Posts

Personam ITD Case Study – IP Law Firm

INSIDER THREAT DETECTION

Detecting a conspiracy

PERSONAM detected a conspiracy to steal client data from an overseas office of an international IP law firm. The four employees involved in the activity included one of the senior partners of the firm.

 

Download the Case Study

Insider Threat Detection Software

 

 

Cutter IT: Data Hacking, No Day at the Breach Article

The Insider Track on Cyber Security

In June 2013, the actions of Edward Snowden set off a firestorm of revelations about the inner workings of one of the US’s most secretive organizations, the National Security Agency (NSA). As the country began debating the spy versus whistleblower status of Mr. Snowden, a second, equally chilling dialogue began: how was one person, a contractor, able to walk so easily out the door of a heavily monitored facility with a treasure trove of secrets?

 

Download the full article

 

CaptureSmall

 

 

The adversary is using your workforce against you

Reluctant to monitor your employees? What about their accounts?

You’re one of the lucky ones. You’ve built an organization made entirely of people you trust and have come to rely on. Not many can make that claim, but you don’t have to worry about one of your own stealing from you. Installing a system to monitor your employees would be a betrayal of that trust, and it won’t be on your agenda anytime soon.

In reality, you’re not doing yourself or your employees any favors. You are, in fact, inviting disaster in.

A lot has been made about the insider threat over the last couple of years. There’s been a rise in malicious insider attacks of theft, fraud and IT sabotage, and the cost on average will be higher for an attack originating inside the perimeter. But that only tells part of the story, as we look at how outside attackers are able to breach our networks.

A quick analysis of the numbers behind the 2015 Verizon Data Breach Investigations Report shows that over 90% of all data breaches involved the use of valid network credentials. That’s right: your employee’s credentials are providing the keys to the kingdom, with or without their knowledge.

 

It’s asymmetric warfare, and your employees aren’t the ones heavily armed in this fight.

 

Whether the attack is coming from inside or out, valid credentials are still needed to VDBIRLaptopaccess your resources on the network. An insider doesn’t have to work very hard for them: they’re given their network account on their first day on the job. But if you think the outsider has to work much harder, think again. An experienced hacker has enormous resources at their disposal. The first option is to simply buy stolen credentials on the internet, as happened with the recent Anthem data breach. Then there’s the tried-and-true process of guessing simple or unchanged default passwords used by negligent employees, contractors and vendor systems, like the case at Advocate Health Care. Next are the many applications of social engineering (such as that used on Target), including sophisticated spear-phishing attacks and compromised personal devices like phones and tablets (i.e. BYOD) that your employees are connecting to the network. It’s asymmetric warfare, and your employees aren’t the ones heavily armed in this fight.

Nor is this likely to change with any amount of training and awareness. After years of coverage by the press on the dangers, employee click-rate on phishing attacks remains high, according to the 2015 Verizon DBIR: 23% of recipients now open phishing messages and 11% click on the attachments. And it only takes one to let the attackers in.

As the most prominent avenue used by attackers to enter your network, user accounts need to be continuously monitored for signs of suspicious behavior or misuse, even when the owner of the account is beyond reproach.

Personam and Sphere of Influence Offer Advanced Insider-Threat Technology to CTTSO

Personam, Inc. has partnered with Sphere of Influence, Inc. to offer their behavioral profiling platform to the US Combatting Terrorism Technical Support Office (CTTSO). The technology actively monitors computer networks for insider threats and compromised accounts and is able to provide instantaneous actionable intelligence on active threats within an organization’s security perimeter, before threats manifest into breaches. The technology is 100% passive, neither interfering with operations nor accessing sensitive data. Based on advanced real-time computational analysis of digital behaviors, it detects active and persistent threats without generating what the industry calls ‘excessive false positives’.

Developed in a joint partnership, Personam, Inc. has already introduced several of its detectors to commercial organizations, protecting them from fraud, theft, vandalism, and compromised user accounts. The CTTSO recently selected the partnership’s offering into a group of semi-finalists that will be further evaluated for suitability.

Personam CEO, Chris Kauffman, said, “It takes one week for our platform to learn the behaviors of an organization well enough to identify threats. Threatening behavior has been discovered in 100% of our commercial clients thus far, all of whom have been running conventional detection solutions for years. Given the ubiquitous nature of the insider threat, which mostly goes undetected, I’m extremely excited to see the Federal Government showing serious interest in this technology”.

The team’s technology is completely self-learning. The platform teaches itself to discern between potential threats and normal behavior. Sphere of Influence Managing Partner, Thad Scheer, said “there’s no rule book for what constitutes an insider threat or what to look for, every situation is different. What’s unique about our platform is that it teaches itself to find threats, making it nearly impossible to subvert, even if you know it’s there”.

Sphere of Influence, Inc. is a Virginia-based software developer that specializes in advanced data analytics and big data. The Analytics Studios at Sphere of Influence are the largest on the East Coast and provide solutions for Automotive, Agriculture, Consumer Products, Defense, and Intelligence.

Personam, Inc. is a new cyber-security company that focuses exclusively on detecting insider threats and compromised user accounts. The company’s patented technology generates automated threat intelligence by monitoring live networks 24×7 with behavioral profiling.

Read more here.

Personam to Showcase Technology at NITSIG Insider Threat Symposium

PRESS RELEASE

Personam Inc., the leader in insider threat protection technology today announced its upcoming participation at the 2015 NITSIG Insider Threat Symposium & Expo which will take place at the Johns Hopkins University – Applied Physics Laboratory (JHU-APL) Kossikoff Center in Laurel, Maryland on March 31st, 2015.

 

McLean, VA (PRWEB) March 24, 2015

Personam Inc., the leader in insider threat protection technology, today announced its upcoming participation at the 2015 NITSIG Insider Threat Symposium & Expo which will take place at the Johns Hopkins University – Applied Physics Laboratory (JHU-APL) Kossikoff Center in Laurel, Maryland on March 31st, 2015.

The Insider Threat Symposium & Expo provides opportunities for professional development with informative presentations from leading experts in insider threat, and an exposition that will feature industry technologies and services.

At the Insider Threat Symposium & Expo, Personam Inc. will be featuring its patent pending technology, geared specifically to detect insider threats and compromised accounts.

“Our technology uncovers compromised accounts, breached perimeters, and malicious insiders that other products miss”, said Chris Kauffman, Personam Inc.’s CEO. “Traditional technologies are incapable of detecting these types of threats. We have discovered active attacks on customer networks with every deployment to date, even when other cyber products are present.”

About Personam

Personam is the leading innovator using advanced analytics and machine learning to detect insider threat attacks in-progress. Personam’s appliance provides passive network monitoring without the dependence of endpoint software agents or pre-defined event input data. Often installed and operational in less than an hour, Personam continuously monitors the behavior patterns of the users and devices on the network. The moment a threat is detected, analysts in Personam’s monitoring center are notified and aid the client with incident response. Personam’s headquarters and research labs are located in McLean, VA.

Press Release: http://www.prweb.com/releases/2015/03/prweb12601057.htm

http://www.nationalinsiderthreatsig.org/nitsig-insiderthreatsymposiumexpo.html
http://www.talonsecuritysolutionsllc.com/

Too Little, Too Late – Morgan Stanley could have prevented the Data Leak

In a recent article about the Morgan Stanley insider theft case, Gregory Fleming, the president of the wealth management arm said:

“While the situation is disappointing, it is always difficult to prevent harm caused by those willing to steal”

Disappointing?  350,000 clients were compromised, the top 10% of investors, and this following a breach that left 76 million households exposed.

Morgan Stanley fired one employee

The fact is, this breach was preventable. Firms like Morgan Stanley are remiss in allowing these to occur, and are adding to the problem by perpetuating the myth that they cannot be stopped.  The minimal approach of repurposing perimeter cyber security solutions does not work.  These perimeter solutions and practices have been in place in each case of insider breaches including the U.S. government (i.e. Bradley Manning, Edward Snowden), Goldman Sachs, and the multiple Morgan Stanley breaches.  Even Sony Entertainment had some intrusion protection in place.  Cyber security professionals remain one step behind the criminals in defining events, thresholds, and signatures – none of these are effective for the insider.

Building behavioral profiles for all employees, managers, and executives using objective criteria is the best, and possibly the only, feasible way to catch the insider.  Current approaches that focus the search for malicious insiders based on the appropriateness of web sites, or the stability of an employee based on marital situations seem logical, but provide little value.  There are a lot of people that get divorces that do not steal from their employers or their country.

Rules and thresholds defined by human resource and cybersecurity professionals have proven ineffective at stopping the insider.  Data analytics using unsupervised machine learning on a large, diverse dataset is essential.

Personam catches insiders before damaging exfiltrations.  It is designed for the insider threat, both human and machine based, and has a proven record of identifying illegal, illicit, and inadvertent behaviors that could have led to significant breaches.

The malicious insider can be caught, and it is time to take the threat seriously and time to stop giving firms like Morgan Stanley (and Sony) a pass on their unwillingness to address the fact that they have people on the inside willing to do harm to their clients, their company, and in some cases, our country.

Personam Featured in MarketWatch Article on Insider Threat

Personam’s Founder and CEO, Chris Kauffman, was interviewed for a MarketWatch article on insider threats , “Are you a psychopath? Your boss wants to know”.

 

About Personam

Personam is the leading innovator using advanced analytics and machine learning to detect insider threat attacks in-progress. Personam’s appliance provides passive network monitoring without the dependence of endpoint software agents or pre-defined event input data. Often installed and operational in less than an hour, Personam continuously monitors the behavior patterns of the users and devices on the network. The moment a threat is detected, analysts in Personam’s monitoring center are notified and aid the client with incident response. Personam’s headquarters and research labs are located in McLean, VA. More information can be found at www.PersonamInc.com.

Why the Government Insider Threat Program Will Fail

President Obama has ordered federal employees to monitor the behavioral patterns of coworkers and report suspicious observations to officials.  Under this policy a coworker’s failure to cast suspicion on another coworker could result in penalties that include criminal charges.

Seriously! This is the current policy for preventing the next insider threat, to pit coworker against coworker!

Well…interestingly enough, they are half-right. Behavior profiling is the only way to identify an insider threat. Typically these “threats” are clever people who conceal a hidden agenda, often in plain sight. If a trusted insider is careful, as both Bradley Manning and Edward Snowden were, then we shouldn’t expect to catch them in the act of stealing, spying, or exfiltrating. They will do their jobs normally, act normally, and do nothing careless that would alert suspicion. Of course, that’s just on the surface. There will always be little behaviors these people can’t control that are different from “normal” because, let’s face it, they are different from normal coworkers. Insider threats have a secret agenda and the burden of carrying whatever motivates them to embrace that agenda. They might be good fakers, but at some level they are different, and those differences will manifest in behavior – maybe not in big things, but in little things they do every day.  If it were possible to monitor their behaviors with a sensitive enough instrument then, theoretically, we could detect the fact they are different and isolate “suspicious” differences from “normal” differences.

Of course the experts in the field (behavior psychologists and security researchers) have no idea what constitutes suspicious behavior.  Heck, in any given group of workers we don’t even know what we should consider normal, let alone suspicious.  If you typically print 20 pages per week and suddenly have a week where you print 100 pages, is that evidence you are the insider threat or were you just assigned a big presentation where lots copies are needed? If someone sends you a link to a file or website that is unrelated to your normal work, is opening that link or downloading that file evidence you are a threat?  Perhaps, but probably 99.999% of the time the answer is no.

Fooled by Randomness

The problem with the Government’s Insider Threat Program is it asks squishy human beings to be the sensor, the profiler, and the alarm. Suddenly coworkers are jotting down notes when a cubemate takes an unusual number of bathroom breaks.  Is she the next Edward Snowden or is she pregnant?  It’s left to an individual’s imagination to consider what is “normal” vs. “abnormal”.  Naturally, people will inject identity and cultural bias, they will show favor to coworkers whom they like and show disfavor to those they dislike, office politics will weigh in, and people will err when attempting to read suspicion into normal events.  Nassim Nicholas Taleb’s great book, “Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets” illustrates so clearly how human beings are easily fooled into seeing causality when there is only correlation, or at misreading the presence of correlation.  Behaviors one might think are clear indicators of suspicion, like printing 100 pages when 20 is the norm, are just part of the everyday “jitter” in the normal behavior of individuals, departments, and organizations.

False Positives

Behavior profiling results in a tremendous number of false positives, i.e. false accusations.  The experts don’t know what behaviors to monitor, there is no proper baseline for “normal”, and no objective way of discerning whether a novel behavior is threatening or benign.  Moreover, because differences and novelty stand out simply because they are different – humans are biased toward labeling such as suspicious.  Imagine an already clogged government bureaucracy that is further impeded by a flood of false accusations, each of which requiring some non-trivial investigation in order to clear the names of good people.  Also imagine that the actual insider threat, the next Bradley Manning or Edward Snowden, doesn’t behave in any of the “obvious” ways that would trigger coworker suspicion, their behavior modalities are subtle and go unnoted, allowing them to continue to be successful at inflicting damage.

Analytics to the Rescue

The worst thing we could do, far worse than doing nothing, would be what the administration’s policy requires; i.e. use coworkers to monitor each other and report suspicious behavior in a context where underreporting is punishable under the criminal code.  There’s absolutely no way that ends well.

If the goal is to solve the problem and mitigate the insider threat then we need to take the human out of the loop. The correct approach is to use digital sensors to collect a wide array of features that are representative of daily activity in a workforce and then feed such collection streams into an Analytics Process that objectively profiles behavior to separate normal behavior from unusual behavior as well as classifying non-threatening vs. threatening.  This is the best way to identify an insider threat; but not without its own set of problems.

First, the problem of determining “normal” behavior and separating that from “abnormal/anomalous” behavior.  On the surface this appears easily done with simple statistical methods, but with deeper reflection it gets much more complicated when dealing with human behaviors.  Even when a person does the same job every day, we do it differently each time. There is variation, i.e. “jitter”, in almost every aspect of both human behavior and organizational behavior. For example, is suddenly printing 100 pages when 20 is the norm something we should consider an outlier, or is it ok despite the fact it is statistically unusual? We end up needing a technology that can discriminate between “normal anomalies” and “abnormal anomalies”; which, despite the grammatical contradiction, is exactly the challenge.

Second, the problem of false positives.  Because bona fide threats are so rare compared to the number of everyday things people do that are different or unusual, false positives are inevitable. The social system breaks down if we are constantly casting a shadow of suspicion on good workers who express normal everyday behaviors.  This has prevented behavior profiling technology from succeeding in the past. Although researchers have invented various ways to crack the normal vs. anomaly problem, the technologies still produce a flood of false positives that make them impractical and unusable.

Third, the problem of scoring the threat itself.  Even when a behavior has been correctly profiled as “truly unusual”, it might still be ok. Radically unusual behavior is often a good thing, especially if we want a workforce to innovate, adapt, and progress; otherwise we might as well use robots.  It’s no easy task to profile a behavior and determine its potential as a threat. Expert psychologists and security researchers have never found any reliable predictive patterns, there is no “standard model” for a bad actor in a high-trust environment.

Insider Threat Detector (Shameless Plug Time)

At Personam, we have developed, and are currently field testing, the only technology in the world that actually does this in a practical sustainable way, at scale, and in real-time.  We use a common type of cyber-security appliance as a sensor to collect features that are representative of a workforce’s daily activities. That sensor drives real-time streams into a unique Analytics Processor that incorporates advanced profiling and unsupervised machine learning to create behavioral profiles and to identify human (and non-human) actors with truly anomalous behavior. One of our most important secret ingredients is our approach to radically reducing false positives, something that makes this type of technology practical for the first time.  Another secret ingredient is our solution to the problem of profiling behaviors in real-time, at scale, on incredibly large data streams.  The final stage in processing is to analyze the profiling output with a supervised machine learning layer that scores the threat.

Our technology has thus far proven effective at finding insider threats, simulated with AI bots, early in their activity cycle and before they would defect or go public. Unlike previous experiments and prototypes that have been developed by others in this area, ours is a practical and fieldable technology that effectively detects insider threats without clogging the bureaucracy with false positives.

 

Barriers to Adoption

Anytime an employer considers deploying a technology that collects on the behaviors of its workforce there will be concerns about ethics, privacy, and civil liberties.  People don’t like being monitored while they work, particularly if they think a subconscious tick might expose something private or interfere with reputation and career advancement. These are valid concerns that cannot be easily dismissed.  Some workforces will be more sensitive than others.  For example, people who work in classified environments already expect to be monitored and agree to random search every time they enter a facility; the same isn’t necessarily true for people who work at the insurance company, hospital, brewery, or bank.

We don’t open people’s mail!

Personam developed Insider Threat Detector technology with these concerns in mind. The cyber-based sensor component doesn’t invasively snoop into what people are doing on the computer or the network. We don’t analyze payload data and the contents of private communications remain private.  Our technology doesn’t provide security staff any access to private communications or the ability to eavesdrop.  In fact, it works just as well on encrypted data streams as it does on unencrypted streams.  Our design goal was to be no more intrusive than technologies that are already common in large enterprises.

That leaves false-positives.  Our technology reduces false positives from a flood to a very manageable trickle, but there will always be some false-positives because the science is based on math, not magic.  This technology is intended to provide early warning and alert, not to accuse or indict.  We don’t label people as threats, we identify suspicious behavior and score the behavior on a threat scale – where the scale is adjusted so even the highest score is still low.  Investigation and forensics are required before anyone can be considered a threat.  That said, even this will worry some – hence, there will be barriers to universally adopting this technology. Regardless of those barriers, however, this is far less intrusive than pitting coworker against coworker under a cloud of universal suspicion, as is the current policy.

Shout Out for a Demo

If you would like a private demonstration of this technology please contact us. We love showing off!

 

Personam Briefs the CXO Forum on Insider Threats to Small and Medium Businesses

Chris Kauffman, Founder and CEO of Personam, spoke to a gathering at the CXO Forum this morning on the things every executive needs to know about Insider Threats. Patrick Stump of Roka Security was also on hand to brief the group on the growing external threats to organizations.

CXO Forum is a monthly gathering for CEOs of growing and mid-sized companies. The CXO offers C-level executives a safe haven where peer-to-peer discussions of ideas and solutions can take place in an environment of collaboration that builds collegiality. Recently, the forum’s members have grown concerned over the escalation of cyber threats to their businesses.

About Personam

Personam is the leading innovator using advanced analytics and machine learning to detect insider threat attacks in-progress. Personam’s appliance provides passive network monitoring without the dependence of endpoint software agents or pre-defined event input data. Often installed and operational in less than an hour, Personam continuously monitors the behavior patterns of the users and devices on the network. The moment a threat is detected, analysts in Personam’s monitoring center are notified and aid the client with incident response. Personam’s headquarters and research labs are located in McLean, VA. More information can be found at www.PersonamInc.com.

Cyber Security Summit in NYC

Personam generated large crowds at their booth supporting the Cyber Security Summit in NYC. Companies from industries ranging from Big Pharma, Finance, Banking, to Energy all spent time learning about Personam’s insider threat detecting solution. Most of the attendees already understood the importance of protecting their organizations from internal threats, but many did not know that an advanced solution was now available. They spoke to Personam representatives, and watched live demos in the booth. The Summit proved to be a great one-day event.