Personam ITD Case Study – IP Law Firm


Detecting a conspiracy

PERSONAM detected a conspiracy to steal client data from an overseas office of an international IP law firm. The four employees involved in the activity included one of the senior partners of the firm.





Cutter IT: Data Hacking, No Day at the Breach Article

The Insider Track on Cyber Security

In June 2013, the actions of Edward Snowden set off a firestorm of revelations about the inner workings of one of the US’s most secretive organizations, the National Security Agency (NSA). As the country began debating the spy versus whistleblower status of Mr. Snowden, a second, equally chilling dialogue began: how was one person, a contractor, able to walk so easily out the door of a heavily monitored facility with a treasure trove of secrets?







The adversary is using your workforce against you

Reluctant to monitor your employees? What about their accounts?

You’re one of the lucky ones. You’ve built an organization made entirely of people you trust and have come to rely on. Not many can make that claim, but you don’t have to worry about one of your own stealing from you. Installing a system to monitor your employees would be a betrayal of that trust, and it won’t be on your agenda anytime soon.

In reality, you’re not doing yourself or your employees any favors. You are, in fact, inviting disaster in.

A lot has been made about the insider threat over the last couple of years. There’s been a rise in malicious insider attacks of theft, fraud and IT sabotage, and the cost on average will be higher for an attack originating inside the perimeter. But that only tells part of the story, as we look at how outside attackers are able to breach our networks.

A quick analysis of the numbers behind the 2015 Verizon Data Breach Investigations Report shows that over 90% of all data breaches involved the use of valid network credentials. That’s right: your employees’ credentials are providing the keys to the kingdom, with or without their knowledge.




Whether the attack is coming from inside or out, valid credentials are still needed to access your resources on the network. An insider doesn’t have to work very hard for them: they’re given their network account on their first day on the job. But if you think the outsider has to work much harder, think again. An experienced hacker has enormous resources at their disposal. The first option is to simply buy stolen credentials on the internet, as happened with the recent Anthem data breach. Then there’s the tried-and-true process of guessing simple or unchanged default passwords used by negligent employees, contractors and vendor systems, like the case at Advocate Health Care. Next are the many applications of social engineering (such as that used on Target), including sophisticated spear-phishing attacks and compromised personal devices like phones and tablets (i.e. BYOD) that your employees are connecting to the network. It’s asymmetric warfare, and your employees aren’t the ones heavily armed in this fight.

Nor is this likely to change with any amount of training and awareness. After years of coverage by the press on the dangers, employee click-rate on phishing attacks remains high, according to the 2015 Verizon DBIR: 23% of recipients now open phishing messages and 11% click on the attachments. And it only takes one to let the attackers in.

As the most prominent avenue used by attackers to enter your network, user accounts need to be continuously monitored for signs of suspicious behavior or misuse, even when the owner of the account is beyond reproach.

Personam ITD would have Saved Sony Millions

SONY, a global tech giant, was brought to its knees this past week by the most devastating type of cyber threat, an “inside job”. Losses weren’t confined to a single division but rather affected nearly every operating unit of the global brand. Denied access to online systems, the worldwide workforce resorted to using pens, paper, landline telephones, and fax machines to perform essential duties. As reported by The Verge, the alleged culprits involved personnel with physical access to the computer network. More than a denial of service outage shrouded in a political statement, this was a heist of monstrous proportions, possibly perpetrated by North Korea in retaliation for the film “The Interview”. At least five unreleased movies from Sony Pictures were stolen and subsequently circulated freely to the public, with over 880,000 downloads in just a single day. The damage in terms of lost productivity and revenue is incalculable. Losses, including those from high-profile feature films such as “Fury,” will be hundreds of millions of dollars against an already teetering balance sheet. This was the last thing Sony could afford, yet the company employed no technology capable of detecting or repelling such an attack.


Sony isn’t alone: the vast majority of companies and government agencies are equally vulnerable to an inside job perpetrated by a rogue employee or person with inside access. The most advanced firewalls provide little protection against the enemy cloaked as a trusted insider with access. Defensive measures point outward, assuming attackers will assert their greatest effort against the strongest fortifications. However, attackers target the weakest layer of security, the trust placed in employees with access to the network. Thieves, activists, and foreign spies spear phish credentials from top-level employees or outright recruit those individuals to their cause. The hacktivist organization Anonymous, for example, deliberately inserts members into job interviews to plant those members in positions of trust.

Sony’s situation doesn’t need to be the new normal. The insider threat is preventable, not by defending assets but by employing behavior profiling. Improved hiring practices, background checks, two-factor authentication, advanced firewalls, and log-file analyzers are ineffective at detecting a committed insider. The only real way to defend against the insider threat is to deploy automated behavioral profiling that indiscriminately observes distinct features and employs a non-parametric alerting system, meaning it uses no “set rules” for an insider to discover or bypass. This technology is effective, maintains employee privacy, and is available today.

At Personam, our Insider Threat Detector is the most advanced in the world. Our latest appliances are non-intrusive and easily inserted into local networks. These systems have caught insiders engaged in illegal or prohibited behaviors in 100% of their installations, a testament to how common insider threats truly are. Our detectors are so sensitive that the faintest threats are detected, yet well-behaved enough to produce few false positives.

If Sony had used Personam’s Insider Threat Detector, their current breach could have been prevented. For less than the cost of one hour of outage, Sony could have protected their entire company for years. The current best practices are ineffective at catching real insider threats and give a false sense of security. Companies and government agencies must acknowledge the damage insiders can bring and immediately prioritize non-parametric behavioral monitoring technologies that preserve the privacy of each employee’s digital activities while detecting malicious intent.

Wake up! It’s the insider threat you need to worry about



Edward Snowden is the new face of the insider threat; the media even calls him the “Ultimate Insider Threat”. This is someone who has the highest-level security clearance, endures a background reinvestigation every 5 years, takes a polygraph exam, and still betrays his sacred oath and the trust of his employers.
When it comes to asserting workforce trustworthiness, industry and government are both guilty of over-relying on employment pre-screening, background investigations, and oaths. These are effective to a degree and good first steps but obviously inadequate when it comes to preventing losses and breaches.

Insider threats are detectable because they don’t behave exactly like everyone else.  Maybe on the surface these people appear to be the same as their coworkers, but at some level their behaviors are different.  A sensitive enough instrument can detect such subtle differences in behavior, and if the noise of anomalies can be removed then high-quality actionable alerts can be generated from the “unusual anomalies”.  This is the basis of the Insider Threat Detection technology that has been developed by Personam over the past two years.
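The separation of "normal anomalies" from "unusual anomalies" described above can be sketched as follows. This is an added example, not Personam's algorithm (which the page does not describe); the feature (distinct file shares touched per day), the `alpha` and `peer_fraction` values, and all data are assumptions constructed for illustration.

```python
from bisect import bisect_left

# Constructed sample data: distinct file shares touched per day by each
# account over 20 prior working days. Account names reuse the page's scenarios.
HISTORY = {
    "cindy": [3, 2, 4, 3, 3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 3, 4, 2, 3, 3, 4],
    "frank": [5, 6, 5, 7, 6, 5, 6, 7, 5, 6, 6, 5, 7, 6, 5, 6, 7, 6, 5, 6],
    "dana":  [1, 2, 1, 1, 2, 1, 2, 2, 1, 1, 2, 1, 1, 2, 1, 2, 1, 1, 2, 2],
    "lee":   [8, 9, 8, 10, 9, 8, 9, 10, 8, 9, 9, 8, 10, 9, 8, 9, 10, 9, 8, 9],
}
QUIET_DAY = {"cindy": 9, "frank": 6, "dana": 2, "lee": 9}    # only cindy deviates
AUDIT_DAY = {"cindy": 9, "frank": 12, "dana": 6, "lee": 15}  # everyone deviates


def tail_prob(history, value):
    """Empirical P(X >= value) against one account's own history.

    Rank-based, so no distribution is assumed; the +1 terms keep the
    estimate above zero for values never seen before.
    """
    ordered = sorted(history)
    at_least = len(ordered) - bisect_left(ordered, value)
    return (at_least + 1) / (len(ordered) + 1)


def unusual_anomalies(history, today, alpha=0.05, peer_fraction=0.5):
    """Return accounts whose activity today is rare for that account,
    unless most accounts deviate together (a shared, "normal" anomaly)."""
    rare = [acct for acct, value in today.items()
            if tail_prob(history[acct], value) <= alpha]
    if len(rare) / len(today) > peer_fraction:
        return []  # population-wide shift, e.g. an audit or migration day
    return sorted(rare)


if __name__ == "__main__":
    print("quiet day:", unusual_anomalies(HISTORY, QUIET_DAY))
    print("audit day:", unusual_anomalies(HISTORY, AUDIT_DAY))
```

Suppressing a population-wide spike also hides any account that misbehaves on that same day, so suppressed days are worth reviewing with a second feature rather than discarding.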

The problem isn’t cyber-security, which is focused on the threat of digital attacks against digital assets. This is an industrial security threat, where a person of trust betrays that trust and misuses access to cause deep harm or substitute a third-party agenda. Unlike cyber-attacks, an effective insider might not even use your digital assets as the vehicle for attack or exfiltration; they might steal files from a safe or do other things. However, if a person’s normal behavioral modalities change even slightly, then shadows of those changes are often reflected in how they use the computer. Computer activity can thus yield a behavioral profile for an individual, even if the actual threatening behavior is more analog than digital.

By connecting a sensitive behavioral profiling instrument to a network we can construct individual profiles that are accurate enough to perform this type of anomaly detection. Such algorithm-synthesized profiles apply to human and non-human users of a network, giving some cyber-security crossover to this approach in addition to the industrial security focus. However, Insider Threat Detection is not cyber-security, it is industrial security that uses cyber-technology as a sensor.

In our case the goal of this technology is to detect the active insider threat early in the activity cycle. We believe strongly that there is no way to fully prevent insider threats from occurring because no background screening process on Earth will ever accomplish that. To defend against the insider we believe early detection of active threat behaviors is the key to loss prevention.
This is possible thanks to Advanced Data Analytics (Analytics 2.0) techniques which evaluate dozens (or even thousands) of simultaneous feature dimensions on Big Data under a powerful layer of unsupervised machine learning. What makes insider threat detection different from conventional Analytics 2.0 is that it must work on streaming data, in real-time, and at-scale.

At Personam, because we have been so invested in Advanced Data Analytics these past few years, we were able to solve these problems and invented an instrument that does what I describe here.  We use it every day on our networks and it is already installed at beta customers, primarily law offices.

The bottom line is that even the most intense background checks are not good enough: you need to be able to detect insider threats when they become active and before those threats move to Hong Kong.


Tech that finds bad guys (and girls too)

A hotel worker in China entered Frank’s room while he was away at dinner and installed a new type of spyware on his laptop.  The spyware traveled home with Frank, waiting to connect to the corporate network. Once behind the firewall the spyware infected hosts, generated link charts of business relationships, harvested intellectual property, and collected information on employees and customers.  Occasionally it phoned home, passing data in small chunks that ultimately constitute a treasure trove of secrets to Chinese intelligence.  This went on for months without detection because it used very little bandwidth and communicated through drop points that were legitimate looking URLs in the United States. Anti-virus vendors had never seen this custom-made spyware before so they had no catalog of its signature.
Meanwhile, Cindy has worked for the company for three years but lately her political views have shifted toward the radical. She is loyal to an organization that operates a fringe website dedicated to spreading propaganda about the type of business the company does. Cindy doesn’t talk politics at work; she keeps her opinions to herself and doesn’t work in critical areas. Cindy’s duties are in mid-level administration and her user accounts only grant limited access to servers, network resources, corporate documents, and production equipment. Despite proper restrictions Cindy has regular access to a lot of data as part of her job, and because other employees are sloppy about network file sharing she might be able to find things she isn’t authorized to access. When Cindy stumbles on something interesting she copies it to a thumb drive. She doesn’t steal a lot in terms of megabytes and she doesn’t spend much time doing it. Cindy is careful: 98% of the time she’s performing her normal work duties, and it’s only 2% of her computer use that is about to cost the company millions.
In a company with thousands of retail POS terminals the management has no idea of an ongoing attack against their customers. Recently a new type of custom malware has been circulating that infects these POS terminals.  After infecting a terminal the malware skims credit card numbers and customer identity, phoning home through a sophisticated distributed botnet.  POS terminals are built on aging technology that is almost never updated with security patches and the vendor can’t even tell whether a terminal has been infected let alone do anything about it. How does management even know it has a problem?
Like most insider threat scenarios, these have one thing in common: they are difficult to detect while they are happening.
A lot of people don’t realize we do hard-science R&D at Personam. Almost our entire R&D budget is spent developing profiling technology (not the corrupt southern cop kind of profiling but the good kind). We build algorithms that detect and profile patterns of behavior, which we call “patterns of life”. With this technology we can reliably detect anomalies in data that is noisy and full of “normal anomalies”. Fraud detection and cyber-defense insider threat detection are probably the top two applications for this. Our newest technologies have unique advantages such as being able to detect zero-day attacks and spot malicious activity that hides in plain sight, all in real-time.
We have cyber-defense algorithms running today that easily spot the Cindy scenario, which is actually the Bradley Manning scenario from WikiLeaks. These same algorithms also detect the Frank scenario and the POS scenario with ease.
Profiling is a specialty within Data Analytics that’s basically about transforming large uninteresting and mostly indistinguishable data into high-value “patterns of life”.  Combined with unsupervised machine learning we can do some pretty amazing stuff.
I wanted to blog this because it’s cool.  We recently challenged our science guys to solve the insider threat problem and they made spectacular progress!
In particular I think we nail these two scenarios.  Unfortunately, we don’t manufacture appliances, so getting our technology on a network near you is the problem.


Personam to Brief the House Intelligence Committee on Insider Threat

The staff of the House Permanent Select Committee On Intelligence has invited Chris Kauffman, Personam’s Founder and CEO, to brief them on Personam’s insider threat detection capabilities. In the wake of the high-profile Bradley Manning and Edward Snowden events, and the Presidential Memorandum on National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, the staff is interested in learning how existing practices like background checks and training & awareness programs can be supplemented with advanced technology for the continuous monitoring of the workforce.

About Personam

Personam is the leading innovator using advanced analytics and machine learning to detect insider threat attacks in progress. Personam’s appliance provides passive network monitoring without depending on endpoint software agents or pre-defined event input data. Often installed and operational in less than an hour, Personam continuously monitors the behavior patterns of the users and devices on the network. The moment a threat is detected, analysts in Personam’s monitoring center are notified and aid the client with incident response. Personam’s headquarters and research labs are located in McLean, VA. More information can be found at