Insider Threat Detection and Response

By Alex Goldman

February 29, 2008

ISP-Planet's Alex Goldman reports on threat management from the Wall Street Technology Association's seminar last week.

The Wall Street Technology Association (WSTA) on Threat Management and Information Security featured many speakers. One talked about a threat that affects businesses of all sizes.

Brian Contos, CEO of Cupertino, Calif.-based security vendor ArcSight (IPO planned for later this year) pointed out that the insider threat is very different from most of the security issues administrators work to prevent.

"The insider is not James Bond; the insider is low tech," said Contos. "The insider will copy data to their iPod, e-mail it out to Gmail or Yahoo. Often, this activity is careless, not malicious. A key employee will leave a laptop on a plane and it's gone."

Of course, those who do undertake malicious activity will do so for alarmingly low fees. "How much do you think secrets, secrets that involved assets destroyed and loss of life, cost? $5,000."

You cannot tell a malicious insider just by their appearance. "It's not the SAM (Socially Awkward Male). And when you catch them, it can be tough to tell the difference between a malicious act and a mistake."

You catch insider threats by looking for unusual behavior. The Dupont data thief was caught when administrators realized he had downloaded an unusual amount of information ($400 million worth, Dupont claims).

ArcSight specializes in correlating data from many sources. For example, an employee has a name, possibly a badge number, and also a network ID. "We call correlating the network ID, firewall, and device information '3D correlation,'" said Contos. "We're looking for a role violation, such as an administrator accessing financial records. We use data from many sources now, including Exchange, printers, SAP, Oracle, and, where available, video."

Misused privileges are an important clue, but it's also important to be able to see more basic rule violations. "It's suspicious if Lisa's IP address is using Tina's ID," said Contos. "ID management is as disliked as PKI and enterprise DRM, but it will eventually be adopted."

When catching one thiefWhen you catch a malicious insider, Contos observed, you immediately ask three questions:

  1. What else are they doing?
  2. Who else is involved?
  3. How long have they been doing it?

If this issue concerns you, implement awareness programs through the HR department. Make sure all executives receive training.

"Malicious insiders usually work in groups," Contos said. People can be making as little as a few hundred dollars each month off of malicious activity, "but it seems to work for them" until they get caught.

Alex Goldman is Managing Editor at ISP-Planet. This story appears courtesy of ISP-Planet.



Comment and Contribute
(Maximum characters: 1200). You have
characters left.