Big Data Analytics Fights Insider Threats

Cyberdefenders for years have adopted Fort Apache strategies to protect their networks. Strong perimeters could prevent attackers from reaching precious data, they reasoned.

As technology marched on, however, the idea of an impermeable wall became as quaint as the Maginot Line on the eve of World War II. Firewalls alone no longer were strong enough to keep data safe. The mantra emanating from security circles was “It’s not if you’ll be breached, it’s when.”

“Traditional defense is focused outward on incoming network traffic and not focused on internal behavior,” observed Saryu Nayyar, CEO of Gurucul.

Yet it’s increasingly internal threats — either insiders who are bad apples or outsiders posing as insiders through compromised credentials — that are putting organizations at risk.

“Outsiders that want to hack into organizations are becoming smarter,” Nayyar told TechNewsWorld, “so we’re seeing a pretty steep rise in compromised accounts.”

Root Cause of Threats

One way network defenders have tried to foil inside attacks is through better access controls. They not only have improved authentication of a person’s identity, but also have imposed limits on who has access to what on a system.

However, Net marauders have found ways to authenticate themselves to systems with stolen credentials — and once in a system, to elevate their privileges so they can see the highest levels of confidential information.

To counter the antics of clever credential thieves, Gurucul has forged solutions that use big data analytics to create a context around everything connected to the network — users, accounts and devices.

After studying the behaviors of who and what are being connected to the network, Gurucul’s system can establish a baseline of activity for them. If a user or device engages in behavior outside that baseline, more analysis is applied, based on dynamically created peer group behavior, as well as a stockpile of behavioral information gleaned from prior installations.

All that analysis is designed to reduce the probability of false positives in the system.

“Someone could be doing activity that’s not normal, but it’s not necessarily risky,” Nayyar noted. “That’s where the peer group comes in. If they’re behaving like their peer group, then there’s no reason to upgrade their risk.”
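A sketch of the two-stage check described above, written as an added example rather than Gurucul’s own code: a per-user baseline flags an outlier, and a peer-group baseline then decides whether the outlier is actually risky. The activity metric, user names, peer-group labels and daily counts are all constructed for illustration.

```python
"""Baseline-then-peer-group anomaly check (illustrative example, not a vendor algorithm)."""
from statistics import mean, pstdev

# Constructed sample: records accessed per day over a ten-day window, per user.
# "erin" has just moved into the analyst role, so her own history still looks like support staff.
HISTORY = {
    "alice": [40, 42, 38, 45, 41, 39, 44, 43, 40, 42],
    "bob":   [35, 37, 36, 40, 38, 35, 39, 36, 37, 38],
    "carol": [300, 310, 295, 305, 320, 298, 302, 315, 299, 308],
    "dave":  [290, 305, 310, 300, 295, 312, 301, 299, 304, 306],
    "erin":  [41, 39, 43, 40, 42, 38, 44, 41, 40, 42],
}
# Constructed peer-group assignment (role-based grouping is one simple choice).
PEER_GROUP = {"alice": "support", "bob": "support",
              "carol": "analyst", "dave": "analyst", "erin": "analyst"}


def zscore(value, samples):
    """How many population standard deviations `value` sits from the mean of `samples`."""
    mu, sd = mean(samples), pstdev(samples)
    if sd == 0:  # flat history: anything off the single observed value is an outlier
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def peer_samples(user):
    """Pool the history of everyone in the user's peer group, excluding the user."""
    group = PEER_GROUP[user]
    return [v for u, g in PEER_GROUP.items() if g == group and u != user for v in HISTORY[u]]


def assess(user, todays_count, threshold=3.0):
    """Return 'normal', 'peer-consistent' or 'elevated' for today's activity count.

    Stage 1: compare against the user's own baseline; within threshold means normal.
    Stage 2: an outlier is only escalated if it is also an outlier for the peer group,
             which suppresses false positives such as a legitimate role change.
    """
    if abs(zscore(todays_count, HISTORY[user])) < threshold:
        return "normal"
    if abs(zscore(todays_count, peer_samples(user))) < threshold:
        return "peer-consistent"
    return "elevated"


if __name__ == "__main__":
    for user, count in (("alice", 42), ("alice", 300), ("erin", 300)):
        print(user, count, "->", assess(user, count))
```

Running the block shows that the same jump to 300 records is only escalated for the support user, while the newly promoted analyst is treated as consistent with her peers.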

Getting a handle on identity management within an organization is a very important component of intrusion protection, she added. “First and foremost, identity is the root cause of most modern day threats.”

Rogue Bank Apps

It’s said that imitation is the sincerest form of flattery, and that may be the case with rogue banking apps. Since Eurograbber and Carberp achieved success in stealing millions from East European banking accounts, banking Trojans have been gaining popularity among cybercriminals.

“We’ve seen an increasing rise of fake and rogue mobile applications targeting both banking and healthcare,” said Arian Evans, vice president for product strategy for RiskIQ.

“Healthcare records are big money right now,” he told TechNewsWorld. That was borne out last week in the Ponemon Institute’s fifth annual report on privacy and security issues facing healthcare organizations, which found criminal attacks against them up 125 percent in 2014 from 2013.

The banking industry has its own problems with cyberpredators, though.

“There’s a growing ecosystem of mobile applications that impersonate legitimate banking applications and aggregators,” Evans said.

In a sample of 350,000 mobile banking applications analyzed by RiskIQ, about one out of every 10, or 40,000 apps, contained adware or malware, he noted.

These neo bank robbers have been brazen in carrying out some of their scams. One bank began receiving calls from disgruntled customers about its Windows mobile banking application not working properly, Evans recalled.

“The help desk kept filing tickets for the calls until it found out the bank didn’t have a Windows mobile app,” he said. “It was an app in the Windows mobile store for their bank that people were downloading and using, and all it was doing was capturing the user information and sending it to Russia.”

Beyond Ad Blocking

Ad blockers can do a good job of diverting advertising away from your eyeballs, but they don’t do such a good job of blocking marketers from siphoning your personal data when you land on a page. That’s one of the roles of a program called “Blur,” made by Abine.

Formerly called “Do Not Track,” the software blocks data-scraping activity that occurs behind the veil of a Web page. For example, when you land on a page with a Facebook button, information about you is sent back to Facebook, whether you click the button or not. Blur blocks that info from being sent to Facebook without disabling the button.

“You have to be careful what you block, because if you block the wrong stuff, you’ll break the Web page,” explained Andrew Sudbury, cofounder and CTO of Abine.

That can be a challenge.

“We’re saying users should be in control of what data they share when they go online,” he told TechNewsWorld, “but we have to do a lot of work to make sure the site works.”

Some websites behave like the kid with the only bat and ball on the block, basically saying, “If you don’t let us resell the data about your visit, you can’t use our site,” Sudbury explained.

“Sometimes it’s not possible to have these things work and protect a user’s privacy,” he added, “but it’s not really made clear to the user that that’s the case.”

Breach Diary

  • May 4. APWG releases its Phishing Activities Trend Report for 4Q14, which finds a record number of malware variants — 23,500,000, or an average of 255,000 new threats each day — identified during the period.
  • May 5. Sally Beauty Holdings announces it is investigating reports of unusual activity involving payment cards its customers used at some of its outlets.
  • May 5. Spikes Security releases survey of 200 IT professionals that finds 72 percent of their organizations had to pay “very significant” or “significant” regulatory fines due to a data breach originating from a browser on a network endpoint.
  • May 6. The Hard Rock Casino in Las Vegas confirms it suffered a data breach between Sept. 3, 2014, and April 2, 2015, that compromised credit card data, and names and addresses of an undisclosed number of customers at restaurant, bar and retail locations within its property.
  • May 6. U.S. District Court Judge Susan Morgan of the Eastern District of Louisiana dismissed a proposed class action lawsuit against eBay over a data breach in 2014. She ruled the plaintiffs failed to prove they were tangibly injured in the attack.
  • May 6. Experian announced at the Vision 2015 Conference that it has launched a dedicated enterprise fraud and ID business unit in North America to address the escalating fraud risk and identity management challenges facing businesses, financial institutions and government agencies.
  • May 7. Federal appeals court in New York rules illegal the use of Section 215 of the U.S.A. Patriot Act by the NSA for bulk collection of domestic calling records.
  • May 7. Ponemon Institute reports that for first time in five years, healthcare organizations are reporting the No. 1 cause of data breaches is criminal activity (45 percent), surpassing breaches caused by mistakes and employee negligence (12 percent).
  • May 7. Firekeepers Casino Hotel in Battle Creek, Michigan, announces it is investigating a possible data security incident involving one of its point-of-sale systems.

Upcoming Security Events

  • May 14. B-Sides Denver. Society Denver, 1434 Blake St., Denver, Colorado. Free.
  • May 15. B-Sides Knoxville. Scruffy City Hall, 32 Market Square, Knoxville, Tennessee. Fee: TBD.
  • May 16. B-Sides Chicago. Concord Music Hall, 2047 N. Milwaukee Ave., Chicago. Free.
  • May 19. Has Your Cyber Security Program Jumped the Shark? 1 p.m. ET. Dark Reading webinar. Free with registration.
  • May 19. Detecting Threats Via Network Anomalies. 2 p.m. ET. Black Hat webcast. Free with registration.
  • May 21. Ponemon Institute: The Cost of Time To Identify & Contain Advanced Threats. 11 a.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • May 26-29. Symposium on Electronic Crime Research. CaixaForum / Casa Ramona, Avenue Francesc Ferrer i Guàrdia, 6-8, Barcelona, Spain. Registration: before May 12, APWG members, 400 euros; students and faculty, 300 euros; law enforcement and government, 400 euros; others, 500 euros; after May 11, APWG members, 500 euros; students and faculty, 350 euros; law enforcement and government, 500 euros; others, 600 euros.
  • May 27-28. SecureWorld Atlanta. Cobb Galleria Centre (Ballroom), 2 Galleria Parkway Southeast, Atlanta. Registration: open sessions pass, US$25; conference pass, $175; SecureWorld plus training, $545.
  • May 30. B-Sides New Orleans. Hilton Garden Inn, New Orleans Convention Center, 1001 South Peters Street, New Orleans. Cost: $10.
  • June 3. B-Sides London. ILEC Conference Centre, 47 Lillie Road, London, SW6 1UD, UK. Free.
  • June 8-10. SIA Government Summit 2015. W Hotel, Washington, D.C. Meeting Fees: members, $595; nonmember, $795.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.
  • June 13. B-Sides Charlotte. Sheraton Charlotte Airport, 3315 Scott Futrell Dr. Charlotte, North Carolina. Free.
  • June 16-17. Black Hat Mobile Security Summit. ExCel London, London, UK. Registration: before April 11, Pounds 400; before June 16, Pounds 500; after June 15, Pounds 600.
  • June 16-18. AFCEA Defensive Cyber Operations Symposium. Baltimore Convention Center, Baltimore, Maryland. Registration: government-military, free; member, $575; nonmember, $695; small business, $445; other, $695.
  • June 17. SecureWorld Portland. DoubleTree by Hilton. 1000 NE Multnomah, Portland, Oregon. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • June 20. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd, Cleveland Heights, Ohio.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1,795; before July 25, $2,195; after July 24, $2,595.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Registration: through May 31 — member, $895; nonmember, $1,150; government, $945; student, $300; June 1-Aug. 31 — $995, $1,250, $1,045, $350; Sept. 1-Oct. 1 — $1,095, $1,350, $1,145, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
