In Depth

Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

By Derek Slater


So you [should try to] capture and synthesize a significant portion of those loss events, using HR, the physical security groups and other branches of the company as sensing mechanisms.

A lot of talk right now in IS is about the software consoles that do event analysis and correlation. I'm talking about creating an analog of that at the corporate level that correlates the technical aspects of security with everything else—HR, legal, all these different areas. Now management can make better-informed decisions with data, not just anecdotes.

A lot of practitioners will take advantage of a breach to say, "Aha, see, we need to protect our IP." But the counterargument is, "This was a one-time event." But if you have a process in place that allows you to prove that, no, it happened three times in the last quarter alone....

The next important question is, What's the source [of the vulnerability]? Is it technology? A legal loophole? A cultural blind spot in employees or management?

Even if you know your intellectual property is leaking out, how do you make that connection between what's been lost and where the loophole is?

Boni: This is where you go back to the fundamentals of counterintelligence. Information security can make its best contributions when you use the whole suite of tools and techniques with a counterintelligence mind-set.

Another example. If someone is scanning the internal network, your internal intrusion detection system goes off, and typically somebody from IT calls the employee who's doing the scanning and says, "Stop doing that." And he replies, "Oh, I was just testing this thing for my college class on IT management. I won't do that again."

He offers you a plausible explanation, and that's the end of it. Throughout the history of IP theft, this is how it always goes. HR sees one thing, physical security sees the guy "accidentally" carrying out documents ("Oops...I didn't realize that got into my briefcase"), and the IT people see the scanning incident. But nobody puts them all together to realize it's the same guy!

With IP theft, you can't always determine that it was Professor Plum in the library with the lead pipe. But [by adopting] a counterintelligence mind-set you can identify gaps in your protection scheme. Sometimes it [really] is accidental; I've worked cases where they did high-level internal product announcements at a ritzy offsite and left copies of printouts lying around. Sometimes it's not accidental. People in other countries—Ira has seen this—send in "dummies" who get jobs in the payroll department, and [once] they're there for several months there's a very good likelihood they'll be able to access valuable documents.

Ira Winkler
