Stop Boiling the Ocean in Small Pots

It's time for a sea change in how large companies think about network security. Current approaches involve stitching together many point solutions, which ends up being as effective as boiling the entire ocean in a bunch of small pots.

There's been a rash of insider breaches over the past year, from DuPont employee Gary Min stealing $400 million of information from the company to the Veterans Affairs laptop theft, which disclosed the personal information of 26.5 million veterans and active-duty personnel. Insiders have caused significant damage to various organizations, yet billions of dollars are spent on mechanisms such as firewalls, IDS, and NAC systems, which are implemented primarily to defend against external cyber threats and fail to complete the job. This approach doesn't make sense, especially when malicious intrusions by hackers make up a minority of the 550 confirmed security incidents that have occurred over the past 25 years. According to a March 2007 University of Washington study, 60 percent of these incidents were attributable to insiders.

Insiders present such a danger not only because they are aware of the practices, procedures, and technologies used in their organizations, but also because they are aware of the vulnerabilities, such as loosely enforced policies or exploitable technical flaws. And though not all insider breaches are malicious in intent, the financial and reputational ramifications are just as great when an accidental incident occurs, such as accessing the wrong data or mistakenly exposing data online (as in the July 2006 AOL case, in which users' SSNs, credit card numbers, and other pieces of sensitive information were exposed).

It's time to turn security strategy on its side. Knowing what your users are doing with networks and systems should become a priority, and to do this, companies should focus on a comprehensive framework to prevent and detect insider risk.
One such framework involves "Security ABCs": access plus behavior plus content.

A: ACCESS

Access control is an important component of security, as it provides protection against unauthenticated users and prevents them from connecting to the network. To secure the way a user accesses the network and systems, network access control (NAC) or identity and access management (IAM) technologies are often implemented.

NAC devices offer the elements of authentication, end-point security assessment, and gauging the connections to your network environment. For authentication, NAC answers the questions "who are you?" and "what is your role?" For end-point security assessment, it makes sure you're following a lifecycle approach, starting with assessment, then remediation, followed by enforcement integration. As for the environment, NAC helps determine whether your user is connecting through a wireless link or a VPN, from the office or from another country.

IAM is a vital ingredient in helping to meet compliance mandates. With the ability to credential, provision, de-provision and declare access status in an automated manner, IAM systems answer the auditor's call for tighter controls. IAM can also enhance operational efficiencies by reducing help desk hours and getting workers back on the job faster, all while helping to reduce the effort to manage the credentials of all the various parties involved in today's extended business.

While NAC and IAM devices answer the "who are you?" portion of security, they don't give a clear enough picture of what users are doing, as they only ensure that the right identities are authenticated and authorized on the network. What about tracking these identities or users after they are already on the network? What about the activities some users should be permitted to do, but not others? What about the activities anyone can do, but only under certain conditions? For this, you need the next step of the ABCs: behavior.
B: BEHAVIOR

Enterprises and government agencies need to know who is doing what with critical business data and where it's being done, especially as businesses continue to grow organically or through mergers and acquisitions. To add to the complexity, there are contractors, partners and sometimes customers who often need access to your network, obscuring your view of certain activities. The lack of visibility creates critical gaps that lead to access control compliance issues and audit findings. CERT has reported that 50 percent of misuse occurs between the time a user is terminated and the time his or her privileges are revoked.

Having a monitoring tool in place can help fill those gaps and make sure users are doing what they should with your business data, in the role each was assigned. Products such as IAM systems answer the auditor's call for tighter controls, but do not provide deep visibility, with clarity or authority, into the appropriate behaviors that every single entity on the network should be exhibiting. While Joe in accounting should access file X, only the CFO should access files X, Y and Z. You need behavioral monitoring to see, with certainty, that Joe isn't bypassing the system and opening a database he shouldn't, and you need the proper controls in place so he's unable to get that far in the first place.

C: CONTENT

Technologies such as encryption, content monitoring and filtering (CMF) and secure sockets layer (SSL) provide layered protection against the inappropriate or unauthorized transfer of sensitive data. Encryption encodes at the access layer in such a way that only the person (or computer) with the key can decode it. CMF tags assets in one fashion or another as sensitive, and then manages, at the asset level, where they go across the network. For example, if an employee e-mails financial results before they are officially announced, a CMF tool will flag that email.
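As an added example (not from the original article or from Securify), the following Python script applies the Behavior and Content checks described above to a constructed set of access-log records: each user has an assigned role, roles map to the assets they may touch, HR supplies a termination date so that access after termination but before revocation is flagged, and an embargoed asset e-mailed out early is flagged the way the CMF example describes. All user names, asset names, dates and log records are constructed for the example.

```python
# Added example, not from the original article: role, termination and
# content-embargo checks over constructed access-log records.
from datetime import datetime
ROLE_ASSETS = {  # role -> assets that role may access
    "accounting": {"file_X"},
    "cfo": {"file_X", "file_Y", "file_Z"},
}
USERS = {  # user -> (role, termination date from HR or None)
    "joe": ("accounting", None),
    "maria": ("cfo", None),
    "bob": ("accounting", datetime(2007, 3, 1)),
}
# asset -> date before which it may not be e-mailed out (the CMF rule)
SENSITIVE_EMBARGO = {"file_Z": datetime(2007, 4, 15)}

# constructed log records: (timestamp, user, action, asset)
LOG = [
    (datetime(2007, 3, 5, 9, 0), "joe", "read", "file_X"),
    (datetime(2007, 3, 5, 9, 5), "joe", "read", "file_Y"),  # outside role
    (datetime(2007, 3, 2, 8, 0), "bob", "read", "file_X"),  # after termination
    (datetime(2007, 3, 6, 10, 0), "maria", "email_out", "file_Z"),  # pre-embargo
    (datetime(2007, 4, 20, 10, 0), "maria", "email_out", "file_Z"),  # allowed
]

def check_record(ts, user, action, asset):
    """Return finding codes for one record (empty list if clean)."""
    role, terminated = USERS.get(user, (None, None))
    if role is None:
        return ["unknown_user"]
    findings = []
    if terminated is not None and ts >= terminated:
        findings.append("post_termination_access")
    if asset not in ROLE_ASSETS[role]:
        findings.append("outside_role")
    embargo = SENSITIVE_EMBARGO.get(asset)
    if action == "email_out" and embargo is not None and ts < embargo:
        findings.append("embargoed_content_sent")
    return findings

def audit(records):
    """Collect findings per (user, asset); clean pairs are omitted."""
    report = {}
    for ts, user, action, asset in records:
        for code in check_record(ts, user, action, asset):
            report.setdefault((user, asset), set()).add(code)
    return {k: sorted(v) for k, v in report.items()}
if __name__ == "__main__":
    for key, codes in sorted(audit(LOG).items()):
        print(key, codes)
```

In a real deployment the role table would come from the IAM system and the termination dates from HR, so the gap between termination and revocation that the article cites becomes directly visible in the findings.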
SSL creates a secure connection at the network level between a client and a server, over which any amount of data can be sent securely. Each of these technologies is an important component of security, but encryption, CMF and SSL are purely focused on watching the data, not the user activities or how the user is retrieving the data. And a malicious user can often bypass this type of filtering, or even steal crypto keys along with data, rendering encryption useless.

THE SUM OF THE ABCS

As standalone solutions, access technologies, behavioral monitoring and content protection are each just a piece of the puzzle. Instead of focusing on point solutions to solve discrete security issues, companies should focus on developing a framework that provides a comprehensive blanket of protection. To verify and control what insiders are doing with critical information, achieving the sum of ABC is crucial.

Access and Content are fundamental areas that most organizations have already deployed or are currently deploying. However, this combination leaves an organization blind to what is truly important: visibility into every user's behavior. As the number of users on the network continues to grow with mergers and acquisitions, contractors and partners, a security strategy that doesn't monitor behavior leaves an organization susceptible to insider threats, both ignorant and malicious. Without the sum of the ABCs, organizations are susceptible to a tsunami and may not ever know it until they're deep under water.

Steve Woo leads the marketing, product management and strategic business development efforts at Securify Inc., a provider of security appliances that help the world's most secure networks to enforce network usage. He can be e-mailed at , and www.securify.com provides additional information.