Protection Against Friendly Fire
In this month’s Musing, I pick up on the thread that I left off at the end of the June Musing.
Mark Hoover, President, Acuitive, Inc.
As I discussed in June’s Musing, I believe that providing visibility into potential Friendly Fire incidents putting sensitive corporate information at risk is essential. Related to that need, and perhaps even more obvious and compelling, is the need to protect yourself against those who appear “friendly,” but are not. Let me continue my Battle of the Bulge analogy. In that offensive, Germany created a division of soldiers who dressed as American soldiers, drove captured American trucks and tanks, and used American weaponry. Their mission was to get behind American lines, disrupt communications, traffic control, and engineering efforts, and perhaps capture a general or two. It didn’t work out too well because of bungling by the Germans – too few soldiers who spoke even basic English, a mixture of American, German, and British equipment, and singing BrauHaus songs while wheeling down the highway.
If only we could count on electronic espionage attempts being so elementary…but we can’t. Stolen credentials are becoming more and more common. The potential economic disruption to individuals and corporations due to attackers operating under the guise of an authenticated customer is huge. Reportedly, organized crime has gotten into the game with highly organized “Phishing” attacks, where very formal and credible notifications are sent out to people who are directed to expose sensitive personal information in their response. Most recipients don’t fall for it, but the bad guys can make a lot of money on the 5% or 1% or even 0.1% who do.
What is needed is a tool that allows you to monitor Friendly Fire efficiently, while at the same time providing robust protection against many forms of Unfriendly Fire - both the relatively easy hacker attack and the much more challenging “seemingly authenticated user” attack. Intrusion Detection and Prevention devices and so-called Web Firewalls or Application Firewalls don’t serve this need. Such devices are much more oriented towards defending against intruders who don’t pretend to be authenticated, and towards applications where authentication isn’t viable, like external marketing-oriented web sites. Such applications are worth securing, but they aren’t the crown jewels. Different tools are needed to protect and track the crown jewels.
I think I’ve discovered a useful tool for this type of security protection, provided by a company called Covelight Systems (www.covelightsystems.com). The Covelight product, Percept, overlays your existing application delivery architecture, examining packets into and out of your web-enabled applications (usually off to the side, via a mirroring port of a switch). Percept cracks these packets and monitors all of the authentication, application, and data access processes for each user session. At the least, this provides granular time- and user-correlated visibility into who is using your applications to access sensitive information, and when. In addition, Covelight assesses the user, application, and data access behavior to discover out-of-norm patterns. These patterns are then “weighted” relative to the potential impact of the behavior, the probability that something unusual is actually happening, and other key analytical parameters. Some malicious behaviors - generally those exhibited by external users performing reconnaissance prior to an attack - are easy to identify and stop. More impactful attacks that would normally go undetected by other methods - like credential or identity theft - can often be quickly detected by Percept. I can probably best give you a feel for the power of the technology by citing a few examples of the kind of situations it is designed to prevent:
A Phishing attack can result in the (apparently) same authenticated user accessing data from a wide range of geographic locations over a short period of time. Unless they’ve discovered something about accelerating the speed-of-light, there is some kind of issue here. That’s an easy anomaly for Percept to spot (but difficult to impossible for others) and is clearly a usage pattern far different from what one truly authenticated user would exhibit.
A former Verizon Wireless customer service representative allegedly activated $20M worth of pre-paid phone cards through a web-enabled, password-protected application in which the company kept a record of prepaid cell phone minutes. He allegedly continued to access the Web site and copy numbers even after he left the company in November 2003. Percept wasn’t deployed by Verizon to prevent this, but if it had been, they could have prevented being “newsworthy” in the wrong way.
A Florida man was indicted in an alleged scheme to steal vast amounts of personal information via Internet-facing web systems, and the Justice Department said it might be the largest illegal invasion and theft of personal data to date. Federal officials declared the theft of approximately 8.2 gigabytes of data resulted in losses of more than $7 million.
A software engineer working for America Online was arrested on charges that he broke into the ISP's information systems and stole 92 million customer e-mail addresses which were later sold to spammers. He used the identification code belonging to another AOL employee to access the data he stole. His employment duties did not give him access to the customer data. Percept could have quickly picked up on the changing access pattern of the employee whose identification code was stolen and flagged the issue.
Percept is currently in use by an electronics manufacturer to protect their engineering document management system from intellectual property theft. Percept detected several engineering contractors sharing their user credentials to gain access to each others' engineering projects.
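To make two of the patterns above concrete, here is a small detector over a constructed session log. It is an added example and not Covelight’s or Percept’s code: it flags the same credential appearing from locations too far apart to have been reached in the elapsed time (the Phishing case), and one credential active from two different client addresses at once (the contractor credential-sharing case). The Session record, the speed and distance thresholds, and the sample sessions are all assumptions made for the illustration.

```python
# Added example (not Covelight/Percept code): two session-level anomaly
# checks run over a constructed log of authenticated web sessions.
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations
from math import asin, cos, radians, sin, sqrt

# Assumption: implied travel faster than this cannot be one real person.
MAX_TRAVEL_KMH = 1000.0
# Assumption: ignore small jumps (GeoIP jitter, neighbouring offices).
MIN_TRAVEL_KM = 100.0


@dataclass(frozen=True)
class Session:
    """One authenticated session as a monitor on a mirror port might record it."""
    user: str
    src_ip: str
    lat: float
    lon: float
    start: datetime
    end: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in km (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def implied_speed_kmh(a, b):
    """Speed one person would need to start session b after starting session a."""
    km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.start - a.start).total_seconds()) / 3600.0
    if hours == 0:
        return float("inf") if km > 0 else 0.0
    return km / hours


def _by_user(sessions):
    users = {}
    for s in sessions:
        users.setdefault(s.user, []).append(s)
    return users


def impossible_travel(sessions):
    """Flag consecutive logins of one user too far apart for the time elapsed."""
    findings = []
    for user, sess in _by_user(sessions).items():
        sess = sorted(sess, key=lambda s: s.start)
        for a, b in zip(sess, sess[1:]):
            if haversine_km(a.lat, a.lon, b.lat, b.lon) < MIN_TRAVEL_KM:
                continue
            speed = implied_speed_kmh(a, b)
            if speed > MAX_TRAVEL_KMH:
                findings.append((user, "impossible_travel", a.src_ip, b.src_ip, round(speed)))
    return findings


def shared_credential(sessions):
    """Flag one credential active from two different client addresses at the same time."""
    findings = []
    for user, sess in _by_user(sessions).items():
        for a, b in combinations(sess, 2):
            overlap = a.start < b.end and b.start < a.end
            if overlap and a.src_ip != b.src_ip:
                findings.append((user, "shared_credential", a.src_ip, b.src_ip))
    return findings


def _t(hour, minute):
    return datetime(2004, 7, 1, hour, minute)


# Constructed sample log; coordinates are approximate city centres.
SAMPLE = [
    Session("alice", "198.51.100.7", 40.71, -74.01, _t(9, 0), _t(9, 20)),  # New York
    Session("alice", "203.0.113.9", 51.51, -0.13, _t(9, 30), _t(10, 0)),   # London, 30 min later
    Session("bob", "10.0.0.5", 35.78, -78.64, _t(9, 0), _t(10, 0)),        # Raleigh, desk A
    Session("bob", "10.0.0.9", 35.78, -78.64, _t(9, 20), _t(9, 50)),       # Raleigh, desk B, overlapping
    Session("carol", "10.0.0.12", 35.78, -78.64, _t(8, 0), _t(8, 30)),     # normal
    Session("carol", "10.0.0.12", 35.78, -78.64, _t(12, 0), _t(12, 45)),   # normal
]

if __name__ == "__main__":
    for finding in impossible_travel(SAMPLE) + shared_credential(SAMPLE):
        print(finding)
```

Run as-is, it reports alice for impossible travel (New York to London in half an hour) and bob for a shared credential (two client addresses with overlapping sessions), while carol’s two sessions from one desk pass both checks. Real deployments would feed these checks from the session records the monitor reconstructs and weight each finding by the sensitivity of the application involved, as the text describes.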
Other Friendly Fire attack behaviors can be much more subtle and take longer to identify out of the noise of normal usage patterns. In those cases, Percept (or any other tool) can’t stop the attack dead in its tracks, but it can provide the earliest possible warning of such an attack. Even if such warning comes after-the-fact, Percept can replay for you the sequence of what data was accessed when and by whom so that you can minimize damage by rolling back to your last known uncompromised state. This enables you to notify specific compromised users or partners with detailed information about the nature and scope of the attack (rather than issue a general warning which usually attracts undesired publicity) and create forensic and historical information in support of subsequent investigations and disciplinary or legal actions. As I project enterprise deployment, Percept could become an important driving element of your whole risk/threat incident management process.
I like the Covelight story so much and am such a big fan of their CEO (Dave Logan, an ex-partner at Acuitive), I am exhibiting some unusual behavior for me. For the first time, I have accepted an invitation to join the Board of Directors of a company as an outside Board member. I’ve been a Board Observer, Advisor, Technical Advisor, presenter, defender, and lunch gopher many times, but I’ve never actually joined a Board before.
I can now pretend to be Elliot Ness, with Covelight as the Untouchables, casting a “Phish Net” out to capture the bad guys. What fun for a boy named Hoover.
Covelight does face some challenges. So far, at least on the surface, it seems like protecting against Friendly Fire is not a priority issue for enterprises. But that is not logical. I don’t see how that can really be true. It is more likely that the responsibility for it falls between organizational boundaries. Or maybe it is viewed as more of a Human Resources issue or a Legal issue than an IT issue. The main mission for Covelight right now is to identify and gain access to the right people to sell the product to, since the “usual IT suspects” may not be chartered to deal with such issues.
The company also faces a complex competitive and messaging challenge to address:
Some real competition (e.g. see www.oversighttech.com)
Confusion with vendors in the “content inspection” segment providing a similar (but complementary) value proposition for e-mail, IM, and other messaging and document exchange types of traffic (e.g. Vontu, Fidelus, Vericept, among others).
Perceived overlapping capability with a whole slew of other devices – app-aware firewalls, web firewalls, network and host-based intrusion detection/prevention devices, application front ends (aka SLBs), zero-day attack prevention devices (worm burners), authentication products, etc., all of which are more oriented towards keeping external attacks to a minimum, as opposed to protecting against Friendly and Pseudo-Friendly Fire.
So the company has some work to do to de-confuse the world at large. Covelight focuses on the behavior monitoring, misuse detection, and audit functions related to the usage of sensitive corporate information via Web-based applications. The need is there. Almost everyone Covelight talks to expresses admiration for the product. But creating or drafting the urgency that leads to fast buying decisions has proven elusive so far. If Percept were a “worm-burner” or a “spam smasher” it would be getting a lot more attention from IT, even though the stakes at the business level are not nearly as high as Friendly Fire or Phishing. To me, this is actually a pretty scary observation. It would help a lot if a rogue employee, consultant, partner, or employee pretender would infiltrate target customers a week or two before Covelight met with them. But so far they haven’t benefited from such providential timing.
Covelight also needs to determine what partnerships in the overall ecosystem would help augment their technical advantage and accelerate market penetration. Finally, as with any young company transitioning through the early customer acquisition and growth stages, the team needs to grow in a well-managed manner, continuing to add “A” players to the team (with outside Board Members being the exception).
I look forward to helping Dave Logan, the rest of the Covelight team, and the other Board members navigate through these challenges and, hopefully, become an important contributor to the overall business community.
Copyright © 2004 Acuitive, Inc.