protecting sensitive data and digital assets is really no mystery. Now, just as it was long ago before the advent of the information age, you must guard the gate and watch the road using the best visibility tools available. It’s really that simple.
As organizations increase spending on cyber security and hire more information security specialists, hackers continue to seek the most vulnerable targets for financial gain. One of the foundational precepts of contemporary security analysis is that as greater technical barriers are enacted to secure computer networks against external hacks, human users have become the weakest link in cybersecurity.
Surveys uniformly confirm that critical breaches by outsiders are achieved through the compromised insider credentials of an organization’s employees. In a Black Hat 2017 attendee survey, nearly one-third (32%) of respondents said accessing privileged accounts was the number one choice for the easiest and fastest way to get at sensitive data, followed closely by 27% indicating access to user email accounts was the easiest path to capturing critical data.
The goal of an attacker is to steal the victim’s valid credentials and look like a legitimate employee going about his normal business, for as long as possible. In achieving success this way, the outsider is immediately transformed into what we refer to as a shadow insider – an outsider who has become a malicious insider through the use of malware, compromised user credentials, and compromised devices. When you consider that average dwell times are currently in excess of 200 days, the undetected existence of a shadow insider threat can have devastating consequences for a business.
A recent insider threat study commissioned by Cybersecurity Insiders, an online community of information security professionals, shows that the main enabling risk factors include too many users with excessive access privileges (cited by 37 percent of respondents), an increasing number of devices with access to sensitive data (36 percent), and the increasing complexity of IT (35 percent). A large majority of organizations - some 90 percent - are vulnerable to insider security threats, and about half experienced an insider attack in the last 12 months.
Not all human threats to cybersecurity involve unwitting victims. The cases of massive data dumps involving Edward Snowden and others are reminders that malicious insiders also pose a significant security risk. Insider threats are often more damaging than attacks from malicious outsiders or malware because they are launched by ostensibly trusted insiders - malicious insiders and negligent insiders with privileged access to sensitive data and applications. The Black Hat survey also identified security professionals’ greatest concerns, 50% of respondents citing phishing, social network exploits, or other forms of social engineering focused on the insider as their #1 concern (up from 46% in 2016), closely followed by 45% naming sophisticated, targeted attacks such as APTs as their #2 concern.
Figure: A survey of 580 top-level cybersecurity professionals who attended the 2017 Black Hat USA conference indicates that the most-feared cyber attacker is an insider.
Today, if an attacker with resources wants to access your network, it’s likely that he or she will be successful. Because of this, stopping attacks from external sources is not enough. CISOs also need to monitor their networks for anomalous behavior and advanced persistent threats (APTs) that may have already infiltrated the network. An APT is a perfect example of an outsider threat that was successfully converted into a shadow insider threat.
In advanced threats, the attacker will spend a large amount of time researching a list of potential targets, gathering information about the organization's structure, clients, etc. Social media activity of the people in the target company will be monitored to extract information about the systems and forums favored by the user, and any technology vulnerabilities assessed. Once a weakness is found, the next step the attacker will take is to breach the cyber security perimeter or send emails containing malicious software like ransomware and attempt to gain access, which, for most attackers, is easily done. The former outsider is now a shadow insider.
However, most enterprise information security spending to date has focused on prevention in a misguided attempt to prevent all attacks. This is a futile effort. When it comes to dealing with advanced targeted attacks, prevention-centric strategies are obsolete. The Cybersecurity Insiders survey found that organizations are shifting their focus to detection of insider threats (64%), followed by deterrence methods (58%) and analysis and post-breach forensics (49%). The use of user behavior monitoring is accelerating; 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data. Traditional approaches which focus on outsider threats to protect networks and user devices are ineffective, because they do nothing to protect from advanced targeted attacks that gain credentialed access. An attacker who has gained credentialed access is transformed into a shadow insider and now represents an insidious and invisible threat.
So, which represents the greater danger to the security of the enterprise… outsider or insider? Clearly, the edge now goes to the insider.
Securing enterprises today against insider threats requires a shift to data-centric security strategies that support rapid detection and response capabilities. Better detection requires detailed, pervasive and context-aware monitoring to identify these threats combined with security analytics driven by AI and machine learning. However, for context-awareness to be effective and provide meaningful and actionable information, it must be built on a model that can address multiple, inter-related elements within a dynamic, networked environment.
Whenever an incident occurs, IT security teams want to be able to instantly and accurately answer four critical questions: What data has been compromised, by whom, using what device, and from where? The most important context of all is the inter-relationship among four security vectors: users, devices, applications, and data.
Why is the inter-relationship among these vectors critical? Because it’s the only way a user’s behavior can be precisely profiled, and an anomaly can be detected with minimal false-positives. By understanding what devices a user normally uses, what kinds of sensitive data the user accesses, and typically from which servers/applications, we draw a much more comprehensive and accurate profile of the user. This rich detail enables us to detect his/her deviation from the normal work pattern, regardless of whether this user is a shadow insider or not.
For example, a user who has typically downloaded customer contact info (PII) from server #1 in the past is suddenly observed downloading volumes of source code from server #2. By correlating this user with the types of data typically accessed (PII) and the services/applications typically accessed (in server #1), OnFire can immediately detect the shift in the behavioral pattern. Obviously, without this depth of inter-relationship visibility, such subtle changes in behavior won’t be easily detected by any non-relationship-based methods.
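The relationship-based profiling argued for above, as an added example that is not HoloNet's code: it builds a per-user baseline across the four vectors (user, device, application/server, data class) from constructed access records, scores a new event by how many vectors deviate at once, and contrasts that with a network-wide baseline that only checks whether a (server, data class) pair has ever been seen. All user names, servers, thresholds and records are assumptions.

```python
"""Per-user profiling across four security vectors (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median


@dataclass
class AccessEvent:
    user: str
    device: str
    app: str          # server or application the data was moved from
    data_class: str   # e.g. "PII" or "source_code"
    bytes_moved: int


@dataclass
class UserProfile:
    devices: set = field(default_factory=set)
    apps: set = field(default_factory=set)
    data_classes: set = field(default_factory=set)
    # data_class -> list of byte counts seen for this user
    volumes: dict = field(default_factory=lambda: defaultdict(list))


# Constructed history: alice pulls customer PII from server-1 from her laptop;
# bob (a developer) pulls source code from server-2 every day.
HISTORY = [
    AccessEvent("alice", "laptop-a1", "server-1", "PII", 2_000_000),
    AccessEvent("alice", "laptop-a1", "server-1", "PII", 1_500_000),
    AccessEvent("alice", "laptop-a1", "server-1", "PII", 2_500_000),
    AccessEvent("bob", "laptop-b7", "server-2", "source_code", 50_000_000),
    AccessEvent("bob", "laptop-b7", "server-2", "source_code", 40_000_000),
]


def build_profiles(history):
    """Link each user to the devices, apps and data classes they normally use."""
    profiles = defaultdict(UserProfile)
    for ev in history:
        p = profiles[ev.user]
        p.devices.add(ev.device)
        p.apps.add(ev.app)
        p.data_classes.add(ev.data_class)
        p.volumes[ev.data_class].append(ev.bytes_moved)
    return profiles


def score_event(profiles, ev, volume_factor=5):
    """Return (score, reasons): one point per vector that deviates from the
    user's own baseline. Volume is only judged for data classes the user
    already has a history with, since a new class has no baseline."""
    p = profiles.get(ev.user)
    if p is None:
        return 3, ["unknown user"]
    reasons = []
    if ev.device not in p.devices:
        reasons.append(f"new device {ev.device}")
    if ev.app not in p.apps:
        reasons.append(f"new app/server {ev.app}")
    if ev.data_class not in p.data_classes:
        reasons.append(f"new data class {ev.data_class}")
    else:
        typical = median(p.volumes[ev.data_class])
        if ev.bytes_moved > volume_factor * typical:
            reasons.append(f"volume {ev.bytes_moved} > {volume_factor}x typical {typical}")
    return len(reasons), reasons


def classify(score):
    """Two or more correlated deviations alert; a single one is only queued
    for review, which is what keeps the false-positive rate down."""
    if score >= 2:
        return "alert"
    return "review" if score == 1 else "normal"


def naive_network_score(history, ev):
    """Non-relationship baseline: flag only (app, data_class) pairs that nobody
    on the network has ever produced. It cannot see that it is alice, not bob,
    moving source code off server-2."""
    seen = {(h.app, h.data_class) for h in history}
    return 0 if (ev.app, ev.data_class) in seen else 1


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    shift = AccessEvent("alice", "laptop-a1", "server-2", "source_code", 400_000_000)
    score, why = score_event(profiles, shift)
    print(classify(score), why)                      # alert, two vectors deviate
    print(naive_network_score(HISTORY, shift))       # 0: the naive baseline misses it
```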
OnFire from HoloNet Security deploys a patent-pending Network Hologram technology to immediately link a user with his/her devices, applications, and data accessed to create comprehensive, precise, individual user behavioral profiles. OnFire functions like an intelligent digital video camera in cyberspace by monitoring and recording the movements of every piece of sensitive data, linking it to its actual user in real-time, and using AI to detect any anomalous user or device activities. In the inevitable event of a breach, like a traditional surveillance camera, the OnFire cybercamera can instantly identify suspects to jump-start the investigative response.
What is GDPR?
At its core, GDPR is a new set of rules designed to give citizens more control over their data. It aims to simplify the regulatory environment for business so both citizens and businesses can fully benefit from the digital economy.
The reforms are designed to reflect the world we're living in now, and bring laws and obligations across Europe up to speed for the internet-connected age.
Fundamentally, almost every aspect of our lives revolves around data. From social media companies, to banks, retailers, and governments -- almost every service we use involves the collection and analysis of our personal data. Your name, address, credit card number and more all collected, analyzed and, perhaps most importantly, stored.
Commencing May 15, 2018, the European Union General Data Protection Regulation (EU GDPR) will affect every organization that processes the personal information of EU residents, regardless of where that organization is located. If your company is based in the U.S., for example, but sells to EU customers, you will still have to comply with the regulation.
The 261 pages of the GDPR contain a volume of detail. Hidden within are 5 key things you need to be aware of:
72-Hour Data Breach Notification
In the event of a personal data breach, data controllers must notify the supervisory authority. Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” If notification is not made within 72 hours, the controller must provide a “reasoned justification” for the delay.
There may be an exception if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons,” a phrase that will no doubt offer data protection officers and their outside counsel opportunities to debate the necessity of notification. A notification to the authority must “at least”: (1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; (2) provide the data protection officer’s contact information; (3) “describe the likely consequences of the personal data breach”; and (4) describe how the controller proposes to address the breach, including any mitigation efforts. If all of the information is not available at once, it may be provided in phases.
Organizations Need Better Breach Detection Solutions
Despite GDPR being very clear that organizations need to notify victims of a data breach within 72 hours, many businesses lack a proper plan for notification, and some still lack the appropriate tools necessary to detect a breach in the first place.
The binding time that previous regulations lacked is the most significant challenge organizations will face, as 72 hours is not a tremendous amount of time to perform what amounts to an entire crisis management response. In a smaller business, the key stakeholders may all be in the same building, but in a larger business there may be resources throughout the globe, all on different time zones.
You have less than 3 days from discovery of the breach to notify the proper authorities, and the process is further complicated by the likelihood that you won’t have the full story. The scope of a breach increases over time; organizations learn more about incidents as investigations widen, but with only 72 hours, the time for this incident discovery is limited.
Failure to comply with the 72-hour breach notification requirement can result in significant fines. Dwell time that extends beyond 72 hours will also result in major penalties. How much, you ask? The maximum fine is 4% of global revenue, which could translate into billions of dollars for multi-national corporations. Never has any legislated data protection regulation been this strict nor the fine this significant.
Achieving Faster and More Accurate Incident Response
Legacy data protection technologies like SIEM systems utilize third-party data, and it may take up to a week to detect and identify a data breach. At HoloNet, we have developed our own organic data collector which does not rely on third-party log data input, thus enabling us to provide near real-time data anomaly detection.
Another issue that will keep Data Protection Officers up at night is likely to be “Did we miss anything?” Without knowing the full scope, it stands to reason that the extent of containment is also an unknown. It is possible that the attack window is still open and data is still escaping the business.
Most GDPR experts advise their clients to conduct data discovery and classification on their PII data. Clients could have spent millions discovering and classifying all the PII data they could think of. Yet until you know the full details of the incident, you cannot say that the threat has been eliminated. It is possible that the attacker, whether internal or external, has multiple methods to gain access and extract data, and could still be leveraging these alternate channels.
HoloNet OnFire Can Help
OnFire automatically and actively scans and tracks sensitive PII data in motion 24 x 7 x 365. When sensitive PII data in motion is detected, alerts are immediately sent out to the security team. OnFire does not need to know where the data resides. Whenever anomalous or abnormal data movement occurs, OnFire will detect it and provide instant notification. In both cases, OnFire will be able to immediately identify “suspects” with our patent-pending Network Hologram technology, which functions like a digital camera in cyberspace.
HoloNet Security automatically uncovers the hidden relationship among four security vectors – users, devices, applications, and data, and reconstructs the relationship in such a way that every piece of sensitive data is linked to its actual user in real-time. Instead of going through weeks or months of manual procedures, security teams can simply “replay” and instantly see what has happened for any security incident investigation.
Whenever a security incident occurs, security operations teams want to be able to instantly and accurately answer four critical questions: What data is compromised, by whom, using what device, and from where? The team at HoloNet Security has made answering these questions as simple as replaying a captured video, by ingeniously converting bits and bytes into a visual format that is meaningful to the human mind. This stunning technological innovation may sound like a simple task, but it is definitely not. Let us explain why…
Until now, in order to identify who has moved a digital asset, multiple, disparate products and highly-trained security experts were required to manually correlate data movement with the actual users, their applications and devices using a complicated process. Mapping out the data movement in this way is a time-consuming, expensive, and reactive exercise with obvious inherent limitations.
Visually recording activities in the physical world is straightforward – the camera just records what the human can see. But cyberspace is filled with bits and bytes, which humans cannot visibly perceive. Simply recording all the packets traversing your network wouldn’t work. Not only would it not be understandable to humans, it would consume massive amounts of data storage.
To function as a cybersecurity camera, we needed to (1) re-assemble the packets into their original file formats (e.g. Excel), and (2) link each file to the actual user, the device involved, and the application where the data is uploaded to or downloaded from… none of which are obviously visible. To accomplish this remarkable task, we amalgamated multiple technologies into a single platform.
Firstly, to identify real digital assets like sensitive and valuable business data, we needed deep content inspection technology (a core function of DLP) to scan the contents of each file as it flies through the network. Secondly, since digital assets reside anywhere – such as internal servers or in cloud services like Google Drive or Salesforce – we needed to embed CASB technology into the platform. Lastly, to detect “abnormal” movement or behavior the same way a surveillance camera does, we brought UEBA technology into the platform.
By combining CASB, UEBA, and DLP technologies into a powerful unified solution, we can provide you with an unmatched multi-dimensional, holistic view of the movements of your digital assets across your network and accurately identify anomalies automatically, in real time, without any manual effort by technical experts.
There are multiple benefits associated with HoloNet’s unique approach for security operations teams…
Operational Simplicity - Security teams don’t need to hire a highly-paid expert to use a surveillance camera to protect physical assets. The same is true with HoloNet’s cyberspace surveillance camera – it’s simple and straightforward to use with its consumer-grade UI. You can go back to any given time to see what had happened – what data was touched, by whom, using what device, and from where. At the touch of a finger, you can immediately view the “suspects”, just like instant replay with a physical surveillance camera.
Empowerment to Do More with Less - HoloNet integrates the best of UEBA, CASB and DLP technologies into a single, comprehensive Data-Centric Audit and Protection (DCAP) platform. Through our patent-pending Network Hologram technology, we offer a powerful solution that closes the gap between the real-time-based network world and offline-based analytics world for the first time. We liberate your highly skilled experts from tedious manual work, and empower your IT and security teams to do more with less.
Better Results, Cost Savings - By eliminating complicated manual processes and automatically correlating moving data with the actual users in real-time, OnFire not only shortens the lengthy post-incident investigation time, but does away with the need for costly technical specialists. Our relationship-based profiling offers much more precise anomaly detection than standalone UEBA or network event-based products. As a result, HoloNet virtually eliminates the usual avalanche of false positives that waste your valuable time and resources.
Just as you can continuously monitor and secure your physical assets with a surveillance camera, the HoloNet OnFire™ “cybersecurity camera” uniquely provides you with unmatched holographic visibility of your valuable digital assets moving across your entire network, along with continuous anomaly detection.
Today’s blog begins with a discussion of the relatively low-tech video surveillance or security camera. Why, you may be asking, and what does this have to do with cybersecurity? Let the story unfold…
As you know, security cameras are video cameras that are used to observe an area, like a parking lot, a traffic zone, or an office work space. The cameras are connected to a recording device or IP network, and may be watched by a security guard or law enforcement officer. Security cameras are even becoming ubiquitous in the home. Not only can you check on your home directly from your smartphone or connected computer, you can also view a gallery of your captured images if something or someone in your home goes awry while you’re away.
One of the first questions law enforcement is likely to ask you if your home or business has been targeted is, “Do you have a security camera system?” When I am out of the house, my home security cameras are continuously recording, and alert me if they detect any movement that might indicate an unwanted intruder. Fortunately, it’s usually just a cat dashing across the room. A false positive!
In the workplace, security cameras are used extensively to capture human activity and protect physical assets. These are a bit more sophisticated than home security systems. The cameras are simply the window used by the DVR (digital video recorder) to see. The DVR is responsible for compression, conversion, storage and streaming of all the video that comes from each camera. The DVR is the intelligence behind the cameras and is responsible for all the motion detection and alerts. When an incident occurs and you receive an alert, you can simply hit replay to review what happened and respond accordingly.
The video security camera seems like a straight-forward approach to providing protection for important physical assets, like your home or office. But the rapid advent of the internet and digitalization has resulted in the creation of vast amounts of digital assets, which for most businesses far exceed the value of their physical assets.
Digital assets include intellectual property, trade secrets, presentations, spreadsheets, word-processing documents, emails, and a multitude of other digital formats and their respective metadata. Even hard currency, as exemplified by Bitcoin, has become a digital asset. While businesses have a self-interest in protecting digital assets for which they claim ownership, some extremely sensitive digital records such as patient health information (PHI) and personally identifiable information (PII) are also protected by legislative mandates.
Despite the increasing amount of digital assets, in cyberspace there is no cybersecurity equivalent to the video security camera. That’s because a traditional video camera to secure physical items by monitoring and recording their images is easy to make, but creating a “camera” that can “see” digital assets moving across cyberspace represents an extraordinary challenge. But there’s more…a cyber security camera needs the cybersecurity equivalent to the DVR, which provides the intelligence to analyze what the camera sees, convert that into meaningful information, and provide alerts when digital activity that represents a risk is observed.
Whenever a security incident occurs, security operations teams want to be able to instantly and accurately answer four critical questions: What data is compromised, by whom, using what device, and from where? Our goal at HoloNet Security is to make answering these questions as simple as replaying a captured video, by ingeniously converting bits and bytes into a visual format that is meaningful to the human mind. In our next blog, we will share the challenges that HoloNet Security is addressing to make the intelligent security camera and DVR for cyberspace a reality.
Ninety Percent of Organizations Are Vulnerable to Insider Threats According to New Cybersecurity Report
A new Insider Threat Report shows that the vast majority of companies and government agencies are vulnerable to insider threats; about half experienced an insider attack in the last twelve months.
Commissioned by Cybersecurity Insiders, this new insider threat study is based on a comprehensive online survey of 472 cybersecurity professionals, providing deep insights into the current state of insider threats and how organizations are responding to protect themselves.
“Insider threats are often more damaging than attacks from malicious outsiders or malware,” said Holger Schulze, CEO and Founder of Cybersecurity Insiders. “That’s because they are launched by trusted insiders – both malicious insiders and negligent insiders with privileged access to sensitive data and applications.”
As a data security company, it is our practice to review the growing numbers of cyber-breach reports and post-mortems. A recent one in particular caught our attention. It appears that the agency that insures our bank accounts is not only failing to insure our Personally Identifiable Information (PII), but also lacks proper incident response according to a government report.
An audit by the Office of the Inspector General (OIG) determined that the Federal Deposit Insurance Corporation's (FDIC) protocols for responding to a data breach aren't being followed, even while the agency has faced dozens of security incidents in the past two years. The OIG’s full report was released in September. The audit stemmed from a series of data breaches at the FDIC from January 2015 to December 2016. The agency believes that it was compromised 54 times within that period. The Office of Inspector General selected 18 of those breaches to evaluate for the audit.
Although the FDIC has taken steps to better comply with the Federal Information Security Management Act by instituting a breach response plan, auditors found that the organization often failed to implement key components of this plan for most of the security incidents reviewed.
For example, although FDIC officials were supposed to notify individuals or businesses whose sensitive information had been compromised within 10 business days of completing an incident analysis, they waited an average of 288 days (9+ months) after a breach was discovered before notifying affected individuals.
While the breach response plan did delineate who would be responsible for such procedures, those positions were either unfilled for long periods of time or staffed by employees who were not properly trained, leading to long delays in the process. Auditors also found instances of incomplete paperwork related to risk analysis that may have led to inconsistencies in the FDIC's response to each incident.
As a result, the sensitive and personally identifiable information (PII) of hundreds of thousands of people and organizations was left further exposed and those affected were unaware. According to the report, the PII includes “…names, telephone numbers, home addresses, social security numbers, driver’s license numbers, dates and places of birth, credit reports, education and employment histories, and the results of background checks."
The FDIC has a history of high-profile and embarrassing cybersecurity failures dating back to at least 2010. An annual report by the regulator said there were 159 incidents of unauthorized computer access during fiscal year 2015, according to a redacted copy obtained by Reuters under a Freedom of Information Act request. Rather than major breaches by hackers, these incidents included security lapses such as employees copying sensitive data to flash drives and then physically removing the data.
Employees engaged in fraudulent activities for personal gain or disgruntled workers sabotaging the business are hard to detect. These employees often have access rights to sensitive information, and privileges to move data inside and outside your network. But the current situation at the FDIC doesn’t have to be the norm.
We believe it’s accurate to state that deployment of OnFire, HoloNet’s game-changing Data-Centric Audit and Protection (DCAP) solution, could have enabled the FDIC to detect and respond to data breaches within minutes, instead of weeks and months. OnFire provides an automated framework for analyzing how sensitive data travels across your network, who moves it and where they move it...in real time.
HoloNet OnFire can uncover negligent or malicious insider activities by detecting subtle but significant changes in user behavior and correlating them to data transfers by type and volume. OnFire focuses on how each user is accessing sensitive data by linking moving data, and its source and destination, with users. OnFire can detect when users load sensitive documents to personal storage devices or cloud-based storage and productivity applications such as Box and Slack in violation of company policy, putting sensitive data and IP at risk.
By providing constant 24/7/365 visibility into all sensitive data movements and real-time alerts when anomalous activities are detected, HoloNet’s superior profiling provides the accurate information needed for security operations teams to either take preventative measures, or immediately respond to a breach in progress. Dwell time is reduced to near-zero, narrowing the window of risk and accelerating the remediation process.
Isn’t that the kind of responsible and timely approach that you would like organizations with possession of your PII to take?
If you've ever developed a new product or formulated a new business idea, you've most likely grappled with the question of whether you should protect it legally in some way. After working hard to develop intellectual property (IP), businesses usually want to protect it from others benefiting from it without permission. Typical methods of protection include patent filing and copyright registration, for example.
Although certain IP rights are automatic, you need to take steps to protect it: No one else is going to look for patent and design infringements or copyright and trademark violations on your behalf. Which returns us to the ongoing litigation between Waymo and Uber over thousands of IP documents.
Waymo, the self-driving car subsidiary of Google’s parent company, Alphabet, has accused one of its former engineers of stealing thousands of confidential documents before joining Uber’s self-driving team. Uber maintains it was unaware that the former Waymo employee, Anthony Levandowski, had allegedly downloaded 14,000 documents from Google's autonomous vehicle unit before leaving to launch his own start up, Otto, which Uber later acquired.
Waymo and Uber are racing to develop the first network of self-driving cars, to create what would be a potentially huge (and profitable) transportation service in the future. The crucial Intellectual Property (IP) that was allegedly stolen involves ‘LiDAR’, a new type of laser system that allows the cars to see roads and obstacles around them.
Waymo is suing Uber, claiming that on his way out the door, Levandowski took with him several gigabits worth of confidential documents related to Google’s proprietary LiDAR design, which they believe were later used in the creation of Uber’s own custom autonomous driving technology. At least some of this information likely qualifies for trade secret protection.
The most contentious arguments leading up to the trial have been around whether or not Levandowski downloaded the files before leaving Waymo, whom he might have shared them with, and what Uber knew about the alleged theft and when. Uber refutes this, naturally, with both companies headed to trial in October. And Levandowski has since been dismissed.
For high risk employees such as Levandowski, who produce or have access to commercially sensitive IP, stringent controls, applied using advanced user behavior and data loss protection technology, are necessary. Information security and digital forensics checks have a critical role to play in ensuring that access to corporate IT systems is closely monitored, and that analysis of high-risk employee activities is performed regularly to identify suspect behavior.
Mining Digital Evidence to Uncover the Truth
For organizations that require more rigorous and exacting protection for sensitive (and valuable) data, fortunately there is a proven and highly-effective anomaly detection solution from HoloNet Security called OnFire. OnFire provides extremely precise user profiling by focusing on how each user is accessing sensitive data by linking moving data, and its source and destination, with each user.
What makes OnFire’s approach better than alternatives is that all of this is done in real time. Unlike other vendors that rely on a time-consuming process that involves reviewing third-party logs and then running analytics, at HoloNet we develop our own “right metadata” close to real time and are thus able to provide next-to-real-time alerts.
In the case of Mr. Levandowski’s alleged transgression, OnFire’s advanced user anomaly detection would have already identified and correlated sensitive data (IP) with high-risk users (like Mr. Levandowski), with their applications and devices. In real time, OnFire would have indicated whether Mr. Levandowski had or had not downloaded the large number of files in question by comparing that activity to his normal “baseline”.
In real-time, OnFire would have also detected data download anomalies associated with Mr. Levandowski’s device. A drill-down would also have shown that the volume of data involved had exceeded the daily norm. With each real-time anomaly detection, OnFire would have alerted the network administrator.
It took months for Waymo to reach the conclusion that their IP had been allegedly stolen. Within seconds after detecting unusual activity, HoloNet OnFire would have been able to display conclusively what had transpired with indisputable digital evidence. By linking moving data, with its source, destination, and user, OnFire would have immediately and conclusively resolved the suspicions, speculation, and unanswered truths that are driving Waymo and Uber into costly litigation and placing both companies under the spotlight of undesirable media attention.
Almost all security incidents have to answer the same set of questions: what has been compromised? Who did it? How did they do it? By what method and from where? But obviously, this is easier said than done. Until recently, using the available tools and methods to answer these questions has been tremendously difficult, because you typically need one or more tools just to answer one of these questions, never mind all three. For example, you generally need one tool to track cloud users and activity and at least one more to do that for on-premise applications. And because of the overwhelming number of security alerts, just figuring out which events to investigate is a daunting task in itself.
However, with the application of machine learning, analytics has improved tremendously. Many User and Entity Behavioral Analytics (UEBA) and Cloud Access Security Brokers (CASB) can track users, data, and applications, so the question now becomes – what should the behavioral tools and analysts focus on?
Because the vast majority of reported breaches involved the use of stolen credentials or other unauthorized and suspicious insider activity, it only makes sense to focus on user and data activity. Here are some of the more common behaviors that indicate you may have a problem; a proper user behavior analytics solution will need to detect each of these:
Suspicious geolocation activity. Today's mobile workforce can be logging on from multiple remote locations, such as their homes, the gym, hotels, airports, the beach and customer locations. When users sign in from off-campus locations, security teams need to determine whether they are legitimate users or remote attackers who are using compromised valid user credentials. Behavioral analysis applies geolocation monitoring to every access attempt and validates it against what’s physically possible, taking into account the time and distance between sign-in attempts, and then compares this activity to a baseline of what is normal behavior for the legitimate account owner. This is critical in determining whether user credentials have been stolen and are being used by remote hackers.
Exfiltration attempts. Data exfiltration is a big concern for many organizations and can occur when employees are negligent or are trying to be more efficient by creating workarounds of outdated technology (I can be more productive using my personal device instead of the company issued equipment) and using USB drives or online apps like Slack or Box. Detecting and preventing data leaks has become more difficult as new technologies and methods to transfer data emerge. Monitoring for abnormal user behavior such as obtaining data that are not normally accessed by the user, or transferring data to unusual locations can detect data exfiltration attempts.
Credential sharing. Studies show that more than 20% of employees share their passwords with someone else, even though it’s strictly against policy. Monitoring for simultaneous, remote, or unusual usage of user accounts can help detect and mitigate credential sharing.
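The three checks listed above (impossible travel, exfiltration volume against a user's own baseline, and simultaneous sessions that suggest credential sharing), as an added example written for this post rather than HoloNet or OnFire code. The sign-in events, the 900 km/h speed threshold, the 30-minute sharing window and the 3-sigma volume band are all constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev

MAX_SPEED_KMH = 900.0          # faster than an airliner is physically impossible (assumed threshold)
SHARING_WINDOW = timedelta(minutes=30)
SHARING_MIN_KM = 50.0          # two live sessions this far apart inside the window

SignIn = namedtuple("SignIn", "user ts lat lon src")   # ts is UTC; src is only a readable label

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def geo_alerts(events):
    """Compare each user's sign-in with the previous one; return (kind, user, detail) tuples."""
    alerts, by_user = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            gap = cur.ts - prev.ts
            speed = km / (gap.total_seconds() / 3600) if gap else float("inf")
            if km > SHARING_MIN_KM and speed > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", user, f"{prev.src}->{cur.src}: {km:.0f} km in {gap}"))
            elif km > SHARING_MIN_KM and gap <= SHARING_WINDOW:
                alerts.append(("credential_sharing", user, f"{prev.src} and {cur.src} within {gap}"))
    return alerts

def volume_alert(daily_mb_history, today_mb, sigmas=3.0):
    """Exfiltration signal: today's transfer volume against the user's own daily baseline."""
    base, dev = mean(daily_mb_history), pstdev(daily_mb_history)
    return today_mb > base + sigmas * max(dev, 1.0)   # floor so a flat history still yields a band

T = datetime(2017, 8, 1, 9, 0)                      # constructed sample sign-ins, not real data
EVENTS = [
    SignIn("alice", T, 37.77, -122.42, "San Francisco"),
    SignIn("alice", T + timedelta(hours=1), 55.75, 37.62, "Moscow"),           # ~9,450 km in 1 h
    SignIn("bob", T, 51.51, -0.13, "London"),
    SignIn("bob", T + timedelta(minutes=20), 53.48, -2.24, "Manchester"),    # ~260 km, 20 min apart
    SignIn("carol", T, 40.71, -74.01, "New York"),
    SignIn("carol", T + timedelta(hours=8), 34.05, -118.24, "Los Angeles"),  # an ordinary flight
]
```

Running `geo_alerts(EVENTS)` flags alice for impossible travel and bob for likely credential sharing, while carol's cross-country trip stays silent; `volume_alert` compares a day's transfer total to the user's own history rather than to a global threshold.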
While many offerings have the capability to answer these questions, it’s important to take into account both on-premise and cloud-based data and applications, and optimally to reconstruct, in real time, the hidden relationship between data movement and its user, device, and application, and to maintain that relationship. So make sure you're able to get the answers to: what has been compromised? Who did it? How did they do it? By what method and from where?
This blog reflects the contributions of the HoloNet team and guest bloggers who are data security experts. HoloNet Security is led by a team of seasoned security industry professionals with a proven record of success creating innovative security products and services.