Vulnerabilities / Threats
11:42 PM
Connect Directly
Repost This

Catching Attacks From The Inside Means Crunching More Data

Mining access logs and identity stores can provide a good picture of what's going on inside the firewall, including suspicious insider activity

Whether by mandate or mission, companies have increasingly focused on creating better systems for managing the identities and access rights of their employees. Such systems can be a goldmine of information on security events that may indicate that an attack is underway.

But it's not easy. Luck and a sharp eye caught the malicious code left behind by Rajendrasinh Makwana, the contractor convicted of attempting to delete data at Fannie Mae in 2008, after the company fired him. Yet, both technology and processes failed to catch Societe Generale's Jerome Kerviel, who used other traders' accounts to evade the safety measures put in place by the trading house, resulting in a $7 billion loss.

"To truly understand whether things are happening that shouldn't happen, you need to bring together a lot of pieces of data," says Chris Zannetos, CEO of Courion, an identity and access management provider. "It's like what Moneyball did for baseball. When you start mining the data, you start to see things that you would not otherwise see."

Finding suspicious access attempts in a sea of legitimate business operations, while minimizing false positives, requires that a company dive into the data and correlate five attributes of each event: who is doing it, what their access rights are, the sensitivity of the resource being accessed, the company's policy, and what operations the user is attempting. Three of the five metrics--identity, access and policy--are the basis for identity and access management systems, making log data created by the IAM technology an invaluable resource.

While companies would like simple access-management metrics that correlate with malicious behavior, signs of a compromise are rarely so obvious, says Jonathan Sander, director of product strategy for Quest Software, an enterprise software maker which is now part of Dell.

"There are some activities that are universally bad," Sander says. "If you have an administrator that is deleting log entries, that is bad. But most of the time, what is unacceptable is dependent on the industry and their policies."

The first place to focus are on those workers who have the ability to do the most damage: the administrators. The logs of the IT administrator activities should be reviewed by someone who is not an IT administrator but who has a security role. If the company does not have a chief security officer, then whoever has responsibility for the security of the business should review administrator activities and question any log entry that looks suspicious, advises Sander

"Anything you do not understand at first glance, they should have to explain," he says. "If it seems fishy, then push the issue."

[A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely. See Watch The Watchers: 'Trusted' Employees Can Do Damage.]

In many companies, business executives are hesitant to challenge IT administrators. While other users and employees are expected to follow policy, many administrators can easily skirt the rules. Nearly six in 10 companies monitor privileged accounts, but more than half of privileged users believe they can bypass the monitoring, according to the 2012 Cyber-Ark Trust, Security & Passwords survey.

"Organizations have started to get better at controlling the insiders that are not the administrators, or at least they have a plan to do it," says Quest's Sander. "A lot of times the administrators are going unchecked, so that is a problem that deserves more attention right now."

In addition, companies need to prevent privileged users from sharing their account credentials. Many firms have a single superuser account for multiple administrators, but sharing increases risk and limits how accountable an administrator can be held for the misuse of a server or other corporate resource.

By tracking each individual privileged user and monitoring high-impact corporate resources, companies will have a better chance of detecting attacks, when they come.

"You are replacing a bad system with a secure system, and allowing thereby tracking of individuals and their actions, and that alone puts you in a much, much better position," Sander says. "It raises the bar of what somebody would have to do to abuse those privileges very, very high."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/17/2012 | 3:11:19 PM
re: Catching Attacks From The Inside Means Crunching More Data

am pretty sure that monitoring and logging are out into place for
this particular reason right here. They are studied and learned from
in the event to better protect themselves f or a future attack. It is
to bad that these logs are usually not used unless an incident occurs
that requires them to see what happened. With a 7 billion dollar hit
someone is going to be very upset and looking for measure so it does
not happen again.



User Rank: Apprentice
12/4/2012 | 10:07:54 PM
re: Catching Attacks From The Inside Means Crunching More Data
Check all outbound traffic. Hackers will get in, but you can prevent them from getting out. Outbound traffic is the choke point.
Bryan Yurcan
Bryan Yurcan,
User Rank: Apprentice
12/4/2012 | 4:16:52 PM
re: Catching Attacks From The Inside Means Crunching More Data
Interesting, something all financial services companies need to be aware of
Ivy Schmerken
Ivy Schmerken,
User Rank: Apprentice
12/4/2012 | 4:02:10 PM
re: Catching Attacks From The Inside Means Crunching More Data
Great article! Wall Street firms plagued by insider trading and fraud should heed the advice here, as well as the warnings about IT administrators who believe they can skirt monitoring.-Š Clearly, this takes data correlation effort on the part of inhouse security experts.-Š Is every firm up to the task?
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web