There is a lot of focus on the potential external threats to a business, but the “insider threat” could be the greater danger. TEISS catches up with Darktrace’s Justin Fier, Director for Cyber Intelligence and Analysis, in San Francisco, to inspect the problem from the inside out.
I meet Justin Fier in an elegant suite of the Four Seasons Hotel in San Francisco. Justin is not happy with how the cyber security industry is faring. “Are we actually learning from our mistakes? Not necessarily,” he ponders.
Justin spends a lot of time focusing on the “insider threat”: not necessarily the malicious, premeditated kind, but unintentional intellectual property theft. “The sad truth is a lot of employees don't understand how intellectual property laws work and they think because they wrote a piece of code it's theirs and they can take it with them,” he explains.
Justin says the industry is so fixated on watching the perimeter and keeping the bad guys out that it misses what happens when the bad guys are already on the inside.
Why is a cyber attack from the inside easy?
The barrier to entry has changed, Justin points out. An attack from the inside was harder to accomplish a few years back when you had to purchase something online with a credit card and leave a paper trail. “Now it’s much easier, you can pay cash for a device and watch dozens of YouTube videos showing how to carry out the action,” he states.
Employees who’ve handed in their notice, Justin says, are more likely to try to steal data from a network. So he advises security teams to integrate and communicate more with their HR departments in order to spot disgruntled employees beforehand.
Much of the insider threat comes from people on the security team itself, Justin says. “It's people with privileged access and there are some common reasons why that's the case. First of all we tend to trust the privileged access users more than the average user. So we look in the other direction or we don't watch them so they can get away with a lot more. Additionally they have knowledge of how the network is configured so they can evade detection much easier than the average person,” he points out.
Justin emphasises that he doesn’t mean to paint a negative picture of all the privileged access users. “Typically when I find somebody on the security team or on the networking team violating a policy or doing something they shouldn't do, it's not because they're trying to be malicious, it's usually because they're trying to make their job easier; they're taking shortcuts and opening up the company to vulnerabilities,” he explains.
The crypto-currency insider threat
Justin is seeing a significant rise in cryptocurrency-related insider incidents. He says that what's really fascinating is not the fact that people are picking up crypto-jacking malware as they browse websites or YouTube, it is that a lot of employees are intentionally using company resources to mine cryptocurrency. That becomes a huge problem because it affects the corporate network.
“I've talked numerous times already about how the IoT world will have a lot of processing power but when you put millions and hundreds of millions of them together it can become highly powerful, so I'm curious about when we're going to start to see our thermostats and our light bulbs become mining pools,” Justin states.
How to tackle the insider threat problem?
The answer, for Justin, lies in Machine Learning (ML). He describes today’s computer network as, “a very organic kind of living organism - it moves with us, it grows, it shrinks, it changes, it's highly complex.” Just as the human body has been successful at detecting when a virus gets introduced to us, why can't we apply the same methodology to our computer networks?
Justin’s main focus is on “unsupervised machine learning”, a system which essentially watches every single device on the network. He says that’s important to think about because most corporations are still blind to about a quarter of their network, even in this day and age. This is because the network is highly complex and security teams are not taking into consideration all of the different devices on it. The unsupervised ML watches every device on the network, which makes it possible to notice really subtle deviations.
The key, Justin says, is to look at the “abnormal” network activity. “By only looking for good or bad - I tend to get tunnel vision and I'm only looking for things that we've seen in the past; that doesn't help me with the next WannaCry, or zero day attack,” he states. By watching for abnormal activity, one can spread the net much wider.
“I believe that anomaly detection is the future of cyber security and every corporation should be putting some sort of anomaly detection into their security stack, especially as the attackers get better and better at hiding in the noise which is our networks,” he states.