Vulnerabilities in Many Forms
Vulnerabilities are from many sources. One familiar source of these issues occurs with the output from scan reports listing items needing to be reviewed. Another source of constant issues for the Admins and CISOs are the users. This source is generally unintentional (clicking on links, files, etc. from emails). At times this detrimental activity may be intentional and directed. Within the last six months there has been two cases of persons intentionally stealing confidential information. One of these latest cases was with Harold Thomas Martin III liberating this information while working with the NSA hacking group.
With the use of technology, the business can plan and harden the system (e.g. removing the USB functionality) to the point where it is almost being not in a workable condition, and the deviants will find a way to exfiltrate the data. As long as people will build a better mousetrap, the mice will find a work-around. This aspect of the industry is what is driving the constant change, new vulnerabilities, and new attacks.
The focus has shifted from a defensive posture of working to limiting access to a more analytic stance. This has taken the form of monitoring user accounts and behavior. Analyzing this with data analytic tools is by far the more prudent route in comparison to attempting to monitor all of the apps, endpoints, and devices on a granular level.
This is optimal not only for the insider threat but also for the user with compromised credentials. The same methodology used to monitor user activity may also be applied for this. Any usual activity, such as odd login times, mass number of emails to other users with the same message, or data being access would flag the account.
With any medium and larger sized business, there will be a large amount of data to analyze. Not using data analytics and machine learning for the analysis and to remove the noise would prove to be problematic, time consuming, and a non-economical method to monitor for insider threats. A tool that has proved useful for this has been Gurucul’s Risk Analytics. This in particular meshes the analytics and machine learning to generate a baseline. This may be compared to present activities for anomalous behavior indicative of the compromised credentials or an insider acting inappropriately.
Although this continues to be an issue, there are methods to monitor and track the user’s activities. This is merely another step to be applied to secure the enterprise.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.