Vulnerabilities / Threats
12/3/2012
11:42 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Catching Attacks From The Inside Means Crunching More Data

Mining access logs and identity stores can provide a good picture of what's going on inside the firewall, including suspicious insider activity

Whether by mandate or mission, companies have increasingly focused on creating better systems for managing the identities and access rights of their employees. Such systems can be a goldmine of information on security events that may indicate that an attack is underway.

But it's not easy. Luck and a sharp eye caught the malicious code left behind by Rajendrasinh Makwana, the contractor convicted of attempting to delete data at Fannie Mae in 2008, after the company fired him. Yet, both technology and processes failed to catch Societe Generale's Jerome Kerviel, who used other traders' accounts to evade the safety measures put in place by the trading house, resulting in a $7 billion loss.

"To truly understand whether things are happening that shouldn't happen, you need to bring together a lot of pieces of data," says Chris Zannetos, CEO of Courion, an identity and access management provider. "It's like what Moneyball did for baseball. When you start mining the data, you start to see things that you would not otherwise see."

Finding suspicious access attempts in a sea of legitimate business operations, while minimizing false positives, requires that a company dive into the data and correlate five attributes of each event: who is doing it, what their access rights are, the sensitivity of the resource being accessed, the company's policy, and what operations the user is attempting. Three of the five metrics--identity, access and policy--are the basis for identity and access management systems, making log data created by the IAM technology an invaluable resource.

While companies would like simple access-management metrics that correlate with malicious behavior, signs of a compromise are rarely so obvious, says Jonathan Sander, director of product strategy for Quest Software, an enterprise software maker which is now part of Dell.

"There are some activities that are universally bad," Sander says. "If you have an administrator that is deleting log entries, that is bad. But most of the time, what is unacceptable is dependent on the industry and their policies."

The first place to focus are on those workers who have the ability to do the most damage: the administrators. The logs of the IT administrator activities should be reviewed by someone who is not an IT administrator but who has a security role. If the company does not have a chief security officer, then whoever has responsibility for the security of the business should review administrator activities and question any log entry that looks suspicious, advises Sander

"Anything you do not understand at first glance, they should have to explain," he says. "If it seems fishy, then push the issue."

[A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely. See Watch The Watchers: 'Trusted' Employees Can Do Damage.]

In many companies, business executives are hesitant to challenge IT administrators. While other users and employees are expected to follow policy, many administrators can easily skirt the rules. Nearly six in 10 companies monitor privileged accounts, but more than half of privileged users believe they can bypass the monitoring, according to the 2012 Cyber-Ark Trust, Security & Passwords survey.

"Organizations have started to get better at controlling the insiders that are not the administrators, or at least they have a plan to do it," says Quest's Sander. "A lot of times the administrators are going unchecked, so that is a problem that deserves more attention right now."

In addition, companies need to prevent privileged users from sharing their account credentials. Many firms have a single superuser account for multiple administrators, but sharing increases risk and limits how accountable an administrator can be held for the misuse of a server or other corporate resource.

By tracking each individual privileged user and monitoring high-impact corporate resources, companies will have a better chance of detecting attacks, when they come.

"You are replacing a bad system with a secure system, and allowing thereby tracking of individuals and their actions, and that alone puts you in a much, much better position," Sander says. "It raises the bar of what somebody would have to do to abuse those privileges very, very high."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
PJS880
50%
50%
PJS880,
User Rank: Apprentice
12/17/2012 | 3:11:19 PM
re: Catching Attacks From The Inside Means Crunching More Data






I
am pretty sure that monitoring and logging are out into place for
this particular reason right here. They are studied and learned from
in the event to better protect themselves f or a future attack. It is
to bad that these logs are usually not used unless an incident occurs
that requires them to see what happened. With a 7 billion dollar hit
someone is going to be very upset and looking for measure so it does
not happen again.

Paul
Sprague

InformationWeek
Contributor

-

SSERGIO123
50%
50%
SSERGIO123,
User Rank: Apprentice
12/4/2012 | 10:07:54 PM
re: Catching Attacks From The Inside Means Crunching More Data
Check all outbound traffic. Hackers will get in, but you can prevent them from getting out. Outbound traffic is the choke point.
Bryan Yurcan
50%
50%
Bryan Yurcan,
User Rank: Apprentice
12/4/2012 | 4:16:52 PM
re: Catching Attacks From The Inside Means Crunching More Data
Interesting, something all financial services companies need to be aware of
Ivy Schmerken
50%
50%
Ivy Schmerken,
User Rank: Apprentice
12/4/2012 | 4:02:10 PM
re: Catching Attacks From The Inside Means Crunching More Data
Great article! Wall Street firms plagued by insider trading and fraud should heed the advice here, as well as the warnings about IT administrators who believe they can skirt monitoring.- Clearly, this takes data correlation effort on the part of inhouse security experts.- Is every firm up to the task?
Register for Dark Reading Newsletters
White Papers
Cartoon
Latest Comment: LOL.
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6213
Published: 2014-04-19
Unspecified vulnerability in Virtual User Generator in HP LoadRunner before 11.52 Patch 1 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1833.

CVE-2013-6214
Published: 2014-04-19
Unspecified vulnerability in the Integration Service in HP Universal Configuration Management Database 9.05, 10.01, and 10.10 allows remote authenticated users to obtain sensitive information via unknown vectors, aka ZDI-CAN-2042.

CVE-2012-0871
Published: 2014-04-18
The session_link_x11_socket function in login/logind-session.c in systemd-logind in systemd, possibly 37 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on the X11 user directory in /run/user/.

CVE-2012-6646
Published: 2014-04-18
F-Secure Anti-Virus, Safe Anywhere, and PSB Workstation Security before 11500 for Mac OS X allows local users to disable the Mac OS X firewall via unspecified vectors.

CVE-2013-4279
Published: 2014-04-18
imapsync 1.564 and earlier performs a release check by default, which sends sensitive information (imapsync, operating system, and Perl version) to the developer's site.

Best of the Web