Dark Reading | Analytics | Commentary
8/11/2016 12:30 PM
By Brian White
What The TSA Teaches Us About IP Protection

Data loss prevention solutions are no longer effective. Today's security teams have to keep context and human data in mind, as the TSA does.

Every day, U.S. companies are targeted by foreign nations trying to steal their intellectual property (IP). But today’s spies aren’t trained outsiders; they’re folks working in accounting or programmers in the back office. In the modern world, espionage takes place online, using user accounts that have been compromised via phishing or even blackmail. News headlines scream about consumer passwords and customer data that end up in hackers’ hands in data breaches. But source code, product road maps, and customer lists are being stolen behind the scenes as well.  

Data loss prevention (DLP) solutions are commonly used to attempt to solve this problem. But because they’re based on static rules and don’t consider context, DLP isn’t effective these days. The technology can’t determine when it’s acceptable for information to leave the enterprise or when such activity indicates theft or data exfiltration. For example, when businesses use DLP to stop potentially malicious outbound emails in transit, users can be frustrated by delays caused when the technology returns false positives -- such as erroneously stopping an email with a large, compressed attachment. When infosec tools become too cumbersome, people look for ways around them, making the tools entirely ineffective.

Let’s compare DLP solutions, which scan hundreds of gigabytes of a business’s data per hour, to the Transportation Security Administration (TSA), whose agents screened 449 million travelers nationwide during the first five months of 2016. Having previously served as Counselor of the Office of the Deputy Secretary at the Department of Homeland Security, I know firsthand that TSA agents in airport security checkpoints are a main line of defense for keeping contraband and terrorists off of airplanes. Agents look at scanner machines for outlines of guns, knives, and other banned items. (The TSA Instagram account shows a fascinating array of prohibited items that passengers have tried to take onto planes.)

Agents also check the passenger’s flight ticket and passport or driver’s license. But the agents don’t know much about a person’s behavior and they don’t have visibility into a traveler’s patterns. This forces the TSA to treat all passengers the same, based on a list of static rules, much like DLP solutions. Because agents also lack full context about each passenger, just like DLP, the result is many false positives, forcing agents to flag passengers for extra security screening based solely on their appearance or because they’ve packed liquids over the three-ounce rule, failing to account for items needed for health reasons, for example.

It’s equally important for airports to monitor for the threat from within -- with deep context and no static set of rules. TSA agents and airport employees can also pose a risk because they’re granted privileged access as part of their jobs. A recent example involving a lapse in airport security illustrates the risk of relying on rote security rules rather than factoring in situational context. Workers at John F. Kennedy International Airport were caught on security cameras entering restricted areas without proper TSA authorization, according to CBS News. Clearly, the airport needs to tighten security so employees can access only the areas necessary for their jobs. Key-card entry points should be programmed so that only those who are expected, during their normal workday, to be within a given perimeter are permitted to enter it. This principle of least privilege minimizes insider risk and discourages the normalization of deviance.
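As an added illustration of the key-card policy described above (example code written for this page, not from the article, RedOwl, or any airport system): each role is granted only the zones its job needs plus the hours during which entry is expected, and every badge swipe is checked against that grant. The roles, zones, log format, and sample swipes are all constructed.

```python
"""Least-privilege badge policy check over a constructed access log.

Each role is granted a set of zones and the hours during which access is
expected; every badge swipe is evaluated against that grant, and swipes
outside it are flagged. All roles, zones and log lines are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Grant:
    zones: frozenset          # areas the role may enter
    start: time               # start of the expected working window
    end: time                 # end of the expected working window


# Hypothetical role table: only the zones a job actually needs.
ROLE_GRANTS = {
    "baggage_handler": Grant(frozenset({"ramp", "baggage_hall"}), time(5, 0), time(23, 0)),
    "gate_agent":      Grant(frozenset({"concourse", "gate_area"}), time(4, 30), time(23, 30)),
    "screener":        Grant(frozenset({"checkpoint", "concourse"}), time(4, 0), time(23, 59)),
}


def within_window(ts: datetime, grant: Grant) -> bool:
    """True if the swipe time falls inside the role's expected working hours."""
    return grant.start <= ts.time() <= grant.end


def evaluate_swipe(role: str, zone: str, ts: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown roles and zones are denied by default."""
    grant = ROLE_GRANTS.get(role)
    if grant is None:
        return False, "unknown role"
    if zone not in grant.zones:
        return False, f"zone '{zone}' not in least-privilege grant"
    if not within_window(ts, grant):
        return False, "outside expected working window"
    return True, "ok"


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse 'ISO-timestamp,badge_id,role,zone' (constructed log format)."""
    ts, badge, role, zone = line.strip().split(",")
    return datetime.fromisoformat(ts), badge, role, zone


def audit(log_lines) -> list:
    """Return one (badge_id, zone, timestamp, reason) tuple per denied swipe."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        ts, badge, role, zone = parse_line(line)
        allowed, reason = evaluate_swipe(role, zone, ts)
        if not allowed:
            findings.append((badge, zone, ts.isoformat(), reason))
    return findings


# Constructed sample log: four swipes, two of which violate the grant
# (a baggage handler at the checkpoint, a gate agent at 02:05).
SAMPLE_LOG = """
2016-08-10T06:15:00,B1001,baggage_handler,ramp
2016-08-10T06:20:00,B1001,baggage_handler,checkpoint
2016-08-10T02:05:00,G2002,gate_agent,gate_area
2016-08-10T09:00:00,S3003,screener,checkpoint
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("DENY", *finding)
```

The deny-by-default branches matter as much as the grant table: a role or zone that nobody thought to enumerate should fail closed rather than fall through, and the reason string gives the reviewer the context a bare "denied" would not.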

Whether at an airport or in the enterprise, how can an organization spot a problem person once he is already on the “inside”? Organizations need to analyze data sources that truly deliver rich context -- that is, the seemingly unimportant pieces of information about individual human behavior, sentiment, and relationships to provide situational awareness about the malicious actor.

Fortunately for businesses, there are indicators in network traffic that can signal this. Whether we like it or not, we signal intentions and expose our risks as potential insiders with the little things we do and our patterns of behavior. For example, before some employees give notice, they start storing information on thumb drives or downloading it to online services and outside email accounts, which results in bursts of email activity -- much of it after work hours.
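The after-hours burst described above is the kind of signal a per-person baseline can surface. The following is an added example written for this page (not code from the article or from RedOwl): it counts, per sender and per day, messages sent outside business hours to addresses outside the organisation, treats each sender's first few days as their own baseline, and flags a later day that stands well above it. The log format, the internal domain, the working hours, and the z-score threshold are constructed assumptions.

```python
"""After-hours outbound email burst detection over constructed mail-log lines.

Builds a per-sender baseline of after-hours messages to external recipients and
flags days that stand well above that sender's own baseline. Log format,
domain, hours and threshold are constructed for illustration.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL_DOMAIN = "example.com"   # constructed: the organisation's own domain
WORK_HOURS = (8, 18)              # constructed: 08:00-18:00 on weekdays is business hours
Z_THRESHOLD = 3.0                 # flag days this many standard deviations above baseline


def parse(line: str) -> tuple[datetime, str, str]:
    """Parse 'ISO-timestamp sender recipient' (constructed log format)."""
    ts, sender, rcpt = line.split()
    return datetime.fromisoformat(ts), sender, rcpt


def is_after_hours(ts: datetime) -> bool:
    """Weekends, or weekday hours outside WORK_HOURS, count as after hours."""
    start, end = WORK_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def is_external(rcpt: str) -> bool:
    return not rcpt.lower().endswith("@" + INTERNAL_DOMAIN)


def daily_after_hours_counts(lines) -> dict[str, dict[str, int]]:
    """sender -> {date -> number of after-hours messages to external addresses}.

    Every day on which the sender sent anything is recorded, so quiet days
    contribute zeros to the baseline instead of being silently dropped."""
    counts: dict[str, dict[str, int]] = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        ts, sender, rcpt = parse(line)
        day = ts.date().isoformat()
        counts[sender].setdefault(day, 0)
        if is_after_hours(ts) and is_external(rcpt):
            counts[sender][day] += 1
    return counts


def flag_bursts(lines, baseline_days: int = 5) -> list[tuple[str, str, int, float]]:
    """Return (sender, date, count, z) for days that are a burst relative to the
    sender's own first `baseline_days` days. Senders with too little history
    are skipped rather than scored against a baseline that does not exist."""
    findings = []
    for sender, per_day in daily_after_hours_counts(lines).items():
        days = sorted(per_day)
        if len(days) <= baseline_days:
            continue
        base = [per_day[d] for d in days[:baseline_days]]
        mu, sigma = mean(base), pstdev(base)
        for d in days[baseline_days:]:
            n = per_day[d]
            # A near-zero-variance baseline would make any increase look infinite;
            # a floor of one message keeps the score meaningful.
            z = (n - mu) / max(sigma, 1.0)
            if z >= Z_THRESHOLD:
                findings.append((sender, d, n, round(z, 2)))
    return findings


# Constructed sample log: alice sends one after-hours external message on two
# baseline days, then five in one evening; bob has too little history to score.
SAMPLE_LOG = """
2016-08-01T09:12:00 alice@example.com carol@example.com
2016-08-01T16:40:00 alice@example.com dave@example.com
2016-08-02T10:02:00 alice@example.com carol@example.com
2016-08-02T19:30:00 alice@example.com alice.home@mailhost.example
2016-08-03T11:15:00 alice@example.com dave@example.com
2016-08-04T14:00:00 alice@example.com carol@example.com
2016-08-04T20:05:00 alice@example.com alice.home@mailhost.example
2016-08-05T09:45:00 alice@example.com dave@example.com
2016-08-08T21:02:00 alice@example.com alice.home@mailhost.example
2016-08-08T21:05:00 alice@example.com alice.home@mailhost.example
2016-08-08T21:09:00 alice@example.com alice.home@mailhost.example
2016-08-08T21:14:00 alice@example.com alice.home@mailhost.example
2016-08-08T21:20:00 alice@example.com alice.home@mailhost.example
2016-08-01T10:00:00 bob@example.com carol@example.com
2016-08-02T10:00:00 bob@example.com carol@example.com
""".splitlines()

if __name__ == "__main__":
    for sender, day, n, z in flag_bursts(SAMPLE_LOG):
        print(f"BURST {sender} {day}: {n} after-hours external messages (z={z})")
```

The point of scoring each person against their own history rather than a company-wide rule is the one the article makes: a night-shift engineer who always mails at 21:00 is not flagged, while someone whose evenings were quiet and suddenly are not is. A real deployment would use a rolling window rather than a fixed first-N-days baseline and would treat the flag as a prompt for review, not as proof of intent.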

The key to stopping IP theft is having a broad view of the organization, employees, and normal business operations, and being able to spot even the minutest discrepancies that don’t fit into the context of business as usual. One company I work with found that an employee embedded sensitive information into a compressed file along with his vacation photos to avoid detection by the firm’s DLP software. The company caught him only after it added security analytics software on top of its existing DLP. Another company discovered that some of its employees were being blackmailed in exchange for inside information. DLP products completely missed these cases.

What’s At Stake?

At least 70% of a company’s value is in its intangible assets, and the Intellectual Property Commission Report estimates that IP loss costs U.S. companies $300 billion a year or more. Yet organizations have no idea how much IP is being siphoned off, either intentionally by thieves, spies, and disgruntled employees, or unintentionally by compromised insiders or misuse of outside file-sharing services, or even careless use of social media. The risk of IP theft isn’t limited to source code and nation-state espionage; it can often be valuable information about pending mergers and acquisition activity that could be used to buy and sell stock before a deal, or sensitive corporate information that could benefit a competitor.

Many companies rely on DLP to safeguard against IP loss and theft, but that technology is ineffective on its own because it’s limited in scope. It requires accurate rules to generate accurate alerts, which means you have to know exactly what you’re looking for or it will get overlooked. However, people are fallible and unpredictable, and human data is the hardest thing to secure in an organization. Content inspection technologies such as DLP often fail to consider unexpected events and the unpredictability of human behavior.

While airport security is a separate issue from IP theft at corporations, similar rules apply with regard to having appropriate protections in place to detect and stop threats. In both cases, context and human data are critical to spotting risks.

Brian White serves as the chief operating officer of RedOwl, an insider threat analytics firm focused on both information security and regulatory surveillance. Previously, Brian served as a principal at the Chertoff Group, a senior official at the Department of Homeland ...

Comments
lorraine89 (User Rank: Ninja), 9/19/2016 9:39:23 AM
Hacking attempts
Great article. I always take extra caution in maintaining my online privacy and security. I deploy a VPN server, PureVPN, to maintain my online integrity and to avoid any type of scams and phishy threats.
ANON1251610972481 (User Rank: Apprentice), 8/12/2016 12:43:20 PM
Pretty Bad DLP Smear
It is pretty sad that the author is actually not really savvy as it relates to DLP capabilities. The author must be aware of the ability of many DLP systems to detect data based on content fingerprinting, especially the ability to detect multi data values such as Last_name and SSN or Last_name and Driver License, etc. GTB Technologies, as an example, can support more than 20 billion fields without network degradation. Such DLP policies would detect and prevent many breaches, including the ones mentioned in this article. Unfortunately, the TSA and Homeland Security are using advisors that have no clue.

Uzi Yair
CEO
GTB Technologies