Channel: Jim Ricotta's blog

Some Companies Regularly Thwart Insider Theft

Key to preventing these types of threats is understanding when the line has been crossed from legitimate business operation to risky behavior.

We're in the midst of our annual survey of our customers -- leaders in automotive, financial services, aerospace, insurance, oil & gas, healthcare, entertainment, manufacturing and technology. We specialize in privileged user monitoring and control to stop IP theft. And we know from two years of survey data that our customers thwart malicious insider attacks at least once or twice every year. This number is typical at almost all mid-size and large organizations – but most of the time the theft goes unnoticed by security teams unless alerted by a third party or an employee.

Case in point - Bloomberg reports: "Three Charged With Stealing Flow Traders Trading Software." In the Flow Traders case, two employees were charged with stealing the firm’s electronic trading software by emailing it to themselves from their work accounts or by using Dropbox. The thefts were reported by an employee well after the event occurred. The complaint accuses two men of planning to use the software to start their own company.

Now investigators are trying to piece together exactly what was stolen, obtaining search warrants and presenting to a grand jury. Sadly, this is not a new story – see our post from back in January when the same thing happened at AMD. The key to preventing these types of attacks lies in understanding the context of the events and recognizing when the line has been crossed from legitimate business operation to risky behavior to insider attack.

To define real behavior that sets off alerts, we must have context. In the Flow Traders case, the context involves the users, their roles and actions. Here, traders had proper access to sensitive trading algorithms. But using corporate email to send trading algorithms to home email is never a normal business activity. Posting that data to an unsecured Dropbox account is even more abnormal.

Clearly, the security team at this company did not know any of these actions were occurring and was completely blind to the risk they posed. The investigators and prosecutors will likely spend years collecting data and working through the trial process. The costs will be high for Flow Traders in terms of legal expenses and lost business. And, at least one start-up competitor is now well-armed to compete with the firm using its (formerly) secret intellectual property that it spent millions and years developing.

Why are companies still paying the high price for living in darkness, rather than deploying proactive technology to catch thieves and create forensically sound data in real time to keep the story out of the headlines? Our survey results show our customers have visibility into the context of their business.

In a similar case, our customer, a global manufacturer, was able to determine exactly which documents were copied to which devices at what time, and determine that the downloaded information was clearly labeled as "trade secrets." There were no headlines here because the employee was caught before data could be compromised -- and, the forensic data was so complete the employee pled guilty, avoiding publicity and a costly trial.

If you have sensitive data and you are not catching insiders doing something risky at least once or twice a year, the chances are very good that you are blind to these events. If you're in any of the industries that our customers are, it's a good time to ask the question: “What am I waiting for?”

