While reading an article about the recent insider data breach at Morgan Stanley, one particular quote stuck with me: “There is one thing that stood out in this case – that nothing stands out”.
The sticking point for me is that nobody wakes up one morning and declares, ‘TODAY is the day that I will maliciously leak corporate data’. Just because nothing stands out doesn’t mean that there weren’t some indicators that could have predicted, or at least identified, a potential insider threat. The challenge is that today’s conventional security methodologies and products are not designed or optimized to effectively surface these indicators.
So how can these types of insider data breaches be prevented? Being able to accurately identify the sensitivity of corporate documents so that the proper controls can be enforced is a good start. However, in the case of Morgan Stanley, the employee in question was probably a privileged user with legitimate access to the data. Identifying potential insider threats must go beyond access control rights. Enter the notion of Big Data Security Analytics, with a specific focus on Behavioral Analytics.
Big data is not a new term or concept. What is new is how organizations are learning to leverage big data so that relevant details can be extracted and analyzed. By analyzing data inputs from across the organization (application usage, system access, web server logs, etc.), a 'normal' behavioral pattern can be established for each user. Deviations from that pattern can serve as an 'early warning detection system' that points corporate security groups at specific users. Because each user is compared against their own learned baseline rather than a fixed rule, even changes in usage patterns that build up over a long period of time do not go unnoticed.
With behavioral analytics, a threat index value can be associated with every employee and computed from many factors. As usage patterns change, the index rises or falls according to both the nature of the change and its frequency. A threat index is useful to the security watchdogs reading it, but the true value is obtained when downstream systems can programmatically respond to changes in the score. In this way, an ecosystem is formed which can dynamically change application or system user privileges. Since a privileged user's legitimate work can also produce a spike, the automated responses should be graduated (step-up authentication or extra logging before any revocation) so that a single noisy day does not lock out a legitimate employee.
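To make the baseline-plus-threat-index idea above concrete, here is an added example in Python. It is not code from the original post or from any product; the log format, feature names, scoring weights, thresholds and the sample data are all assumptions made for illustration. It learns a per-user baseline from the first seven days of constructed daily counts, scores later days by how far each feature strays from that baseline, weights the nature of the change (off-hours activity counts more than raw volume), compounds repeated anomalies, lets quiet days decay the score, and maps the bounded index to a graduated downstream action.

```python
"""Behavioral baseline and threat index over constructed access logs.

Added example, not code from the original post. The log format, feature
names, weights and thresholds below are assumptions made for illustration.
"""
from statistics import mean, pstdev

# Constructed daily per-user counts, as a SIEM would aggregate them from raw
# logs: day,user,downloads,off_hours_logins. Not real data.
LOG_LINES = """\
1,alice,9,0
2,alice,11,0
3,alice,9,0
4,alice,11,0
5,alice,9,0
6,alice,11,0
7,alice,10,0
8,alice,10,0
9,alice,14,1
10,alice,22,2
11,alice,35,3
12,alice,60,4
1,bob,40,1
2,bob,38,0
3,bob,45,1
4,bob,41,0
5,bob,39,1
6,bob,44,0
7,bob,42,1
8,bob,43,0
9,bob,47,1
10,bob,41,1
11,bob,44,0
12,bob,46,1
"""

FEATURES = ("downloads", "off_hours_logins")
WEIGHTS = {"downloads": 1.0, "off_hours_logins": 2.5}  # nature of the change
BASELINE_DAYS = 7   # days used to learn "normal" for each user (assumed)
Z_THRESHOLD = 2.0   # deviations beyond this count as anomalous (assumed)
STD_FLOOR = 1.0     # avoids division by zero on features that never varied
DECAY = 5.0         # index points shed per quiet day (assumed)
INDEX_MAX = 100.0


def parse_lines(text):
    """Return {user: [(day, {feature: value}), ...]} sorted by day."""
    records = {}
    for line in text.strip().splitlines():
        day, user, downloads, off_hours = line.split(",")
        feats = {"downloads": int(downloads), "off_hours_logins": int(off_hours)}
        records.setdefault(user, []).append((int(day), feats))
    for rows in records.values():
        rows.sort(key=lambda r: r[0])
    return records


def baseline(rows):
    """Per-feature (mean, floored std) over the first BASELINE_DAYS rows."""
    window = [feats for _, feats in rows[:BASELINE_DAYS]]
    stats = {}
    for f in FEATURES:
        values = [w[f] for w in window]
        stats[f] = (mean(values), max(pstdev(values), STD_FLOOR))
    return stats


def recommend(index):
    """Graduated downstream action for an index value (thresholds assumed)."""
    if index >= 70:
        return "revoke_bulk_export"
    if index >= 40:
        return "require_step_up_auth"
    return "none"


def score_user(rows):
    """Walk the post-baseline days and return [(day, index, action), ...].

    The increment grows with how far a feature strays past Z_THRESHOLD, the
    feature's weight, and the run of consecutive anomalous days (frequency);
    a quiet day decays the index instead. The index stays within 0..INDEX_MAX.
    """
    stats = baseline(rows)
    index, streak, history = 0.0, 0, []
    for day, feats in rows[BASELINE_DAYS:]:
        delta = 0.0
        for f in FEATURES:
            mu, sigma = stats[f]
            z = (feats[f] - mu) / sigma
            if z > Z_THRESHOLD:
                delta += WEIGHTS[f] * (z - Z_THRESHOLD)
        if delta > 0:
            streak += 1
            index = min(INDEX_MAX, index + delta * (1 + 0.5 * (streak - 1)))
        else:
            streak = 0
            index = max(0.0, index - DECAY)
        history.append((day, round(index, 1), recommend(index)))
    return history


def score_all(text=LOG_LINES):
    """Score every user found in the log text."""
    return {user: score_user(rows) for user, rows in parse_lines(text).items()}


if __name__ == "__main__":
    for user, hist in score_all().items():
        for day, index, action in hist:
            print(f"day {day:>2} {user:<6} index={index:>5} action={action}")
```

Run as-is, alice's index climbs from 0 through 17 to 68 (step-up authentication) and then saturates at 100 (bulk export revoked) as her downloads and off-hours logins keep growing over four days, while bob's one slightly-high day adds a fraction of a point that the next quiet day decays back to zero. Two design points are worth noting: alice's off-hours feature has zero variance in her baseline, so without the floor on the standard deviation the first off-hours login would divide by zero, and the graduated actions mean a single anomalous day never jumps straight to revocation. In a real deployment the daily counts would come from the application, system-access and web-server logs the post lists, and the weights and thresholds would be tuned against historical data rather than assumed.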
If organizations don’t evolve to leverage big data and concepts like behavioral analytics, we’ll be reading a lot more articles that speak to how, “nothing stood out”.