Behavioural analysis can alert you to suspicious or abnormal actions before data is lost, but be ready for false alarms. By Barry Mansfield.
The concept of "pre-crime" first appeared in Minority Report, a short story by Philip K Dick that was made into a Hollywood blockbuster in 2002. The plot envisaged a future society where illegal acts are prevented through the efforts of a small group of gifted individuals who can see the future.
Minority Report may have been science fiction, but the modern software industry is busily at work developing its own variation on the theme. A number of vendors specialising in behavioural analysis promise a new era of computing in which insider attacks or intellectual property theft can be anticipated and even prevented through the modelling of historical data.
Several companies, including Imperva, NetContinuum and Tizor Systems, have developed behavioural analysis software that will notify the network manager of large or aberrant extractions from the company database. The software can be configured to track data by user and profile each person's "normal" behaviour to formulate a blueprint of what they are supposed to be doing - and raise a flag when abnormal activity is detected.
Behavioural analysis could, for example, catch an unscrupulous salesperson before they extract the details of 10,000 top customers from their employer's database, hand in their resignation and defect to a rival company. The tools can also help network managers understand the well-meaning portion of their data users' activities.
By turning the monitors to detection mode, you can track which systems are pulling large amounts of customer data out of the core databases and where that information is going, highlighting potential sources of data loss. It is possible, after all, that users are running systems and queries that are no longer necessary, but simply forgot to turn them off.
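A worked illustration of the per-user profiling described above, added here and not code from any of the vendors named in the article. It learns a baseline of rows extracted per query for each user and table from constructed audit records, refuses to judge users with too little history, and flags a pull that sits far outside that user's own norm; the user names, tables and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit-log records (user, table, rows_returned) standing in for
# the historical data a behavioural tool would learn from. Not real data.
HISTORY = [
    ("alice", "customers", 40), ("alice", "customers", 55), ("alice", "customers", 48),
    ("alice", "customers", 60), ("alice", "customers", 52), ("alice", "customers", 45),
    ("bob", "customers", 2000), ("bob", "customers", 2400), ("bob", "customers", 1800),
    ("bob", "customers", 2200), ("bob", "customers", 2100), ("bob", "customers", 1950),
]

MIN_SAMPLES = 5    # do not judge a user/table pair until it has some history
Z_LIMIT = 3.0      # flag when rows returned exceed mean + 3 standard deviations
SIGMA_FLOOR = 1.0  # so a perfectly regular user still gets a little slack

def build_profiles(history):
    """Per (user, table) baseline: (mean, std-dev, sample count) of rows per query."""
    buckets = defaultdict(list)
    for user, table, rows in history:
        buckets[(user, table)].append(rows)
    return {key: (mean(vals), max(pstdev(vals), SIGMA_FLOOR), len(vals))
            for key, vals in buckets.items()}

def check_query(profiles, user, table, rows):
    """Classify one new extraction against the user's own baseline.
    Returns (verdict, z_score); verdict is 'ok', 'abnormal' or 'no-baseline'."""
    prof = profiles.get((user, table))
    if prof is None or prof[2] < MIN_SAMPLES:
        return ("no-baseline", None)   # an unknown user is a gap, not an alarm
    mu, sigma, _ = prof
    z = (rows - mu) / sigma
    return ("abnormal" if z > Z_LIMIT else "ok", round(z, 2))

if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # The same 10,000-row pull is wildly abnormal for alice, while bob's batch
    # job regularly returns thousands of rows, so his threshold sits much higher.
    for user, rows in [("alice", 58), ("alice", 10000), ("bob", 2500), ("bob", 10000)]:
        print(user, rows, check_query(profiles, user, "customers", rows))
    print("carol", 10, check_query(profiles, "carol", "customers", 10))
```

The "no-baseline" verdict matters in practice: a freshly provisioned account has no history, and treating silence as either normal or hostile is a policy decision the tool should surface rather than hide.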
Timing is everything
Prevention is at the very heart of behavioural analysis. Valuable intellectual property should not be travelling out of an undocumented port to a server in a far-flung foreign jurisdiction, and identifying this kind of extrusion is of limited use once the information has left the building. The same is true of an email with details of 1,000 customers sent to an account outside the company.
Network extrusion-prevention tools attempt to fingerprint a user's critical data in order to identify it while it is travelling around the network. Some of these tools can cut off connections in midstream, saving organisations from the embarrassing loss of substantial amounts of data. Some enable the network manager to set limits. For example, it may be possible to allow the transmission of personal data belonging to one person to a single email address, but stop any attempt to email entire sets of multiple customers. A few products will even examine the contents of .zip files to ensure that the easy routes around extrusion prevention are blocked.
All these solutions come with reporting, and most offer incident-level notifications based on violations of set policies. However, policies must be intelligently implemented so that inventive ways around incident reporting are closed off: sending a single record every hour to a valid email address might circumvent a policy that allows a small amount of data per message, for example.
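The trickle case just described is where a purely per-message policy fails. The following is an added example (not code from any product in the article) of a policy check that keeps the per-message allowance but also aggregates records sent to each sender/recipient pair over a rolling day, so a one-record-per-hour pattern still trips an alert. Events, addresses and limits are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 24 * 3600   # aggregate over a rolling day, not per message
PER_MESSAGE_LIMIT = 1        # one person's record per outbound email is allowed
WINDOW_LIMIT = 5             # but at most 5 records to any one address per day

def evaluate(events):
    """events: (ts_seconds, sender, recipient, records) in time order.
    Returns (ts, sender, recipient, reason) for each policy violation."""
    alerts = []
    recent = defaultdict(deque)   # (sender, recipient) -> deque of (ts, records)
    totals = defaultdict(int)     # running sum of records inside the window
    for ts, sender, recipient, records in events:
        key = (sender, recipient)
        if records > PER_MESSAGE_LIMIT:
            alerts.append((ts, sender, recipient, "bulk"))   # the obvious case
        window = recent[key]
        window.append((ts, records))
        totals[key] += records
        # drop anything that has aged out of the window before judging the total
        while window and window[0][0] <= ts - WINDOW_SECONDS:
            _, expired = window.popleft()
            totals[key] -= expired
        if records <= PER_MESSAGE_LIMIT and totals[key] > WINDOW_LIMIT:
            alerts.append((ts, sender, recipient, "trickle"))
    return alerts

# Constructed mail-gateway events: eve sends one customer record an hour to an
# outside address; dan sends a single record once; frank sends 50 in one go.
EVENTS = sorted(
    [(hour * 3600, "eve", "personal@example.net", 1) for hour in range(8)]
    + [(2 * 3600 + 60, "dan", "client@example.org", 1),
       (3 * 3600 + 120, "frank", "dump@example.net", 50)]
)

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```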
Tools such as Application Security's AppRadar go a step further and can be used to search the network for all instances of commonly known databases, helping managers to understand where all their data resides on the network. This is particularly helpful considering how divisions and departments often implement new systems the core IT or security teams are unaware of.
Keep your perspective
Despite the increasing popularity of behavioural analysis software, the notion that "pre-crime" can be applied to the world of business computing is controversial to say the least. It raises a number of ethical and technical questions ranging from the accuracy of predictions made and the frequency of false positives to legal issues around privacy and employee rights.
"The main problem is that the false alarm rate is so high," says Bruce Schneier, chief technology officer of BT Counterpane. "As an employer you can expect sudden changes in the behaviour of your workforce a few hundred times a day. The problem is not whether the software predicts the crimes, the problem is how often it predicts them and gets it all wrong."
Andy Kellett, a senior analyst at Butler Group, believes that the basic premise of behavioural analysis is commonly misunderstood. "This kind of software isn't really about predicting future events," he explains. "It's about building an understanding of what kind of user behaviour is and isn't acceptable. Then, when unusual or suspicious behaviour is recognised, it can be flagged up at the earliest possible stage."
Kellett says it is too easy to be cynical about some of the marketing messages circulated by software companies in pushing their own business model. "What the vendors are quite reasonably suggesting is that if you use all the features and functions of their technology, you have all your corporate risk profile rules in place, you've done all the work behind the systems to ensure everybody understands what they can and can't do, and what is expected of them, then eventually you come to a point where you should be able to deal with aberrant behaviour."
Kellett also points out that while it may be the activities of foreign spy rings and insider thieves that capture the imagination and command headlines, non-malicious activity is the root cause of a significant percentage of data loss incidents. "Quite clearly, people do things to good intents and purposes that put the organisation at risk."
He refers to the financial loss and reputation damage suffered by Nationwide recently when one of its laptops, containing the details of nearly 11 million customers, was stolen from an employee who had failed to inform the building society when copying details on to the hard drive.
The organisation was subsequently fined £980,000 by the FSA. At the time, it was claimed that encryption software costing as little as £75 per device would have made it impossible for anyone stealing the laptop to decipher its contents. However, behavioural analysis software could represent an even cheaper alternative - and could have blocked the transfer of large amounts of sensitive data on to the laptop, preventing it from leaving the building.
Behavioural analysis is particularly well suited to working environments where it is not practical to tightly lock down networks by traditional methods. Examples are medical research and higher education, where visiting professors and researchers need full access to the available resources.
Geoff Sweeney, co-founder and chief technology officer of Tier 3, says there are two main reasons why organisations become interested in adopting behavioural analysis software. "Some have suffered from what we call a compelling event, an incident that has opened their eyes as to how vulnerable their data is. The second common driver is a business decision to outsource or offshore, and the company wants to plan ahead for managing the associated IT security risks around that move."
The breach at Nationwide was the latest in a long line of incidents reported by high-profile organisations such as Marks & Spencer, Halifax, the NHS and even the Metropolitan Police, with the latter case involving the theft of a laptop from its outsourcing partner, LogicaCMG.
Schneier claims that behavioural analysis has a track record of being counter-productive. "If you're looking for very rare events, the basic mathematics is against you. Finding the shooter before he shoots means you'll get things so wrong, you'll turn the software off."
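The arithmetic behind Schneier's "basic mathematics" remark, worked through here as an added illustration rather than anything from the article. Write $p$ for the fraction of observed behaviour changes that are genuine incidents, $s$ for the detector's sensitivity (the share of genuine incidents it flags) and $f$ for its false positive rate (the share of benign changes it flags); the numbers below are constructed.

$$
\Pr(\text{incident} \mid \text{alarm}) = \frac{p\,s}{p\,s + (1-p)\,f} \;\approx\; \frac{p\,s}{f} \qquad (p \ll 1).
$$

With $s = 0.9$, $f = 0.01$ and one genuine incident per ten thousand behaviour changes ($p = 10^{-4}$), $\Pr(\text{incident} \mid \text{alarm}) \approx 0.009$: fewer than one alarm in a hundred is real. At a few hundred behaviour changes a day that is several alarms daily, nearly all of them false, and halving $f$ only doubles a precision that is still below two per cent; the base rate $p$, not the detector, sets the ceiling.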
The human factor
In spite of everything, there is no foolproof way to stop a determined insider with strong technical expertise. High-level IT staff involved in the collection and modelling of historical data are in a unique position of trust; they will be aware of the definitions around acceptable usage and will be able to evade detection. Database logs are too easy to manipulate both before and after the fact. Therefore it is important to minimise the pool of employees able to bypass controls.
Schneier is keen to point out that the privacy issue could also pose problems. "Once you start spying on people illegally, the software gets turned off," he warns. The legal implications of using behavioural analysis software will vary according to how employees' behaviour is being monitored, so interested parties are encouraged to seek professional advice.
CASE STUDY - expressHR
Vendor-management company expressHR deployed Secerno's intelligent database assurance platform earlier this year. The solution underpins the company's security strategy, ensuring confidence in a system that is used by more than 14,000 people across the UK annually.
The expressHR Vendor Management Solution manages the provision of temporary, permanent and contract staff for a number of large recruitment agencies and other organisations. This means the information involved is frequently of the most confidential nature. This includes banking information, salaries, pay rates, charge rates, CVs and other personal details that must be protected by law. ExpressHR vendor management systems process more than £300 million of temporary labour spend and service thousands of users every year across a range of industry sectors, including government, defence and transport.
"It is very important for any organisation operating in the recruitment sector to safeguard the large amount of personal data that is handled daily," says Paul Raine, operations director at expressHR. "We have always prided ourselves in ensuring we take the most stringent steps to protect the information about the thousands of people who pass through our technology, which is why we signed this deal with Secerno."
Secerno claims to provide the first intelligent security platform for databases. With this in place, expressHR is now able to understand, control and protect its database and secure it comprehensively from internal attacks. The company has chosen to deploy the service alongside traditional penetration testing and application testing to protect against external attacks, but of these only Secerno can also stop SQL injection and other hacking attempts.
"Now that perimeter defences are no longer watertight, it's more important than ever to have technology that can effectively protect your applications right up close," says Raine. "The great thing about Secerno is that it gives us protection where we need it most - right in front of our most important asset, our data."
Raine explains that expressHR has chosen to operate the business using the software-as-a-service approach, which provides big benefits in terms of cost, speed and efficiency. However, the model brings with it a number of security concerns associated with delivering mission-critical business services over the internet.
To help address this, Secerno's audit tool allows expressHR to independently demonstrate its security levels. Secerno's reporting and analysis capabilities provide legally admissible audit information and enable expressHR to demonstrate compliance with the necessary regulations.
ExpressHR is using Secerno to monitor the state of security, and is using Secerno.SQL to block abnormal behaviour by constructing a highly detailed personal profile for each and every user accessing the service.