By Piers Wilson, head of product management, Tier-3 Huntsman
Large scale cyber-attacks led by skilled hackers using ultra-sophisticated malware and zero day vulnerabilities are never far from the headlines at the moment. High profile cases such as the gang that was recently arrested for scamming £1.6 million from ATMs using malware serve as a reminder to financial institutions of the need to stay ahead of those trying to break through their perimeter. Unfortunately, they also cause us to focus attention on the outside threats and overlook those a little closer to home. Insiders, however, represent a significant problem for financial institutions as well; a 2013 report by AlgoSec found that almost two-thirds of organisations rate insiders as their greatest risk. So what are they doing about it?
Financial services firms are a hugely lucrative target for cyber-criminals, so it’s no surprise that they’ve built up a huge array of network security systems and controls, such as data loss prevention (DLP) systems, encryption, firewalls, IDS and anti-virus packages. As the headlines attest, however, these defences are failing to deliver total security.
Bill Anderson from Oculis Labs hit the nail on the head when he said that whilst a focus on network security might keep out external attackers, it won’t be enough to prevent insider-driven breaches. The problem is that the majority of network security solutions are only geared-up to identify the known threats, which leaves organisations open and vulnerable to unknown threats, such as those that are deliberately targeted to circumvent existing security efforts.
Going for the gold: rise of the inside job
Before they can tackle insider threats effectively, financial organisations must understand where the risks lie and how they’re created. The obvious reason is that insiders have special privileges that external attackers do not. They already have “legitimate” access to the network and systems and can compromise sensitive data all too easily; sometimes even without intending to, through ignorance, negligence, or just plain carelessness.
The problem is exacerbated further by the decreasing number of staff resources that organisations now have, with many employees being replaced by contractors, third party support personnel and service providers. For example, cloud-based IT services are typically staffed by non-employees, who administer service platforms that are beyond both the control and visibility of the organisation. Systems that depend solely on the cloud service provider for security can therefore, perhaps unknowingly, create very broad insider risks in this sense.
It is also a real challenge to address every eventuality in which an insider could be acting against the organisation. Since different insiders have differing motives, skill sets, risk profiles and access privileges, the controls put in place to address one scenario may be completely ineffective in another.
For instance, IT security teams must choose effective controls to deal with a diverse range of situations that could include:
- Data breaches that are accidental or caused by ignorance;
- Breaches that are opportunistic or planned and deliberate;
- Breaches made possible by misconfigured systems;
- Breaches that result from an administrator circumventing stringent controls;
- Breaches that result from inappropriate levels of privilege for insiders.
Sometimes insider threats are treated as application-level or fraud issues arising from identity management problems, while the term cyber-security is reserved for the more technical, external ones. This split can leave institutions unable to counter a targeted, technical and motivated internal actor. The reality is that all of these can be damaging and costly.
Sealing the vault: tackling the insider threat
There have been many attempts to tackle this broad range of insider threats head-on. For example, the FBI tried to develop a tool that could predict insider behaviour and stop cybercriminals before they could do any harm, but the results met with little success. It has since moved to a behavioural baselining methodology to detect anomalous insider activity as it occurs. This approach monitors how IT users are operating on the system and identifies when that activity is abnormal. The FBI’s CSO claims that this approach is far more effective. When combined with machine learning and activity profiling, Behaviour Anomaly Detection solutions like this can quickly detect an indicator of compromise that could signpost a potential malicious insider threat and alert the IT security teams, allowing them to take action before it is too late.
There are also more fundamental processes that can be implemented in order to reduce the threat from malicious insider activity. For example, it is essential to set access rights based on user roles, so that only those employees that have a real need to access a given resource have the ability to do so. If an employee doesn’t need access to customer bank accounts or trading secrets, then their access privileges shouldn’t permit it. Separating duties can also prevent subversion or collusion, and avoids implicating personnel in activities in which they had no part. The most useful controls are those that provide evidence to support their operation, which is generated continuously through normal use; such as collection and regular analysis of event logs and system/network activity.
In most cases, victims of insider breaches could have found evidence of the breach in their log files, if only they had looked. For example, if a certain user is accessing a significant number of documents that aren’t reasonably within their remit, then an alarm would be triggered and the breach responded to quickly. Imagine the problems that this approach could help to avoid by detecting insiders like Jérôme Kerviel, who infamously cost French bank Société Générale an astonishing €4.9 billion through abusing his access privileges to IT systems.
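The two controls described above, role-based access limits and continuous analysis of activity logs for users who stray outside their normal pattern, can be illustrated in a few dozen lines. The following is an added example written for this piece, not code from the article or from Tier-3 Huntsman: the log format, the users alice and bob, their roles, the document paths and the thresholds are all constructed assumptions. It builds a per-user baseline of how many distinct documents each person reads per day, flags a day that exceeds the baseline by a chosen margin, and separately flags any read outside the document trees allowed for the user's role.

```python
"""Behavioural baselining over document-access logs (added example).

Constructed illustration, not code from the article or from Tier-3 Huntsman.
Log format, users, roles, paths and thresholds are all assumptions.
"""
from collections import defaultdict
import statistics

# Assumed role policy: the document trees each role has a genuine need to read.
ROLE_REMIT = {
    "trader": ("/docs/trading/",),
    "support": ("/docs/it/",),
}


def make_log(date, user, role, n_docs, prefix):
    """Build n_docs constructed 'date user role read resource' log lines."""
    return [f"{date} {user} {role} read {prefix}doc-{i}.pdf" for i in range(1, n_docs + 1)]


# Constructed history: five ordinary working days for two users.
BASELINE_LINES = []
for day, a, b in [("2014-03-03", 2, 3), ("2014-03-04", 3, 3), ("2014-03-05", 4, 3),
                  ("2014-03-06", 3, 3), ("2014-03-07", 3, 3)]:
    BASELINE_LINES += make_log(day, "alice", "trader", a, "/docs/trading/")
    BASELINE_LINES += make_log(day, "bob", "support", b, "/docs/it/")

# Constructed "today": alice pulls 30 trading documents plus an HR spreadsheet
# outside her remit; bob behaves much as usual.
TODAY_LINES = (make_log("2014-03-10", "alice", "trader", 30, "/docs/trading/")
               + ["2014-03-10 alice trader read /docs/hr/salaries.xlsx"]
               + make_log("2014-03-10", "bob", "support", 4, "/docs/it/"))


def parse_line(line):
    """Split one log line into its fields; the format is an assumption."""
    date, user, role, action, resource = line.split(" ", 4)
    return {"date": date, "user": user, "role": role, "action": action, "resource": resource}


def distinct_docs_per_day(lines):
    """Return {user: {date: number of distinct resources read}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for rec in map(parse_line, lines):
        if rec["action"] == "read":
            seen[rec["user"]][rec["date"]].add(rec["resource"])
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def build_baseline(lines):
    """Per-user mean and standard deviation of distinct documents read per day."""
    baseline = {}
    for user, days in distinct_docs_per_day(lines).items():
        counts = list(days.values())
        sd = statistics.stdev(counts) if len(counts) > 1 else 0.0
        baseline[user] = (statistics.mean(counts), sd)
    return baseline


def detect_volume_anomalies(baseline, lines, k=3.0, min_sigma=1.0):
    """Flag users whose daily distinct-document count exceeds mean + k*sigma.

    min_sigma stops a perfectly regular history (sigma of 0) from alerting on
    a change of a single document. Users with no baseline are flagged too,
    since nothing is known about what is normal for them.
    """
    alerts = []
    for user, days in distinct_docs_per_day(lines).items():
        for date, count in days.items():
            if user not in baseline:
                alerts.append((date, user, count, None))
                continue
            mean, sd = baseline[user]
            threshold = mean + k * max(sd, min_sigma)
            if count > threshold:
                alerts.append((date, user, count, round(threshold, 2)))
    return alerts


def detect_remit_violations(lines, remit=ROLE_REMIT):
    """Flag reads of resources outside the document trees allowed for the role."""
    violations = []
    for rec in map(parse_line, lines):
        allowed = remit.get(rec["role"], ())  # unknown role: nothing is allowed
        if not rec["resource"].startswith(allowed):
            violations.append((rec["date"], rec["user"], rec["resource"]))
    return violations


if __name__ == "__main__":
    base = build_baseline(BASELINE_LINES)
    for alert in detect_volume_anomalies(base, TODAY_LINES):
        print("VOLUME ANOMALY", alert)
    for v in detect_remit_violations(TODAY_LINES):
        print("OUTSIDE REMIT", v)
```

Run against the constructed data, alice's 31 distinct documents in one day trip the volume check (her threshold is 6.0) and her read of the HR spreadsheet trips the remit check, while bob's four documents do not alert. The volume check needs a history of several days per user before it is meaningful, and the floor on sigma is there precisely because a very regular user would otherwise alert on a change of one document.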
What this all adds up to is the need for financial organisations to avoid over-reliance on network security systems and signature-based tools, and instead to focus on the early detection of indicators of compromise, followed by investigation and verification of those risks to the enterprise. This will enable them to take the appropriate action to deal with any given threat, regardless of the source or motive. By dealing with the disease rather than the symptoms, proactive technologies can alert the instant that systems, processes or people behave abnormally. This is often the first and clearest indicator that something’s not as it should be.