Catching Attacks From The Inside Means Crunching More Data

Mining access logs and identity stores can provide a good picture of what's going on inside the firewall, including suspicious insider activity
Whether by mandate or mission, companies have increasingly focused on creating better systems for managing the identities and access rights of their employees. Such systems can be a goldmine of information on security events that may indicate that an attack is underway.

But it's not easy. Luck and a sharp eye caught the malicious code left behind by Rajendrasinh Makwana, the contractor convicted of attempting to delete data at Fannie Mae in 2008, after the company fired him. Yet, both technology and processes failed to catch Societe Generale's Jerome Kerviel, who used other traders' accounts to evade the safety measures put in place by the trading house, resulting in a $7 billion loss.

"To truly understand whether things are happening that shouldn't happen, you need to bring together a lot of pieces of data," says Chris Zannetos, CEO of Courion, an identity and access management provider. "It's like what Moneyball did for baseball. When you start mining the data, you start to see things that you would not otherwise see."

Finding suspicious access attempts in a sea of legitimate business operations, while minimizing false positives, requires that a company dive into the data and correlate five attributes of each event: who is doing it, what their access rights are, the sensitivity of the resource being accessed, the company's policy, and what operations the user is attempting. Three of the five metrics--identity, access and policy--are the basis for identity and access management systems, making log data created by the IAM technology an invaluable resource.

While companies would like simple access-management metrics that correlate with malicious behavior, signs of a compromise are rarely so obvious, says Jonathan Sander, director of product strategy for Quest Software, an enterprise software maker which is now part of Dell.

"There are some activities that are universally bad," Sander says. "If you have an administrator that is deleting log entries, that is bad. But most of the time, what is unacceptable is dependent on the industry and their policies."

The first place to focus are on those workers who have the ability to do the most damage: the administrators. The logs of the IT administrator activities should be reviewed by someone who is not an IT administrator but who has a security role. If the company does not have a chief security officer, then whoever has responsibility for the security of the business should review administrator activities and question any log entry that looks suspicious, advises Sander

"Anything you do not understand at first glance, they should have to explain," he says. "If it seems fishy, then push the issue."

[A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely. See Watch The Watchers: 'Trusted' Employees Can Do Damage.]

In many companies, business executives are hesitant to challenge IT administrators. While other users and employees are expected to follow policy, many administrators can easily skirt the rules. Nearly six in 10 companies monitor privileged accounts, but more than half of privileged users believe they can bypass the monitoring, according to the 2012 Cyber-Ark Trust, Security & Passwords survey.

"Organizations have started to get better at controlling the insiders that are not the administrators, or at least they have a plan to do it," says Quest's Sander. "A lot of times the administrators are going unchecked, so that is a problem that deserves more attention right now."

In addition, companies need to prevent privileged users from sharing their account credentials. Many firms have a single superuser account for multiple administrators, but sharing increases risk and limits how accountable an administrator can be held for the misuse of a server or other corporate resource.

By tracking each individual privileged user and monitoring high-impact corporate resources, companies will have a better chance of detecting attacks, when they come.

"You are replacing a bad system with a secure system, and allowing thereby tracking of individuals and their actions, and that alone puts you in a much, much better position," Sander says. "It raises the bar of what somebody would have to do to abuse those privileges very, very high."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Editors' Choice
Evan Schuman, Contributing Writer, Dark Reading
Tara Seals, Managing Editor, News, Dark Reading
Jeffrey Schwartz, Contributing Writer, Dark Reading