If you've ever developed a new product or formulated a new business idea, you've most likely grappled with the question of whether you should protect it legally in some way. After working hard to develop intellectual property (IP), businesses usually want to protect it from others benefiting from it without permission. Typical methods of protection include patent filing and copyright registration.
Although certain IP rights are automatic, you still need to take steps to protect them: no one else is going to look for patent and design infringements or copyright and trademark violations on your behalf. That brings us to the ongoing litigation between Waymo and Uber over thousands of IP documents.
Waymo, the self-driving car subsidiary of Google’s parent company, Alphabet, has accused one of its former engineers of stealing thousands of confidential documents before joining Uber’s self-driving team. Uber maintains it was unaware that the former Waymo employee, Anthony Levandowski, had allegedly downloaded 14,000 documents from Google's autonomous vehicle unit before leaving to launch his own start-up, Otto, which Uber later acquired.
Waymo and Uber are racing to develop the first network of self-driving cars, to create what would be a potentially huge (and profitable) transportation service in the future. The crucial Intellectual Property (IP) that was allegedly stolen involves ‘LiDAR’, a new type of laser system that allows the cars to see roads and obstacles around them.
Waymo is suing Uber, claiming that on his way out the door, Levandowski took with him several gigabits worth of confidential documents related to Google’s proprietary LiDAR design, which Waymo believes were later used in the creation of Uber’s own custom autonomous driving technology. At least some of this information likely qualifies for trade secret protection.
The most contentious arguments leading up to the trial have been over whether or not Levandowski downloaded the files before leaving Waymo, who he might have shared them with, and what Uber knew about the alleged theft and when. Uber denies this, naturally, and both companies are headed to trial in October. Levandowski has since been dismissed.
For high-risk employees such as Levandowski, who produce or have access to commercially sensitive IP, stringent controls, applied using advanced user behavior analytics and data loss protection technology, are necessary. Information security and digital forensics checks have a critical role to play in ensuring that access to corporate IT systems is closely monitored, and that analysis of high-risk employee activity is performed regularly to identify suspect behavior.
Mining Digital Evidence to Uncover the Truth
For organizations that require more rigorous and exacting protection for sensitive (and valuable) data, there is a proven and highly effective anomaly detection solution from HoloNet Security called OnFire. OnFire provides extremely precise user profiling by focusing on how each user accesses sensitive data: it links moving data, together with its source and destination, to each user.
What makes OnFire’s approach better than alternatives is that all of this is done in real time. Unlike other vendors that rely on a time-consuming process of reviewing third-party logs and then running analytics, at HoloNet we develop our own “right metadata” close to real time and are thus able to provide next-to-real-time alerts.
In the case of Mr. Levandowski’s alleged transgression, OnFire’s advanced user anomaly detection would have already identified and correlated sensitive data (IP) with high-risk users (like Mr. Levandowski), along with their applications and devices. In real time, OnFire would have indicated whether Mr. Levandowski had or had not downloaded the large number of files in question by comparing that activity to his normal “baseline”.
In real-time, OnFire would have also detected data download anomalies associated with Mr. Levandowski’s device. A drill-down would also have shown that the volume of data involved had exceeded the daily norm. With each real-time anomaly detection, OnFire would have alerted the network administrator.
It took months for Waymo to reach the conclusion that their IP had been allegedly stolen. Within seconds after detecting unusual activity, HoloNet OnFire would have been able to display conclusively what had transpired with indisputable digital evidence. By linking moving data, with its source, destination, and user, OnFire would have immediately and conclusively resolved the suspicions, speculation, and unanswered truths that are driving Waymo and Uber into costly litigation and placing both companies under the spotlight of undesirable media attention.
Almost all security incidents have to answer the same set of questions: what has been compromised? Who did it? How did they do it? By what method and from where? But obviously, this is easier said than done. Until recently, using the available tools and methods to answer these questions has been tremendously difficult, because you typically need one or more tools just to answer one of these questions, never mind all three. For example, you generally need one tool to track cloud users and activity and at least one more to do the same for on-premise applications. And because of the overwhelming number of security alerts, just figuring out which events to investigate is a challenge in itself.
However, with the application of machine learning, analytics has improved tremendously. Many User and Entity Behavioral Analytics (UEBA) and Cloud Access Security Brokers (CASB) can track users, data, and applications, so the question now becomes – what should the behavioral tools and analysts focus on?
Because the vast majority of reported breaches involve the use of stolen credentials or other unauthorized and suspicious insider activity, it only makes sense to focus on user and data activity. Here are some of the more common behaviors that indicate you may have a problem; a proper user behavior analytics solution will need to detect each of these:
Suspicious geolocation activity. Today's mobile workforce can be logging on from multiple remote locations, such as their homes, the gym, hotels, airports, the beach and customer locations. When users sign in from off-campus locations, security teams need to determine whether they are legitimate users or remote attackers using compromised but valid user credentials. Behavioral analysis applies geolocation monitoring to every access attempt and validates it against what is physically possible, taking into account the time elapsed and the distance between sign-in attempts. It then compares this activity to a baseline of normal behavior for the legitimate account owner. This is critical in determining whether user credentials have been stolen and are being used by remote attackers.
Exfiltration attempts. Data exfiltration is a big concern for many organizations and can occur when employees are negligent or are trying to be more efficient by working around outdated technology (“I can be more productive using my personal device instead of the company-issued equipment”) and using USB drives or online apps like Slack or Box. Detecting and preventing data leaks has become more difficult as new technologies and methods for transferring data emerge. Monitoring for abnormal user behavior, such as obtaining data that the user does not normally access or transferring data to unusual locations, can detect data exfiltration attempts.
Credential sharing. Studies show that more than 20% of employees share their passwords with someone else, even though it’s strictly against policy. Monitoring for simultaneous, remote, or unusual usage of user accounts can help detect and mitigate credential sharing.
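The three behaviors above reduce to two checks over an access log: an impossible-travel test on consecutive sign-ins (which also catches the simultaneous-remote-use pattern of credential sharing) and a per-user daily download volume compared against that user's baseline. The following is an added example written for this post, not HoloNet or OnFire code; the event tuples, coordinates, baselines and the 900 km/h airliner threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (user, ISO timestamp, action, city, lat, lon, bytes).
# Places and volumes are illustrative, not taken from the Waymo/Uber case.
EVENTS = [
    ("alice", "2017-06-01T09:00:00", "login",    "Mountain View", 37.39, -122.08, 0),
    ("alice", "2017-06-01T09:30:00", "download", "Mountain View", 37.39, -122.08, 40_000_000),
    ("alice", "2017-06-01T10:15:00", "login",    "Kyiv",          50.45,   30.52, 0),
    ("bob",   "2017-06-01T08:00:00", "login",    "Mountain View", 37.39, -122.08, 0),
    ("bob",   "2017-06-01T08:05:00", "download", "Mountain View", 37.39, -122.08, 9_000_000_000),
]
# Constructed per-user baseline: normal daily download volume in bytes (learned from history).
BASELINES = {"alice": 50_000_000, "bob": 50_000_000}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0):
    """Flag users whose consecutive logins imply travel faster than max_kmh.
    Returns (user, implied_kmh) tuples; sorting by time keeps the check order-independent."""
    last = {}
    hits = []
    for user, ts, action, city, lat, lon, _ in sorted(events, key=lambda e: e[1]):
        if action != "login":
            continue
        t = datetime.fromisoformat(ts)
        if user in last:
            pt, plat, plon = last[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, round(km / hours)))
        last[user] = (t, lat, lon)
    return hits

def volume_anomalies(events, baseline_bytes, factor=5.0):
    """Sum each user's download bytes per day and flag days above factor x baseline.
    Returns sorted (user, day, bytes) tuples."""
    daily = defaultdict(int)
    for user, ts, action, *_rest, nbytes in events:
        if action == "download":
            daily[(user, ts[:10])] += nbytes
    return sorted((u, d, b) for (u, d), b in daily.items() if b > factor * baseline_bytes[u])
```

In this sample alice's second login from Kyiv 75 minutes after Mountain View is flagged as impossible travel, while bob's 9 GB day trips the volume check against a 50 MB baseline.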
While many offerings have the capability to answer these questions, it’s important to take into account both on-premise and cloud-based data and applications, and, optimally, to reconstruct the hidden relationship between data movement and its user, device, and application in real time and to maintain that relationship. So make sure you're able to get the answers to: what has been compromised? Who did it? How did they do it? By what method and from where?
This blog reflects the contribution of the HoloNet team and guest bloggers who are security experts. HoloNet Security is led by a team of seasoned security industry professionals with a long, proven track record of successful security products and services.