The Devil Inside: Creative Threat Detection Inside the Firewall
At EMC World this week, EMC CEO Joe Tucci brought up an interesting idea in his keynote, what essentially amounts to the hacker inside the firewall. How can you protect your company when the hacker is using valid credentials to get on your system?
And that’s not because one of your employees is trying to compromise your system either. It’s because today hackers often use phishing and other techniques to steal valid credentials to get on the system as a trusted user.
Once that happens, they can happily run amok inside your computing system wherever those credentials give access.
To prevent these kind of insider attacks, Tucci suggests the system should be smarter about understanding who the user is. Instead of assuming that if a user has a valid user name and password, he or she is the person associated with the credentials, the system should have other ways of validating, looking for anomolies such as location.
For instance, if the system detects that the user is coming from a strange place or is trying to access parts of the system, he or she doesn’t normally use, it might revoke permissions temporarily and send a message to the user to contact IT.
As the world becomes increasingly complex, the systems we use have to become correspondingly intelligent to meet the demands of the enterprise. As we scale up in size and scope, it becomes impossible for humans to monitor logs to find these irregularities. It’s up to the system to do it for us.
And this could be true for compliance too. By putting a rules engine on top of the content management system, for instance, you can prevent users from sharing sensitive information with people who aren’t supposed to see it
I have a friend who works at large financial services company. One day he was trying to fill out an application, but was having problems, so he decided to email it to himself and complete it at home later. The system detected his social security number and kicked it back before it got outside the firewall, preventing him from sharing this sensitive information automatically.
Anyone who has a credit card, has probably had similar experiences. You might have been informed with an automated phone call, email or text when there was unusual activity on your card, or it was being used in a place you don’t normally visit.
These systems can save your company from running into trouble with regulators or prevent attacks with valid credentials. The trick is to be flexible enough to allow employees to get their work done — you don’t want a system to be so sensitive it’s constantly revoking permission — yet still allow IT pros to do their job.