The security world is awash with various malware-centric cyber kill chain models and advanced styles of threat defense that focus on network traffic, payload, and endpoint analyses. But if you step back and look at what most security tools and frameworks are trying to accomplish at a very high level, it boils down to:
- Detecting and/or blocking adversaries as they try to get inside your organization to steal your valuable data and intellectual property (IP)
- Detecting and/or blocking adversaries as they try to exfiltrate that IP and data to use for their own purposes.
With absolute intrusion prevention acknowledged as unattainable and fast detection and response the new security mantra, one could argue that a disproportionate share of time and effort goes to watching the perimeter doors and too little to guarding the internal vault that holds the company's most sensitive IP. Privileged insiders who already hold the keys to the kingdom need no intrusion at all and may pose the more immediate threat.
The Source of the Crime
IP theft isn’t a new problem. In 2003, gaming company Valve Corp. suffered losses estimated at hundreds of millions of dollars when source code of its Half-Life 2 game (five years in the making) was stolen and posted on the Internet. More recently, Wall Street traders from Goldman Sachs and Flow Traders BV were accused of taking proprietary computer source code used to make high-speed stock and commodity trades that earn millions of dollars in profits each year. In 2013, the IP Commission Report put the costs of intellectual property theft in excess of $300 billion in the United States alone.
To understand how best to protect such critical assets, it is important to consider where they are stored. For companies that build commercial software products or implement internal software apps and platforms, their IP consists of source code and related assets stored in version control, or source code management (SCM), systems. These systems not only store the assets but also facilitate collaboration across all the product contributors, who access the SCM system to update their work and share it with others. That concentration makes the SCM system both the natural place to protect and the natural place to watch.
Typical Behaviors of a Data Thief
The conclusion of this year's RSA conference, one of the security industry's biggest events of the year, was that "at the end of the day, the bad guys are still getting in." Once in, they usually take time to wander about the organization searching for valuable digital assets (e.g., source code, design specifications, strategic business plans, product road maps, formulas, or industry "secret sauce"). Their access patterns tend to differ from those of legitimate contributors: they often touch these assets at odd hours of the day, take from inactive projects, or hoard information (that is, take far more than they contribute back).
While some security tools focus on monitoring and correlating network log data or endpoint data (watching the perimeter doors) to spot anomalous behavior, this approach may require time-consuming manual rules and threshold setting, and often results in security teams being inundated with false positive alerts. Some tools may lack context-specific information (e.g., who, when, how and where) that typifies the behavior of a data thief and don’t compare his or her actions to a baseline of “normal behavior.” Many tools just give a simple count of how many files were downloaded but don’t specify exactly which files were downloaded or which critical projects were affected.
For example, a worker who takes small amounts of software code (or other assets) every week won't necessarily be detected if a threshold has been set to trigger an alert at an arbitrary fixed value. But if that worker's access patterns were compared, for instance in a cluster map, to a baseline of peers in the same role who don't steal assets, this slow data leak could be detected. The peer group must be chosen by role: a release engineer who syncs entire repositories is normal among release engineers and anomalous only when measured against application developers.
When a bad guy starts exploring the corporate IP vault, you’d be well served to detect unusual high-risk behavior and provide actionable insights to your security teams. Certainly, this approach is preferable to watching the doors for everything and drowning in the security alert noise.
Solution: Behavioral Analytics Applied to SCM Audit Logs
Software development projects in large corporations typically involve thousands of software developers working on thousands of projects over the span of many years. The projects also involve other contributors for assets such as video, graphics, or audio elements. SCM tools manage those complex development workflows by meticulously tracking all access to project repositories and files. This means they can generate detailed audit logs. A month of log data from an SCM system might yield millions of different interactions with files and projects; for the purpose of detecting anomalies, the more granular the log data, the better.
The focus of security teams is quickly moving toward where the data and critical IP reside. A new class of security tools uses machine learning and applies behavioral analytics models to detailed audit logs and other data sources to identify and prioritize threats. These tools enable organizations to take necessary actions to prevent data exfiltration by individuals who have gained access to the source of mission-critical IP.
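The detection logic sketched in the two passages above (a fixed per-week threshold that misses a slow leak, versus a comparison of each user's access pattern to a peer baseline built from SCM audit logs) can be shown concretely. The following is an added example, written for this page and not code from the original article or any product it describes. It parses constructed audit-log lines in an assumed format (timestamp, user, team, action, project, file count), derives the behaviors the article names (off-hours access, reads from projects nobody writes to, reading far more than one contributes), and scores each user against peers on the same team with a robust z-score (median and MAD). The business-hours window, the 0.1 scale floor, the z-threshold of 3, and the sample log itself are all assumptions made for the example.

```python
"""Peer-baseline anomaly scoring over constructed SCM audit log lines."""
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import median

# Assumed log format (constructed for this example, not a real SCM's format):
# <ISO timestamp> <user> <team> <read|write> <project> <file_count>
Event = namedtuple("Event", "ts user team action project files")

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59, Monday-Friday
FEATURES = ("reads_per_week", "off_hours_ratio", "inactive_ratio", "hoard_ratio")
MIN_SCALE = 0.1                 # floor so a zero MAD cannot make every deviation infinite


def build_sample_log():
    """Constructed four-week log: four ordinary peers plus one slow, steady leaker."""
    lines, peers = [], ["alice", "bob", "carol", "dave"]
    for week in range(4):
        monday = 7 + 7 * week                     # 2016-03-07 is a Monday
        for i, user in enumerate(peers):
            day = monday + i                      # Mon..Thu, all business days
            proj = "payments" if i % 2 == 0 else "ledger"
            lines.append(f"2016-03-{day:02d}T10:15:00 {user} core read payments {20 + i}")
            lines.append(f"2016-03-{day:02d}T15:30:00 {user} core write {proj} {8 + i}")
            lines.append(f"2016-03-{day:02d}T16:05:00 {user} core read ledger 5")
        # mallory reads modestly each week, at 02:10, from a project nobody writes to
        lines.append(f"2016-03-{monday:02d}T02:10:00 mallory core read legacy-billing 70")
        lines.append(f"2016-03-{monday:02d}T09:30:00 mallory core read payments 50")
        lines.append(f"2016-03-{monday:02d}T23:40:00 mallory core write payments 2")
    return lines


def parse_log(lines):
    events = []
    for line in lines:
        ts, user, team, action, project, files = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, team, action, project, int(files)))
    return events


def is_off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def fixed_threshold_alerts(events, weekly_limit=500):
    """The naive rule: alert when one user reads more than weekly_limit files in a week."""
    weekly = defaultdict(int)
    for e in events:
        if e.action == "read":
            weekly[(e.user, e.ts.isocalendar()[1])] += e.files
    return {user for (user, _), n in weekly.items() if n > weekly_limit}


def user_features(events):
    """Per-user behavioral features over the whole window covered by the events."""
    active = {e.project for e in events if e.action == "write"}   # written by anyone
    weeks = len({e.ts.isocalendar()[1] for e in events})
    by_user, team_of = defaultdict(list), {}
    for e in events:
        by_user[e.user].append(e)
        team_of[e.user] = e.team
    feats = {}
    for user, evs in by_user.items():
        reads = [e for e in evs if e.action == "read"]
        read_files = sum(e.files for e in reads)
        write_files = sum(e.files for e in evs if e.action == "write")
        feats[user] = {
            "team": team_of[user],
            "reads_per_week": read_files / max(weeks, 1),
            "off_hours_ratio": sum(e.files for e in reads if is_off_hours(e.ts)) / max(read_files, 1),
            "inactive_ratio": sum(e.files for e in reads if e.project not in active) / max(read_files, 1),
            "hoard_ratio": read_files / max(write_files, 1),   # taken vs. contributed back
        }
    return feats


def peer_baseline_alerts(feats, z_threshold=3.0):
    """Flag users whose features sit far above the median of their own team (robust z-score)."""
    by_team = defaultdict(list)
    for user, f in feats.items():
        by_team[f["team"]].append(user)
    alerts = {}
    for users in by_team.values():
        for name in FEATURES:
            vals = [feats[u][name] for u in users]
            med = median(vals)
            mad = median(abs(v - med) for v in vals)
            scale = max(1.4826 * mad, MIN_SCALE)       # 1.4826 makes MAD comparable to sigma
            for u in users:
                z = (feats[u][name] - med) / scale
                if z > z_threshold:                    # only "more than peers" is suspicious
                    alerts.setdefault(u, {})[name] = round(z, 1)
    return alerts


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("fixed threshold (500 files/week):", fixed_threshold_alerts(evs) or "no alerts")
    print("peer baseline:", peer_baseline_alerts(user_features(evs)))
```

With the constructed log, the 500-files-per-week rule never fires: mallory takes only 120 files a week. Against the team baseline, mallory is flagged on every feature (volume, off-hours share, reads from the never-written legacy-billing project, and a read-to-write ratio an order of magnitude above peers), while the four peers stay unflagged. The output also carries the context the article asks for: which feature tripped and by how much, rather than a bare file count.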
Your corporate assets are at risk, and every day without action raises the odds that your IP is already leaking. Here are six steps toward better data security:
- Identify the most important IP in your organization and decide which groups and/or individuals should have access to it.
- Use multi-factor and/or continuous authentication and fine-grained access control, enforce strong passwords, and apply different levels of security controls based on asset type.
- Encrypt data at rest and in transit.
- Continuously monitor data access and make sure the SCM system produces detailed audit logs that are retained where the users being monitored cannot alter them.
- Implement a security platform that can apply behavioral analytics models to audit logs and quickly identify high-risk anomalous data access.
- Integrate your SIEM and other log data with a flexible security platform that can provide detailed context-rich actionable data to identify high-risk threats to your most important projects and files.