CEO, Bay Dynamics
Seeing Threats in Context, With Reflections on the IRS Breach
June 1, 2015— Seeing Through the Outsider's Insider Mask: Reflections on the IRS Breach. We spoke with Bay Dynamics CEO Feris Rifai on the lessons he thinks we can draw from the breach of the US Internal Revenue Service's "Get Transcript" service.
The CyberWire: Start by telling us what you think the big lessons are in the recent IRS breach.
Rifai: What's interesting is that these breaches have a far-reaching effect. We're seeing hackers being creative in leveraging information they've already stolen. When you've got hackers looking like legitimate users, it's very hard to pin them down. This is really an evolution in cyber security: you don't need malware to inflict damage.
What we need are systems in place to contextualize the attackers. They look just like insiders. They're making a secondary use of primary compromised assets, and that's what happened at the IRS. If you look at recent examples of this kind of compromise, you'll find that the IRS case isn't unique, and that this problem is going to get worse. Look back to April and the State Department breach, which in turn led to a breach of the White House.
You need to be able to contextualize behavior, detect bad behavior, and stop the bleeding. You need to be able to identify high-risk user behavior, know where your high-value assets are, and know to act to protect them.
The CyberWire: What do we know about the data used to compromise the IRS "Get Transcript" service?
Rifai: There's been lots of speculation, but the fact is we don't know. We do know that once you've gained access to that kind of information, you can leverage it. Everyone needs to look at how the modern threat has evolved. Protecting your perimeter is clearly no longer enough. You've got to call out high-risk behavior in a predictive way by recognizing it in context.
The CyberWire: When you talk about context, does that include an attacker's motivation? Do we care about motivation? Or do we care about attribution in cases like this?
Rifai: To be candid, we have to recognize that motivation can vary. The point is not to allow the dangerous activity to occur in the first place—get your house in order to defend it against the threats that are out there, whatever their motivation may be. Ask how you can get better. Be able to prioritize your actions to take care of the most pressing weaknesses. Today we spend a ton of time on discovery. We should ask how we can take cyber security practitioners and make them more effective. We need to move from discovery to prioritized action.
The CyberWire: So then you wouldn't include motivation in the behavioral context you advocate considering?
Rifai: Look, I'll put it this way: if you look at legitimate users, and see that those users' behavior is an outlier, then, yes, you consider motivation. But if you're looking at an outsider attacker, it's important to recognize them. We're not just worried about malicious insiders, but about compromised insiders—that is, outsiders using compromised credentials to pose successfully as insiders.
The CyberWire: Is the distinction between the insider and outsider threat collapsing?
Rifai: Part of our reality today is that, if you're an outsider who's successfully compromised a legitimate user's credentials, then you look like an insider. Anomalous behavior will reveal you as a threat, and you need machine learning to call out the anomalies. If you've got an insider whose endpoint's been attacked, and then you see their behavior becoming anomalous, then maybe you've got a compromise. The context gives you the necessary perspective.
The CyberWire: Many enterprises have undertaken various kinds of continuous monitoring against the possibility of insider threats. Some forms of continuous monitoring seem legally problematic—too intrusive, too free with an employee's privacy. Others may just be unacceptable in a given corporate culture—your employees (and your prospective employees) just won't put up with it. Do you see a way around these issues?
Rifai: Monitoring is about letting the data tell the story. Apply machine learning to a universe of data, and then look at the subset of those that exhibit anomalies. Some of our clients have contractors who receive considerable access to their systems. Some of these people have the keys to the kingdom, and you see some of them behaving anomalously. You may see some activity you need to blacklist immediately.
You're trying to distinguish a legitimate user from a compromised user being impersonated by an outsider. Sometimes they'll reveal themselves through high-risk behavior, sometimes through anomalous behavior.
Organizations' security measures have typically evolved over time to deal with a shifting array of threats, and now the typical organization can easily suffer from data overload. Looking at behavior in context can help organizations do a lot to connect the dots.
The CyberWire: You recommend that enterprises identify their most valuable assets and organize to protect these first?
Rifai: You want the security practitioner to walk in the door in the morning and, instead of staying in discovery mode, to have a priority list of the assets most likely to be exploited. Take the practitioner from discovery to action. Throwing more people at the problem just won't scale, and it won't help you take action before it's too late to protect the most important assets.
The CyberWire: When you look at a problem like the one the IRS suffered, what's the right mix of education or training, and policy, and technical means of defense?
Rifai: It depends on where you are, and in particular on your organization's maturity with respect to security. We've had clients who've dropped incidents by 70% with just-in-time training. And we've seen clients drop second-time violations by 85%.
The CyberWire: So to be clear, you recommend detecting anomalous user behavior, stopping that user's behavior, and then administering just-in-time training?
Rifai: Yes. Be able to detect the anomaly, and also be able to look at it so you can determine that it's not just anomalous, but that it's also bad—two related but distinct things. We, for example, provide an intraday list of priority threats. Education is particularly important for the well-intentioned legitimate user who's engaging in risky behavior. The number of well-intended but risky activities you see is dumbfounding. The reality is you can't change a culture by simply asking. Instead, you have to educate and empower the well-intentioned person to do the right thing and not expose the organization.
And you also need to be able to help the responders. Make it easier for them. You no longer want them to look through hundreds of thousands of events, event by event. You have to enable responders to see patterns and bulk remediate issues, ultimately fixing broken business practices.
The CyberWire: A lot of observers think the IRS problems will occur elsewhere in the US Government. Any advice for the Government in particular?
Rifai: Not beyond the advice I've already offered.
The CyberWire: Do you see identity management as a way of, in the future, perhaps, preventing the sort of cascading breach we've seen here?
Rifai: The key is solutions that look at behavior to represent a useful perspective. I'd recommend that organizations harden their defenses around their crown jewels. That's the future: early, predictive detection and prioritized protection.
The CyberWire: Any final lessons you'd draw from the IRS incident?
Rifai: I think it comes down to understanding behaviors. If the Social Security Numbers were obtained elsewhere, without IRS negligence, it's not about the IRS, but about all of us. In a connected world, there's inevitable interdependency. Don't close things down, but be smart about how you collect, protect, and handle information. And always look at user behavior in context.
The CyberWire: Thank you, Mr. Rifai.