There have been some frightening stats recently reporting how almost 50% of information security breaches involve internal users. We’re used to protecting against external threats, but now it looks like enterprises are being attacked from all sides.
How do we defend against an enemy that is already inside the gates? How do we keep a close eye on our own users, the vast majority of whom have no ill intent?
This problem isn’t new, and there have been many interesting solutions over the centuries, most of them involving some form of surveillance.
In 1791, the social theorist Jeremy Bentham came up with a revolutionary idea to ensure complete surveillance of prison inmates with a minimum of prison guards.
His innovation involved building all of the prison cells in an array around a central guard tower. The cells had open aspects to the tower, meaning that the inside of each cell was visible to the guard tower. The tower itself used opaque glass, meaning that guards could see all of the inmates’ activities, but the inmates couldn’t see the guards.
He called his design ‘The Panopticon’.
British prisons in the 18th and 19th centuries were grim places. The prevailing sentiment was that prison was for punishment and deterrence, rather than rehabilitation. This meant that inmates were not inclined to behave themselves, and quite often prison facilities were dangerous places for both inmates and guards.
The Panopticon therefore provided two main benefits. Firstly, it allowed the monitoring of the prison population with many fewer guards than a traditional prison. Secondly, inmates would behave as if they were under constant observation, as they wouldn’t be able to tell where the guards were looking.
The traditional view
The traditional way of thinking about IT security is to view the network and resources as a castle with strong outer walls and many layers of defence. However, a castle’s main job is to prevent enemies from gaining access to the riches stored inside.
Castle walls aren’t going to do much good if the enemy is already inside the gates. What’s the solution?
This is where we need to start thinking like a prison guard. Prison guards have a completely different perspective to sentries standing on the castle walls. Rather than watching to see if someone is trying to get in, they need to understand the people on the inside and know intimately what their usual behaviours and interactions look like.
Let’s look at the example of a major UK supermarket information security breach in 2014. In that instance, the payroll details of 100,000 users were uploaded to news agencies and sharing sites. The culprit had not done something that would have triggered traditional SIEM systems. He was a Senior Auditor, and therefore had full access to the systems he stole data from. A user accessing authorised systems isn’t going to trigger most security systems. This is evident from the fact that this activity was ongoing for four months!
However, let’s say that there was a central system that had visibility of his system access, along with an understanding of his usual habits and interactions. In that case, that system could flag up instantly that he was downloading 50GB of data, rather than the usual 50MB of data daily.
A new approach
Gartner has recently created a new category of information security it calls User and Entity Behaviour Analytics (UEBA). By baselining user actions over a period of time, a UEBA-based solution can learn what normal behaviour for a user looks like. If the user then does something out of the ordinary, it will send an alert.
This is from Gartner:
UEBA solutions use analytics to build the standard profiles and behaviors of users and entities (hosts, applications, network traffic and data repositories) across time and peer group horizons. Activity that is anomalous to these standard baselines is presented as suspicious, and packaged analytics applied on these anomalies can help discover threats and potential incidents. The most common use cases sought by enterprises are detecting malicious insiders and external attackers infiltrating their organizations (compromised insiders).
Where should a UEBA solution sit if it is to have maximum access to user activity? This is where we come back to the idea of Bentham’s Panopticon. The real innovation of this design was that the central tower had visibility of each inmate. The cell they were in was not an important factor. Indeed, an inmate could be in any cell, and this wouldn’t impact the functioning of the central tower.
How a modern workspace helps
All of this leads nicely to the idea of a modern workspace (sometimes called a Digital Workspace) solution. With a true Digital Workspace solution, all application access is controlled via a single entity, usually an identity management solution. Once a user is authenticated against the identity manager, they are then granted onward access to other authorised systems. The applications delivered could be traditional Windows desktops or apps, mobile apps or SaaS apps. A record is then kept of that access.
User authentication and access is an important data point, but so is the user’s activity across various devices. For instance, a user may use mobile or desktop devices to access applications. They may use these devices in certain locations or at certain times. A Digital Workspace solution should be able to take all of these information points and build a model of the user. Any activity that doesn’t fit this model can then be flagged for further investigation.
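To make the baselining idea concrete, here is a small added example (not code from the original post or from any UEBA vendor) that does what the last two sections describe: it builds a per-user profile from a training window of daily access summaries (volume downloaded, device type, hour of first access), then scores a new day's activity against that profile. The 50 MB versus 50 GB contrast from the supermarket discussion is reproduced in the constructed sample log; the user names, the record layout and the robust z-score threshold are all assumptions of this example.

```python
"""Minimal UEBA-style baseline and anomaly check over constructed access records."""
from collections import defaultdict
from statistics import median

MB = 1024 ** 2
GB = 1024 ** 3

# Constructed sample access log: one record per (user, day) summarising what the
# identity/workspace layer saw. A real system would aggregate these from audit logs.
# Layout: (user, day, bytes downloaded, device type, hour of first access)
TRAINING_LOG = [
    ("auditor1", f"2014-01-{d:02d}", 50 * MB + (d % 5) * MB, "desktop", 9)
    for d in range(1, 29)
] + [
    ("clerk1", f"2014-01-{d:02d}", 5 * MB + (d % 3) * MB,
     "mobile" if d % 7 == 0 else "desktop", 8 + d % 2)
    for d in range(1, 29)
]


def build_baselines(log):
    """Per-user profile: median and MAD of daily volume, devices seen, hours seen."""
    volumes = defaultdict(list)
    devices = defaultdict(set)
    hours = defaultdict(set)
    for user, _day, nbytes, device, hour in log:
        volumes[user].append(nbytes)
        devices[user].add(device)
        hours[user].add(hour)
    baselines = {}
    for user, vols in volumes.items():
        med = median(vols)
        # Median absolute deviation: a robust spread estimate that one huge
        # day cannot drag upwards the way a standard deviation could.
        mad = median(abs(v - med) for v in vols)
        baselines[user] = {
            "median": med,
            "mad": mad,
            "devices": devices[user],
            "hours": hours[user],
        }
    return baselines


def robust_z(value, med, mad):
    """Distance from the median in units of scaled MAD (1.4826 * MAD ~ sigma for normal data)."""
    # Guard against a zero MAD (perfectly regular history) so we never divide by zero.
    scale = 1.4826 * mad if mad > 0 else max(med * 0.1, 1.0)
    return (value - med) / scale


def score_activity(baselines, record, z_threshold=5.0):
    """Return the reasons a record deviates from its user's baseline; empty list means normal."""
    user, _day, nbytes, device, hour = record
    profile = baselines.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    z = robust_z(nbytes, profile["median"], profile["mad"])
    if z > z_threshold:  # only excess volume is interesting here, not quiet days
        reasons.append(
            f"volume {nbytes / MB:.0f} MB vs median {profile['median'] / MB:.0f} MB (z={z:.1f})"
        )
    if device not in profile["devices"]:
        reasons.append(f"unseen device {device}")
    # Allow a two-hour tolerance around any hour seen during training.
    if all(abs(hour - h) > 2 for h in profile["hours"]):
        reasons.append(f"unusual hour {hour}")
    return reasons


if __name__ == "__main__":
    baselines = build_baselines(TRAINING_LOG)
    for rec in [
        ("auditor1", "2014-02-03", 50 * MB, "desktop", 9),   # normal day
        ("auditor1", "2014-02-04", 50 * GB, "desktop", 9),   # the bulk download
        ("auditor1", "2014-02-05", 50 * MB, "mobile", 23),   # new device, odd hour
    ]:
        print(rec[0], rec[1], score_activity(baselines, rec) or "ok")
```

The volume check flags the 50 GB day while leaving a normal 50 MB day untouched; the device and hour checks show how the same profile picks up the location-and-device signals the section mentions. In practice the training window would be longer, the features would include application and peer-group comparisons, and the threshold would be tuned per organisation, but the shape of the decision is the same.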
Imagine if a UEBA solution had been in place during the supermarket incident. Potentially, the miscreant could have been caught and identified within minutes, meaning that the activity could have been stopped before any information policies were breached.
The secure workspace
Apart from an aborted attempt in Cuba, the Panopticon as designed by Jeremy Bentham was never built. Its concepts, though, can be seen today in the ubiquitous use of CCTV.
Big data analytics and AI are giving us new ways to understand human psychology and motivations. I believe that EUC is becoming the most important security play in an enterprise, and the future of human / technology interactions will be about ensuring intuitive access with transparent security. The Digital Workspace is how these concepts are being brought together.
Stay tuned for the next exciting episode.