Financial institutions have long known about the ‘insider threat’ security issue, but now there is an increasing awareness of how that might be linked to theft of software-based intellectual property (IP). With many financial services so dependent on software at their heart, it is no surprise therefore that companies are looking beyond traditional security tools at new ways to mitigate these risks.
It is hard to quantify the exact scale of the problem, but recent studies would seem to validate these concerns. A PWC report into global cyber security (http://www.pwc.com/gsiss2015) reported on the increasing incidence of intellectual property (IP) theft and found that most security incidents are caused by company insiders. A US Department of Commerce report found that IP theft (all kinds, not just cybercrime) costs US companies $200 to $250 billion annually, while the Organization for Economic Development (OECD) estimated that counterfeiting and piracy costs companies as much as $638 billion per year. A recent Intel Security/McAfee report cited this example: [A] “firm with 800 employees had to cut its workforce in half after hackers stole its IP and a competing product appeared on the market.”
Insider threats appear in many forms:
- Hacktivists – insiders capturing sensitive data and then sharing it, while maintaining their anonymity
- Criminal organisations – organised criminal groups frequently use the Internet to commit fraudulent activities and the financial services sector is obviously a big target. There’s no reason why they won’t move on from stealing money to selling illegally obtained software.
- Careless and compromised employees – employees who move data to insecure locations in order to ease their work processes create risk by unwittingly exposing this data to external hackers or bad actors who work within a company, at supply chain partner companies or among contractors.
- Leaving employees – “leaving” employees who take sensitive data with them are a widespread problem. Studies consistently find that almost 60 percent of former employees have taken sensitive company data when they depart an organisation regardless of the reason why they left. One Symantec study (http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01) found that 56 percent of workers believe it is okay to take data with them and use it at a competitor. This includes not only customer contact lists, but also the IP and trade secrets related to the programs with which these employees were involved.
What does this mean in practice in the financial services market? One example might be an innovative financial product that, even before it is launched, is suddenly being replicated on the other side of the world.
Of course, financial services companies have been throwing large budgets at security for many years, but as so often reported in the media, this approach is far from fool-proof. Apart from the fact that ‘the bad guys’ will always find a way in, the very heart of creating software – the development process itself – is notoriously difficult to safeguard. This is because software development environments are often siloed and the problem is made worse by the volume and variety of contributors involved, often working in different locations or operating environments. It can be extremely difficult to achieve any real visibility of what is happening.
This is why more organisations are turning to techniques such as behavioural analytics in the fight against IP theft: detecting and surfacing anomalies, such as unusual activities, and applying algorithms that sort through all the noise. One of the hottest areas in security right now, behavioural analytics approaches the identification of security vulnerabilities in a different way to traditional security tools.
Perhaps the best way to illustrate what this means in practice is with a real-world example. A well-known chip manufacturer knew that its software IP was being stolen and passed on, but could not prove who, what or where. It spent over a million dollars with a large, well-known consulting and services firm over the period of a year, yet was still unable to determine the root of the problem. The solution proved to be applying behavioural analytics to the company’s Perforce version control log data, a process which involved examining over nine billion events executed by 20,000 software developers. Within a fortnight, concrete evidence was found not only against the two suspects, but also against a further 11 unknown developers who had been replicating up to 500,000 files per day.
Why behavioural analytics is clever
What’s clever about behavioural analytics is that it is based on surfacing not just unusual activity, but then applying other criteria to calculate the risk. Most vulnerability management tools tend to identify a lot of ‘noise’: it is making sense of that volume that counts. For instance, behavioural analytics might pick up that a software developer in a bank is working outside his or her usual hours, or downloading vast amounts of code that is not then checked back in later. There could be perfectly innocent reasons for those actions, but equally, they could be a clue to something more sinister. Types of attack vary, from the spontaneous (such as an unhappy colleague leaving the company) through to more sustained and sophisticated attacks, which can include insiders working in conjunction with outside organisations to perpetrate IP theft.
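As an added illustration (not code from the article, from Perforce, or from any vendor's product), the sketch below scores one day of version-control activity against each developer's own history and flags a user only when several signals agree. The event tuples, the `sync`/`submit` action names, the sample data and the thresholds are all constructed assumptions, not a real log format.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

def build_events():
    """Constructed sample events (user, timestamp, action, files); not a real log format."""
    ev = []
    for day in range(1, 6):                                   # five ordinary working days
        for user, n in (("alice", 120), ("bob", 90)):
            ev.append((user, f"2024-03-0{day}T09:30", "sync", n + day * 10))
            ev.append((user, f"2024-03-0{day}T16:45", "submit", 8))
    ev.append(("alice", "2024-03-06T21:10", "sync", 150))     # late, but normal volume
    ev.append(("alice", "2024-03-06T21:50", "submit", 6))
    ev.append(("bob", "2024-03-06T02:15", "sync", 40000))     # bulk pull, nothing checked in
    return ev

def daily_profile(events):
    """Aggregate per (user, date): files synced, files submitted, hours of activity."""
    days = defaultdict(lambda: {"sync": 0, "submit": 0, "hours": set()})
    for user, ts, action, files in events:
        t = datetime.fromisoformat(ts)
        d = days[(user, t.date())]
        d[action] += files
        d["hours"].add(t.hour)
    return days

def signals(history, today):
    """Compare one day with the same user's earlier days; return the signals that fired."""
    if not history:
        return []                                             # no baseline yet, nothing to compare
    vols = [h["sync"] for h in history]
    med = median(vols)
    mad = median(abs(v - med) for v in vols) or 1             # robust spread, never zero
    usual = set().union(*(h["hours"] for h in history))
    checks = {
        "volume": (today["sync"] - med) / mad > 10,
        "off-hours": any(h < min(usual) or h > max(usual) for h in today["hours"]),
        "no-check-in": today["sync"] > 0 and today["submit"] == 0,
    }
    return [name for name, hit in checks.items() if hit]

def assess(events, target_date):
    """Score each user's activity on target_date; flag only when two or more signals agree."""
    days, out = daily_profile(events), {}
    for (user, date), today in days.items():
        if date.isoformat() == target_date:
            history = [d for (u, dt), d in days.items() if u == user and dt < date]
            fired = signals(history, today)
            out[user] = {"signals": fired, "flag": len(fired) >= 2}
    return out
```

Calling `assess(build_events(), "2024-03-06")` leaves the developer who merely worked late unflagged, while the bulk off-hours pull with no check-in trips all three signals.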
Given that software is now at the very core of so many financial services, software-based IP has become an integral part of these organisations’ ‘crown jewels’. Software needs to be protected like any other valuable asset and, while behavioural analytics should be just part of a company’s overall security armoury, it could help banks and other financial firms to better protect their software-based IP.
Mark Warren is Product Marketing Director at Perforce Software. Worldwide, the version management and code collaboration portfolio from Perforce Software is used by thousands of customers, including Salesforce.com, NVIDIA, Samsung, and EA Games. Mark has over two decades’ experience in the software industry with roles as a provider and consumer of advanced development tools. www.perforce.com