WSTA Seminar:
Insider Threat Detection and Response

At the Wall Street Technology Association seminar on threat management, one speaker spoke about that most insidious of threats and said that technology can help you thwart it.

by Alex Goldman ISP-Planet Managing Editor [February 21, 2008]

The Wall Street Technology Association (WSTA) on Threat Management and Information Security featured many speakers. One talked about a threat that affects businesses of all sizes.

Brian Contos, CEO of Cupertino, Calif.-based security vendor ArcSight (IPO planned for later this year) pointed out that the insider threat is very different from most of the security issues administrators work to prevent.

"The insider is not James Bond; the insider is low tech," said Contos. "The insider will copy data to their iPod, e-mail it out to Gmail or Yahoo. Often, this activity is careless, not malicious. A key employee will leave a laptop on a plane and it's gone."

Of course, those who do undertake malicious activity will do so for alarmingly low fees. "How much do you think secrets, secrets that involved assets destroyed and loss of life, cost? $5,000."

You cannot tell a malicious insider just by their appearance. "It's not the SAM (Socially Awkward Male). And when you catch them, it can be tough to tell the difference between a malicious act and a mistake."

You catch insider threats by looking for unusual behavior. The Dupont data thief was caught when administrators realized he had downloaded an unusual amount of information ($400 million worth, Dupont claims).

ArcSight specializes in correlating data from many sources. For example, an employee has a name, possibly a badge number, and also a network ID. "We call correlating the network ID, firewall, and device information '3D correlation,'" said Contos. "We're looking for a role violation, such as an administrator accessing financial records. We use data from many sources now, including Exchange, printers, SAP, Oracle, and, where available, video."

Misused privileges are an important clue, but it's also important to be able to see more basic rule violations. "It's suspicious if Lisa's IP address is using Tina's ID," said Contos. "ID management is as disliked as PKI and enterprise DRM, but it will eventually be adopted."

When catching one thief
When you catch a malicious insider, Contos observed, you immediately ask three questions:

1. What else are they doing?
   
   
2. Who else is involved?
   
   
3. How long have they been doing it?

If this issue concerns you, implement awareness programs through the HR department. Make sure all executives receive training.

"Malicious insiders usually work in groups," Contos said. People can be making as little as a few hundred dollars each month off of malicious activity, "but it seems to work for them" until they get caught.

— End