Endpoint | Commentary
7/29/2015 10:30 AM
Anna Chiang
Code Theft: Protecting IP At The Source

Your corporate assets are at risk and every day that you avoid taking action shortens the time until your IP will be leaked. Here are six steps toward better data security.

The security world is awash with various malware-centric cyber kill chain models and advanced styles of threat defense that focus on network traffic, payload, and endpoint analyses. But if you step back and look at what most security tools and frameworks are trying to accomplish at a very high level, it boils down to:

  • Detecting and/or blocking adversaries as they try to get inside your organization to steal your valuable data and intellectual property (IP)
  • Detecting and/or blocking adversaries as they try to exfiltrate that IP and data to use for their own purposes.

With absolute intrusion prevention no longer a realistic goal, and fast detection and response the new security mantra, one could argue that a disproportionate share of time and effort goes into watching the perimeter doors and too little into guarding the internal vault that holds the company’s most sensitive IP. That vault is also reachable by privileged insiders who already hold the keys to the kingdom and need no perimeter breach at all.

The Source of the Crime
IP theft isn’t a new problem. In 2003, gaming company Valve Corp. suffered losses estimated at hundreds of millions of dollars when source code of its Half-Life 2 game (five years in the making) was stolen and posted on the Internet. More recently, Wall Street traders from Goldman Sachs and Flow Traders BV were accused of taking proprietary computer source code used to make high-speed stock and commodity trades that earn millions of dollars in profits each year. In 2013, the IP Commission Report put the costs of intellectual property theft in excess of $300 billion in the United States alone.

To understand how best to protect such critical assets, it’s important to consider where they are stored. For companies that build commercial software products or implement internal software apps and platforms, their IP consists of source code and related assets stored in version control/source control management (SCM) systems. These systems not only store the assets, but also facilitate the collaboration across all the product contributors, who access the SCM system to update their work and share it with others.

Typical Behaviors of a Data Thief
The conclusion of this year’s RSA conference, one of the security industry’s biggest events, was that “at the end of the day, the bad guys are still getting in.” Once inside, they usually take time to wander the organization looking for valuable digital assets (e.g., source code, design specifications, strategic business plans, product road maps, formulas, or the industry “secret sauce”). Telltale patterns include accessing those assets at odd hours of the day, pulling from inactive projects, and hoarding (that is, taking far more information than they contribute back).

While some security tools focus on monitoring and correlating network log data or endpoint data (watching the perimeter doors) to spot anomalous behavior, this approach may require time-consuming manual rules and threshold setting, and often results in security teams being inundated with false positive alerts. Some tools may lack context-specific information (e.g., who, when, how and where) that typifies the behavior of a data thief and don’t compare his or her actions to a baseline of “normal behavior.” Many tools just give a simple count of how many files were downloaded but don’t specify exactly which files were downloaded or which critical projects were affected.

For example, a worker who takes a small amount of source code (or other assets) every week will not trip an alert whose threshold is set at an arbitrary fixed value. But if that worker’s access pattern is compared, in a cluster map, against a baseline built from peers doing the same kind of work, the slow leak stands out, provided the peer group is not itself compromised.

When a bad guy starts exploring the corporate IP vault, you’d be well served to detect unusual high-risk behavior and provide actionable insights to your security teams. Certainly, this approach is preferable to watching the doors for everything and drowning in the security alert noise.

Solution: Behavioral Analytics Applied to SCM Audit Logs
Software development projects in large corporations typically involve thousands of software developers working on thousands of projects over the span of many years. The projects also involve other contributors for assets such as video, graphics, or audio elements. SCM tools manage those complex development workflows by meticulously tracking all access to project repositories and files. This means they can generate detailed audit logs. A month of log data from an SCM system might yield millions of different interactions with files and projects; for the purpose of detecting anomalies, the more granular the log data, the better.

The focus of security teams is quickly moving toward where the data and critical IP reside. A new class of security tools uses machine learning and applies behavioral analytics models to detailed audit logs and other data sources to identify and prioritize threats. These tools enable organizations to take necessary actions to prevent data exfiltration by individuals who have gained access to the source of mission-critical IP.

Six steps toward better protection of IP at its source:

  1. Identify the most important IP in your organization and decide which groups and/or individuals should have access to it.
  2. Require multi-factor and/or continuous authentication and fine-grained access control; enforce strong passwords, and tier the controls by asset type and sensitivity.
  3. Encrypt data at rest and in transit.
  4. Continuously monitor data access, and make sure the SCM system produces detailed audit logs that are stored where the users being monitored cannot alter or delete them.
  5. Implement a security platform that applies behavioral analytics models to those audit logs and quickly surfaces high-risk, anomalous data access.
  6. Integrate your SIEM and other log data with a flexible security platform that provides detailed, context-rich, actionable data to identify high-risk threats to your most important projects and files.
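As an added illustration of the slow-leak discussion above and of step 5 (example code written for this page, not Perforce’s Helix Threat Detection or any other product’s code), the script below builds a constructed four-week audit log in a Perforce-style layout and scores each user against a baseline of their peers. The line format, user names, depot paths, the read/write command sets, business hours and the alerting thresholds are all assumptions made for the example. It first shows that a fixed per-week read count either misses the slow leaker (threshold 20) or also fires on busy honest developers (threshold 14), then computes four of the behaviors the article names, hoarding ratio, off-hours reads, reads from projects nobody writes to, and breadth of files read, and scores them with a leave-one-out median/MAD robust z-score against the other users.

```python
"""Peer-baseline scoring of SCM audit logs (added example; not product code).
Assumed layout, modelled on a Perforce-style audit log but not guaranteed to
match it:  date time user@client ip command //depot/path#rev
All users, paths, commands and thresholds here are made up for illustration."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<user>[^@ ]+)@(?P<client>\S+) (?P<ip>\S+) (?P<cmd>\S+) "
    r"(?P<path>//[^#\s]+)(?:#\d+)?$")
READ_CMDS = {"sync", "print"}     # assumed: file content leaves the server
WRITE_CMDS = {"submit"}           # assumed: content is contributed back
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59 is "normal"; anything else is off-hours
# Minimum spread per feature, so a feature that is identical for every peer
# (MAD == 0) still yields a finite score instead of a division by zero.
SCALE_FLOOR = {"read_write_ratio": 0.5, "off_hours_frac": 0.05,
               "dormant_frac": 0.05, "distinct_files": 2.0}


def parse(line):
    """One audit line -> dict, or None if the line does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    project = "/".join(m["path"].split("/")[:4])          # e.g. "//depot/main"
    return {"ts": ts, "user": m["user"], "cmd": m["cmd"],
            "path": m["path"], "project": project}


def build_sample_log():
    """Constructed four-week log: four ordinary developers and one slow leaker."""
    lines, start = [], datetime(2015, 7, 6)               # a Monday

    def rec(day, hour, user, cmd, path):
        ts = start + timedelta(days=day, hours=hour, minutes=15)
        lines.append(f"{ts:%Y/%m/%d %H:%M:%S} {user}@{user}-ws 10.0.0.7 {cmd} {path}#1")

    for week in range(4):
        for dow in range(5):
            day = week * 7 + dow
            for i, dev in enumerate(["alice", "bob", "carol", "dave"]):
                proj = f"//depot/main/src/mod{i}"
                rec(day, 10, dev, "sync", f"{proj}/file{dow}.c")
                rec(day, 14, dev, "sync", f"{proj}/file{dow}.h")
                if i % 2:   # bob and dave also pull a test file; bob does it late on Fridays
                    late = dev == "bob" and dow == 4
                    rec(day, 21 if late else 16, dev, "sync", f"{proj}/file{dow}_test.c")
                rec(day, 15, dev, "submit", f"{proj}/file{dow}.c")
            # mallory: only three reads a day, but two are at 02:00 from a project
            # nobody writes to, and she contributes back about once a week.
            rec(day, 10, "mallory", "sync", f"//depot/main/src/mod4/file{dow}.c")
            rec(day, 2, "mallory", "sync", f"//depot/legacy/v1/engine/core{day}.c")
            rec(day, 2, "mallory", "sync", f"//depot/legacy/v1/engine/core{day}.h")
            if dow == 0:
                rec(day, 15, "mallory", "submit", "//depot/main/src/mod4/file0.c")
    return lines


def fixed_threshold_alerts(lines, max_reads_per_week):
    """The naive rule: alert any user who reads more than N files in an ISO week."""
    weekly = defaultdict(int)
    for e in filter(None, map(parse, lines)):
        if e["cmd"] in READ_CMDS:
            weekly[(e["user"], e["ts"].isocalendar()[1])] += 1
    return sorted({user for (user, _), n in weekly.items() if n > max_reads_per_week})


def user_features(lines):
    """Per-user behaviour over the whole window (the who / when / what context)."""
    events = list(filter(None, map(parse, lines)))
    active = {e["project"] for e in events if e["cmd"] in WRITE_CMDS}
    raw = defaultdict(lambda: {"reads": 0, "writes": 0, "off": 0, "dormant": 0, "files": set()})
    for e in events:
        s = raw[e["user"]]
        if e["cmd"] in WRITE_CMDS:
            s["writes"] += 1
        elif e["cmd"] in READ_CMDS:
            s["reads"] += 1
            s["files"].add(e["path"])
            s["off"] += int(e["ts"].hour not in BUSINESS_HOURS)
            s["dormant"] += int(e["project"] not in active)
    return {u: {"read_write_ratio": s["reads"] / max(s["writes"], 1),
                "off_hours_frac": s["off"] / s["reads"] if s["reads"] else 0.0,
                "dormant_frac": s["dormant"] / s["reads"] if s["reads"] else 0.0,
                "distinct_files": float(len(s["files"]))} for u, s in raw.items()}


def peer_scores(feats):
    """Robust z-score of each user's features against all other users (median/MAD)."""
    scores = {}
    for user, f in feats.items():
        peers = [p for u, p in feats.items() if u != user]
        scores[user] = {}
        for name, x in f.items():
            vals = [p[name] for p in peers]
            med = statistics.median(vals)
            mad = 1.4826 * statistics.median(abs(v - med) for v in vals)
            scores[user][name] = (x - med) / max(mad, SCALE_FLOOR[name])
    return scores


def rank_users(lines, z_alert=3.0):
    """[(user, worst z, [features at or above z_alert])], riskiest first."""
    scores = peer_scores(user_features(lines))
    ranked = sorted(scores, key=lambda u: max(scores[u].values()), reverse=True)
    return [(u, round(max(scores[u].values()), 1),
             sorted(n for n, z in scores[u].items() if z >= z_alert)) for u in ranked]


if __name__ == "__main__":
    log = build_sample_log()
    print("threshold 20/week:", fixed_threshold_alerts(log, 20))   # nobody: leak missed
    print("threshold 14/week:", fixed_threshold_alerts(log, 14))   # honest users fire too
    for row in rank_users(log):
        print(row)
```

On this constructed data mallory never reads more than 15 files in a week, so a 20-file threshold is silent and a 14-file threshold also fires on bob and dave, whereas the peer comparison ranks her first with every feature well above the z = 3 line and leaves the four honest users below it. Two caveats apply in practice: the baseline assumes most peers are honest, so a compromised team skews it, and the scores are only as trustworthy as the audit log, which must be written to storage the scored users cannot alter.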

Before joining Perforce as the marketing lead for Helix Threat Detection products, Anna did product marketing for BlueRISC, a security company which provides threat detection, endpoint security and forensic analysis products that identify software vulnerabilities and malware ...
Comments
Ulf Mattsson, User Rank: Moderator, 7/30/2015 2:38:08 PM
The perimeter is gone
I agree that some security tools are "watching the perimeter doors." I think that this is a general problem with many IT Security deployments. The perimeter is gone and Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks.

According to the survey, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

Ulf Mattsson, CTO Protegrity
RayD116, User Rank: Apprentice, 7/30/2015 11:47:01 AM
Very interesting read.
My company does this. Very effective defense against insider threats, finding the Snowden sneaking around my source code and IP.

Ray