Can Machine Learning Defeat Malicious Insider Threat?

Machine learning models and techniques are showing a lot of promise, and the specific area of user behavior is particularly interesting for the problem of Insider Threat.

By Fergal Toomey, November 7, 2018

Last month the US Securities and Exchange Commission announced that it had fined broker-dealer Voya Financial Advisors $1M for failing to adequately protect customer data from hackers. Voya had fallen victim to a classic social engineering attack, in which hackers posing as legitimate contractors phoned the firm’s IT department asking for their login credentials to be reset. Some of the bogus reset requests were successful, allowing the attackers through the gate and into the firm’s internal systems.

Now, it has to be said based on the SEC case documents that Voya appears to be no cybersecurity slouch and has systems and policies in place to detect and deal with these types of incidents. Indeed, in this case the attack was detected within hours. But the complexity of IT systems, and a lack of visibility into all of the hackers’ activities, meant it took a couple of days to completely shut them out. This gave them the time they needed to steal valuable confidential customer information. (Fortunately, no customer funds are believed to have been compromised due to this incident.)

The Voya case highlights the importance of ‘Insider Threat’ as one of the principal cybersecurity risks that organizations face today. Malicious Insider Threat refers to incidents where attackers bypass perimeter defenses using legitimate user credentials. Such incidents can involve disgruntled current/former employees using their own authorized user accounts, but more often involve outsiders using credentials that have been stolen. Employee carelessness, whereby an employee may inadvertently access and share something they shouldn’t have, also increasingly falls into this category as data privacy concerns increase.

Social engineering, phishing, credential stuffing - all are ways to obtain functioning user account credentials that an attacker shouldn’t have. Insider Threat now accounts for more than 80% of serious cybersecurity incidents (Verizon Data Breach Incident Report 2017), and is inherently difficult to combat because new barriers erected against it generally become additional burdens for legitimate users as well.

How can we manage situations where we can’t be certain that users really are who they say they are (or aren’t displaying malicious intentions) even when they present valid credentials? The answer is that we need to take a tip from the physical world of secure facility management. If you walk up to any secure data center in the world today, you will of course be asked to present evidence of identity and authorization before you can gain entry. But inside the facility, you will also notice that there are video cameras on every corridor and between each row of equipment racks. Even after you have gained admittance, security is still watching you.

If continuous monitoring is appropriate for people who have physical access to IT systems then it also makes sense for users who have gained virtual admittance to the same infrastructure. The challenge of course is that the virtual world is much less orderly and more dynamic than the interior of a well-managed data center or other sensitive facility. To really understand what a user is doing within our systems we need visibility into multiple facets of their activities: What systems are they accessing, and from where? What privilege levels do they have? Who are they calling on our VoIP system? From which files and database tables are they downloading information? Which domains are they visiting, internal or external? What does threat intelligence say about those domains?

Information that can answer these questions is typically spread across multiple systems with no easy way to find it all or bring it all together. Fortunately there is one data source that contains information on a large cross-section of user activity, and that is the network. Meaningful user activity always crosses the network at some point. Technologies such as Corvil can see files, URLs, database tables, VoIP calls, etc. in network traffic, and link them with user account details, thereby providing a picture of user behavior to rival the one that data center facility security can see on their video screens.

In the physical world, video surveillance is of course moving on from simply throwing images onto screens. Human operators do not have the attention span required to continuously monitor hundreds of video streams, or to review thousands of hours of recorded video. These scaling limitations are overcome nowadays by facial recognition and by applying machine learning to automatically recognize risky circumstances and individuals that warrant attention.

The same reasoning naturally applies to network visibility. Being able to see what users are doing is a sine qua non for incident detection and investigation, but operators will need assistance to continuously monitor behavior, detect risky activities, and search through recorded results. Fortunately, machine learning models and techniques are currently showing a lot of promise at helping to manage these tasks. Applications of machine learning to the general problem of threat detection have been around for some time, but the specific area of user behavior is particularly interesting for the problem of Insider Threat. Example applications will include automatically recognizing which user is active on a given device from their network activity, and continuously verifying that behavior is consistent with learned past patterns for a given identity.

Armed with these techniques, network visibility solutions will be able not only to link a user’s presented identity to that user’s network activity, but also to establish a link in the opposite direction: from a trace of network activity to the actual user identity who generated it. Broader and more intelligent visibility into the activity of user accounts and the real identities behind them will hopefully help firms like Voya to shut down Insider Threat attacks more quickly, and before real damage is done.
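The two directions described above (checking a session against the learned pattern for its claimed identity, and attributing a trace of activity to the identity that best explains it) can be sketched as follows. This is an added example, not Corvil's method or code from the original article: it substitutes a simple Laplace-smoothed frequency model, and the user names, activity features and the `margin` threshold are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: (user, activity feature extracted from network traffic).
HISTORY = [
    ("alice", "db:customers"), ("alice", "db:customers"),
    ("alice", "url:crm.internal"), ("alice", "voip:ext-2001"),
    ("bob", "url:git.internal"), ("bob", "url:git.internal"),
    ("bob", "file:/eng/build.tar"), ("bob", "db:builds"),
]

def train(history):
    """Learn a per-identity frequency profile of observed activity features."""
    profiles = defaultdict(Counter)
    for user, feature in history:
        profiles[user][feature] += 1
    return dict(profiles)

def avg_loglik(profile, session, vocab, alpha=1.0):
    """Mean Laplace-smoothed log-probability of a session under one profile."""
    if not session:
        return 0.0
    # One extra slot so never-before-seen features get non-zero probability.
    total = sum(profile.values()) + alpha * (len(vocab) + 1)
    return sum(math.log((profile[f] + alpha) / total) for f in session) / len(session)

def score_all(profiles, session):
    """Score the session against every learned identity."""
    vocab = {f for p in profiles.values() for f in p}
    return {u: avg_loglik(p, session, vocab) for u, p in profiles.items()}

def attribute(profiles, session):
    """Activity -> identity: which learned profile best explains the trace."""
    scores = score_all(profiles, session)
    return max(scores, key=scores.get)

def verify(profiles, claimed_user, session, margin=0.5):
    """Identity -> activity: False when another profile explains the session
    better than the claimed one by more than `margin` nats per event."""
    scores = score_all(profiles, session)
    return max(scores.values()) - scores[claimed_user] <= margin
```

A session that fails `verify` for its presented credentials is a candidate for analyst review rather than proof of compromise; a real deployment would need far more history per identity and features weighted by sensitivity.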


Fergal Toomey, Co-Founder & Chief Scientist, Corvil