From: Forbes
Much like the United Kingdom has aggressively implemented Closed Circuit Television (“CCTV”) to fight crime, security software vendors are now rolling out comparable monitoring capabilities for computer networks to help detect and deter cyber-security crimes, and some are already seeing big financial exits.
With a major security breach seeming to happen every week (e.g. Citi, Lockheed Martin, Sony, RSA), it is clear that the current cyber-security defense model of “hard on the outside, chewy on the inside” is not working against the advanced intrusions known as Advanced Persistent Threats (“APTs”). The bad guys are finding ways around an organization’s moat and castle walls and running amok on the inside. In fact, the bad guys may have been on the inside all along: employees or contractors using their keys to the kingdom for nefarious reasons. As Gartner security analyst Neil MacDonald likes to say, the reality is “Your systems have been compromised. You just don’t know it (yet).”
Historically the focus of security has been hardening an organization’s “DMZ,” the part of its network that faces the Internet. Vendors such as Check Point and Cisco, as well as upstart vendor Palo Alto Networks, which appears to be on the IPO track, supply firewalls and Intrusion Detection Systems to try to keep bad traffic out, or at least notice it coming in.
On the inside of an organization’s network, security technology has historically focused on keeping systems patched with the latest operating system updates to close known vulnerabilities and on pushing the latest Anti-Virus (“AV”) signature file. BigFix scored a big exit by being acquired by IBM in the former category, and of course AV is McAfee’s and Symantec’s bread and butter. Newer technologies such as Security Information and Event Management (SIEM) can also help detect abnormal activity by the bad guys by correlating log files with network security alerts. ArcSight is the major player in this market, with an IPO and a subsequent acquisition by HP, and one or two others in the space (e.g. Splunk) are rumored to be on the IPO track.
But even with these layers of technology as part of a “defense in depth” approach, security breaches are still happening at an even greater pace with more damaging results. In the end, many of these advanced intrusions and data breaches are focused on taking over the accounts and permissions of specific “privileged” users in an organization who have access to sensitive data, be it plans for a next-generation warplane, State Department cables, Google’s source code or the secrets behind RSA’s SecurID two-factor authentication tokens. These privileged users are specifically targeted by outside hackers because they hold the proverbial keys to the kingdom, but in some cases the insider is the one intent on stealing or doing damage.
One emerging solution to this problem is to carefully monitor everything a privileged user does on the network (every keystroke and every mouse click) while also putting more granular limits on what they can do. Basically “trust but verify,” with the goal of detecting anomalies in a privileged user’s behavior (e.g. why is this person downloading the source code at 3 a.m.?). Watching the privileged is not unusual in other jobs: the “Eye in the Sky” in a Las Vegas casino watches the gamblers for cheating but also watches the dealers, and a bank’s CCTV is not only looking for robbers but for the teller slipping some money into a pocket.
Telling of the value of this new approach is that immediately after its breach, the RSA division of EMC acquired private company NetWitness for a reported large premium. NetWitness is known for capturing and analyzing user activity at the network layer. In addition, the latest security vendor to file for an IPO, Imperva, has as its core solution the ability to monitor database access and usage by database administrators, another type of privileged user.
In some sense this move parallels crime fighting in the real world. In the 1990s the United Kingdom began to aggressively deploy CCTV to fight crime. There is a debate in the United Kingdom about the effectiveness of CCTV and the impact of being a “surveillance society,” but these issues have not stopped its use, with a reported one CCTV camera for every 32 people in the UK. The same urgency to fight cyber-crime may well lead to privileged user monitoring being just as widely deployed within IT organizations.
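To make the “trust but verify” model concrete, here is an added example, written for this page and not code from the article or from any vendor it names, of the three checks the approach implies, run over a constructed audit trail: a per-role allow-list for the granular limits, an off-hours check on sensitive resources, and a per-user volume baseline that catches the 3 a.m. source download. The users, roles, paths, thresholds and log format are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

# Hypothetical policy (an assumption for this example): which privileged users exist,
# what role each holds, and the granular limits each role gets.
ROLE_OF = {"alice": "developer", "dave": "dba"}
ALLOWED = {  # role -> set of (action, path prefix) the role may perform
    "developer": {("READ", "/repo/"), ("WRITE", "/repo/")},
    "dba": {("QUERY", "/db/"), ("EXPORT", "/db/")},
}
SENSITIVE_PREFIXES = ("/repo/", "/db/")  # source tree and databases
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59; anything else is "3 a.m." territory

# Constructed audit trail (not real data): "<ISO timestamp> <user> <action> <target>".
# alice works normal hours for three days, then pulls most of the tree at 3 a.m.;
# dave (a DBA) exports from the source tree, which his role does not permit;
# mallory holds no privileged role at all.
AUDIT_LOG = [
    "2011-06-06T10:01:00 alice READ /repo/app/main.c",
    "2011-06-06T10:05:00 alice WRITE /repo/app/main.c",
    "2011-06-07T11:20:00 alice READ /repo/app/util.c",
    "2011-06-07T15:42:00 alice READ /repo/app/net.c",
    "2011-06-08T09:30:00 alice READ /repo/app/main.c",
    "2011-06-08T16:10:00 alice WRITE /repo/app/net.c",
    "2011-06-09T03:10:00 alice READ /repo/app/main.c",
    "2011-06-09T03:11:00 alice READ /repo/app/util.c",
    "2011-06-09T03:11:30 alice READ /repo/app/net.c",
    "2011-06-09T03:12:00 alice READ /repo/app/crypto.c",
    "2011-06-09T03:12:30 alice READ /repo/app/auth.c",
    "2011-06-09T03:13:00 alice READ /repo/app/db.c",
    "2011-06-09T03:13:30 alice READ /repo/app/build.sh",
    "2011-06-08T10:00:00 dave QUERY /db/customers",
    "2011-06-08T10:30:00 dave EXPORT /repo/app/main.c",
    "2011-06-08T12:00:00 mallory READ /repo/app/main.c",
]


class Event(NamedTuple):
    ts: datetime
    user: str
    action: str
    target: str


class Alert(NamedTuple):
    when: datetime
    user: str
    kind: str    # "policy", "off-hours" or "volume"
    detail: str


LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(line: str) -> Event:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, user, action, target = m.groups()
    return Event(datetime.fromisoformat(ts), user, action, target)


def permitted(user: str, action: str, target: str) -> bool:
    """Granular limit: the user's role must explicitly allow this action on this path."""
    role = ROLE_OF.get(user)
    return role is not None and any(
        action == a and target.startswith(prefix) for a, prefix in ALLOWED[role])


def is_sensitive(target: str) -> bool:
    return target.startswith(SENSITIVE_PREFIXES)


def detect(lines, volume_factor: int = 3) -> list:
    """Return alerts for policy violations, off-hours access and volume spikes."""
    events = sorted(parse(line) for line in lines)
    alerts = []
    off_hours = defaultdict(list)    # (user, date) -> sensitive events outside hours
    per_day = defaultdict(Counter)   # user -> date -> count of sensitive accesses
    for e in events:
        if not permitted(e.user, e.action, e.target):
            role = ROLE_OF.get(e.user, "none")
            alerts.append(Alert(e.ts, e.user, "policy",
                                f"{e.action} {e.target} not allowed for role {role}"))
        if is_sensitive(e.target):
            per_day[e.user][e.ts.date()] += 1
            if e.ts.hour not in BUSINESS_HOURS:
                off_hours[(e.user, e.ts.date())].append(e)
    # One off-hours alert per user and day, rather than one per keystroke.
    for (user, _day), evs in off_hours.items():
        alerts.append(Alert(evs[0].ts, user, "off-hours",
                            f"{len(evs)} sensitive accesses between "
                            f"{evs[0].ts:%H:%M} and {evs[-1].ts:%H:%M}"))
    # Volume: compare each day against the median of the same user's other days.
    for user, days in per_day.items():
        if len(days) < 2:
            continue  # no baseline to compare against yet
        for day, n in days.items():
            others = sorted(v for d, v in days.items() if d != day)
            baseline = others[len(others) // 2]
            if n > volume_factor * baseline:
                alerts.append(Alert(datetime.combine(day, datetime.min.time()), user,
                                    "volume", f"{n} sensitive accesses vs. baseline {baseline}/day"))
    return sorted(alerts)


if __name__ == "__main__":
    for a in detect(AUDIT_LOG):
        print(f"{a.when:%Y-%m-%d %H:%M} {a.kind:9} {a.user:8} {a.detail}")
```

Two practical caveats. A three-day baseline is only enough for a demonstration; a real deployment needs weeks of history per user and per role before the volume rule stops paging on ordinary busy days. And because the people being monitored are the same people who administer the hosts, the audit trail and the alerts must leave the box they are generated on (a write-only log forwarder, a separate SIEM) before the privileged user can get to them.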