Vulnerabilities / Threats
11:42 PM
Connect Directly

Catching Attacks From The Inside Means Crunching More Data

Mining access logs and identity stores can provide a good picture of what's going on inside the firewall, including suspicious insider activity

Whether by mandate or mission, companies have increasingly focused on creating better systems for managing the identities and access rights of their employees. Such systems can be a goldmine of information on security events that may indicate that an attack is underway.

But it's not easy. Luck and a sharp eye caught the malicious code left behind by Rajendrasinh Makwana, the contractor convicted of attempting to delete data at Fannie Mae in 2008, after the company fired him. Yet, both technology and processes failed to catch Societe Generale's Jerome Kerviel, who used other traders' accounts to evade the safety measures put in place by the trading house, resulting in a $7 billion loss.

"To truly understand whether things are happening that shouldn't happen, you need to bring together a lot of pieces of data," says Chris Zannetos, CEO of Courion, an identity and access management provider. "It's like what Moneyball did for baseball. When you start mining the data, you start to see things that you would not otherwise see."

Finding suspicious access attempts in a sea of legitimate business operations, while minimizing false positives, requires that a company dive into the data and correlate five attributes of each event: who is doing it, what their access rights are, the sensitivity of the resource being accessed, the company's policy, and what operations the user is attempting. Three of the five metrics--identity, access and policy--are the basis for identity and access management systems, making log data created by the IAM technology an invaluable resource.

While companies would like simple access-management metrics that correlate with malicious behavior, signs of a compromise are rarely so obvious, says Jonathan Sander, director of product strategy for Quest Software, an enterprise software maker which is now part of Dell.

"There are some activities that are universally bad," Sander says. "If you have an administrator that is deleting log entries, that is bad. But most of the time, what is unacceptable is dependent on the industry and their policies."

The first place to focus are on those workers who have the ability to do the most damage: the administrators. The logs of the IT administrator activities should be reviewed by someone who is not an IT administrator but who has a security role. If the company does not have a chief security officer, then whoever has responsibility for the security of the business should review administrator activities and question any log entry that looks suspicious, advises Sander

"Anything you do not understand at first glance, they should have to explain," he says. "If it seems fishy, then push the issue."

[A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely. See Watch The Watchers: 'Trusted' Employees Can Do Damage.]

In many companies, business executives are hesitant to challenge IT administrators. While other users and employees are expected to follow policy, many administrators can easily skirt the rules. Nearly six in 10 companies monitor privileged accounts, but more than half of privileged users believe they can bypass the monitoring, according to the 2012 Cyber-Ark Trust, Security & Passwords survey.

"Organizations have started to get better at controlling the insiders that are not the administrators, or at least they have a plan to do it," says Quest's Sander. "A lot of times the administrators are going unchecked, so that is a problem that deserves more attention right now."

In addition, companies need to prevent privileged users from sharing their account credentials. Many firms have a single superuser account for multiple administrators, but sharing increases risk and limits how accountable an administrator can be held for the misuse of a server or other corporate resource.

By tracking each individual privileged user and monitoring high-impact corporate resources, companies will have a better chance of detecting attacks, when they come.

"You are replacing a bad system with a secure system, and allowing thereby tracking of individuals and their actions, and that alone puts you in a much, much better position," Sander says. "It raises the bar of what somebody would have to do to abuse those privileges very, very high."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
12/17/2012 | 3:11:19 PM
re: Catching Attacks From The Inside Means Crunching More Data

am pretty sure that monitoring and logging are out into place for
this particular reason right here. They are studied and learned from
in the event to better protect themselves f or a future attack. It is
to bad that these logs are usually not used unless an incident occurs
that requires them to see what happened. With a 7 billion dollar hit
someone is going to be very upset and looking for measure so it does
not happen again.




User Rank: Apprentice
12/4/2012 | 10:07:54 PM
re: Catching Attacks From The Inside Means Crunching More Data
Check all outbound traffic. Hackers will get in, but you can prevent them from getting out. Outbound traffic is the choke point.
Bryan Yurcan
Bryan Yurcan,
User Rank: Apprentice
12/4/2012 | 4:16:52 PM
re: Catching Attacks From The Inside Means Crunching More Data
Interesting, something all financial services companies need to be aware of
Ivy Schmerken
Ivy Schmerken,
User Rank: Apprentice
12/4/2012 | 4:02:10 PM
re: Catching Attacks From The Inside Means Crunching More Data
Great article! Wall Street firms plagued by insider trading and fraud should heed the advice here, as well as the warnings about IT administrators who believe they can skirt monitoring.- Clearly, this takes data correlation effort on the part of inhouse security experts.- Is every firm up to the task?
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.