Organizations have increasingly beefed up network and software security, but their employees may be the weakest link, according to the IBM Global Business Security Index released last month. The report called "insider attacks" an
According to the CSI/FBI 2005 Computer Crime and Security Survey, 56% of organizations reported some level of security breach from within their organization, up from 53% the previous year. And the percentage of survey respondents who said that there was no unauthorized use of their organizations' computer systems decreased from 35% to 31%. Additionally, the survey respondents said breaches from the inside occurred about as often as from the outside.
In addition to the threat of disgruntled employees, a potential new trend is that of criminals targeting end users within an organization and persuading them to execute an attack, according to the IBM Global Business Security Index.
To help address this issue of insider attacks, IBM has introduced a new component to its Identity Management Services that monitors users' online behavior. The IBM Identity Risk and Investigation Solution analyzes users' behavior to determine whether their use of data is valid. If a legitimate user runs a legitimate application, but in an inappropriate way, it may be an indication of an insider security attack, according to William Pulleyblank, vice president of the IBM Center for Business Optimization, which developed the component.
"There have been a lot of things done to secure data and identify people, like passwords, etc.," Pulleyblank said. "But this is a new phenomenon, where somebody entitled to use the system begins to use it outside of the parameters. Say a person is entitled to look up social security numbers and do a credit check as part of a mortgage application, then all of a sudden this person decides to run 500 people through in the after hours." This type of transaction may normally run 9 a.m. to 5 p.m., he explained, so the behavior -- the time the transactions are occurring as well as the quantity of transactions -- would raise a red flag.
According to IBM, the Identity Risk and Investigation component will be able to "learn" and update what is considered normal and suspicious behavior to adapt to changing business needs. "The system will analyze the parameters around the ways people use a system and identify when people get outside of the norm for a particular transaction," Pulleyblank said. And, he added, "Patterns of transaction do vary over time. There may be a case when mortgage rates hit an all-time low, so then there is a burst of activity. So the system will update and retrain itself on what is normal behavior."
The analysis can be done historically, tracking users' past activity, or by comparing real-time behavior to normal patterns of activity. "You may discover patterns over time to find out what that person is up to," Pulleyblank said. If a suspicious activity is flagged, he said, the system can be configured so that a preset trigger immediately shuts down a user, or a notification could be sent to the user or to the user's supervisor.
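A minimal sketch of the time-and-volume baselining described above, added here as an illustration; it is not IBM's code or algorithm. The class, the z-score threshold and the sample user and transaction counts are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

class UsageBaseline:
    """Learns normal hourly volume per (user, transaction) and flags outliers."""

    def __init__(self, window_days=30, min_days=5, threshold=4.0):
        self.min_days = min_days
        self.threshold = threshold
        # one rolling window of daily counts per (user, txn, hour-of-day)
        self.history = defaultdict(lambda: deque(maxlen=window_days))

    def score(self, user, txn, hour, count):
        past = self.history[(user, txn, hour)]
        if len(past) < self.min_days:
            return None                      # still learning, no verdict yet
        sigma = max(pstdev(past), 1.0)       # floor so idle hours do not divide by 0
        return (count - mean(past)) / sigma

    def observe_day(self, user, txn, counts_by_hour):
        """Score one day's counts; return flagged hours as {hour: (count, z)}."""
        flagged = {}
        for hour in range(24):
            count = counts_by_hour.get(hour, 0)   # idle hours are recorded as 0
            z = self.score(user, txn, hour, count)
            if z is not None and z > self.threshold:
                flagged[hour] = (count, round(z, 1))   # held out of the baseline
            else:
                self.history[(user, txn, hour)].append(count)
        return flagged

    def accept(self, user, txn, hour, count):
        """A reviewer confirmed the volume was legitimate: retrain on it."""
        self.history[(user, txn, hour)].append(count)

def demo():
    # Constructed sample: ten working days of 9-to-5 credit checks.
    base = UsageBaseline()
    for day in range(10):
        base.observe_day("officer17", "credit_check",
                         {h: 10 + (day + h) % 5 for h in range(9, 17)})
    normal = base.observe_day("officer17", "credit_check",
                              {h: 12 for h in range(9, 17)})
    after_hours = base.observe_day("officer17", "credit_check", {22: 500})
    return normal, after_hours

if __name__ == "__main__":
    print(demo())
```

Flagged volumes stay out of the baseline until a reviewer accepts them, so a legitimate burst of the kind the article mentions is learned deliberately rather than automatically.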
The Identity Risk and Investigation Solution is preconfigured to integrate with Tivoli Identity Manager and Tivoli Access Manager.
IBM's solution "is a really good step," said Sally Hudson, a research manager in IDC's Security Products and Services group in Framingham, Mass. "But there is no one single solution to any security problem. This is a single piece [of the insider problem] to track usage patterns."
No single solution for insider threats
According to The Insider Threat Benchmark Report from the Aberdeen Group, businesses are addressing insider threats by using technologies associated with identity management, such as access control lists, data classification and federated identity. Among the Aberdeen survey respondents, 67% utilize strong passwords, 66% utilize access control lists, 42% utilize data classification and 38% use single sign-on.
"What this tells us is there is not a single solution that addresses the problem," said Stacy Quandt, research director for security solutions and services at Aberdeen, and the author of the report. "Many companies are trying to use what they have. With the increase in regulatory compliance, [insider threats] are getting increasing attention. It's an emerging market."
Despite that, only 41% of organizations have implemented technology to address insider threats, according to Aberdeen Group. When organizations did use technical solutions specifically to address insider threats, the primary challenges respondents cited were limited IT resources (44%) and software complexity (40%).
Organizations can't afford not to address insider threats by protecting their data, particularly in light of growing regulatory demands such as Sarbanes-Oxley and HIPAA. The Aberdeen study found that 78% of respondents cite data protection as their key driver for addressing insider threats.
More and more, part of data protection will involve monitoring of employees. "I think it will be the way it is in future," Hudson said. "Also, since a huge threat does come from insiders, companies are going to be a lot more careful about who they're hiring, and their screening processes will get more granular."
"Companies are going to have to do something to [know] what employees are doing if they want any chance of dealing with insider threats," Pulleyblank said.