Catching Attacks From The Inside Means Crunching More Data

Mining access logs and identity stores can provide a good picture of whats going on inside the firewall, including suspicious insider activity

Whether by mandate or mission, companies have increasingly focused on creating better systems for managing the identities and access rights of their employees. Such systems can be a goldmine of information on security events that may indicate that an attack is underway.
But its not easy. Luck and a sharp eye caught
the malicious code
left behind by Rajendrasinh Makwana, the contractor convicted of attempting to delete data at Fannie Mae in 2008, after the company fired him. Yet, both technology and processes failed to catch Societe Generales Jerome Kerviel, who used other traders accounts to
evade the safety measures
put in place by the trading house, resulting in a $7 billion loss.
To truly understand whether things are happening that shouldnt happen, you need to bring together a lot of pieces of data, says Chris Zannetos, CEO of Courion, an identity and access management provider. Its like what Moneyball did for baseball. When you start mining the data, you start to see things that you would not otherwise see.
Finding suspicious access attempts in a sea of legitimate business operations, while minimizing false positives, requires that a company dive into the data and correlate five attributes of each event: who is doing it, what their access rights are, the sensitivity of the resource being accessed, the companys policy, and what operations the user is attempting. Three of the five metrics--identity, access and policy--are the basis for identity and access management systems, making log data created by the IAM technology an invaluable resource.
While companies would like simple access-management metrics that correlate with malicious behavior, signs of a compromise are rarely so obvious, says Jonathan Sander, director of product strategy for Quest Software, an enterprise software maker which is now part of Dell.
There are some activities that are universally bad, Sander says. If you have an administrator that is deleting log entries, that is bad. But most of the time, what is unacceptable is dependent on the industry and their policies.
The first place to focus are on those workers who have the ability to do the most damage: the administrators. The logs of the IT administrator activities should be reviewed by someone who is not an IT administrator but who has a security role. If the company does not have a chief security officer, then whoever has responsibility for the security of the business should review administrator activities and question any log entry that looks suspicious, advises Sander
Anything you do not understand at first glance, they should have to explain, he says. If it seems fishy, then push the issue.
[A study of insider attacks within financial firms offers lessons to other companies: identify important data, limit access, and scrutinize trusted users most closely. See
Watch The Watchers: Trusted Employees Can Do Damage
.]
In many companies, business executives are hesitant to challenge IT administrators. While other users and employees are expected to follow policy, many administrators can easily skirt the rules. Nearly six in 10 companies monitor privileged accounts, but more than half of privileged users believe they can bypass the monitoring, according to the 2012 Cyber-Ark Trust, Security & Passwords survey.
Organizations have started to get better at controlling the insiders that are not the administrators, or at least they have a plan to do it, says Quests Sander. A lot of times the administrators are going unchecked, so that is a problem that deserves more attention right now.
In addition, companies need to prevent privileged users from sharing their account credentials. Many firms have a single superuser account for multiple administrators, but sharing increases risk and limits how accountable an administrator can be held for the misuse of a server or other corporate resource.
By tracking each individual privileged user and monitoring high-impact corporate resources, companies will have a better chance of detecting attacks, when they come.
You are replacing a bad system with a secure system, and allowing thereby tracking of individuals and their actions, and that alone puts you in a much, much better position, Sander says. It raises the bar of what somebody would have to do to abuse those privileges very, very high.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Catching Attacks From The Inside Means Crunching More Data