Dan's Take

Fortscale and the Enemy Inside
It's often an unethical employee that causes the biggest security headaches for organizations.

By Dan Kusnetzky
02/12/2015
Fortscale's Idan Tendler, CEO and co-founder, came by to discuss what his company has been doing since our last conversation at the Splunk user group conference roughly a year ago. Each time I have the opportunity to speak with him, I learn something more about how analysis of the organization's operational and machine logs can help.
This time Tendler pointed out that many of today's security breaches or thefts of customer data can be attributed either to malicious staff behavior, or to staff not following the enterprise's data governance or security policies.
Staffers are typically given access to many of the organization's data assets. They're trusted to use them appropriately and to follow the organization's guidelines and policies. Unfortunately, a few take advantage of the access granted them to gather data either for their own benefit or to sell to others.
The organization's operational or machine logs contain information that could help it understand whether and when applications or data were accessed at inappropriate times or from inappropriate places, or by an individual posing as a staff member through misuse of that staff member's credentials.
Predictive Analysis
Unfortunately, by the time the organization learns of the abuse, the data is already in outsiders' hands. Fortscale believes that its predictive analysis tools can help detect this activity in time to prevent this type of loss.
Tendler believes that many IT and business decision-makers are thinking about today's security issues in the wrong way. They're thinking about blunting a specific attack, rather than understanding that the danger lies in a long-term, slow, deliberate campaign that results in "burrowing and harvesting" data deep within the network. If Fortscale's data is correct, these campaigns can be underway for months or even years before they're detected. The company says the average attack lasts 356 days.
Fortscale says that covert campaigns of this type often employ legitimate user identities, so the typical password protection schemes won't be effective. The attackers have learned how to use sophisticated combinations of technology and sociological tools as part of their attacks.
Fortscale believes that a new approach is needed to secure enterprise networks and protect their intellectual property. The key to that approach is producing proactive intelligence, using Big Data Security Analytics as the foundation of the enterprise's approach to security.
Fortscale describes the use of Big Data for security analytics this way:
Big Data Analytics for Security refers to a process of analyzing massive amounts of structured and unstructured data from hundreds of sources – including system logs, network devices, IP addresses, emails, conclusive information derived from other attack investigations, third party research and more – in order to recognize patterns or anomalies, analyze trends, verify alerts and security events, and ultimately help organizations discover and neutralize advanced cyber attacks or under the radar threats.
Dan's Take: Forensic Analysis Is Now a Business Requirement
The only practical way to address today's threats is careful analysis of both current and historical data. This means rapidly sifting through huge amounts of operational and log data to ferret out the evidence of individual attacks, long-term campaigns and the malicious use of a staff member's security credentials.
The challenge Fortscale has addressed itself to is more than finding a needle in a haystack. It is finding the right needle in a huge mound of other needles. Each point of data is likely to be only marginally useful all by itself. When the data points are analyzed together for patterns of user behavior, a "norm" can be defined for each user, and anomalous behavior can then be detected against it.
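One way to put that baseline-and-anomaly idea into working code, as an added example that is not Fortscale's product or any code from this column: it learns each user's usual hours, source subnets and resources from a constructed sample log, then flags later events that fall outside that norm, such as the off-hours access from an unfamiliar place described earlier. The log format, the field names and the +/-1 hour tolerance are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (not data from Fortscale or this column).
# Format: "<ISO timestamp> <user> <source IP> <resource>".
BASELINE_LOG = """\
2015-01-05T09:12:00 alice 10.1.4.20 crm
2015-01-06T10:03:00 alice 10.1.4.20 crm
2015-01-07T08:55:00 alice 10.1.4.21 crm
2015-01-08T17:40:00 alice 10.1.4.20 crm
2015-01-05T09:30:00 bob 10.2.7.5 hr-db
2015-01-07T14:10:00 bob 10.2.7.6 hr-db
"""
# Constructed events to score against that baseline.
NEW_LOG = """\
2015-01-12T02:15:00 alice 203.0.113.9 hr-db
2015-01-12T09:05:00 bob 10.2.7.5 hr-db
"""

def parse(log):
    # Turn log lines into (timestamp, user, ip, resource) tuples.
    rows = [line.split() for line in log.strip().splitlines()]
    return [(datetime.fromisoformat(ts), u, ip, r) for ts, u, ip, r in rows]

def build_baseline(events):
    """Per-user 'norm': the hours, /24 subnets and resources seen so far."""
    base = defaultdict(lambda: {"hours": set(), "subnets": set(), "resources": set()})
    for ts, user, ip, resource in events:
        base[user]["hours"].add(ts.hour)
        base[user]["subnets"].add(ip.rsplit(".", 1)[0])  # crude /24 grouping
        base[user]["resources"].add(resource)
    return base

def deviations(event, baseline):
    """List how an event departs from its user's norm (empty list = normal)."""
    ts, user, ip, resource = event
    norm = baseline[user]  # an unseen user has empty sets and trips every check
    reasons = []
    # Off-hours if no baseline hour is within +/-1 hour (wrapping at midnight).
    if all(min((ts.hour - h) % 24, (h - ts.hour) % 24) > 1 for h in norm["hours"]):
        reasons.append("off-hours")
    if ip.rsplit(".", 1)[0] not in norm["subnets"]:
        reasons.append("new subnet")
    if resource not in norm["resources"]:
        reasons.append("new resource")
    return reasons

def detect(baseline_log, new_log):
    """Return an alert for every new event that deviates from the baseline."""
    baseline = build_baseline(parse(baseline_log))
    return [{"user": e[1], "time": e[0].isoformat(), "reasons": r}
            for e in parse(new_log) if (r := deviations(e, baseline))]
```

Run against the constructed logs, `detect(BASELINE_LOG, NEW_LOG)` flags only alice's 02:15 access from an outside address to a resource she never used, while bob's routine morning access produces nothing.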
Having seen several Fortscale demonstrations, I was really impressed by the company's ability to put all the pieces of the puzzle together to make it possible for the enterprise's IT staff to discover problems while they're still very small, and prevent future issues.
About the Author

Daniel Kusnetzky, a reformed software engineer and product manager, founded Kusnetzky Group LLC in 2006. He's literally written the book on virtualization and often comments on cloud computing, mobility and systems software. He has been a business unit manager at a hardware company and head of corporate marketing and strategy at a software company.