Catching the authorised hacker


A threat looming ever larger in the minds of IT leaders is the risk of data loss through inappropriate behaviour or misuse by someone who is authorised to access the network and its information, writes Geoff Sweeney, CTO of Tier-3.

Consider a situation where an individual has been granted access to the network, applications and databases so they can perform their normal business activity, but whose behaviour becomes mischievous after authorisation. Perhaps they are downloading entire customer databases to their laptop or looking to e-mail sensitive data to an address outside the company, or copy it to a removable medium such as a USB stick. They are abusing the access rights they have been granted and need to be stopped to protect against the loss of valuable information assets.

Lars Davies, a compliance specialist at Kalypton, says, "If an authorised individual has inappropriately accessed or copied company information, then potentially an unauthorised access under the Computer Misuse Act has occurred; it could also be a breach of copyright law.

"If any personal data is involved, it could also constitute a breach of the Data Protection Act.

"This is not just a breach of trust. More immediate for the company is the loss of valuable information and the remediation costs. It may also stand accused of having failed to put sufficient safeguards in place to prevent a breach, and the directors could be implicated for failure in their fiduciary duties to protect company stakeholders from loss."

No rules for behaviour

The thief may be a disgruntled employee, a contractor attempting to steal some of the company's intellectual property or even a trusted senior executive: there are no rules for predicting human behaviour. Inappropriate action of this type by anyone who has the authority to access sensitive company information can and still does occur.

What is required is the means by which suspicious or unusual access or movement of sensitive data, irrespective of the initiator, can be detected and assessed for legitimacy.

Behavioural anomaly detection uses real-time analysis to inspect user and system activity and alert security managers as soon as behaviour deviates from the established norm. Inappropriate data access can be spotted immediately without the need for complex access and asset prioritisation rules with all their management overheads. The technology simply blocks unusual system or user activity and flags it to security and risk managers for their response.

Data breaches from unauthorised access and improper use are a growing problem, but they can be detected and prevented with appropriate security strategies and technology before they result in loss.

Behavioural anomaly detection technology identifies when a legitimate user's behaviour is non-compliant, blocks it and systematically stores a copy of all access logs in a forensic repository as evidence.
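The two paragraphs above describe the approach in outline: learn each user's normal pattern of data access, block what deviates from it and keep a forensic record of every decision. The following is an added illustration of that idea, not code from the article or from Tier-3's product; the audit records, user names and channel names are constructed, and the three-sigma threshold with a fixed floor is an assumed policy.

```python
"""Baseline-versus-deviation check for insider data access (added example).

Audit records are constructed tuples: (day, user, channel, records_touched).
The channel records where the data went (an application export, a USB copy,
external e-mail), so a channel the user has never used before is itself a
deviation, regardless of volume."""
from collections import defaultdict
from statistics import mean, pstdev

HISTORY = [  # constructed: five ordinary working days for two users
    ("d1", "alice", "crm_export", 120), ("d2", "alice", "crm_export", 95),
    ("d3", "alice", "crm_export", 130), ("d4", "alice", "crm_export", 110),
    ("d5", "alice", "crm_export", 105),
    ("d1", "bob", "crm_export", 10), ("d2", "bob", "crm_export", 12),
    ("d3", "bob", "crm_export", 8), ("d4", "bob", "crm_export", 11),
    ("d5", "bob", "crm_export", 9),
]

def build_baseline(history):
    """Per user: mean and std-dev of records per event, plus channels seen."""
    counts, channels = defaultdict(list), defaultdict(set)
    for _, user, channel, n in history:
        counts[user].append(n)
        channels[user].add(channel)
    return {u: (mean(v), pstdev(v), channels[u]) for u, v in counts.items()}

def assess(event, baseline, repository, sigma=3.0, floor=50):
    """Return 'allow' or 'block'; every decision is appended to the repository.

    Volume is anomalous above mean + sigma*stdev; the floor stops a user whose
    history barely varies from being blocked by a handful of extra records.
    A user with no baseline at all is blocked and referred for review."""
    day, user, channel, n = event
    reasons = []
    if user not in baseline:
        reasons.append("no behavioural baseline for user")
    else:
        mu, sd, seen = baseline[user]
        threshold = mu + max(sigma * sd, floor)
        if n > threshold:
            reasons.append(f"{n} records exceeds threshold {threshold:.0f}")
        if channel not in seen:
            reasons.append(f"channel {channel!r} not previously used")
    verdict = "block" if reasons else "allow"
    repository.append({"day": day, "user": user, "channel": channel,
                       "records": n, "verdict": verdict, "reasons": reasons})
    return verdict
```

Running `assess` over a day of events with a shared `repository` list gives the security manager both the block decisions and the full trail that led to them.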

The smart technology can automatically detect and protect valuable company information assets from misuse or theft as it occurs, rather than respond after the horse (and its valuable information) has bolted.

Geoff Sweeney is co-founder and chief technology officer of Tier-3 and will be speaking in the technical seminar programme at Infosecurity Europe on "WWIII has started: Shape-shifting heuristic threats".
