How to Prevent an Insider like Harold T. Martin III from Stealing Information
Companies spend an exorbitant amount of time trying to protect their data and systems from outsiders. Between firewalls and scanners, malware detection and prevention, employee education and other security protocols, organizations can dedicate countless resources to cybersecurity measures.
Unfortunately, that's not enough. Think about this: are you accounting for the people who are already inside? When you consider the ways to protect the company's network and systems, you must also think about the employees and contractors who already have access to those systems.
Insider threats are a huge problem: 90% of security incidents are caused by people, per the 2015 Verizon DBIR. Additionally, 55% of attacks originate with an insider (whether inadvertent or malicious), according to the 2015 IBM Cyber Security Intelligence Index.
So, how do you protect your enterprise from Insider Threat? Let’s look at the Insider Threat who caused the 2016 breach at the NSA:
Harold T. Martin III is a former Navy reservist who has been in federal custody since the end of August 2016. It was within that timeframe that federal agents executed several search warrants at his Maryland home. There, the FBI uncovered what they characterized as "overwhelming" proof that he mishandled classified information. Per the court filing, the materials found consisted of the personal information of government employees and a top-secret document "regarding specific operational plans against a known enemy of the United States and its allies."
This incident with Harold T. Martin III is a classic example of a worst-case Insider Threat scenario. Not only was he caught, but Booz Allen Hamilton stock fell approximately 5% after the insider threat was reported in the news. Insider Threat expert and co-author of Insider Threat Program: Your 90-Day Plan, Shawn M. Thompson, says, “While the stock price will likely recover, BAH also likely faces damage to its reputation and goodwill, which is incalculable.”
According to NPR, Federal Prosecutors stated in a court filing that, “The alleged theft of classified documents by a former NSA contractor was ‘breathtaking’ in its scope…”
NPR further reported that “Documents that Martin is alleged to have taken detail some of the country's most sensitive intelligence operations. Authorities have not said why he allegedly stole the documents, or whether they believe he planned to do anything with them.”
IDS news reported that: “…Martin allegedly gathered more than 50 terabytes of NSA documents since 1996, storing them on heavily encrypted devices. Some of what Martin stole were ‘hard-copy documents that were seized from various locations ... that comprise six full bankers’ boxes worth of documents’ according to official charges filed by the government.”
Update: It was just reported that Harold T. Martin III even took the names of covert US agents, endangering their lives.
While we cannot tell you exactly how Harold T. Martin III stole the information, we do know there are many different ways he could have done it. Controls can be put in place to monitor large print jobs from a computer, USB data exfiltration, cloud drive uploads, sending data to personal email addresses, or sending files via instant messenger. But one has to wonder: were there so many alerts and controls in place that the security team had trouble figuring out which alerts were the important ones? This is where a User Activity Monitoring solution like ObserveIT could have addressed these issues:
Scenario 1: Documents are copied to a USB Device—ObserveIT would alert security teams about the action and allow them to quickly investigate what was copied to the device with video playback (providing irrefutable evidence).
Scenario 2: Documents are sent to the printer—ObserveIT would alert security teams that a user printed an unusually large amount of data. Then they could quickly investigate what was printed by watching a video replay of the incident.
Scenario 3: Data is uploaded to a cloud storage application—Information uploaded to applications like Dropbox, WeTransfer, Pastebin, or Google Drive can be difficult to track with ordinary log files, which gives insiders a prime exfiltration point for large amounts of data. If information were uploaded to a cloud storage application, ObserveIT would alert administrators about the event, and administrators could quickly investigate what was uploaded by watching a video replay of the incident.
Scenario 4: Collusion—to get access to this kind of classified information in the first place, other personnel or nefarious outsiders may have been involved. This kind of collusion can be identified, even after the fact, with ObserveIT’s records, especially through its ability to monitor business and personal chat logs and business and personal email.
Scenario 5: There are too many security tools in place and the security team has trouble identifying which alerts to follow—this is the scenario in which ObserveIT might shine most brightly. ObserveIT makes wading through the noise easier by bringing other security tools to life. Teams can work within the dashboards of other security tools such as Splunk, ArcSight, IBM QRadar, CA Access Control, Citrix XenApp® and Citrix XenDesktop®, Lieberman Software, Tibco LogLogic, RSA enVision and the ServiceNow IT ticketing system, so they don’t have to switch between applications.
With user activity monitoring and video playback, large print jobs from computers, USB data exfiltration, cloud drive uploads, sending data to personal email addresses, or sending files via instant messenger no longer have to be investigated by combing through event logs. With the simple push of a playback button, monitoring these exfiltration points is much easier and investigations proceed much more quickly.
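The scenarios above share one detection pattern: sum each user's activity on an exfiltration channel (printer, USB, cloud upload, personal email) over a day, compare it against a channel-specific threshold, and rank what crosses the line so a small team sees the biggest movement of data first rather than drowning in alerts (Scenario 5). The following is an added illustration of that pattern and is not ObserveIT's code or output; the key=value log format, the field names, the thresholds, the channel weights and the sample log lines are all constructed for this example.

```python
"""Constructed example: flag high-volume activity on exfiltration channels in
user-activity logs and rank the resulting alerts by significance."""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample log (assumed 'timestamp key=value ...' format, not a real product log).
SAMPLE_LOG = """\
2016-08-20T09:12:03 user=jdoe action=print pages=12 name=expense_report.pdf
2016-08-20T09:40:11 user=hmartin action=print pages=640 name=ops_plan_vol1.pdf
2016-08-20T10:02:45 user=hmartin action=usb_copy bytes=52000000000 name=archive01.7z
2016-08-20T10:15:00 user=asmith action=cloud_upload bytes=2400000 name=slides.pptx dest=drive.google.com
2016-08-20T11:20:31 user=hmartin action=cloud_upload bytes=900000000 name=export.zip dest=wetransfer.com
2016-08-20T11:45:09 user=jdoe action=email bytes=120000 name=notes.txt dest=jdoe@personal-mail.example
2016-08-20T11:50:22 user=jdoe action=email bytes=15000000 name=budget.xlsx dest=boss@corp.example
2016-08-20T12:03:14 user=hmartin action=print pages=410 name=ops_plan_vol2.pdf
"""

# Assumed per-user, per-day thresholds: (field to sum, limit). Tune to the environment.
THRESHOLDS = {
    "print": ("pages", 500),
    "usb_copy": ("bytes", 1_000_000_000),      # 1 GB to removable media
    "cloud_upload": ("bytes", 500_000_000),
    "email": ("bytes", 10_000_000),            # attachments sent outside the company
}
# Assumed ranking weights: channels that move bulk data quickly rank higher.
WEIGHTS = {"usb_copy": 3.0, "cloud_upload": 2.0, "email": 1.5, "print": 1.0}
CORP_DOMAINS = {"corp.example"}                # email to these domains is not exfiltration
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    user: str
    day: str
    channel: str
    total: int
    threshold: int
    score: float
    samples: list = field(default_factory=list)   # file names seen, for triage


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict; None for malformed lines."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    rec = {"ts": parts[0]}
    rec.update(KV_RE.findall(parts[1]))
    if "user" not in rec or "action" not in rec:
        return None
    return rec


def aggregate(log_text):
    """Sum each user's volume per channel per day, skipping internal email."""
    totals, names = defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] not in THRESHOLDS:
            continue
        if rec["action"] == "email" and rec.get("dest", "").split("@")[-1] in CORP_DOMAINS:
            continue
        field_name, _ = THRESHOLDS[rec["action"]]
        try:
            amount = int(rec.get(field_name, 0))
        except ValueError:
            continue                               # malformed number: ignore the record
        key = (rec["user"], rec["ts"][:10], rec["action"])
        totals[key] += amount
        names[key].append(rec.get("name", "?"))
    return totals, names


def detect(log_text):
    """Return alerts for (user, day, channel) totals over threshold, highest score first."""
    totals, names = aggregate(log_text)
    alerts = []
    for (user, day, channel), total in totals.items():
        _, limit = THRESHOLDS[channel]
        if total > limit:
            score = round(total / limit * WEIGHTS[channel], 2)
            alerts.append(Alert(user, day, channel, total, limit, score, names[(user, day, channel)]))
    return sorted(alerts, key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.score:>8}  {a.user:<8} {a.day} {a.channel:<13} {a.total} > {a.threshold}  {a.samples}")
```

Run against the sample, the script produces three alerts, all for the same user, with the 52 GB USB copy ranked first, the cloud upload second and the two print jobs (which only cross the page threshold when summed for the day) last; the per-day aggregation is what catches a large document split across several smaller jobs, and the ranking is what keeps a single noisy channel from burying the one that matters.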
Are you ready to protect your organization’s data and reputation from Insider Threats? Start today with your free 15-day trial of ObserveIT to see what you've been missing. Or, request a demo with one of our experts to learn more.