Published on May 31, 2017
"Without Securonix we never would have found this!"
Typical Big Data Security Analytics deployments of the Securonix solution are for use cases such as insider threat detection, data exfiltration, privileged account misuse and external cyber threats. The trusted insider accessing and downloading files that they’ve never accessed before or that their peers haven’t touched is a common discovery. And then we typically see them sending this treasure trove of files in mass to a personal email address, cloud storage site, USB drives or in most cases all of the above.
Another threat indicator we often see on our dashboard is an infected workstation or server that is beaconing out to a remote host so the malware can start siphoning out a payload that it has amassed long before we ever got involved. However, the nature of rule-less threat detection that is based entirely on behavioral is such that we can find A LOT of weird behavior in any environment.
The peculiar activity in this case also elicited a '...NEVER would have found this' reaction from the primary users. While we normally work with the cyber security, insider threat program or the security operations center (SOC) teams, here the users at this large industrial manufacturer were part of the intellectual property protection team – a group we at Securonix find ourselves increasingly engaging with. They were once engineers themselves but now found themselves on a team determined to find, classify and protect the crown jewels they once had a hand in creating.
These jewels resided in a custom application with a DB2 backend and they were also in PTC Windchill, which has well over 1 million users worldwide. The Securonix platform has a very well developed application analytics capability. Before Securonix went into production the team conducted an exhaustive project to classify everything that might be considered Intellectual Property. They also started to identify the access privileges for each classification of IP. When we started rolling everything out they knew exactly who should have access to which files, and what needed to be monitored with extreme prejudice. The Securonix professional implementation team came into a great situation since much of the heavy lifting had already been done, and the client was a sophisticated, highly engaged and well-organized team.
Securonix still had to take the IP classifications and associated access privileges, and ensure they were then adhered to. This, as most IAM and SIEM experts will tell you, is by no means an easy task. However with the behavior analytics engine turned on, Securonix was quickly able to learn what normal interactions with these files looks like, and then start bubbling up the extremely high priority activities.
Upon initial deployment, Securonix caused a number of immediate investigations, which the professional services team quickly incorporated into the machine learning or supervised learning algorithms as the data scientists like to say. These tweaks resulted in fine tuning to get the autonomous learning really dialed in. Securonix’s super-enrichment was a crucial capability that provided the additional context necessary for our threat models to operate, and dramatically enhance threat detection. An example is a high-risk user + anomalous access + large/multiple files copied.
Soon after the system was up and running, a true anomaly appeared on the dashboard - an unclassified user was accessing a drawing that the user had never accessed before. Immediately the investigation team started triaging the situation and in a matter of a few hours, they discovered a gaping hole in the perimeter. As it turned out, there was an artifact left behind in documentation. In an earlier time, partners used to receive datasheets with embedded links to schematic drawings. One of these datasheets had not been updated according to the new security processes, and still linked back to sensitive intellectual property stored on internal servers.
As organizations move to open interactions with their employees, customer, and partners, it is easy for them to miss items like these and open themselves to the risk of an inadvertent or malicious data breach. Finding security flaws like this on your own is obviously the best-case scenario. While the latest Verizon Data Breach Investigation Report (10th edition) found that only 2% of the breaches in 2016 involved partners, hackers are well aware that 3rd parties are an extremely viable attack vector. Many technical details are not described in this post to spare the innocent. But security teams must come to terms with the fact that the traditional legacy security technologies present in this case (both SIEM and DLP) were not able to identify repeat access to internal IP from this channel. If you would like to learn more about what Securonix and big data security analytics can do for you and be protecting your intellectual property I recommend contacting us and scheduling a demo before the data walks out the proverbial (back) door.
To learn more about how Securonix can help you gain visibility into, and protect the sensitive intellectual property housed in your organization - even if you are using custom applications, please visit our Securonix Next-Gen SIEM platform page.