Trust no one: A better way to close the security gap?
- By Paul McCloskey
- Aug 19, 2015
Agencies are increasingly turning to predictive analytics to root out fraud, but those aren’t the only tools being used to spot and control anomalous behavior. New identity security tools are emerging to help enterprises that might be victimized in fraud schemes enabled by insiders or attackers using insider credentials. Those users have been at the center of several recent high-profile attacks. Their privileges were exploited as the result of sophisticated spear-phishing attacks, including the one on health insurer Anthem earlier this year in which 80 million records were stolen.
“These are privileged users with access to everything in the database — not just their records; they have the ability to go from system to system inside a corporate or government infrastructure,” said Ken Ammon, chief strategy officer at Xceedium.
“What happens is criminals target those individuals because they know their roles or their accounts are extremely powerful in the organization,” Ammon said. “If they can send them an email that they might click on, it installs as a super user who now can download the entire corporate database from network to network.”
To help defend against that vulnerability, Xceedium has embraced a policy of “zero trust,” whereby access is extended only for a specific reason and for a specific amount of time.
“It’s a method in which you are now managing the enablement rather than trying to curtail certain transactions on the network,” Ammon said. It gives network managers “a very small subset of items [that] an individual has credentials and capabilities to do.”
The company’s Xsuite is built around that policy. “A big component that has been missed in authentication — which the government is really in a game-changing position to demonstrate the value of — is around tying a unique identity to the authorization process,” Ammon said. Without that capability, security managers “really have no idea who you are.”
Xsuite denies network access to all systems and applications except those that are expressly allowed. The product also monitors, records and audits privileged access to systems in legacy IT, cloud or hybrid configurations and provides DVR-like recordings of privileged user sessions, which eases continuous monitoring and forensic activities.
“If you have 10,000 people in an organization, you might have 700 people or less that you might consider privileged,” Ammon said. The tool gives those high-level users “the equivalent of a video camera watching their screen for everything that they do. And we will enforce a policy while they’re doing the job.”
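The deny-by-default, time-bound access model described above, as an added illustration that is not Xceedium's code or Xsuite's API: a hypothetical broker that refuses every privileged session unless an unexpired grant with a recorded reason names it, drops grants as soon as they expire, and keeps an audit record of each decision for later review. All identifiers (PrivilegedAccessBroker, dba.alice, hr-db, CHG-1234) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Hypothetical just-in-time grant: one user, one target, one stated reason, one expiry.
@dataclass(frozen=True)
class Grant:
    user: str
    target: str          # system or application the grant covers
    reason: str          # ticket or justification recorded with the grant
    expires_at: datetime


class PrivilegedAccessBroker:
    """Default-deny broker: a session is refused unless an unexpired grant names it."""

    def __init__(self) -> None:
        self._grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[dict] = []      # one record per decision, the basis for later forensics

    def grant(self, user: str, target: str, reason: str, minutes: int, now: datetime) -> Grant:
        if not reason.strip():
            raise ValueError("a grant must carry a reason")
        g = Grant(user, target, reason, now + timedelta(minutes=minutes))
        self._grants[(user, target)] = g
        return g

    def authorize(self, user: str, target: str, now: datetime) -> bool:
        g = self._grants.get((user, target))
        allowed = g is not None and now < g.expires_at
        if g is not None and not allowed:
            del self._grants[(user, target)]   # expired grants do not linger as standing privilege
        self.audit.append({"at": now.isoformat(), "user": user, "target": target,
                           "allowed": allowed, "reason": g.reason if (g and allowed) else None})
        return allowed


def demo() -> Tuple[bool, bool, bool, int]:
    """Constructed scenario: one DBA, one 30-minute grant, three access attempts."""
    broker = PrivilegedAccessBroker()
    t0 = datetime(2015, 8, 19, 9, 0, tzinfo=timezone.utc)
    broker.grant("dba.alice", "hr-db", "CHG-1234 index rebuild", minutes=30, now=t0)
    in_window = broker.authorize("dba.alice", "hr-db", t0 + timedelta(minutes=10))      # True
    other_sys = broker.authorize("dba.alice", "payroll-db", t0 + timedelta(minutes=10))  # False: never granted
    expired = broker.authorize("dba.alice", "hr-db", t0 + timedelta(minutes=45))        # False: window closed
    return in_window, other_sys, expired, len(broker.audit)


if __name__ == "__main__":
    print(demo())   # (True, False, False, 3)
```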
Identity security is behind another application designed to flag the activities of agency employees who might be involved in or subjected to fraud. InfoZen’s IDentrix continuously monitors personnel data, starting with prehire background checks, to alert organizations to potential internal threats.
The software checks more than 65 public identity attributes, including criminal and court records, to keep employees’ risk profiles continuously updated and correlated through their entire work history.
“The concept of continuous monitoring is what everyone is now waking up to,” InfoZen CEO Raj Ananthanpillai said. An individual whose security status is not updated “can do significant damage in 10 years. If you had alerts set up saying, ‘If anything in these categories happens to that individual,’ you could investigate and take preemptive action.”
However, he added, “I’m not saying this is going to solve problems, but at least you would mitigate a big chunk of the problem.”
Partial fixes to big threats might ultimately cut the fraud problem down to size, but unfortunately anti-fraud developers don’t see fail-safe solutions in the near future.
Paul McCloskey is senior editor of GCN. A former editor-in-chief of both GCN and FCW, McCloskey was part of Federal Computer Week's founding editorial staff.