Watching the enemy within

Too many organisations are ignoring the threat posed by their own employees, argues Geoff Sweeney

Recent figures from the Department of Trade and Industry show that more than half of the most serious threats affecting large organisations originated from within the company.

Two-thirds of large organisations suffered from staff misusing their systems, and four out of 10 companies were the victims of theft or fraud involving computers. Despite this, most firms still focus their security spending on protection from outside attacks. Such perimeter defences perform a necessary job, but they can only do so much because they react only to the threats they recognise. They will do nothing to stop the wrongdoer on the inside who decides they would like to sell private information from your customer files.

It is time to re-examine the security landscape and apply some basic risk-management principles so that investment on security is more tightly targeted against the real dangers. So how do we do it? We can use the IT equivalent of CCTV footage to record everything that happens on our networks. By logging everything that occurs we can pull it all together and build a complete history of who did what on all our systems.

With the basic recording in place, you can begin to build models of what is – and what is not – normal or accepted behaviour. So when unusual behaviour occurs, the system can immediately send out an automatic alert and take remedial action.

By monitoring every piece of communication on the network, you can help an organisation decide on a baseline for every aspect of normal operational behaviour. The system can also learn from experience and fine-tune that baseline as time goes by.

Instead of being reactive and only responding to attacks it has seen before, the system can apply more intelligence in detecting anomalous behaviour at an early stage and respond quickly. It does not replace anti-virus software or intrusion-detection systems, but it adds a vital new dimension to risk management by co-ordinating the various defensive measures to contextualise events as they occur and provide a proper strategic view of IT activity.
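The record-baseline-alert cycle described above can be made concrete with a small amount of code. The following example is added here and is not code from the article or from Tier-3; it assumes a constructed audit-log format (`timestamp user=… action=… resource=…`) and constructed sample events. It builds a per-user profile of daily activity volume, resources and actions from a few days of "normal" history, then scores a new day's events against that profile, alerting on unknown users, never-before-seen resources or actions, and volume well above the user's own average.

```python
"""Per-user behavioural baseline and anomaly alerting over audit-log lines.

Added illustration, not from the original article. The log format, the
users and the events are all constructed for this example.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed log line shape: "<ISO timestamp> user=<name> action=<verb> resource=<path>"
LOG_LINE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\w+) "
    r"action=(?P<action>\w+) resource=(?P<resource>\S+)$"
)

# Constructed history: three days of routine activity for two users.
BASELINE_LOGS = """
2024-03-04T09:01:00 user=alice action=read resource=crm/customers
2024-03-04T09:05:00 user=alice action=read resource=crm/customers
2024-03-04T10:00:00 user=bob action=read resource=finance/ledger
2024-03-05T09:02:00 user=alice action=read resource=crm/customers
2024-03-05T11:00:00 user=bob action=read resource=finance/ledger
2024-03-05T11:30:00 user=bob action=read resource=finance/ledger
2024-03-06T09:00:00 user=alice action=read resource=crm/customers
2024-03-06T09:10:00 user=alice action=read resource=crm/customers
2024-03-06T10:00:00 user=bob action=read resource=finance/ledger
""".strip().splitlines()

# Constructed new day: alice behaves as usual; bob bulk-exports a file he never touched.
NEW_LOGS = """
2024-03-07T09:00:00 user=alice action=read resource=crm/customers
2024-03-07T09:03:00 user=alice action=read resource=crm/customers
2024-03-07T18:00:00 user=bob action=export resource=crm/customers
2024-03-07T18:01:00 user=bob action=export resource=crm/customers
2024-03-07T18:02:00 user=bob action=export resource=crm/customers
2024-03-07T18:03:00 user=bob action=export resource=crm/customers
2024-03-07T18:04:00 user=bob action=export resource=crm/customers
2024-03-07T18:05:00 user=bob action=export resource=crm/customers
""".strip().splitlines()


def parse(lines):
    """Turn raw lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Per user: mean/stdev of events per day plus the sets of resources and actions seen."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    resources = defaultdict(set)
    actions = defaultdict(set)
    for e in events:
        per_user_day[e["user"]][e["day"]] += 1
        resources[e["user"]].add(e["resource"])
        actions[e["user"]].add(e["action"])
    baseline = {}
    for user, days in per_user_day.items():
        counts = list(days.values())
        baseline[user] = {
            "mean": mean(counts),
            "stdev": pstdev(counts),
            "resources": resources[user],
            "actions": actions[user],
        }
    return baseline


def detect(baseline, events, k=3.0, min_delta=2.0):
    """Return sorted (user, day, reason) alerts for events that deviate from the baseline.

    Volume alerts fire when a day's count exceeds mean + max(k*stdev, min_delta);
    the min_delta floor stops a user with near-zero historical variance from
    alerting on a single extra event.
    """
    alerts = set()
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        user, day = e["user"], e["day"]
        per_user_day[user][day] += 1
        profile = baseline.get(user)
        if profile is None:
            alerts.add((user, day, "unknown user"))
            continue
        if e["resource"] not in profile["resources"]:
            alerts.add((user, day, f"new resource {e['resource']}"))
        if e["action"] not in profile["actions"]:
            alerts.add((user, day, f"new action {e['action']}"))
    for user, days in per_user_day.items():
        profile = baseline.get(user)
        if profile is None:
            continue
        threshold = profile["mean"] + max(k * profile["stdev"], min_delta)
        for day, count in days.items():
            if count > threshold:
                alerts.add((user, day, f"volume {count} > {threshold:.1f}"))
    return sorted(alerts)


def run_example():
    """Build the baseline from history and score the new day's events."""
    return detect(build_baseline(parse(BASELINE_LOGS)), parse(NEW_LOGS))


if __name__ == "__main__":
    for user, day, reason in run_example():
        print(f"ALERT {day} {user}: {reason}")
```

In the constructed data only bob trips the detector, and he does so three ways at once: a resource outside his history, an action outside his history, and a daily volume far above his own average. Alice's two reads on the new day sit inside her baseline and produce nothing. In a real deployment the baseline would be rebuilt on a rolling window so that it learns from experience, as the column describes, and the `k` and `min_delta` values would be tuned against the false-positive rate the security team can actually investigate.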

And there is another benefit: the stored record provides a complete audit trail of events, which is of growing importance in our increasingly regulated commercial world. In this way, organisations can start to tackle the unknown and previously unseen dangers as they occur, rather than reacting only to easy targets.

Geoff Sweeney is the chief technical officer at Tier-3.