Monitoring real-time network behavior

Blog originally published by FlowTraq™, authored by Dr. Vincent Berk.

Yesterday, Adobe Systems revealed it was the victim of sophisticated cyber attacks on its networks by hackers who accessed data belonging to 2.9 million customers along with the source code for at least two of its software titles.

Source code repositories are typically bastions accessible only to a select few, and secured against any unwanted access. They hold some of the most valuable Intellectual Property in an organization, and access is often segmented by product, project and developer. One can only assume Adobe is no exception.

The network traffic access patterns of source code repositories are therefore very predictable. In terms of volume, access times, accessing clients and client location, repositories show very narrow profiles of behavior.  Any unauthorized access to large amounts of code should stand out to anyone who is looking.

Why then did Adobe fail to detect the breach of an estimated 40 gigabytes of code? And why did they not figure out this had happened until the source code popped up in a totally unexpected location?  And what other highly sensitive data went missing in the same compromise that was less well protected, but has not yet been found?

In today’s world, threats are evolving faster than ever before. Access logs, virus signatures and intrusion detection alerts are simply no longer sufficient to properly secure enterprise data. A strategic approach demands an ever-watchful eye, and a careful selection of defenses must be put in place to keep your business secrets secret.

This also means that simply ticking the compliance box is not enough. Data as valuable as source code requires a multi-faceted and broad defensive posture that keeps the many avenues of entry and exit in mind.  In addition to access logs and virus signatures, the modern Chief Information Security Officer (CISO) must consider building behavior-based defenses that alert him or her when things are simply “out of the ordinary.”

Training a tool such as FlowTraq on typical access volumes of clients, time-of-day of client access, and client location would almost certainly have prevented the widespread data breach from which Adobe is now reeling.  Any odd behavior, such as a large transfer of source code, would have immediately drawn attention, and could have been stopped before the horse had left the barn.
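The kind of behavioral baseline described above, as an added example that is not FlowTraq's code: it trains a per-client volume profile on constructed flow records for a repository host and flags departures in client identity, transfer volume and time of day. The addresses, volumes, the 3x volume factor and the 08:00-18:59 UTC working-hours window are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records, not taken from the post: (UTC timestamp,
# client address, bytes sent by the repository host to that client).
BASELINE_FLOWS = [
    ("2013-09-30T09:15:00", "10.1.4.22", 52_000_000),
    ("2013-09-30T14:40:00", "10.1.4.23", 48_000_000),
    ("2013-10-01T10:05:00", "10.1.4.22", 61_000_000),
    ("2013-10-01T16:30:00", "10.1.4.24", 45_000_000),
    ("2013-10-02T11:20:00", "10.1.4.23", 55_000_000),
    ("2013-10-02T15:10:00", "10.1.4.24", 50_000_000),
]
NEW_FLOWS = [
    ("2013-10-03T10:30:00", "10.1.4.22", 58_000_000),        # ordinary checkout
    ("2013-10-03T02:45:00", "10.1.4.23", 47_000_000),        # known client, 02:45
    ("2013-10-03T03:10:00", "203.0.113.77", 40_000_000_000),  # new client, 40 GB
]
WORK_HOURS = range(8, 19)  # assumed 08:00-18:59 UTC access window


def build_profile(flows):
    """Largest transfer seen per client during the training window."""
    profile = defaultdict(int)
    for _, client, nbytes in flows:
        profile[client] = max(profile[client], nbytes)
    return dict(profile)


def check_flows(flows, profile, volume_factor=3, work_hours=WORK_HOURS):
    """Return (timestamp, client, reasons) for each flow off the profile."""
    site_ceiling = max(profile.values())  # yardstick for never-seen clients
    alerts = []
    for ts, client, nbytes in flows:
        reasons = []
        if client not in profile:
            reasons.append("unknown client")
        # A client with no history is held to the largest transfer any known client made.
        ceiling = profile.get(client, site_ceiling)
        if nbytes > volume_factor * ceiling:
            reasons.append(f"volume {nbytes:,} B exceeds {volume_factor}x baseline")
        hour = datetime.fromisoformat(ts).hour
        if hour not in work_hours:
            reasons.append(f"access at {hour:02d}:00 outside working hours")
        if reasons:
            alerts.append((ts, client, reasons))
    return alerts


if __name__ == "__main__":
    for ts, client, reasons in check_flows(NEW_FLOWS, build_profile(BASELINE_FLOWS)):
        print(ts, client, "; ".join(reasons))
```

The ordinary daytime checkout passes silently, while the off-hours access and the 40 GB pull by an unseen client each produce an alert with every rule they tripped.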

Today the truth is that in most organizations the value of network defense does not easily fit the ROI spreadsheet. A simple calculation of risk is impossible, as we simply cannot judge the probability of these unlikely events… Or can we? What if we set the probability to 100%, but we adjust our cost of compromise based on the cost of the defenses we have put in place? For instance, if you could reduce the cost of a data breach from $1,000 to $400, simply by spending $10, what would you do?

It is much easier to estimate the costs of a compromise in terms of the amount of data exfiltrated.  What is your cost when all your customer records leave your network?  What is your cost if you stop the breach after only 10% has left?  How about 1%? The ROI calculation becomes much simpler if we assume our data will be breached, and we make investments to limit the damage instead.