Identity management systems (IDM) control user access to specific company information based on their identity, duty and responsibilities. Increasingly today's enterprises are turning also to the next level of security with the use of network access control systems (NAC) to verify the integrity of devices as they access the corporate network.

There is little doubt that IDM and NAC security systems are necessary for sound access control but they fail to address a potentially more dangerous threat. One that in recent months has loomed ever larger in the concerns of CIOs: the risk of data breach through inappropriate behaviour by someone who is authorised to access the network and its information.

Let's consider a situation where a user has been granted access to the network, applications and databases in order to undertake their normal business activity; but whose behaviour becomes mischievous after authorisation. Perhaps they are downloading entire customer databases to their laptop or seeking to email sensitive data to an address outside the company, or copy it to a removable medium such as a USB stick. Either way, they are abusing the access rights they have been granted and will need to be stopped urgently to protect against the loss of valuable company information assets.

Lars Davies, a lawyer and provider of compliance consultancy services, notes: "If an authorised individual, for example, has inappropriately accessed or copied company information then potentially an unauthorized access under the Computer Misuse Act has occurred; it could also be a breach of copyright law. If any personal data is involved, it could also constitute a breach of the Data Protection Act (DPA). This type of act by a senior employee could also result in a breach of their duty of confidence and a breach of their terms of employment."

The issue for the company, however, is more immediate; it needs to be able to identify the inappropriate use of company information and protect against its
‘The company can be
accused of having failed to put in sufficient safeguards in place to prevent a breach and the directors could be implicated for failure to protect company stakeholders’
loss. The main legal issue is again the DPA. The company can be accused of having failed to put in sufficient safeguards in place to prevent a breach and the directors could be implicated for failure in their fiduciary duties to protect company stakeholders from loss.

In response to this type of threat the information security industry has, in recent years, developed a flurry of so-called data leakage prevention (DLP) systems which seek to address this emerging exposure for companies.

While the goal of DLP systems is undoubtedly well intended, the effectiveness of these technologies relies upon the satisfactory matching of user-access authorisation levels with the classification of all corporate information assets according to their sensitivity and "value". The logic of such systems is clear but inflexibility and the administrative overheads of such systems is prohibitively high.

The bottom line is that the thief may be a disgruntled employee, an external contractor attempting to steal some of the company's intellectual property or even a trusted senior executive; there are no rules to predicting human behaviour. Inappropriate action of this type by anyone who has the authority to access sensitive company information can and still does occur. What is required is the means by which suspicious or unusual movement of sensitive data, irrespective of the initiator can be detected and assessed for legitimacy.

Behavioural Anomaly Detection uses intelligent analysis technology to inspect and immediately alert on inappropriate user or system behaviour as soon as it deviates from the norm. Without the need for complex access and asset prioritisation rules and the resulting configuration and management overheads the technology simply blocks and flags unusual system or user activity to security administrators and risk managers.

A lot of companies with inspection technology claim behavioural analysis capabilities yet limit themselves to looking at the data, network and transport layers (layers 2-4 of the OSI stack). This unfortunately is insufficient for effective data protection capabilities, which requires the monitoring of multiple layers. The fact is that few vendors provide sufficient visibility of anomalous events to enable meaningful risk alerting and protection against data loss.

Data breaches from unauthorized access and improper use are a growing problem, but they can be detected and prevented with appropriate security strategy and technology. Behavioural Anomaly Detection technology identifies when a legitimate user's behaviour begins to deviate from the norm, blocks it and systematically stores a copy of all access logs in forensic repository which can have evidential weight in any resulting action against an individual. Using smart technology Behavioural Anomaly Detection can automatically detect and prevent a potential data theft as it occurs rather than respond "after the horse (and its valuable information) has bolted".

Geoff Sweeney is co-founder and chief technology officer at Tier-3 Pty Ltd and will be speaking in the technical seminar programme at Infosecurity Europe on "WWIII has started: Shape shifting heuristic threats"

Infosecurity, 22nd-24th April 2008, Olympia, London, www.infosec.co.uk