Can we really stop malicious insiders?

Detection of insiders committing fraud requires broad event collection, robust analytics, and mechanisms that remove false positives.

In terms of malicious insiders committing fraud, can anything "really" be done?

There is a popular quote from the 2003 version of the film The Italian Job that comes to mind when I read this question: "I trust everyone. It's the devil inside them I don't trust." The threat from insiders, whether fraudsters or otherwise, has always been there, certainly before security companies started talking about it. What has changed, and this is in direct response to the question, is that yes, there are things that can be done. Many, in fact.

First, let's look at the advantages insiders have: trust and access. Consider a college intern, Sam, working for a large financial organization. Sam's job requires him to enter payees into the corporate database, and to do this job he is granted access to the database. Sam eventually realizes that, because of flawed access controls, lack of segregation of duties, poor policies, etc., his access doesn't just allow him to create payees but also to pay them. Sam begins generating false payees associated with a PO Box he set up, and then has checks sent to that PO Box.

This is pretty low tech - not likely to make its way into the newest James Bond film. But Sam's activities are representative of how many fraudulent insider incidents are perpetrated: through activity that stays below the radar of most security controls. What is needed are solutions designed to do just that - detect suspicious activity carefully concealed as legitimate, normal, and otherwise boring.

Detecting fraudulent insider activity requires a combination of network and data security. While firewalls, routers, VPNs, and IPS solutions provide tremendous value, they are just the peanut butter. Similarly, while applications, database activity monitoring (DAM) solutions, and identity solutions provide valuable insight, they are only the chocolate. However, by putting network and data security solutions together under one monitoring umbrella with SIEM (Security Information and Event Management), you have a delicious treat and a comprehensive approach to mitigating fraudulent insider activity.

When it comes to fraud, it is critical to monitor in a cross-channel model. That is, monitor all points where users interact with data, such as Web portals, telephony systems, applications, data stores, and even physical controls. This needs to be augmented by the supporting information gleaned from network infrastructure such as firewalls, switches, and VPNs. By collecting data in a cross-channel model:

  • Events can be correlated in real-time - thus detecting the fraudulent activity early;
  • Patterns can be generated to form baselines;
  • Anomalies and statistical deviations can be highlighted;
  • Profiling can be conducted against applications and users to separate normal from suspicious activity.

These advanced analytics, part of a robust SIEM platform, provide the necessary foundation for discovering the "devil inside."

So let's revisit the incident with Sam played out in a scenario where cross-channel network and data security monitoring are in place.

-- To lessen his chances of being caught Sam comes in unusually early or stays unusually late; this information is captured through physical access control monitoring;

-- Sam is logged into the payee application much longer than his peers; this information is captured through application and/or database monitoring;

-- Sam has created a large number of payees that all have the same PO Box; again, this information is captured through application and/or database monitoring;

-- Opting to work remotely to further reduce his risk of being discovered, Sam begins using a VPN connection to access the payee application; this information is captured by the VPN appliance; Sam's credentials over the VPN and his credentials on the application, while different, are correlated with the identity solution to arrive at a single person - Sam;

-- While the multiple instances by themselves may not warrant investigation, taken as an aggregate, and evaluated in a cross-channel model - physical access, remote access, application, database, and identity, the combination of activities seems potentially malicious and does warrant investigation.
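The Sam scenario above, reduced to a minimal correlation rule. This is an added example, not from the original article; the events, account names, identity map, and thresholds are all constructed assumptions. Each indicator is weak on its own, so a person is flagged only when indicators from at least three channels resolve to the same identity.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed identity map: per-channel account -> one person (names are invented).
IDENTITY = {"badge:4471": "sam", "app:sintern": "sam", "vpn:s.remote": "sam",
            "badge:1020": "ana", "app:aperez": "ana",
            "app:lchen": "lee", "vpn:l.chen": "lee"}

# Constructed events: (channel, account, kind, value).
EVENTS = [
    ("physical", "badge:4471", "entry_hour", 5),
    ("physical", "badge:1020", "entry_hour", 9),
    ("app", "app:sintern", "session_minutes", 410),
    ("app", "app:aperez", "session_minutes", 95),
    ("app", "app:lchen", "session_minutes", 110),
    ("db", "app:sintern", "payee_created", "PO Box 118"),
    ("db", "app:sintern", "payee_created", "PO Box 118"),
    ("db", "app:sintern", "payee_created", "PO Box 118"),
    ("db", "app:aperez", "payee_created", "12 Elm St"),
    ("vpn", "vpn:s.remote", "remote_login", "payee-app"),
    ("vpn", "vpn:l.chen", "remote_login", "payee-app"),
]

def correlate(events, identity, min_channels=3):
    """Return {person: indicators} for people with hits on >= min_channels channels."""
    # Baseline: median session length across all users (assumed peer group).
    peer_median = median(v for _, _, k, v in events if k == "session_minutes")
    payees = defaultdict(Counter)   # person -> payee address -> count
    hits = defaultdict(set)         # person -> {(channel, indicator)}
    for channel, account, kind, value in events:
        person = identity.get(account)
        if person is None:
            continue  # unresolved account: cannot be attributed to anyone
        if kind == "entry_hour" and not 7 <= value <= 19:       # assumed work hours
            hits[person].add((channel, "off_hours_entry"))
        elif kind == "session_minutes" and value > 2 * peer_median:
            hits[person].add((channel, "long_session"))
        elif kind == "payee_created":
            payees[person][value] += 1
            if payees[person][value] >= 3:                       # assumed threshold
                hits[person].add((channel, "payees_share_address"))
        elif kind == "remote_login":
            hits[person].add((channel, "remote_access"))
    # Flag only when the indicators span enough distinct channels.
    return {p: sorted(i for _, i in h) for p, h in hits.items()
            if len({c for c, _ in h}) >= min_channels}
```

Lowering `min_channels` to 1 also surfaces lee for a lone VPN login, which is the false-positive noise the cross-channel threshold is there to suppress.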

Detection of insiders committing fraud requires broad event collection, robust analytics, and mechanisms that remove false positives and guide investigators down the most relevant paths first (all of which are delivered by a comprehensive SIEM platform). Most organizations agree that fraud will never be 100 percent removed; however, the mitigation of fraudulent activity remains a chief concern and anti-fraud strategies can be enriched using these techniques.