In February 2015, hackers broke into a database containing unencrypted data that included names, dates of birth, addresses and social security numbers.
“Traditionally, access control has been very static in the form of access lists attached to files that had to be continually updated,” Kearns told Computer Weekly.
“We would like people to look at the context surrounding every transaction, which in the case of the Anthem breach was access to a database.”
The context of transactions typically includes who is initiating the transaction, where and how they are accessing the system and the time of day, month or year the transaction is initiated.
All of these factors can then be compared with historical patterns of behaviour to identify anomalous behaviour, which could suggest malicious activity.
The concept of adaptive policy-based access management (Apam) is built around behavioural analysis through security systems.
Exploiting anomalous behaviour detection
The Anthem breach was discovered only when one of the IT system administrators noticed an unusual pattern of queries made on the database.
“That is something a good behavioural analysis system will detect immediately and flag up for someone to have a look at,” said Kearns.
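The context-based checks described above (who, from where, at what time, compared against each user's historical pattern) can be illustrated with a small scoring routine. The following is an added example written for this page; it is not code from the article, from Kearns or from any Apam product. The log fields, the per-user baseline (usual hours, usual source networks, usual hourly query volume) and the three-standard-deviation threshold are assumptions chosen for illustration, and the historical records and events are constructed.

```python
"""Context-aware anomaly scoring for database access events (added example).

Builds a per-user baseline from constructed history, then flags events whose
context (hour, source network, query volume) deviates from that baseline so
an analyst can look at them, as the article describes for the Anthem queries.
Field names and thresholds are assumptions, not a real product's settings.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical access records: (user, hour_of_day, source_net, queries_in_hour)
HISTORY = [
    ("alice", 9, "corp-lan", 40), ("alice", 10, "corp-lan", 55), ("alice", 11, "corp-lan", 48),
    ("alice", 14, "corp-lan", 52), ("alice", 15, "corp-vpn", 45), ("alice", 16, "corp-lan", 50),
    ("dba01", 8, "corp-lan", 120), ("dba01", 12, "corp-lan", 130), ("dba01", 17, "corp-lan", 110),
    ("dba01", 13, "corp-lan", 125), ("dba01", 9, "corp-lan", 115), ("dba01", 11, "corp-lan", 135),
]

# Constructed new events to evaluate against the baseline
SAMPLE_EVENTS = [
    ("alice", 10, "corp-lan", 50),          # ordinary daytime access
    ("dba01", 3, "unknown-ext", 9000),      # 3am, unknown network, huge query burst
    ("alice", 15, "corp-vpn", 46),          # VPN use seen before for this user
    ("mallory", 12, "corp-lan", 10),        # account with no history at all
]


def build_baselines(history):
    """Summarise normal behaviour per user from historical records."""
    per_user = defaultdict(lambda: {"hours": set(), "sources": set(), "volumes": []})
    for user, hour, source, volume in history:
        per_user[user]["hours"].add(hour)
        per_user[user]["sources"].add(source)
        per_user[user]["volumes"].append(volume)
    baselines = {}
    for user, p in per_user.items():
        baselines[user] = {
            "hours": p["hours"],
            "sources": p["sources"],
            "vol_mean": mean(p["volumes"]),
            "vol_sd": pstdev(p["volumes"]),
        }
    return baselines


def score_event(event, baselines, sd_factor=3.0):
    """Return the reasons an event deviates from the user's baseline (empty if none)."""
    user, hour, source, volume = event
    base = baselines.get(user)
    if base is None:
        # No history means nothing to compare against; always worth a look
        return ["unknown user: no baseline"]
    reasons = []
    if hour not in base["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00")
    if source not in base["sources"]:
        reasons.append(f"unusual source {source}")
    # Volume threshold: mean + k standard deviations, with a floor of 10% of the
    # mean so that a user with very uniform history still gets some tolerance
    spread = max(base["vol_sd"], 0.1 * base["vol_mean"])
    threshold = base["vol_mean"] + sd_factor * spread
    if volume > threshold:
        reasons.append(f"query volume {volume} exceeds threshold {threshold:.0f}")
    return reasons


def triage(events, baselines):
    """Return only the events that need a human look, paired with their reasons."""
    flagged = []
    for event in events:
        reasons = score_event(event, baselines)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    bl = build_baselines(HISTORY)
    for event, reasons in triage(SAMPLE_EVENTS, bl):
        print(event, "->", "; ".join(reasons))
```

Run as a script, the routine flags only the 3am burst from an unknown network and the account with no history; the two ordinary events, including the VPN login the user has made before, pass silently. The learning period Kearns mentions corresponds to the history the baseline is built from: with too little of it, legitimate but rare behaviour (a late-night deployment, a first trip abroad) will be flagged, which is the friction the article describes.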
But he said there is also an educational component to introducing such systems because, although US retailer Target had a system to detect anomalous behaviour, the warnings were not followed up at first.
“Target’s network operations centre ignored the initial warnings because the system was too new and they thought they were false alarms,” said Kearns.
Organisations deploying Apam systems, he said, will have to educate their IT staff about how to respond to alerts generated by those systems.
Returning to the Anthem breach, Kearns said many commentators have made much of the fact the data was unencrypted.
Stolen credentials stymie encryption measures
However, he said that because the data was accessed either by a malicious insider or by a hacker using stolen credentials, it would have made no difference if the data had been stored in encrypted form.
“Anyone using legitimate credentials to access encrypted data will still be able to read it,” said Kearns.
Data is commonly and routinely accessed by hackers using legitimate credentials stolen through phishing attacks that typically trick employees into downloading credential-stealing malware.
“Again, education is an important component of defence through making employees more able to spot and avoid attempts to steal credentials through phishing attacks,” said Kearns.
In the light of the Anthem and Target breaches, he said organisations need to move on from static access controls to dynamic, adaptive, context-based and policy-based access controls.
“There was nothing whatsoever in place at Anthem to monitor and evaluate the database queries being made, to monitor data that was being sent out of the organisation, or to monitor when or where users were online,” said Kearns.
Responsibility roles vital to security education
At the same time, organisations must ensure that users, IT security teams and business managers have the education and training to know what to look for and how best to respond.
“Although many organisations pay lip-service to security education, it is difficult to do – particularly when there are no clear lines of responsibility for it,” said Kearns.
Organisations that have successful information security education and training programmes make it clear who is responsible for delivering that education and training on a continuous basis.
“It cannot be a once-off exercise on joining the organisation, but has to be continually updated, carried out on a regular basis and tested regularly to measure its effectiveness,” said Kearns.
The business case for behaviour-based security systems, he said, is that they are dynamic and can grow with the business as well as the threat landscape.
“Because you are not looking for specific threats in the way you are with anti-virus software, for instance, there is no need to constantly update them as the threats evolve,” said Kearns.
“Instead, you are looking at behaviour and the negative impacts of that behaviour which are relatively few, such as sending data out of an organisation, and are easier to stay on top of.”
Managing users' expectations
According to Kearns, once such systems are up and running, there is relatively little maintenance. However, he conceded there could be some user resistance to start with.
“Because you cannot identify out of the box all of the anomalous behaviour, there will be a period for the system to learn what normal behaviour for a particular organisation looks like,” he said.
But that typically means that, at some point, a user is going to be denied access to something which they legitimately need to do their job.
“Typically, it is the chief executive or someone in upper management, and so there is often friction while behaviour-based systems are bedding in – and this can make businesses wary of deploying them,” said Kearns.
Kearns is to discuss the Anthem breach and how it could have been avoided in more detail at the European Identity & Cloud Conference 2015 in Munich from 5 – 8 May 2015.