One of the more interesting outgrowths of the recent revelations around NSA cyber-surveillance practices is the sudden declaration from all manner of information security vendors that their product or service could have “prevented Snowden”. Now these claims are being met with a great deal of skepticism in the security community, as they should. The very nature of the insider threat is that they cannot be prevented. Prevention would require placing restrictions on the IT admin and architecture personnel that would effectively prevent them from doing their jobs. The insider is already in the network, with the necessary accounts, permissions, keys and passwords to access the systems and data stores themselves, at the application level, but also at the more granular file and directory level. And whether that insider goes rogue or has his accounts compromised by an advanced malware attack, those access entitlements and credentials are legitimate, and their use by itself will not trigger any security alerts.
In a sense, this question gets to the larger issue of security architecture in today’s threat environment. The very clear reality is that all we have done to harden the perimeter, scan for malware, update and patch our systems and filter packets for malicious intent is functionally the equivalent of a speed bump. These defenses keep out the script kiddies and the hacktivists and the routine internet hackers and criminals seeking an easy score. But the real risks – insiders and targeted attacks with specific intent to steal data or funds – are going to succeed. These types of attackers are fully aware of the structure of the enterprise security layered defense posture, what it is comprised of architecturally and how to defeat it. So when we start thinking about these kinds of risks, we have to think in terms of detection, not prevention.
Snowden could not have been “prevented”. He had administrative access at the file and database levels. He had a plausible reason for many of his activities on the network. It would take sufficient network, user, application and access data and effective behavioral analytics to understand what he was doing for what it actually was. With the Securonix security intelligence solution, he would have been identified as an HPA – a user with Highly Privileged Access entitlements – and continuously monitored. The key is that he and his fellow SysAdmins would be seen by the Securonix behavioral profiler algorithms as a “Peer Group” and that would allow the system to immediately alert when he accessed files of a type and in a volume that none of his fellow admins were accessing. The SOC and the incident response team would have been alerted immediately, and he could have been prevented from leaving the building with the laptops and thumb drives that are now so famous around the globe.
So it is completely reasonable to be skeptical when vendors promise a solution that can prevent the next Ed Snowden or Bradley Manning. The most damaging attacks are often the hardest to prevent – you need to build a security infrastructure that breaks down the barriers that separate all the relevant data and you need an effective way to analyze that data on an ongoing basis in real time. It’s a concept called Actionable Security Intelligence and Securonix is delivering it today.