Data loss prevention solutions are no longer effective. Today’s security teams have to keep context and human data in mind, as the TSA does.
Every day, U.S. companies are targeted by foreign nations trying to steal their intellectual property (IP). But today’s spies aren’t trained outsiders; they’re folks working in accounting or programmers in the back office. In the modern world, espionage takes place online, using user accounts that have been compromised via phishing or even blackmail. News headlines scream about consumer passwords and customer data that end up in hackers’ hands in data breaches. But source code, product road maps, and customer lists are being stolen behind the scenes as well.
Data loss prevention (DLP) solutions are commonly used to attempt to solve this problem. But because DLP is based on static rules and doesn’t consider context, it isn’t effective these days. The technology can’t determine when it’s acceptable for information to leave the enterprise or when such activity indicates theft or data exfiltration. For example, when businesses use DLP to stop potentially malicious outbound emails in transit, users can be frustrated by delays caused when the technology returns false positives — such as erroneously stopping an email with a large, compressed attachment. When infosec tools become too cumbersome, people look for ways around them, making the tools entirely ineffective.
Let’s compare DLP solutions, which scan hundreds of gigabytes of a business’s data per hour, to the Transportation Security Administration (TSA), whose agents screened 449 million travelers nationwide during the first five months of 2016. Having previously served as Counselor of the Office of the Deputy Secretary at the Department of Homeland Security, I know firsthand that TSA agents at airport security checkpoints are a main line of defense for keeping contraband and terrorists off airplanes. Agents look at scanner images for the outlines of guns, knives, and other banned items. (The TSA Instagram account shows a fascinating array of prohibited items that passengers have tried to take onto planes.)
Agents also check the passenger’s flight ticket and passport or driver’s license. But the agents don’t know much about a person’s behavior, and they don’t have visibility into a traveler’s patterns. This forces the TSA to treat all passengers the same, based on a list of static rules, much like DLP solutions. Because agents, like DLP, lack full context about each passenger, the result is many false positives: agents flag passengers for extra screening based solely on their appearance, or because they’ve packed liquids over the three-ounce rule, without accounting for items needed for health reasons, for example.
It’s equally important for airports to monitor for the threat from within — with deep context and no static set of rules. TSA agents and airport employees can also pose a risk because they’re granted privileged access as part of their jobs. A recent example involving a lapse in airport security illustrates the risk of relying on rote security rules rather than factoring in situational context. Workers at John F. Kennedy International Airport were caught on security cameras entering restricted areas without proper TSA authorization, according to CBS News. Clearly, the airport needs to tighten security so employees can access only the areas necessary for their jobs. Key-card entry points should be programmed so that only those who are expected to be within a given perimeter during their normal workday are granted access to it. This principle of least privilege minimizes insider risk and discourages the normalization of deviance.
Whether at an airport or in the enterprise, how can an organization spot a problem person once he is already on the “inside”? Organizations need to analyze data sources that truly deliver rich context — that is, the seemingly unimportant pieces of information about individual human behavior, sentiment, and relationships to provide situational awareness about the malicious actor.
Fortunately for businesses, there are indicators in network traffic that can signal this. Whether we like it or not, we signal intentions and expose our risks as potential insiders with the little things we do and our patterns of behavior. For example, before some employees give notice, they start storing information on thumb drives or downloading it to online services and outside email accounts, which results in bursts of email activity — much of it after work hours.
The key to stopping IP theft is having a broad view of the organization, employees, and normal business operations, and being able to spot even the minutest discrepancies that don’t fit into the context of business as usual. One company I work with found that an employee embedded sensitive information into a compressed file along with his vacation photos to avoid detection by the firm’s DLP software. The company caught him only after it added security analytics software on top of its existing DLP. Another company discovered that some of its employees were being blackmailed in exchange for inside information. DLP products completely missed these cases.
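The after-hours email burst from the earlier paragraph and the compressed-archive false positive described here, as an added example (not from the article or any RedOwl product): a per-user behavioral baseline placed beside a stateless size rule, run over constructed gateway log lines. The log format, user names, thresholds and the after-hours window are all assumptions.

```python
"""Contrast a static DLP-style rule with a per-user behavioral baseline.

Added example, not from the article or any vendor product. The log format,
user names, thresholds and the 'after hours' window are all constructed.
"""
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed gateway log: "ISO-timestamp sender recipient-domain attachment-bytes".
# alice sends one small after-hours external mail on five evenings, then a burst
# of five on 2016-06-06; bob sends one large photo archive at noon.
LOG = [f"2016-06-0{d}T21:15:00 alice gmail.example 20000" for d in range(1, 6)]
LOG += [f"2016-06-06T{h}:05:00 alice gmail.example 30000" for h in range(19, 24)]
LOG += ["2016-06-03T12:00:00 bob partner.example 95000000"]
INTERNAL = "corp.example"      # constructed internal mail domain
AFTER_HOURS = (19, 7)          # sends from 19:00 to before 07:00 count as after hours

def static_rule(log, max_bytes=50_000_000):
    """Stateless DLP-style check: any attachment over max_bytes is blocked.
    Catches bob's vacation photos (a false positive) and misses alice entirely."""
    return sorted({line.split()[1] for line in log if int(line.split()[3]) > max_bytes})

def after_hours_bursts(log, z=3.0, min_delta=3):
    """Per user, count after-hours sends to external domains per day and flag days
    that exceed that user's own baseline (leave-one-out mean + z*stdev, with an
    absolute floor so a 1-versus-0 difference does not alert)."""
    per_day = Counter()
    for line in log:
        ts, user, domain, _ = line.split()
        hour = datetime.fromisoformat(ts).hour
        if domain != INTERNAL and (hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]):
            per_day[(user, ts[:10])] += 1
    alerts = []
    for (user, day), n in sorted(per_day.items()):
        others = [v for (u, d), v in per_day.items() if u == user and d != day]
        if not others:          # no baseline for this user yet; nothing to compare
            continue
        threshold = mean(others) + max(z * pstdev(others), min_delta)
        if n > threshold:
            alerts.append((user, day, n))
    return alerts

if __name__ == "__main__":
    print("static rule blocks:", static_rule(LOG))            # ['bob']
    print("baseline alerts:", after_hours_bursts(LOG))        # [('alice', '2016-06-06', 5)]
```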
What’s At Stake?
At least 70% of a company’s value is in its intangible assets, and the Intellectual Property Commission Report estimates that IP loss costs U.S. companies $300 billion a year or more. Yet organizations have no idea how much IP is being siphoned off, either intentionally by thieves, spies, and disgruntled employees, or unintentionally by compromised insiders or misuse of outside file-sharing services, or even careless use of social media. The risk of IP theft isn’t limited to source code and nation-state espionage; it can often be valuable information about pending mergers and acquisition activity that could be used to buy and sell stock before a deal, or sensitive corporate information that could benefit a competitor.
Many companies rely on DLP to safeguard against IP loss and theft, but that technology is ineffective on its own because it’s limited in scope. It requires accurate rules to generate accurate alerts, which means you have to know exactly what you’re looking for or it will get overlooked. However, people are fallible and unpredictable, and human data is the hardest thing to secure in an organization. Content inspection technologies such as DLP often fail to consider unexpected events and the unpredictability of human behavior.
While airport security is a separate issue from IP theft at corporations, similar rules apply with regard to having appropriate protections in place to detect and stop threats. In both cases, context and human data are critical to spotting risks.
Brian White serves as the chief operating officer of RedOwl, an insider threat analytics firm focused on both information security and regulatory surveillance. Previously, Brian served as a principal at the Chertoff Group, a senior official at the Department of Homeland …