The adversary is using your workforce against you

Reluctant to monitor your employees? What about their accounts?

You’re one of the lucky ones. You’ve built an organization made entirely of people you trust and have come to rely on. Not many can make that claim, but you don’t have to worry about one of your own stealing from you. Installing a system to monitor your employees would be a betrayal of that trust, and it won’t be on your agenda anytime soon.

In reality, you’re not doing yourself or your employees any favors. You are, in fact, inviting disaster in.

A lot has been made of the insider threat over the last couple of years. Malicious insider attacks of theft, fraud and IT sabotage are on the rise, and an attack that originates inside the perimeter costs more on average than one that does not. But that only tells part of the story, because valid insider credentials are also how outside attackers breach our networks.

A quick analysis of the numbers behind the 2015 Verizon Data Breach Investigations Report shows that over 90% of all data breaches involved the use of valid network credentials. That’s right: your employees’ credentials are the keys to the kingdom, handed over with or without their knowledge.


Whether the attack comes from inside or out, valid credentials are still needed to access your resources on the network. An insider doesn’t have to work very hard for them: they are handed a network account on their first day on the job. But if you think the outsider has to work much harder, think again. An experienced attacker has enormous resources at their disposal. The first option is simply to buy stolen credentials on the internet, as happened in the recent Anthem data breach. Then there is the tried-and-true process of guessing simple or unchanged default passwords used by negligent employees, contractors and vendor systems, as in the case at Advocate Health Care. Next come the many forms of social engineering (such as that used against Target), including sophisticated spear-phishing and compromised personal devices like phones and tablets (i.e. BYOD) that your employees connect to the network. It’s asymmetric warfare, and your employees aren’t the ones heavily armed in this fight.

Nor is this likely to change with any amount of training and awareness. After years of press coverage of the dangers, employee click rates on phishing attacks remain high; according to the 2015 Verizon DBIR, 23% of recipients open phishing messages and 11% click on the attachments. And it only takes one to let the attackers in.

As the most prominent avenue used by attackers to enter your network, user accounts need to be continuously monitored for signs of suspicious behavior or misuse, even when the owner of the account is beyond reproach.

Personam ITD would have Saved Sony Millions

Sony, a global tech giant, was brought to its knees this past week by the most devastating type of cyber threat, an “inside job”. Losses weren’t confined to a single division but affected nearly every operating unit of the global brand. Denied access to online systems, the worldwide workforce resorted to pens, paper, landline telephones and fax machines to perform essential duties. As reported by The Verge, the alleged culprits included personnel with physical access to the computer network. More than a denial-of-service outage shrouded in a political statement, this was a heist of monstrous proportions, possibly perpetrated by North Korea in retaliation for the film “The Interview”. At least five unreleased movies from Sony Pictures were stolen and subsequently circulated freely to the public, with over 880,000 downloads in a single day. The damage in terms of lost productivity and revenue is incalculable. Losses, including those from high-profile feature films such as “Fury”, will run to hundreds of millions of dollars against an already teetering balance sheet. This was the last thing Sony could afford, yet the company employed no technology capable of detecting or repelling such an attack.

Sony isn’t alone: the vast majority of companies and government agencies are equally vulnerable to an inside job perpetrated by a rogue employee or another person with inside access. The most advanced firewalls provide little protection against an enemy cloaked as a trusted insider. Defensive measures point outward, assuming attackers will direct their greatest effort against the strongest fortifications. Attackers instead target the weakest layer of security: the trust placed in employees with access to the network. Thieves, activists and foreign spies spear-phish credentials from top-level employees or outright recruit those individuals to their cause. The hacktivist organization Anonymous, for example, deliberately sends members to job interviews to plant them in positions of trust.

Sony’s situation doesn’t need to be the new normal. The insider threat can be stopped, not by defending assets but by profiling behavior. Improved hiring practices, background checks, two-factor authentication, advanced firewalls and log-file analyzers are ineffective at detecting a committed insider. The only real defense is automated behavioral profiling that observes a broad set of features without prejudging any of them and alerts non-parametrically, meaning there are no “set rules” for an insider to discover and work around. This technology is effective, maintains employee privacy, and is available today.

At Personam, our Insider Threat Detector is the most advanced in the world. Our latest appliances are non-intrusive and easily inserted into local networks. These systems have caught insiders engaged in illegal or prohibited behaviors in 100% of their installations, a testament to how common insider threats truly are. Our detectors are sensitive enough to catch the faintest threats yet well-behaved enough to produce few false positives.

If Sony had used Personam’s Insider Threat Detector, this breach could have been prevented. For less than the cost of one hour of outage, Sony could have protected the entire company for years. Current best practices are ineffective at catching real insider threats and give a false sense of security. Companies and government agencies must acknowledge the damage insiders can do and immediately prioritize non-parametric behavioral monitoring technologies that preserve the privacy of each employee’s digital activities while detecting malicious intent.

Too Little, Too Late – Morgan Stanley could have prevented the Data Leak

In a recent article about the Morgan Stanley insider theft case, Gregory Fleming, the president of the wealth management arm said:

“While the situation is disappointing, it is always difficult to prevent harm caused by those willing to steal”

Disappointing? Data on 350,000 clients, the firm’s top 10% of investors, was compromised, and this following a breach that left 76 million households exposed.

Morgan Stanley fired one employee

The fact is, this breach was preventable. Firms like Morgan Stanley are remiss in allowing these to occur, and add to the problem by perpetuating the myth that they cannot be stopped. The minimal approach of repurposing perimeter cyber security solutions does not work. Those perimeter solutions and practices were in place in every one of these insider breaches, including the U.S. government (e.g. Bradley Manning, Edward Snowden), Goldman Sachs, and the multiple Morgan Stanley breaches. Even Sony Entertainment had some intrusion protection in place. Cyber security professionals remain one step behind the criminals in defining events, thresholds, and signatures, and none of these are effective against the insider.

Building behavioral profiles for all employees, managers, and executives using objective criteria is the best, and possibly the only, feasible way to catch the insider. Current approaches that focus the search for malicious insiders on the appropriateness of the web sites someone visits, or on their presumed stability given their marital situation, seem logical but provide little value. Plenty of people get divorced without stealing from their employer or their country.

Rules and thresholds defined by human resource and cybersecurity professionals have proven ineffective at stopping the insider.  Data analytics using unsupervised machine learning on a large, diverse dataset is essential.

Personam catches insiders before damaging exfiltrations. It is designed for the insider threat, both human and machine-based, and has a proven record of identifying illegal, illicit, and inadvertent behaviors that could have led to significant breaches.

The malicious insider can be caught. It is time to take the threat seriously, and time to stop giving firms like Morgan Stanley (and Sony) a pass on their unwillingness to address the fact that they have people on the inside willing to harm their clients, their company, and in some cases our country.

Why the Government Insider Threat Program Will Fail

President Obama has ordered federal employees to monitor the behavioral patterns of coworkers and report suspicious observations to officials.  Under this policy a coworker’s failure to cast suspicion on another coworker could result in penalties that include criminal charges.

Seriously! This is the current policy for preventing the next insider threat, to pit coworker against coworker!

Well…interestingly enough, they are half right. Behavior profiling is the only way to identify an insider threat. Typically these “threats” are clever people who conceal a hidden agenda, often in plain sight. If a trusted insider is careful, as both Bradley Manning and Edward Snowden were, then we shouldn’t expect to catch them in the act of stealing, spying, or exfiltrating. They will do their jobs normally, act normally, and do nothing careless that would arouse suspicion. Of course, that’s just on the surface. There will always be little behaviors these people can’t control that are different from “normal” because, let’s face it, they are different from normal coworkers. Insider threats have a secret agenda and the burden of carrying whatever motivates them to embrace that agenda. They might be good fakers, but at some level they are different, and those differences will manifest in behavior, maybe not in big things, but in little things they do every day. If it were possible to monitor their behaviors with a sensitive enough instrument then, theoretically, we could detect the fact that they are different and isolate “suspicious” differences from “normal” differences.

Of course the experts in the field (behavioral psychologists and security researchers) have no idea what constitutes suspicious behavior. Heck, in any given group of workers we don’t even know what we should consider normal, let alone suspicious. If you typically print 20 pages per week and suddenly have a week where you print 100 pages, is that evidence you are the insider threat, or were you just assigned a big presentation for which lots of copies are needed? If someone sends you a link to a file or website that is unrelated to your normal work, is opening that link or downloading that file evidence you are a threat? Perhaps, but probably 99.999% of the time the answer is no.

Fooled by Randomness

The problem with the Government’s Insider Threat Program is that it asks squishy human beings to be the sensor, the profiler, and the alarm. Suddenly coworkers are jotting down notes when a cubemate takes an unusual number of bathroom breaks. Is she the next Edward Snowden or is she pregnant? It’s left to an individual’s imagination to decide what is “normal” vs. “abnormal”. Naturally, people will inject identity and cultural bias, they will show favor to coworkers they like and disfavor to those they dislike, office politics will weigh in, and people will err when attempting to read suspicion into normal events. Nassim Nicholas Taleb’s great book, “Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets”, illustrates so clearly how human beings are easily fooled into seeing causality when there is only correlation, or into misreading the presence of correlation. Behaviors one might think are clear indicators of suspicion, like printing 100 pages when 20 is the norm, are just part of the everyday “jitter” in the normal behavior of individuals, departments, and organizations.

False Positives

Behavior profiling results in a tremendous number of false positives, i.e. false accusations. The experts don’t know what behaviors to monitor, there is no proper baseline for “normal”, and there is no objective way of discerning whether a novel behavior is threatening or benign. Moreover, because differences and novelty stand out simply because they are different, humans are biased toward labeling them suspicious. Imagine an already clogged government bureaucracy further impeded by a flood of false accusations, each requiring a non-trivial investigation to clear the names of good people. Also imagine that the actual insider threat, the next Bradley Manning or Edward Snowden, doesn’t behave in any of the “obvious” ways that would trigger coworker suspicion; their behavior modalities are subtle and go unnoted, allowing them to go on inflicting damage.

Analytics to the Rescue

The worst thing we could do, far worse than doing nothing, would be what the administration’s policy requires; i.e. use coworkers to monitor each other and report suspicious behavior in a context where underreporting is punishable under the criminal code.  There’s absolutely no way that ends well.

If the goal is to solve the problem and mitigate the insider threat then we need to take the human out of the loop. The correct approach is to use digital sensors to collect a wide array of features that are representative of daily activity in a workforce and then feed such collection streams into an Analytics Process that objectively profiles behavior to separate normal behavior from unusual behavior as well as classifying non-threatening vs. threatening.  This is the best way to identify an insider threat; but not without its own set of problems.

First, the problem of determining “normal” behavior and separating it from “abnormal/anomalous” behavior. On the surface this appears easily done with simple statistical methods, but on deeper reflection it gets much more complicated when dealing with human behaviors. Even when a person does the same job every day, they do it differently each time. There is variation, i.e. “jitter”, in almost every aspect of both human behavior and organizational behavior. For example, is suddenly printing 100 pages when 20 is the norm something we should consider an outlier, or is it fine despite being statistically unusual? We end up needing a technology that can discriminate between “normal anomalies” and “abnormal anomalies”; which, despite the grammatical contradiction, is exactly the challenge.

Second, the problem of false positives.  Because bona fide threats are so rare compared to the number of everyday things people do that are different or unusual, false positives are inevitable. The social system breaks down if we are constantly casting a shadow of suspicion on good workers who express normal everyday behaviors.  This has prevented behavior profiling technology from succeeding in the past. Although researchers have invented various ways to crack the normal vs. anomaly problem, the technologies still produce a flood of false positives that make them impractical and unusable.

Third, the problem of scoring the threat itself.  Even when a behavior has been correctly profiled as “truly unusual”, it might still be ok. Radically unusual behavior is often a good thing, especially if we want a workforce to innovate, adapt, and progress; otherwise we might as well use robots.  It’s no easy task to profile a behavior and determine its potential as a threat. Expert psychologists and security researchers have never found any reliable predictive patterns, there is no “standard model” for a bad actor in a high-trust environment.

Insider Threat Detector (Shameless Plug Time)

At Personam, we have developed, and are currently field testing, the only technology in the world that actually does this in a practical sustainable way, at scale, and in real-time.  We use a common type of cyber-security appliance as a sensor to collect features that are representative of a workforce’s daily activities. That sensor drives real-time streams into a unique Analytics Processor that incorporates advanced profiling and unsupervised machine learning to create behavioral profiles and to identify human (and non-human) actors with truly anomalous behavior. One of our most important secret ingredients is our approach to radically reducing false positives, something that makes this type of technology practical for the first time.  Another secret ingredient is our solution to the problem of profiling behaviors in real-time, at scale, on incredibly large data streams.  The final stage in processing is to analyze the profiling output with a supervised machine learning layer that scores the threat.

Our technology has thus far proven effective at finding insider threats, simulated with AI bots, early in their activity cycle and before they would defect or go public. Unlike previous experiments and prototypes that have been developed by others in this area, ours is a practical and fieldable technology that effectively detects insider threats without clogging the bureaucracy with false positives.


Barriers to Adoption

Anytime an employer considers deploying a technology that collects on the behaviors of its workforce there will be concerns about ethics, privacy, and civil liberties. People don’t like being monitored while they work, particularly if they think a subconscious tic might expose something private or interfere with reputation and career advancement. These are valid concerns that cannot be easily dismissed. Some workforces will be more sensitive than others. For example, people who work in classified environments already expect to be monitored and agree to random search every time they enter a facility; the same isn’t necessarily true for people who work at the insurance company, hospital, brewery, or bank.

We don’t open people’s mail!

Personam developed Insider Threat Detector technology with these concerns in mind. The cyber-based sensor component doesn’t invasively snoop into what people are doing on the computer or the network. We don’t analyze payload data and the contents of private communications remain private.  Our technology doesn’t provide security staff any access to private communications or the ability to eavesdrop.  In fact, it works just as well on encrypted data streams as it does on unencrypted streams.  Our design goal was to be no more intrusive than technologies that are already common in large enterprises.

That leaves false positives. Our technology reduces false positives from a flood to a very manageable trickle, but there will always be some false positives because the science is based on math, not magic. This technology is intended to provide early warning and alert, not to accuse or indict. We don’t label people as threats; we identify suspicious behavior and score the behavior on a threat scale, where the scale is adjusted so that even the highest score is still low. Investigation and forensics are required before anyone can be considered a threat. That said, even this will worry some, so there will be barriers to universally adopting this technology. Regardless of those barriers, however, this is far less intrusive than pitting coworker against coworker under a cloud of universal suspicion, as the current policy does.

Shout Out for a Demo

If you would like a private demonstration of this technology please contact us. We love showing off!


Cyber Security Summit in NYC

Personam drew large crowds to its booth at the Cyber Security Summit in NYC. Companies from industries ranging from Big Pharma and finance to banking and energy all spent time learning about Personam’s insider threat detection solution. Most of the attendees already understood the importance of protecting their organizations from internal threats, but many did not know that an advanced solution was now available. They spoke to Personam representatives and watched live demos in the booth. The Summit proved to be a great one-day event.

The world was awed two years ago when IBM’s Watson defeated Jeopardy! champions Brad Rutter and Ken Jennings. Watson’s brilliant victory reintroduced the potential of machine learning to the public. Ideas flowed, and now this technology is being applied practically in the fields of healthcare, finance and education. Emulating human learning, Watson’s success lies in its ability to formulate hypotheses using models built from training questions and texts.

Three years ago, Army Private First Class Bradley Manning leaked massive amounts of classified information to WikiLeaks and brought to public awareness the significance of data breaches. In response to this and several other highly publicized data breaches, government committees and task forces established recommendations and policies, and invested heavily in cyber technologies to prevent such an event from reoccurring. Surely, we thought, if anyone had the motivation and resources to get a handle on the insider threat problem, it is the government. But, Edward Snowden, who caused the recent NSA breach, has made it painfully obvious how impotent the response was.

Lest we assume this is just a government problem, enormous evidence abounds showing how vulnerable commercial industry is to the insider. We are inundated with a flood of articles describing how malicious insiders have cost private enterprise billions of dollars in lost revenue, so why has no one offered a plausible solution?

The insider threat remains an unmitigated problem for most organizations, not because the technologies do not exist, but rather because the cyber defense industry is still attempting to discover the threat using a rules-based paradigm. Virtually all cyber defense solutions in the market today apply explicit rules, whether they are antivirus programs, firewalls with access control lists, deep packet inspectors, or protocol analyzers. This paradigm is very effective in defending against known malware and network exploits, but fails utterly when confronted with new attacks (i.e. “zero-days”) or the surreptitious insider.

In contrast, acknowledging that it was impossible to build a winning system that relied on enumerating all possible questions, IBM designed Watson to generalize and learn patterns from previous questions and use these models to hypothesize answers to novel questions. The hypothesis with the highest confidence was selected as the answer.

Like Watson, an effective technology for detecting the insider must adaptively learn historical network patterns and then use those patterns to automatically discover anomalous activity. Such anomalous traffic is often symptomatic of unauthorized data collection and exfiltration.

Inspired by the WikiLeaks incident, Sphere’s R&D team has investigated machine learning algorithms that construct historical models by grouping users by their network fingerprints. As an example, without any rules or specifications, the algorithms learn that bookkeeping applications transmit a distinctive pattern that enables grouping accountants together, and HR professionals are grouped by the recruiting sites they visit. These behavioral models generalize normal activity and can be used as templates to detect outliers. While users commonly generate some outliers, suspicious users deviate significantly from their cohorts, such as the network administrator that accesses the HR department’s personnel records. Like Watson, the models allow the system to form hypotheses.

Applied to cyber security, every time an entity accesses the network the algorithms hypothesize whether the activity conforms to its model. If it does not conform, that activity is labeled an outlier. Because these methods use statistical confidence that dynamically balances internal thresholds across network activities (e.g. sources and destinations, direction and amount of data transferred, times, protocols), they are extremely hard for a malicious insider to outsmart. The mere fact that the system does not reveal its thresholds can have a significant deterrent effect.
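
Both the “normal anomaly” versus “abnormal anomaly” problem raised in the earlier post on the Government’s Insider Threat Program and the cohort-fingerprint approach described here come down to one check: an observation that is unusual for the individual but routine for at least one peer in the same cohort is jitter, while one that is unusual for the individual and for every peer is worth scoring. The Python below is an added illustration of that check written for this page; it is not Personam’s or Sphere’s code and makes no claim about how their analytics actually work. The daily rows (pages printed, megabytes sent out, distinct destinations, reads of an HR file share) are constructed for the example, the feature names, the 3.5 robust-z threshold and the MAD floor are assumptions, and only metadata is used, in keeping with the no-payload design discussed earlier on this page.

```python
"""Cohort-aware anomaly scoring over payload-free daily activity features.

Added example for this page; constructed data, hypothetical feature names and thresholds.
"""
from statistics import median

FEATURES = ("pages_printed", "mb_out", "distinct_dst", "hr_share_reads")
Z_THRESHOLD = 3.5   # robust z beyond which a day is unusual for the person (assumed)
MAD_FLOOR = 1.0     # floor in feature units so near-constant features do not divide by zero
MAD_SCALE = 0.6745  # puts the MAD on the scale of a standard deviation

# Constructed baseline history: (user, cohort, pages_printed, mb_out, distinct_dst, hr_share_reads)
HISTORY = [
    ("alice", "accounting", 20, 50, 30, 0), ("alice", "accounting", 22, 55, 32, 0),
    ("alice", "accounting", 18, 48, 29, 0), ("alice", "accounting", 21, 52, 31, 0),
    ("alice", "accounting", 19, 50, 30, 0),
    ("bob", "accounting", 100, 60, 35, 0), ("bob", "accounting", 95, 58, 34, 0),
    ("bob", "accounting", 110, 62, 36, 0), ("bob", "accounting", 105, 61, 35, 0),
    ("bob", "accounting", 98, 59, 33, 0),
    ("carol", "accounting", 15, 45, 28, 0), ("carol", "accounting", 18, 47, 27, 0),
    ("carol", "accounting", 16, 44, 29, 0), ("carol", "accounting", 17, 46, 28, 0),
    ("carol", "accounting", 15, 45, 28, 0),
    ("dave", "itops", 2, 200, 120, 0), ("dave", "itops", 3, 210, 118, 0),
    ("dave", "itops", 2, 190, 125, 0), ("dave", "itops", 1, 205, 122, 0),
    ("dave", "itops", 2, 200, 119, 0),
    ("erin", "itops", 1, 180, 110, 0), ("erin", "itops", 2, 190, 112, 0),
    ("erin", "itops", 1, 185, 108, 0), ("erin", "itops", 2, 175, 111, 0),
    ("erin", "itops", 1, 180, 110, 0),
]


def baseline(user):
    """Per-feature (median, MAD) for one user: the robust analogue of (mean, stddev)."""
    rows = [r[2:] for r in HISTORY if r[0] == user]
    out = {}
    for name, values in zip(FEATURES, zip(*rows)):
        med = median(values)
        mad = median(abs(v - med) for v in values)
        out[name] = (med, max(mad, MAD_FLOOR))
    return out


def robust_z(value, med_mad):
    """Distance of value from a (median, MAD) baseline in standard-deviation-like units."""
    med, mad = med_mad
    return MAD_SCALE * abs(value - med) / mad


def cohort_peers(user, cohort):
    """Other users in the same cohort (the user is never their own peer)."""
    return sorted({r[0] for r in HISTORY if r[1] == cohort and r[0] != user})


def score_day(user, cohort, day):
    """Score one day of activity for a user.

    A feature is a *normal anomaly* when it is unusual for this user but routine for at
    least one peer in the cohort (Bob prints 100 pages every day, so Alice doing it once
    is jitter). It is an *abnormal anomaly* when it is unusual for the user and for every
    peer (nobody in IT operations reads the HR share). Only abnormal ones raise the score.
    """
    mine = baseline(user)
    peers = [baseline(p) for p in cohort_peers(user, cohort)]
    abnormal, normal = [], []
    for f in FEATURES:
        if robust_z(day[f], mine[f]) <= Z_THRESHOLD:
            continue  # within this person's own routine
        routine_for_a_peer = any(robust_z(day[f], b[f]) <= Z_THRESHOLD for b in peers)
        (normal if routine_for_a_peer else abnormal).append(f)
    return {
        "user": user,
        "score": round(len(abnormal) / len(FEATURES), 2),  # deliberately low-ceilinged
        "abnormal": abnormal,
        "normal_anomalies": normal,
    }


if __name__ == "__main__":
    # Alice prints 100 pages for a presentation; Dave from IT operations reads the HR share 40 times.
    print(score_day("alice", "accounting",
                    {"pages_printed": 100, "mb_out": 51, "distinct_dst": 30, "hr_share_reads": 0}))
    print(score_day("dave", "itops",
                    {"pages_printed": 2, "mb_out": 200, "distinct_dst": 120, "hr_share_reads": 40}))
```

Alice’s 100 pages comes back as a normal anomaly with a score of zero, because Bob’s baseline already covers that volume; Dave’s 40 reads of the HR share are abnormal for him and for Erin, the only other IT operations peer, so that feature alone raises his score. The cohort test is what keeps the print-volume case from becoming the false positive the earlier post warns about; with a very small cohort, as here, a single peer with the same habit is enough to suppress an alert, which is the trade-off to tune.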

A paradigm shift in cyber technologies is happening now. Cyber security professionals agree that preventing data breaches by a malicious insider is a difficult task, and the past suggests that the next major breach will not be detected with existing rules-driven cyber defense solutions. Next-generation cyber security technology developers must seek inspiration from IBM’s Watson and other successful implementations of machine learning before we can hope to prevail against the insider threat.


Wake up! It’s the insider threat you need to worry about



Edward Snowden is the new face of the insider threat, the media even calls him the “Ultimate Insider Threat”.  This is someone who has the highest-level security clearance, endures a background reinvestigation every 5 years, takes a polygraph exam, and still betrays his sacred oath and trust of his employers.
When it comes to asserting workforce trustworthiness, industry and government are both guilty of over-relying on employment pre-screening, background investigations, and oaths.  These are effective to a degree and good first steps but obviously inadequate when it comes to preventing losses and breaches.

Insider threats are detectable because they don’t behave exactly like everyone else.  Maybe on the surface these people appear to be the same as their coworkers, but at some level their behaviors are different.  A sensitive enough instrument can detect such subtle differences in behavior, and if the noise of anomalies can be removed then high-quality actionable alerts can be generated from the “unusual anomalies”.  This is the basis of the Insider Threat Detection technology that has been developed by Personam over the past two years.

The problem isn’t cyber-security, which is focused on the threat of digital attacks against digital assets. This is an industrial security threat, where a person of trust betrays that trust and misuses access to cause deep harm or substitute a third-party agenda. Unlike cyber-attacks, an effective insider might not even use your digital assets as the vehicle for attack or exfiltration; they might steal files from a safe or do other things. However, if a person’s normal behavioral modalities change even slightly, shadows of those changes are often reflected in how they use the computer, so computer activity can yield a behavioral profile for an individual even if the actual threatening behavior is more analog than digital.

By connecting a sensitive behavioral profiling instrument to a network we can construct individual profiles that are accurate enough to perform this type of anomaly detection. Such algorithm-synthesized profiles apply to human and non-human users of a network, giving some cyber-security crossover to this approach in addition to the industrial security focus. However, Insider Threat Detection is not cyber-security, it is industrial security that uses cyber-technology as a sensor.

In our case the goal of this technology is to detect the active insider threat early in the activity cycle. We believe strongly that there is no way to fully prevent insider threats from occurring because no background screening process on Earth will ever accomplish that. To defend against the insider we believe early detection of active threat behaviors is the key to loss prevention.
This is possible thanks to Advanced Data Analytics (Analytics 2.0) techniques which evaluate dozens (or even thousands) of simultaneous feature dimensions on Big Data under a powerful layer of unsupervised machine learning. What makes insider threat detection different from conventional Analytics 2.0 is that it must work on streaming data, in real-time, and at-scale.

At Personam, because we have been so invested in Advanced Data Analytics these past few years, we were able to solve these problems and invented an instrument that does what I describe here.  We use it every day on our networks and it is already installed at beta customers, primarily law offices.

The bottom line is that even the most intense background checks are not good enough, you need to be able to detect insider threats when they become active and before those threats move to Hong Kong.


Tech that finds bad guys (and girls too)

A hotel worker in China entered Frank’s room while he was away at dinner and installed a new type of spyware on his laptop. The spyware traveled home with Frank, waiting to connect to the corporate network. Once behind the firewall the spyware infected hosts, generated link charts of business relationships, harvested intellectual property, and collected information on employees and customers. Occasionally it phoned home, passing data in small chunks that ultimately constituted a treasure trove of secrets for Chinese intelligence. This went on for months without detection because it used very little bandwidth and communicated through drop points at legitimate-looking URLs in the United States. Anti-virus vendors had never seen this custom-made spyware before, so they had no signature for it.
Meanwhile, Cindy has worked for the company for three years, but lately her political views have shifted toward the radical. She is loyal to an organization that operates a fringe website dedicated to spreading propaganda about the type of business the company does. Cindy doesn’t talk politics at work; she keeps her opinions to herself and doesn’t work in critical areas. Cindy’s duties are in mid-level administration and her user accounts grant only limited access to servers, network resources, corporate documents, and production equipment. Despite proper restrictions Cindy has regular access to a lot of data as part of her job, and because other employees are sloppy about network file sharing she may be able to find things she isn’t authorized to access. When Cindy stumbles on something interesting she copies it to a thumb drive. She doesn’t steal a lot in terms of megabytes and she doesn’t spend much time doing it. Cindy is careful: 98% of the time she’s performing her normal work duties; it’s only 2% of her computer use that is about to cost the company millions.
In a company with thousands of retail POS terminals the management has no idea of an ongoing attack against their customers. Recently a new type of custom malware has been circulating that infects these POS terminals.  After infecting a terminal the malware skims credit card numbers and customer identity, phoning home through a sophisticated distributed botnet.  POS terminals are built on aging technology that is almost never updated with security patches and the vendor can’t even tell whether a terminal has been infected let alone do anything about it. How does management even know it has a problem?
Like most insider threat scenarios these have one thing in common, they are difficult to detect while they are happening.
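
Of the three scenarios, Frank’s implant is the one most amenable to a simple illustration, because the behaviour that makes it stealthy (small transfers, a fixed check-in schedule, an innocuous destination) is exactly what stands out in flow metadata even when the payload is encrypted. The Python below is an added example for this page, not Personam’s algorithm; it tests each (source, destination) pair for a regular check-in period using the median and MAD of the gaps between connections, plus a small median transfer size. The flow records, the host names, the `.corp.example` internal suffix, the minimum of eight flows and the jitter and byte thresholds are all constructed or assumed.

```python
"""Beacon (low-and-slow phone-home) detection over payload-free flow metadata.

Added example for this page; constructed flows, hypothetical host names and thresholds.
"""
from collections import defaultdict
from statistics import median

INTERNAL_SUFFIX = ".corp.example"  # assumed internal DNS suffix; internal destinations are skipped

# Constructed check-in schedule: every ~1800 s with a few seconds of jitter (the implant).
BEACON_TS = [0, 1805, 3600, 5410, 7200, 9003, 10800, 12590, 14400, 16210, 18000, 19800]
# Constructed human browsing: bursty, irregular gaps.
BROWSE_TS = [100, 160, 900, 905, 3000, 4200, 4230, 7000, 12000, 12300, 15000, 19500]
# Constructed hourly update check against an internal server (legitimately periodic).
UPDATE_TS = [i * 3600 for i in range(8)]

# Flow records: (epoch_seconds, src_host, dst_host, bytes_out). No payload is needed.
FLOWS = (
    [(t, "ws-frank", "cdn-static-assets.example.net", 700 + (i % 3) * 50) for i, t in enumerate(BEACON_TS)]
    + [(t, "ws-frank", "news.example.com", 50_000 + i * 1_000) for i, t in enumerate(BROWSE_TS)]
    + [(t, "ws-frank", "updates.corp.example", 400) for t in UPDATE_TS]
    + [(t, "ws-cindy", "news.example.com", 30_000) for t in (500, 5_000, 9_000)]
)


def _gaps(timestamps):
    """Sorted inter-arrival gaps between successive connections."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def find_beacons(flows, min_flows=8, max_jitter=0.1, max_median_bytes=2048):
    """Return (src, dst) pairs whose connections recur on a tight schedule with small transfers.

    jitter = MAD(gaps) / median(gaps): 0 means a perfectly regular timer, around 1 means
    human-like irregularity. Pairs with too few flows, or an internal destination, are not
    scored; in practice a known-service allowlist would be needed as well.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        if dst.endswith(INTERNAL_SUFFIX):
            continue
        by_pair[(src, dst)].append((ts, nbytes))

    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_flows:
            continue
        gaps = _gaps(t for t, _ in recs)
        period = median(gaps)
        if period <= 0:
            continue  # duplicate timestamps, nothing periodic to measure
        jitter = median(abs(g - period) for g in gaps) / period
        med_bytes = median(b for _, b in recs)
        if jitter <= max_jitter and med_bytes <= max_median_bytes:
            hits.append({"src": src, "dst": dst, "period_s": period,
                         "jitter": round(jitter, 4), "median_bytes": med_bytes})
    return sorted(hits, key=lambda h: h["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print(hit)
```

Only the ws-frank to cdn-static-assets.example.net pair is reported: a 1800-second period, jitter well under one percent, and a median of 750 bytes per connection. The browsing traffic fails the jitter test and the byte test, Cindy’s three connections are below the flow minimum, and the hourly internal update check is excluded by the suffix rule rather than by its timing. That last point is the false-positive caveat the earlier posts dwell on: update checkers and telemetry agents beacon too, so a regularity test on its own will flag them unless destinations are classified first.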
A lot of people don’t realize we do hard-science R&D at Personam. Almost our entire R&D budget is spent developing profiling technology (not the corrupt southern cop kind of profiling but the good kind). We build algorithms that detect and profile patterns of behavior, which we call “patterns of life”. With this technology we can reliably detect anomalies in data that is noisy and full of “normal anomalies”. Fraud detection and cyber-defense insider threat detection are probably the top two applications for this. Our newest technologies have unique advantages such as being able to detect zero-day attacks and spot malicious activity that hides in plain sight, all in real time.
We have cyber-defense algorithms running today that easily spot the Cindy scenario, which is actually the Bradley Manning scenario from WikiLeaks. These same algorithms also detect the Frank scenario and the POS scenario with ease.
Profiling is a specialty within Data Analytics that’s basically about transforming large uninteresting and mostly indistinguishable data into high-value “patterns of life”.  Combined with unsupervised machine learning we can do some pretty amazing stuff.
I wanted to blog this because it’s cool.  We recently challenged our science guys to solve the insider threat problem and they made spectacular progress!
In particular I think we nail these two scenarios.  Unfortunately, we don’t manufacture appliances, so getting our technology on a network near you is the problem.