Bringing together groups of employees in a company with internal intelligence can help detect rogue insiders earlier, experts say

Dark Reading Staff, Dark Reading

December 13, 2011

4 Min Read

In September, U.S. prosecutors indicted 48-year-old Chunlai Yang, a naturalized Chinese-American citizen, on charges of stealing software code and other trade secrets from his employer, trading-software firm CME Group. U.S. authorities arrested Yang a few days before he allegedly planned to leave the United States and form a company based on the stolen technology.

The incident (PDF) demonstrates many of the attributes of an insider attack. Almost two-thirds of employees that commit insider theft have already accepted a position at another company or are planning to start their own firm, according to a survey of recent insider cases released last week by security firm Symantec. In addition, insiders tend to steal data that they work with every day and to which they have some feeling of entitlement, with three-quarters of incidents involving data to which the insider had access.

"The entitled disgruntled thief has a belief that they own the data, even though the company is paying them," says Harley V. Stock, a forensic psychologist and a co-author of the report. "They have a perception of injustice that the company has not been treating them well."

In 2010, the leak of a large cache of diplomatic memos from the U.S. Department of State through Wikileaks captured the attention of governments and companies, and shined a light on the problems of insider attacks. Now, studies of the issue might suggest better ways of tackling the prevention of insider theft and attacks.

[ Companies and universities look for specific algorithms that will help identify malicious insiders. See Analyzing Data To Pinpoint Rogue Insiders. ]

In reviewing the cases, the Symantec study found that a profile emerged of the typical intellectual-property thief. They are male with an average age of 37 years and occupy a technical position, such as scientist, engineer, programmer or sales, the study found. Trade secrets are the most common type of intellectual property stolen, accounting for about 52 percent of cases, while administrative data was taken in 30 percent of the cases and source code in 20 percent of the thefts.

Defending against insider attacks is not straightforward. In the vast majority of cases, the insider steal information that they were authorized to access, making purely technical solutions ineffective. The two authors of the Symantec study -- Stock and forensic psychologist Eric Shaw -- believe that companies should educate their workers around the corporate intellectual-property policies and recommend that companies create a team of cross-disciplinary workers similar to the teams formed to detect signs of and prevent workplace violence.

"We are advocating that these teams also start dealing with the insider threat," Stock says. "They are advanced in understanding worker behavior, acting as a team and rapidly coming to an analysis, if there is a problem."

A second study released this week confirms many of the facets of the insider problem, but focuses on a different solution for detecting and mitigating attacks by a company's own workers.

The study, conducted by the Ponemon Institute on behalf of Hewlett-Packard, found that technical and privileged users regularly access information beyond their responsibilities with little technical oversight. More than 60 percent of privileged users -- typically system and database administrators -- had accessed sensitive or confidential data to satisfy their curiosity. More than 40 percent of privileged users can bypass IT security, if the restriction prevent them from delivering services.

"In general, a lot of the respondents admitted that they were not using a technology-based solution for govern access," says Larry Ponemon, founder and chairman of the Ponemon Institute. That's a problem, he says, because "the combination of more data, more application, and more people has made the issue of user access a mushrooming problem."

A good understanding of who is accessing what is lacking in most companies, Ponemon says. More than 40 percent of companies do not have a unified view of how privileged users access data and systems across the business, according to the Ponemon study. It's a key weakness in dealing with insider attacks.

Companies are setting controls and then not monitoring the security of the overall systems, says Tom Reilly, vice president and general manager for HP's enterprise security group.

"Our approach is a security intelligence platform, which focuses on how controls are working, who is actually using the access rights," Reilly says. "You pay particular attention to sensitive data and sensitive systems."

The researchers behind the Symantec study, Stock and Shaw, agree that companies need better intelligence to detect the potentially subtle changes in behavior that could presage an insider going rogue.

"One of the things that we try to make a point of is that companies should analyze monitoring data for changes in behavior," says Stock. "Yet most companies do not have the tools to detect such changes."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

2011

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights