Too Little, Too Late – Morgan Stanley could have prevented the Data Leak

In a recent article about the Morgan Stanley insider theft case, Gregory Fleming, the president of the wealth management arm said:

“While the situation is disappointing, it is always difficult to prevent harm caused by those willing to steal”

Disappointing?  350,000 clients were compromised, the top 10% of investors, and this following a breach that left 76 million households exposed.

Morgan Stanley fired one employee

The fact is, this breach was preventable. Firms like Morgan Stanley are remiss in allowing these breaches to occur, and are adding to the problem by perpetuating the myth that they cannot be stopped. The minimal approach of repurposing perimeter cyber security solutions does not work. These perimeter solutions and practices were in place in each case of insider breach, including the U.S. government (e.g. Bradley Manning, Edward Snowden), Goldman Sachs, and the multiple Morgan Stanley breaches. Even Sony Entertainment had some intrusion protection in place. Cyber security professionals remain one step behind the criminals in defining events, thresholds, and signatures – none of these are effective against the insider.

Building behavioral profiles for all employees, managers, and executives using objective criteria is the best, and possibly the only, feasible way to catch the insider. Current approaches that focus the search for malicious insiders on the appropriateness of the web sites they visit, or on an employee's stability as judged by marital situation, seem logical but provide little value. There are a lot of people who get divorced and do not steal from their employers or their country.

Rules and thresholds defined by human resource and cybersecurity professionals have proven ineffective at stopping the insider.  Data analytics using unsupervised machine learning on a large, diverse dataset is essential.

Personam catches insiders before damaging exfiltrations.  It is designed for the insider threat, both human and machine based, and has a proven record of identifying illegal, illicit, and inadvertent behaviors that could have led to significant breaches.

The malicious insider can be caught, and it is time to take the threat seriously and time to stop giving firms like Morgan Stanley (and Sony) a pass on their unwillingness to address the fact that they have people on the inside willing to do harm to their clients, their company, and in some cases, our country.


The world was awed two years ago when IBM’s Watson defeated Jeopardy! champions Brad Rutter and Ken Jennings. Watson’s brilliant victory reintroduced the potential of machine learning to the public. Ideas flowed, and now this technology is being applied practically in the fields of healthcare, finance and education. Emulating human learning, Watson’s success lies in its ability to formulate hypotheses using models built from training questions and texts.

Three years ago, Army Private First Class Bradley Manning leaked massive amounts of classified information to WikiLeaks and brought to public awareness the significance of data breaches. In response to this and several other highly publicized data breaches, government committees and task forces established recommendations and policies, and invested heavily in cyber technologies to prevent such an event from reoccurring. Surely, we thought, if anyone had the motivation and resources to get a handle on the insider threat problem, it is the government. But, Edward Snowden, who caused the recent NSA breach, has made it painfully obvious how impotent the response was.

Lest we assume this is just a government problem, enormous evidence abounds showing how vulnerable commercial industry is to the insider. We are inundated with a flood of articles describing how malicious insiders have cost private enterprise billions of dollars in lost revenue, so why has no one offered a plausible solution?

The insider threat remains an unmitigated problem for most organizations, not because the technologies do not exist, but rather because the cyber defense industry is still attempting to discover the threat using a rules-based paradigm. Virtually all cyber defense solutions in the market today apply explicit rules, whether they are antivirus programs, firewalls with access control lists, deep packet inspectors, or protocol analyzers. This paradigm is very effective in defending against known malware and network exploits, but fails utterly when confronted with new attacks (e.g. “zero-days”) or the surreptitious insider.

In contrast, acknowledging that it was impossible to build a winning system that relied on enumerating all possible questions, IBM designed Watson to generalize and learn patterns from previous questions and use these models to hypothesize answers to novel questions. The hypothesis with the highest confidence was selected as the answer.

Like Watson, an effective technology for detecting the insider must adaptively learn historical network patterns and then use those patterns to automatically discover anomalous activity. Such anomalous traffic is symptomatic of unauthorized data collection and exfiltration.

Inspired by the WikiLeaks incident, Sphere’s R&D team has investigated machine learning algorithms that construct historical models by grouping users by their network fingerprints. As an example, without any rules or specifications, the algorithms learn that bookkeeping applications transmit a distinctive pattern that enables grouping accountants together, and HR professionals are grouped by the recruiting sites they visit. These behavioral models generalize normal activity and can be used as templates to detect outliers. While users commonly generate some outliers, suspicious users deviate significantly from their cohorts, such as the network administrator that accesses the HR department’s personnel records. Like Watson, the models allow the system to form hypotheses.

Applied to cyber security, every time an entity accesses the network, the algorithms hypothesize if the activity conforms to its model. If it does not conform, that activity is labeled an outlier. Because these methods use a statistical confidence that dynamically balances internal thresholds on network activities (e.g., sources and destinations, direction and amount of data transferred, times, protocols, etc.), it becomes extremely hard for a malicious insider to outsmart. Simply the fact that the system does not reveal its thresholds can have a significant deterrent effect.
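The two paragraphs above describe the pipeline in prose: fingerprint each user from their network activity, group users into cohorts without any rules, then flag users whose activity deviates statistically from their cohort. The following is an added example that is not code from Sphere or Personam; it assumes a simplified version of that pipeline in which a destination category stands in for the "network fingerprint", the cohort is simply a user's dominant traffic category, and deviation is measured with a median/MAD robust z-score whose threshold is never exposed to the user. The flow records are constructed for the example.

```python
"""Cohort-based outlier detection over per-user network activity (added example)."""
from collections import defaultdict
from statistics import median

CATEGORIES = ("ledger", "recruiting", "infra", "hr_records", "web")
MAD_SCALE = 1.4826  # scales MAD so it is comparable to a standard deviation on normal data
MAD_FLOOR = 0.05    # stops one small deviation in an otherwise identical cohort from looking infinite


def _flows(user, *groups):
    """Expand (category, kilobytes out, hour of day, count) groups into flow records."""
    return [(user, cat, kb, hour) for cat, kb, hour, n in groups for _ in range(n)]


# Constructed flow records: (user, destination category, KB out, hour).
# acct3 and admin3 each touch the HR share once ("normal anomalies");
# admin4 pulls large volumes from the HR share late at night.
FLOWS = (
    _flows("acct1", ("ledger", 40, 10, 8), ("web", 5, 12, 2))
    + _flows("acct2", ("ledger", 40, 10, 7), ("web", 5, 12, 3))
    + _flows("acct3", ("ledger", 40, 10, 8), ("web", 5, 12, 1), ("hr_records", 20, 11, 1))
    + _flows("acct4", ("ledger", 40, 10, 6), ("web", 5, 12, 4))
    + _flows("hr1", ("recruiting", 30, 9, 7), ("hr_records", 20, 14, 3))
    + _flows("hr2", ("recruiting", 30, 9, 6), ("hr_records", 20, 14, 4))
    + _flows("hr3", ("recruiting", 30, 9, 8), ("hr_records", 20, 14, 2))
    + _flows("hr4", ("recruiting", 30, 9, 7), ("hr_records", 20, 14, 2), ("web", 5, 12, 1))
    + _flows("admin1", ("infra", 15, 10, 9), ("web", 5, 12, 1))
    + _flows("admin2", ("infra", 15, 10, 10))
    + _flows("admin3", ("infra", 15, 10, 8), ("web", 5, 12, 1), ("hr_records", 20, 11, 1))
    + _flows("admin4", ("infra", 15, 10, 6), ("hr_records", 500, 23, 4))
)


def off_hours(hour):
    return hour < 7 or hour >= 20


def user_profiles(flows):
    """Per-user feature vector: share of flows per category, off-hours share, mean KB out."""
    by_user = defaultdict(list)
    for user, cat, kb, hour in flows:
        by_user[user].append((cat, kb, hour))
    profiles = {}
    for user, recs in by_user.items():
        n = len(recs)
        feat = {f"frac_{c}": sum(1 for cat, _, _ in recs if cat == c) / n for c in CATEGORIES}
        feat["frac_offhours"] = sum(1 for _, _, h in recs if off_hours(h)) / n
        feat["mean_kb"] = sum(kb for _, kb, _ in recs) / n
        profiles[user] = feat
    return profiles


def assign_cohorts(profiles):
    """Unsupervised grouping: no labels, the dominant traffic category defines the cohort."""
    cohorts = defaultdict(list)
    for user, feat in profiles.items():
        dominant = max(CATEGORIES, key=lambda c: feat[f"frac_{c}"])
        cohorts[dominant].append(user)
    return dict(cohorts)


def robust_z(value, peers):
    """Median/MAD z-score, so a single extreme peer does not inflate the spread."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers) * MAD_SCALE
    return (value - med) / max(mad, MAD_FLOOR)


def score_users(profiles, cohorts, min_peers=3):
    """Score every feature of every user against the users in the same cohort."""
    scores = {}
    for users in cohorts.values():
        if len(users) < min_peers:  # too few peers to say what "normal" is
            continue
        for user in users:
            scores[user] = {
                name: robust_z(profiles[user][name], [profiles[u][name] for u in users])
                for name in profiles[user]
            }
    return scores


def outliers(scores, threshold=3.0):
    """Users whose largest per-feature deviation exceeds the (internal) threshold."""
    return sorted(u for u, z in scores.items() if max(abs(v) for v in z.values()) > threshold)


if __name__ == "__main__":
    prof = user_profiles(FLOWS)
    coh = assign_cohorts(prof)
    sc = score_users(prof, coh)
    for user in outliers(sc):
        worst = max(sc[user], key=lambda k: abs(sc[user][k]))
        print(f"{user}: outlier on {worst} (z={sc[user][worst]:.1f})")
```

Run as a script it reports only admin4, on the HR-records share, off-hours share and mean-KB features; the single HR-share lookups by acct3 and admin3 stay below the threshold because their cohorts' robust spread absorbs them. In a real deployment the features would be learned from many more dimensions (sources and destinations, direction, protocols) and the cohorts from a proper clustering rather than an argmax, but the separation of "model normal per cohort, then score deviation" is the part the post is describing.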

A paradigm shift in cyber technologies is happening now. Cyber security professionals agree that preventing data breaches by a malicious insider is a difficult task, and the past suggests that the next major breach will not be detected with existing rules-driven cyber defense solutions. Next generation cyber security technology developers must seek inspiration from IBM’s Watson and other successful implementations of machine learning before we can hope to prevail against the insider threat.


Tech that finds bad guys (and girls too)

A hotel worker in China entered Frank’s room while he was away at dinner and installed a new type of spyware on his laptop. The spyware traveled home with Frank, waiting to connect to the corporate network. Once behind the firewall the spyware infected hosts, generated link charts of business relationships, harvested intellectual property, and collected information on employees and customers. Occasionally it phoned home, passing data in small chunks that ultimately constituted a treasure trove of secrets for Chinese intelligence. This went on for months without detection because it used very little bandwidth and communicated through drop points that were legitimate-looking URLs in the United States. Anti-virus vendors had never seen this custom-made spyware before, so they had no catalog of its signature.

Meanwhile, Cindy has worked for the company for three years, but lately her political views have shifted toward the radical. She is loyal to an organization that operates a fringe website dedicated to spreading propaganda about the type of business the company does. Cindy doesn’t talk politics at work; she keeps her opinions to herself and doesn’t work in critical areas. Cindy’s duties are in mid-level administration, and her user accounts only grant limited access to servers, network resources, corporate documents, and production equipment. Despite proper restrictions, Cindy has regular access to a lot of data as part of her job, and because other employees are sloppy about network file sharing she might be able to find things she isn’t authorized to access. When Cindy stumbles on something interesting she copies it to a thumb drive. She doesn’t steal a lot in terms of megabytes and she doesn’t spend much time doing it. Cindy is careful: 98% of the time she’s performing her normal work duties, and it’s only 2% of her computer use that is about to cost the company millions.

In a company with thousands of retail POS terminals, management has no idea that an attack against their customers is ongoing. Recently a new type of custom malware has been circulating that infects these POS terminals. After infecting a terminal, the malware skims credit card numbers and customer identity, phoning home through a sophisticated distributed botnet. POS terminals are built on aging technology that is almost never updated with security patches, and the vendor can’t even tell whether a terminal has been infected, let alone do anything about it. How does management even know it has a problem?
Like most insider threat scenarios these have one thing in common, they are difficult to detect while they are happening.
A lot of people don’t realize we do hard-science R&D at Personam. Almost our entire R&D budget is spent developing profiling technology (not the corrupt southern cop kind of profiling but the good kind). We build algorithms that detect and profile patterns of behavior that we call “patterns of life”. With this technology we can reliably detect anomalies in data that is noisy and full of “normal anomalies”. Fraud detection and cyber-defense insider threat detection are probably the top two applications for this. Our newest technologies have unique advantages, such as being able to detect zero-day attacks and spot malicious activity that hides in plain sight, all in real time.
We have cyber-defense algorithms running today that easily spot the Cindy scenario, which is actually the Bradley Manning scenario from WikiLeaks. These same algorithms also detect the Frank scenario and the POS scenario with ease.
Profiling is a specialty within Data Analytics that is basically about transforming large, uninteresting, and mostly indistinguishable data into high-value “patterns of life”. Combined with unsupervised machine learning, we can do some pretty amazing stuff.
I wanted to blog this because it’s cool. We recently challenged our science guys to solve the insider threat problem, and they made spectacular progress!
Related links:
In particular, I think we nail these two scenarios. Unfortunately, we don’t manufacture appliances, so getting our technology on a network near you is the problem.