Would you be surprised if I told you that, chances are, a friend of yours working as an engineer at Facebook can read your messages, view your personally identifiable information (PII), your location history and the profiles you visited?
Well, this recent Facebook post had the world of social media abuzz:
Apparently, Paavo watched a Facebook engineer log into his account without a password, which left him legitimately worried about how many people at Facebook have similar access and what Facebook does to monitor and control it.
This example from a concerned consumer lands exactly on what keeps CISOs up at night: Crown Jewel applications, the systems that hold a company’s most sensitive data. Organizations like Facebook centrally collect PII on their users, and that information can reveal personal interests, location history, billing information, medical information and more. This is not only a consumer Internet problem; large enterprises face it as well. Analysts believe that the Anthem breach discovered in January 2015 was a targeted attack: “the attackers were likely looking for a needle in a haystack — searching for data on a few individuals.” The CISO of one of Fortscale’s customers recently described their own Crown Jewel application as “mission critical… It’s the number one target for attacks on our company.”
For that CISO, the problem goes beyond the impact on business continuity. It became a major security concern once he realized that these applications cannot be secured by off-the-shelf solutions: they are highly customized (e.g. SAP), context specific and often built on proprietary protocols. That is where the challenge lies. Once an attacker is inside the network and operating with a compromised set of credentials, it is very hard to follow the infiltrator’s moves and understand what the attacker’s actions actually mean. The attackers who infiltrated Anthem in April 2014 were discovered only after exfiltration, 9 months later. I assume that Anthem has a solid security architecture; however, once the attacker is already “in” and starts using legitimate credentials to log into one of those internal enterprise applications, the target really has no visibility into what is happening inside the application.
Here’s an example. Take a scenario similar to the one Paavo described at Facebook: an Internet company runs a customer support application that serves hundreds of millions of users. At some point a “curious” employee logs into the application and starts snooping around, looking up his ex-wife’s records or other records that match his personal interests. In a different case, an attacker uses compromised credentials to log in and automatically scans the system for information on specific targets. Many other patterns exist: violations of the normal procedure or sequence for accessing user data, changes made at unusual times or from unusual locations, or activity on a record with no pre-existing business association between the person accessing it and the customer whose record it is. Identifying such highly targeted attacks is a real challenge, but I believe it may be the missing piece for uncovering sophisticated external attackers and risky insiders.
The way to obtain that “missing piece” and surface those hard-to-identify attacks is what I would call context-aware security analytics. This approach helps organizations deal with the non-standard nature of Crown Jewel applications while providing good visibility into user activity within those apps, based on three tiers:
- Logging of access events within Crown Jewel applications
- Analyzing the logged data centrally and systematically by building behavioral profiles
- Contextualizing the behavioral profile and monitored activities given the specific purpose of the application, the role of the user within that application and the environment in which it’s deployed.
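One way to put the three tiers together, as an added example that is not part of the original post or of any Fortscale product: the Python script below ingests a constructed access log from a hypothetical customer-support application (tier 1), builds a per-user baseline of daily record volume and working hours from the earlier days in the log (tier 2), and then judges the most recent day against each user’s role, the open tickets that link an agent to a customer, and that baseline (tier 3). The log format, user names, roles, ticket table and thresholds are all assumptions made up for this example.

```python
"""Context-aware access analytics for a customer-support application.

Added example, not code from the original post or from Fortscale. The log
format, users, roles, ticket table and thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Tier 1: the application logs one line per record access (constructed format):
#   <ISO timestamp> <user> <action> <customer record id>
# 2015-03-02/03 are normal days; 2015-03-04 is the day under analysis.
ACCESS_LOG = """\
2015-03-02T09:05:00 alice view cust-1001
2015-03-02T11:30:00 alice update cust-1002
2015-03-02T15:10:00 alice view cust-1003
2015-03-02T09:40:00 bob view cust-1101
2015-03-02T10:15:00 bob view cust-1102
2015-03-02T14:05:00 bob update cust-1103
2015-03-03T09:12:00 alice view cust-1001
2015-03-03T13:45:00 alice view cust-1004
2015-03-03T16:20:00 alice update cust-1002
2015-03-03T09:30:00 bob view cust-1101
2015-03-03T10:50:00 bob view cust-1104
2015-03-03T14:30:00 bob view cust-1103
2015-03-04T10:02:00 alice view cust-1001
2015-03-04T10:09:00 alice view cust-2077
2015-03-04T11:00:00 carol view cust-1001
2015-03-04T11:05:00 carol export cust-1001
""" + "".join(  # bob's credentials sweep 12 unrelated records at 03:10-03:21
    f"2015-03-04T03:{10 + i:02d}:00 bob view cust-{3000 + i}\n" for i in range(12))

# Tier 3 context: each user's role in the app, the actions a role may take, and
# the open tickets that give an agent a business reason to touch a customer.
ROLES = {"alice": "agent", "bob": "agent", "carol": "auditor"}
ALLOWED_ACTIONS = {"agent": {"view", "update"}, "auditor": {"view"}}
OPEN_TICKETS = {"alice": {"cust-1001", "cust-1002", "cust-1003", "cust-1004"},
                "bob": {"cust-1101", "cust-1102", "cust-1103", "cust-1104"}}

def parse(log):
    """Turn log lines into (timestamp, user, action, record) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, action, record = line.split()
        events.append((datetime.fromisoformat(ts), user, action, record))
    return events

def build_profiles(events):
    """Tier 2: per user, distinct records touched per day and the hours seen."""
    per_day = defaultdict(lambda: defaultdict(set))
    hours = defaultdict(set)
    for ts, user, _, record in events:
        per_day[user][ts.date()].add(record)
        hours[user].add(ts.hour)
    return {user: {"daily": [len(r) for r in days.values()], "hours": hours[user]}
            for user, days in per_day.items()}

def analyze(log, analysis_day):
    """Score one day against roles, ticket assignments and the earlier baseline."""
    events = parse(log)
    day = datetime.fromisoformat(analysis_day).date()
    profiles = build_profiles([e for e in events if e[0].date() < day])
    findings, touched = [], defaultdict(set)
    for ts, user, action, record in (e for e in events if e[0].date() == day):
        touched[user].add(record)
        role = ROLES.get(user, "unknown")
        if action not in ALLOWED_ACTIONS.get(role, set()):
            findings.append((user, "action_not_permitted_for_role", f"{action} {record}"))
        # Auditors review records without tickets, so this rule applies to agents only.
        if role == "agent" and record not in OPEN_TICKETS.get(user, set()):
            findings.append((user, "no_business_association", record))
        prof = profiles.get(user)
        if prof and not (min(prof["hours"]) - 2 <= ts.hour <= max(prof["hours"]) + 2):
            findings.append((user, "outside_usual_hours", ts.isoformat()))
    for user, records in touched.items():
        prof = profiles.get(user)
        if not prof:
            continue  # no baseline yet (carol); a real system would seed one from peers
        daily = prof["daily"]
        limit = mean(daily) + 3 * max(pstdev(daily), 1.0)  # floor the spread for tiny baselines
        if len(records) > limit:
            findings.append((user, "volume_anomaly", f"{len(records)} records, limit {limit:.0f}"))
    return findings

def summarize(findings):
    """Collapse to (user, rule) -> count so a 12-record sweep reads as one line."""
    counts = defaultdict(int)
    for user, rule, _ in findings:
        counts[(user, rule)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (user, rule), n in sorted(summarize(analyze(ACCESS_LOG, "2015-03-04")).items()):
        print(f"{user:6} {rule:30} x{n}")
```

Run against the constructed log, the three scenarios from the text each surface under a different rule: alice’s look at cust-2077 has no ticket behind it (no business association), bob’s account touches 12 unrelated records at 03:00 when his baseline is three records a day during office hours (volume and time anomalies, exactly what a compromised credential used for scanning looks like), and carol’s export exceeds what the auditor role may do. Analyzing 2015-03-03 instead produces no findings, which is the check a practitioner should run before trusting any of these rules. The two design points worth noting are that the ticket rule is role-aware (an auditor legitimately reads records nobody assigned to her) and that the volume threshold is floored, because a two-day baseline with zero variance would otherwise flag a fourth record as an attack; a real deployment would also need a cold-start strategy for users like carol who have no history yet.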
Lastly, with the growth of devices and consumer applications across traditional and nontraditional industries, assets such as large-scale stores of PII are becoming more critical to business continuity and a key target for insiders and external attackers alike. The difficulty of finding an “off-the-shelf” security solution that protects homegrown Crown Jewel applications can be met with an integrated approach: log the access events and continuously analyze user behavior in the unique context of each application.