How do you get foresight into plans or actions of a knowledgeable employee who intends to inflict damage to your company?
It’s very difficult to control the flow of information within today’s workplace. In any normal business day there may be interactions with foreign nationals, USB keys changing hands and contractors working from home, all of which widen the opportunity for espionage and data theft.
There is plenty of room for mischief, and the harm a well-informed saboteur can do is far from trivial. Because they already know where the valuable data sits and how the controls work, the damage is often far greater than that of a breach by an outsider.
CERT (the CERT Insider Threat Center at Carnegie Mellon’s Software Engineering Institute) defines a malicious insider as a current or former employee, contractor, or business partner who:
- Has or had authorised access to an organisation’s network, system, or data and
- Intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organisation’s information or information systems
The trouble with an "insider" is that their access is legitimate. They know the internal regulations and the company policy, and they rarely need to break an obvious rule to do harm. Access control won't stop them, because the access was granted on purpose, and "intrusion detection" won't fire, because technically there is no intrusion.
Most of the time an employee is reported for unusual behaviour by a co-worker or caught by an audit. Personnel screening before hiring is another control that has to be in place, and training and awareness help employees notice and report unusual activity.
That's all old-school stuff. It works, and it is crucial. In addition, there are technical approaches that have earned a rightful place on the "must-have" list.
Most companies should turn on network and application activity logging, file integrity monitoring and data loss monitoring. Stitching together the alerts that "big brother" generates is what makes it possible to spot things that are out of the norm. For example, if a monitored file changes or an email leaves with a sensitive attachment, the user or the behaviour can be flagged and queued for closer review.
Unfortunately there is still plenty of noise obstructing an accurate and clear reading of what is good, bad or ugly behaviour.
We hop on and off social networks, plug and unplug cables, turn up to work late, forget to submit expense reports, book travel outside policy, skip antivirus updates and get overly zealous downloading information. The list goes on. Human behaviour can seem hopelessly unpredictable.
Statistics bring the magic of mathematics to bear on this data and tell us what's actually going on. It is a science that fills in the blanks in our memory, keeps us honest about the present and paints a rough approximation of our future.
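The two ideas above, stitching several alert sources together and using a statistical baseline to separate a real anomaly from everyday noise, are easy to show in code. The following is an added illustration, not code from the original post or from Accenture: the log events are constructed for the example, and the signal names, the robust z-score threshold and the "two corroborating signals" rule are assumptions chosen for illustration, not settings from any product.

```python
"""Correlate several noisy insider-threat signals per user and score each one
against that user's own history, so that a single late login or one USB stick
does not raise an alert on its own but several signals moving together does.
Added example; the events below are constructed, not real logs."""
from statistics import median
from typing import Dict, List, Tuple

# Signal names are assumptions: the kinds of alerts the post mentions
# (file activity, sensitive attachments leaving by email, USB mounts,
# off-hours logins). Real deployments would map their own alert types here.
SIGNALS = ("file_access", "email_attachment", "usb_mount", "after_hours_login")
Z_THRESHOLD = 3.0   # robust z-score at which one signal counts as anomalous
MIN_SIGNALS = 2     # independent anomalous signals needed to flag a user
MAD_FLOOR = 1.0     # keeps a perfectly flat baseline from dividing by zero

# Constructed events: (day, user, signal). One tuple per logged event.
EVENTS: List[Tuple[int, str, str]] = []


def _add(day: int, user: str, signal: str, n: int) -> None:
    EVENTS.extend([(day, user, signal)] * n)


# Days 1-10: ordinary behaviour for two users, with normal day-to-day noise.
for day in range(1, 11):
    _add(day, "alice", "file_access", 20 + (day % 3))       # 20-22 files a day
    _add(day, "alice", "email_attachment", 2)
    _add(day, "alice", "usb_mount", 0 if day % 5 else 1)    # occasional USB use
    _add(day, "bob", "file_access", 8 + (day % 2))
    _add(day, "bob", "email_attachment", 1)
    _add(day, "bob", "after_hours_login", 1 if day % 4 == 0 else 0)

# Day 11: alice is merely noisy (one late login, one USB stick). bob bulk-reads
# files, mails several attachments and mounts USB storage in the same day.
_add(11, "alice", "file_access", 21)
_add(11, "alice", "email_attachment", 2)
_add(11, "alice", "after_hours_login", 1)
_add(11, "alice", "usb_mount", 1)
_add(11, "bob", "file_access", 140)
_add(11, "bob", "email_attachment", 6)
_add(11, "bob", "usb_mount", 4)
_add(11, "bob", "after_hours_login", 1)


def daily_counts(events: List[Tuple[int, str, str]]) -> Dict[str, Dict[str, Dict[int, int]]]:
    """Return {user: {signal: {day: count}}}, with explicit zeros for quiet days
    so that 'nothing happened' is part of the baseline rather than a gap."""
    days = sorted({d for d, _, _ in events})
    users = sorted({u for _, u, _ in events})
    counts = {u: {s: {d: 0 for d in days} for s in SIGNALS} for u in users}
    for day, user, signal in events:
        counts[user][signal][day] += 1
    return counts


def robust_z(history: List[int], today: int) -> float:
    """Median/MAD z-score. Unlike mean/stdev, one odd day in the history barely
    moves the baseline, which is what keeps ordinary noise below threshold."""
    med = median(history)
    mad = median(abs(x - med) for x in history) * 1.4826   # scale MAD to a stdev
    return (today - med) / max(mad, MAD_FLOOR)


def score_users(events: List[Tuple[int, str, str]], score_day: int) -> Dict[str, dict]:
    """Score every user for score_day against their own earlier days and flag
    only those with MIN_SIGNALS or more independently anomalous signals."""
    report = {}
    for user, per_signal in daily_counts(events).items():
        anomalies = {}
        for signal, by_day in per_signal.items():
            history = [c for d, c in by_day.items() if d < score_day]
            z = robust_z(history, by_day.get(score_day, 0))
            if z >= Z_THRESHOLD:
                anomalies[signal] = round(z, 1)
        report[user] = {"anomalies": anomalies,
                        "flagged": len(anomalies) >= MIN_SIGNALS}
    return report


if __name__ == "__main__":
    for user, result in score_users(EVENTS, score_day=11).items():
        print(user, result)
```

Run as a script, it flags bob (three signals far above his own baseline) and leaves alice alone even though she also logged in late and used a USB stick that day. The corroboration rule is the point: any one of these signals fires constantly across a workforce, so a single-signal alert is mostly noise, whereas several signals deviating together for the same user on the same day is the pattern worth a human's attention.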
There is a good research literature on user behaviour analysis. At Accenture we are working on taking these tried and true analytics and making them practical for cyber security, applying root cause analysis, propensity analysis, link analysis and econometric forecasting.
Assessing threats across transactions, individuals and groups, in patterns no analyst could spot unaided, is interesting work and growing in importance.
While tackling the problem of employee betrayal can be hard, we can turn to “big data” and analytics to help trip up the enemy within.