In Depth

Bill Boni and Ira Winkler on Insider Threats and the Death by 1,000 Cuts

Security veterans Boni and Winkler talk about protecting intellectual property from insiders and snoops.

By Derek Slater

Page 3

The protection mechanisms are too disjointed. Just as in infosec, we have challenges putting together the big picture. The challenge [in IP loss prevention] is how to pull together all those other sensory mechanisms: access cards, legal policies, areas where product models and mockups are done. You have to consider those as sensing devices or places where you can potentially detect behaviors. But they don't [usually] get correlated in any meaningful way in most organizations.

Winkler: It's hard to put a dollar figure on data or IP loss. When it happens and they talk about prosecuting hackers, they'll say I've lost millions of dollars to this. In fact, there was the recent case [involving] Lockheed Martin and Boeing where they were talking billions of dollars. However, I don't think Lockheed Martin took a billion-dollar loss on its balance sheet. Very rarely do they declare the loss in an accounting procedure. And if you don't do that, your executives aren't going to think, "We can protect ourselves against IP theft and save ourselves millions of dollars a year!"

So again, what security managers and CIOs should do is add up the little losses, which will add up to a big loss, and then put their security programs in place by adjusting for the little things.

You touch on the intersection of corporate or operational security issues and info security. Ira, you have a story where you were doing penetration tests at a client company and were able to walk out with critical engineering documents that you found—not in the engineering department but in the graphics department.

Winkler: Right. The CEO has the graphic arts department at his beck and call, and its responsibility is to make documents look pretty. Now, the graphic arts people think of themselves as artists; they're not thinking about, "Hey, I have some of the most valuable documents in the company on my server." Obviously, if you go to the financial group and say, "I want to see your financial data," they'll laugh you out of the office. But if you go to the graphic artists and say, "Can I take a look at your computers for a minute?"—they'll say, "Sure, why not." So people have to understand that there are many places where valuable data goes. And, ironically, some of the most valuable data gets sent to places where they think the data's irrelevant.

That makes an argument for active cooperation of all security groups. It also makes a case for the concept of Defense in Depth: Deemphasize the perimeter-oriented approach to security and start thinking in terms of layers of internal defense.

Ira Winkler
