IT staff need to be alerted to unauthorised activity when it happens, not after the event has occurred. Monitoring the network behaviour characteristics of users plays a critical role in the battle against data loss and security breaches, writes Stuart Hodkinson.

Security is one of the few areas of IT investment that would appear to be insulated from the woes of the economy. Regardless of how good or bad the economy is doing, investment in security has to continue, as the threats to public and private sector IT systems continue to grow and evolve.

However, the state of the economy can have a direct impact on the threats posed. For example, in the current climate we are seeing many companies forced to make significant headcount reductions, often in one bulk movement.

This can result in numerous potentially disgruntled staff leaving the company in one go and leaving an already stretched IT department with numerous - at times hundreds or thousands of - IT accounts to deactivate.

When handled manually, this sudden jump in workload results in a significant lag between the individuals leaving and their account access being disabled, exposing the company to risk of unauthorised access while those accounts remain active and exploitable.

Of course, the threat of a network breach does not always sit with a disgruntled former employee. It can just as easily sit with a current employee or even someone completely disconnected from the organisation, the so-called opportunistic hacker.

According to the most recent Identity Theft Resource Center (ITRC) data breach report, a shocking 656 data breaches were reported in 2008 in the US alone, a 47 per cent increase from the 2007 figure of 446 data breaches. Financial services companies reported more than 18 million records breached last year. Overall, more than 35 million records were compromised in 2008, according to the ITRC.

For the IT department, it is key to head off any breach or attack as early as possible. Ideally, you would want to be alerted to an issue while it is happening, rather than spotting an anomaly in a log file days later, or when confidential data falls into the hands of a national newspaper.

Taking inspiration from the anti-virus technology community, where the analysis of abnormal system behaviour is key to detecting new viruses, network behaviour analysis (NBA) is an approach to bolster the overall security measures and alerting systems in use within a given organisation. It works by analysing and mapping normal day-to-day activity such as:

  • who accesses which servers and when;
  • data transfer peaks;
  • authorised external access;
  • which network services and applications are used and when;
  • the use of removable storage devices.

This kind of NBA needs to be performed on an on-going basis in order to build an accurate profile of what is 'normal' for the organisation, as well as to enable IT staff to spot anomalies as they happen.

According to the ITRC, insider theft has more than doubled between 2007 and 2008, accounting for 15.7 per cent of all reported breaches.

The most recent example of this was the attempted data theft from investment bank Goldman Sachs in early July 2009.  While working for the company, a computer programmer is alleged to have downloaded copies of the source code from a proprietary trading system and taken them off-site without authorisation. Code was downloaded to his home computer, as well as to removable memory sticks to allow it to be passed on.

This data theft was detected while it was taking place, not after the event, when IT staff at Goldman were alerted to a surge of data leaving Goldman’s servers that did not match the normal network body language profile. From there it was a simple process to determine where that surge was heading.

The result of this detection was that the offending programmer was arrested and charged with stealing top-secret application code relating to Goldman's high-speed financial trading platform, a competitive differentiator that earns the bank millions of dollars each year.

Part of the advantage of NBA is that the measure actively works with other security protocols that are already in place on the network, it is non-invasive and will not create conflicts or false-positive readings. Security measures built into applications and appliances will continue to operate as normal, or any security protocols that are inherent to any servers in use on the network.

Interaction between hosts and clients are scanned and routinely processed as being clear or as having some aspect that is out of the ordinary. Such scanning will also log any unusual changes in the use of bandwidth or any attempts to modify system protocols that appear to be somewhat severe in nature.

The most important element of any NBA project is analysing the normal and abnormal behaviour of access. NBA will help an organisation build up a profile of normal access activities, allowing the IT department, along with line mangers and compliance officers, to see who is accessing what systems and which credentials they are using to achieve that access. With this profile in place and with it continuing to evolve, organisations can then quickly see incidents of unusual and blatant unauthorised access.

Anomalies can include:

  • users logging in with credentials of other current or former employees;
  • users accessing systems with credentials they should not have been assigned;
  • users accessing systems and sensitive data remotely.

The use of NBA, in conjunction with the consistent enforcement of a comprehensive identity and access management (IAM) strategy, can help to limit the amount of time and resources required to maintain a high level of security and access compliance in the operation of a network.

In order for NBA to be truly effective, a baseline of normal network or user behaviour must be established. However, this takes time, so any NBA activity must be undertaken as part of a longer-term project and must take place over a period.

Once the key parameters have been defined, such as normal access, activity peaks and remote access levels, any departure from one or more of them is flagged as anomalous and other security systems can then come into play to take preventative action and shut down access as needed.

About the author

Stuart Hodkinson is the UK general manager of Identity and Access Management specialist Courion.