Anna Chiang

Code Theft: Protecting IP At The Source

Your corporate assets are at risk and every day that you avoid taking action shortens the time until your IP will be leaked. Here are six steps toward better data security.

The security world is awash with various malware-centric cyber kill chain models and advanced styles of threat defense that focus on network traffic, payload, and endpoint analyses. But if you step back and look at what most security tools and frameworks are trying to accomplish at a very high level, it boils down to:

  • Detecting and/or blocking adversaries as they try to get inside your organization to steal your valuable data and intellectual property (IP)
  • Detecting and/or blocking adversaries as they try to exfiltrate that IP and data to use for their own purposes.

With absolute intrusion prevention no longer possible and the new security mantra of fast detection and response, one could argue that disproportionate time and effort are spent watching the perimeter doors and too little time is spent guarding the internal resource vault that holds the company’s most sensitive IP. Privileged insiders who already have the keys to the kingdom may pose an immediate threat.

The Source of the Crime
IP theft isn’t a new problem. In 2003, gaming company Valve Corp. suffered losses estimated at hundreds of millions of dollars when source code of its Half-Life 2 game (five years in the making) was stolen and posted on the Internet. More recently, Wall Street traders from Goldman Sachs and Flow Traders BV were accused of taking proprietary computer source code used to make high-speed stock and commodity trades that earn millions of dollars in profits each year. In 2013, the IP Commission Report put the costs of intellectual property theft in excess of $300 billion in the United States alone.

To understand how best to protect such critical assets, it’s important to consider where they are stored. For companies that build commercial software products or implement internal software apps and platforms, their IP consists of source code and related assets stored in version control/source control management (SCM) systems. These systems not only store the assets, but also facilitate the collaboration across all the product contributors, who access the SCM system to update their work and share it with others.

Typical Behaviors of a Data Thief
The conclusion of this year’s RSA conference, one of the security industry’s biggest events of the year, was that “at the end of the day, the bad guys are still getting in.” Once they’re in, they usually take time to wander about the organization searching for valuable digital assets (e.g., source code, design specifications, strategic business plans, product road maps, formulas, or industry “secret sauce”). They often look at these assets at odd hours of the day, take from inactive projects, or hoard information (that is, take more information than they contribute back).

While some security tools focus on monitoring and correlating network log data or endpoint data (watching the perimeter doors) to spot anomalous behavior, this approach may require time-consuming manual rules and threshold setting, and often results in security teams being inundated with false positive alerts. Some tools may lack context-specific information (e.g., who, when, how and where) that typifies the behavior of a data thief and don’t compare his or her actions to a baseline of “normal behavior.” Many tools just give a simple count of how many files were downloaded but don’t specify exactly which files were downloaded or which critical projects were affected.

For example, a worker who takes small amounts of software code (or other assets) every week won’t necessarily be detected if a threshold has been set to trigger an alert at an arbitrary fixed value. But if the worker’s access patterns were compared in a cluster map to a baseline of peers who don’t steal assets, this slow data leak could be detected.

When a bad guy starts exploring the corporate IP vault, you’d be well served to detect unusual high-risk behavior and provide actionable insights to your security teams. Certainly, this approach is preferable to watching the doors for everything and drowning in the security alert noise.

Solution: Behavioral Analytics Applied to SCM Audit Logs
Software development projects in large corporations typically involve thousands of software developers working on thousands of projects over the span of many years. The projects also involve other contributors for assets such as video, graphics, or audio elements. SCM tools manage those complex development workflows by meticulously tracking all access to project repositories and files. This means they can generate detailed audit logs. A month of log data from an SCM system might yield millions of different interactions with files and projects; for the purpose of detecting anomalies, the more granular the log data, the better.

The focus of security teams is quickly moving toward where the data and critical IP reside. A new class of security tools uses machine learning and applies behavioral analytics models to detailed audit logs and other data sources to identify and prioritize threats. These tools enable organizations to take necessary actions to prevent data exfiltration by individuals who have gained access to the source of mission-critical IP.
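As an added illustration (not code from the article or from any product the author describes), here is a small Python scorer that applies the peer-baseline idea from the sections above to constructed SCM audit lines: it summarizes each user's fetch volume, off-hours fraction, inactive-project fraction and fetch-to-commit ratio, scores each user against the other users with a median/MAD distance, and contrasts that with a fixed per-event threshold that the same activity slips under. The log format, user and project names, and the 3-MAD threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit lines: timestamp, user, action (sync = fetch, submit = commit), project, files
AUDIT_LOG = """\
2015-07-01T09:12:00 alice sync core 40
2015-07-01T22:30:00 alice sync legacy-2009 5
2015-07-01T16:00:00 alice submit core 12
2015-07-02T09:45:00 bob sync core 35
2015-07-02T14:00:00 bob sync legacy-2009 3
2015-07-02T15:10:00 bob submit core 9
2015-07-03T08:50:00 carol sync ui 30
2015-07-03T23:00:00 carol sync ui 2
2015-07-03T12:00:00 carol submit ui 10
2015-07-03T23:40:00 dave sync legacy-2009 55
2015-07-04T02:15:00 dave sync core 90
2015-07-05T09:00:00 dave submit core 2
"""
INACTIVE_PROJECTS = {"legacy-2009"}  # constructed: project with no recent commits
def parse(log):  # yields (timestamp, user, action, project, file_count) per audit line
    for line in log.splitlines():
        ts, user, action, project, n = line.split()
        yield datetime.fromisoformat(ts), user, action, project, int(n)
def fixed_threshold_alerts(log, per_event_max=100):  # the naive rule: one oversized fetch
    return sorted({u for _, u, a, _, n in parse(log) if a == "sync" and n > per_event_max})
def user_features(log, inactive=INACTIVE_PROJECTS):  # per-user behaviour summary
    acc = defaultdict(lambda: defaultdict(int))
    for ts, user, action, project, n in parse(log):
        acc[user]["fetched" if action == "sync" else "submitted"] += n
        if action == "sync":
            acc[user]["off"] += n if (ts.hour >= 22 or ts.hour < 6) else 0
            acc[user]["inact"] += n if project in inactive else 0
    return {u: {"fetched": v["fetched"], "offhours_frac": v["off"] / max(v["fetched"], 1),
                "inactive_frac": v["inact"] / max(v["fetched"], 1),
                "hoard_ratio": v["fetched"] / (v["submitted"] + 1)} for u, v in acc.items()}

def robust_z(value, peers):  # distance from the peer median in MAD units
    med = median(peers)
    mad = median(abs(p - med) for p in peers) or 1.0  # assumption: MAD of 0 -> unit scale
    return (value - med) / mad

def score_users(log, threshold=3.0):  # flag any feature more than `threshold` MADs above peers
    feats, alerts = user_features(log), {}
    for user, fv in feats.items():
        peers = [f for u, f in feats.items() if u != user]
        z = {k: robust_z(fv[k], [p[k] for p in peers]) for k in fv}
        if max(z.values()) > threshold:
            alerts[user] = {k: round(v, 1) for k, v in z.items() if v > threshold}
    return alerts
```

With this data, no single fetch exceeds the fixed 100-file rule, yet the peer comparison flags one user on all four features, which is the slow-leak case the article describes.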

Your corporate assets are at risk, and every day that you avoid taking action shortens the time until your IP will be leaked. Here are six steps toward better data security:

  1. Identify the most important IP in your organization and choose which groups and/or individuals should have access.
  2. Use multi-factor and/or continuous authentication and fine-grained access control, and enforce strong passwords and different levels of security controls based on asset type.
  3. Provide the ability to encrypt data at rest and in transit.
  4. Continuously monitor data access and make sure that detailed audit logs are implemented in a secure SCM repository.
  5. Implement a security platform that can apply behavioral analytics models to audit logs and quickly identify high-risk anomalous data access.
  6. Integrate your SIEM and other log data with a flexible security platform that can provide detailed context-rich actionable data to identify high-risk threats to your most important projects and files.

Anna Chiang leads go-to-market activities for application security products. Prior to Synopsys, she worked at WhiteHat Security, Perforce Software, and BlackBerry, where she drove product marketing efforts for AppSec and UEBA security products, as well as platform product ...

Ulf Mattsson,
7/30/2015 | 2:38:08 PM
The perimeter is gone
I agree that some security tools are "watching the perimeter doors." I think that this is a general problem with many IT Security deployments. The perimeter is gone and Ponemon Institute published an interesting survey related to the recent spate of high-profile cyber attacks.

According to the survey database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security.

Ponemon concluded that "This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification."

Ulf Mattsson, CTO Protegrity
7/30/2015 | 11:47:01 AM
Very interesting read.
My company does this.  Very effective defense against insider threats finding the Snowden sneaking around my source code and IP.
