
Detect the Threat – How it Works Brief

Detecting active threats on a compromised network is an exceptionally difficult task, and very few organizations have been able to accomplish it. The evidence of this is clear from a single industry statistic: eighty-six percent (86%) of all data breaches go undetected by the breached organization [1]. Insider threats play a significant role in this problem, and traditional cyber security tools can do little to address it.

Tech that finds bad guys (and girls too)

A hotel worker in China entered Frank’s room while he was away at dinner and installed a new type of spyware on his laptop. The spyware traveled home with Frank, waiting to connect to the corporate network. Once behind the firewall, the spyware infected hosts, generated link charts of business relationships, harvested intellectual property, and collected information on employees and customers. Occasionally it phoned home, passing data in small chunks that ultimately constituted a treasure trove of secrets for Chinese intelligence. This went on for months without detection because it used very little bandwidth and communicated through drop points that were legitimate-looking URLs in the United States. Anti-virus vendors had never seen this custom-made spyware before, so they had no signature for it.
Meanwhile, Cindy has worked for the company for three years, but lately her political views have shifted toward the radical. She is loyal to an organization that operates a fringe website dedicated to spreading propaganda about the type of business the company does. Cindy doesn’t talk politics at work; she keeps her opinions to herself and doesn’t work in critical areas. Cindy’s duties are in mid-level administration, and her user accounts grant only limited access to servers, network resources, corporate documents, and production equipment. Despite proper restrictions, Cindy has regular access to a lot of data as part of her job, and because other employees are sloppy about network file sharing she might be able to find things she isn’t authorized to access. When Cindy stumbles on something interesting she copies it to a thumb drive. She doesn’t steal a lot in terms of megabytes, and she doesn’t spend much time doing it. Cindy is careful: 98% of the time she is performing her normal work duties, and it’s only 2% of her computer use that is about to cost the company millions.
In a company with thousands of retail POS terminals, management has no idea that an attack against its customers is under way. Recently a new type of custom malware has been circulating that infects these POS terminals. After infecting a terminal, the malware skims credit card numbers and customer identity data, phoning home through a sophisticated distributed botnet. POS terminals are built on aging technology that is almost never updated with security patches, and the vendor can’t even tell whether a terminal has been infected, let alone do anything about it. How does management even know it has a problem?
Like most insider-threat scenarios, these have one thing in common: they are difficult to detect while they are happening.
A lot of people don’t realize we do hard-science R&D at Personam. Almost our entire R&D budget is spent developing profiling technology (not the corrupt southern-cop kind of profiling, but the good kind). We build algorithms that detect and profile patterns of behavior that we call “patterns of life”. With this technology we can reliably detect anomalies in data that is noisy and full of “normal anomalies”. Fraud detection and cyber-defense insider-threat detection are probably the top two applications for this. Our newest technologies have unique advantages, such as being able to detect zero-day attacks and spot malicious activity that hides in plain sight, all in real time.
We have cyber-defense algorithms running today that easily spot the Cindy scenario, which is actually the Bradley Manning scenario from WikiLeaks. These same algorithms also detect the Frank scenario and the POS scenario with ease.
Profiling is a specialty within Data Analytics that’s basically about transforming large volumes of uninteresting, mostly indistinguishable data into high-value “patterns of life”. Combined with unsupervised machine learning, we can do some pretty amazing stuff.
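As an added illustration of the “normal anomaly” problem described above (example code written for this page, not Personam’s technology), the snippet below builds a baseline of file-share accesses per user and per department from constructed sample events, then scores new accesses: a share the user has never touched but most department peers use scores low (a normal anomaly), while a share outside the whole peer group’s footprint scores high, which is the Cindy pattern. All user names, departments and paths are made up.

```python
from collections import defaultdict

# Constructed sample (not from the post): (user, department, resource) file-share
# accesses recorded during a baseline window of ordinary work.
BASELINE_EVENTS = [
    ("cindy", "admin", r"\\fs1\admin\budgets"),
    ("cindy", "admin", r"\\fs1\admin\hr-forms"),
    ("dave",  "admin", r"\\fs1\admin\budgets"),
    ("dave",  "admin", r"\\fs1\admin\travel"),
    ("erin",  "admin", r"\\fs1\admin\travel"),
    ("erin",  "admin", r"\\fs1\admin\hr-forms"),
    ("frank", "eng",   r"\\fs1\eng\designs"),
    ("frank", "eng",   r"\\fs1\eng\source"),
]

def build_profiles(events):
    """Per-user history plus, per department, which users touched which resource."""
    user_hist = defaultdict(set)                            # user -> resources seen
    dept_users = defaultdict(set)                           # dept -> users in it
    dept_res_users = defaultdict(lambda: defaultdict(set))  # dept -> res -> users
    for user, dept, res in events:
        user_hist[user].add(res)
        dept_users[dept].add(user)
        dept_res_users[dept][res].add(user)
    return {"user": user_hist, "dept": dept_users, "dept_res": dept_res_users}

def score_event(profiles, user, dept, res):
    """0.0 fits the user's pattern of life; 1.0 is novel to the user and every peer."""
    if res in profiles["user"][user]:
        return 0.0                          # routine: already in this user's own history
    peers = profiles["dept"][dept] - {user}
    if not peers:
        return 1.0                          # no peer group to normalise against
    peers_with_access = profiles["dept_res"][dept][res] & peers
    # A first-time access to a share most peers use is a "normal anomaly" (score near 0);
    # a share no peer has ever touched scores 1.0.
    return 1.0 - len(peers_with_access) / len(peers)

def flag_events(profiles, events, threshold=0.5):
    """Return (user, dept, resource, score) for events at or above the threshold."""
    flagged = []
    for user, dept, res in events:
        score = score_event(profiles, user, dept, res)
        if score >= threshold:
            flagged.append((user, dept, res, score))
    return flagged

# A first-time access outside the admin group's footprint is the only one flagged.
ALERTS = flag_events(build_profiles(BASELINE_EVENTS),
                     [("cindy", "admin", r"\\fs1\admin\travel"),
                      ("cindy", "admin", r"\\fs1\eng\designs")])
```

The baseline window and the 0.5 threshold are assumptions; in practice both would be tuned against historical data, and the score would feed a larger behavioural model rather than alert on its own.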
I wanted to blog this because it’s cool.  We recently challenged our science guys to solve the insider threat problem and they made spectacular progress!
Related links:
http://www.infoworld.com/d/security/when-in-china-dont-leave-your-laptop-alone-208168
http://securityledger.com/tantalizing-clues-in-dexter-malware-lead-to-mystery-man-and-zeus/
In particular I think we nail these two scenarios.  Unfortunately, we don’t manufacture appliances, so getting our technology on a network near you is the problem.