With so many bad guys “out there,” it’s easy to overlook the threat on “this side of the firewall.” A recent study by the U.S. Department of Homeland Security and the Computer Emergency Response Team (CERT) at Carnegie Mellon University, entitled “Insider Threat Study: Illicit Cyber Activity Involving Fraud in the U.S. Financial Services Sector,” shines a spotlight on an area that should concern us all. One of the more interesting findings was that:
“Criminals who executed a ‘low and slow’ approach accomplished
more damage and escaped detection for longer.”
This shouldn’t be a surprise, yet most organizations are ill-prepared to deal with precisely this scenario. The reason? It’s easier to look for the big break-in than for the slow siphoning of resources. It is “death by a thousand cuts,” where no single laceration is significant enough to trip the alarm, but taken together the damage is quite costly. Clearly, we have to expand our field of view if we are going to catch these stealthy attacks. The report goes on to say that:
“Transaction logs, database logs, and access logs were known to be used
in the ensuing incident response for only 20 percent of the cases.”
Therein lies some of the problem. The records of illicit activity are probably there, but they are lost in a sea of unrelated data. Picking the needle out of a field of a thousand haystacks is a hard problem. In fact, it’s exactly the sort of problem that requires a computer running some fairly sophisticated detection algorithms.
Sort of like the kind of problem the fields of business analytics and big data focus on, right? So why not apply some of those same techniques to log analysis to find security incidents across a variety of platforms?
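As an added illustration of the “death by a thousand cuts” problem described above (example code written for this post, not from the CERT report or IBM): a per-transaction threshold never fires on a user who moves a modest amount every day, while summing each user’s activity over a sliding 30-day window surfaces it. The log lines, user names and limits are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample transaction-log lines (not real data): timestamp,user,amount
SAMPLE_LOG = (
    # "alice" moves a modest amount every day for 30 days: low and slow
    "\n".join(f"2012-03-{d:02d}T17:05:00,alice,450.00" for d in range(1, 31))
    + "\n"
    # "bob" makes one large transfer: the event a per-transaction alarm catches
    + "2012-03-10T09:12:00,bob,6000.00\n"
    # "carol" is ordinary low-volume activity
    + "2012-03-02T11:00:00,carol,120.00\n2012-03-20T11:00:00,carol,80.00\n"
)

def parse_log(text):
    """Yield (user, timestamp, amount) tuples from CSV-style log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, amount = line.split(",")
        yield user, datetime.fromisoformat(ts), float(amount)

def single_transaction_alerts(records, limit=5000.0):
    """The 'big break-in' check: flag any single transaction over the limit."""
    return sorted({user for user, _, amount in records if amount > limit})

def low_and_slow_alerts(records, window_days=30, cumulative_limit=10000.0):
    """Flag users whose transactions, summed over any trailing window of
    window_days, exceed cumulative_limit even though no single one does."""
    by_user = defaultdict(list)
    for user, ts, amount in records:
        by_user[user].append((ts, amount))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        window, total = deque(), 0.0
        for ts, amount in events:
            window.append((ts, amount))
            total += amount
            # Drop events that have fallen out of the trailing window.
            while ts - window[0][0] >= timedelta(days=window_days):
                total -= window.popleft()[1]
            if total > cumulative_limit:
                flagged.add(user)
                break
    return sorted(flagged)
```

Run against the sample, the per-transaction check flags only bob, while the sliding-window check flags only alice, whose 30 daily transfers total 13,500 without any one of them crossing the single-transaction limit.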
That’s exactly the sort of security intelligence that could help catch some of these attacks faster than the 32-month average this study reports. It won’t be easy, but it begins with a change in thinking about the nature of the threat, and this report is a good starting point to inform that thinking.
For more information on some of what IBM is doing in this space, take a look at: