The Lord of the Rings trilogy ends in suitably spectacular fashion with a battle scene following the retreat of all the good people to “Helms Deep,” a tall stone fortress built into the recess of a massive rock mountain. Seemingly impregnable, the thick wall facing the invaders contains a small flaw: a drainage outlet about five feet high, large enough to pile in some spiny medieval bombs. That done, one of the bad guys in heavy armor but inexplicably looking just like the Olympic torch carrier, glides between lines of his cheering comrades and dives in with the flame to blow a hole big enough for the army to pour in.
“We have met the enemy, and he is us.” – Pogo
Now, immediately shift your mind’s eye from New Zealand to New York: you are watching the scene from The Big Short where Ryan Gosling’s character overhears at a bar a secret trading strategy to bet against the subprime housing market (you know how that one turned out) and then proliferates it by making a call to a wrong number. And for something too improbable to qualify as a movie idea, consider this real-life drama from 2010: Apple, a company infinitely obsessive about the secrecy of unreleased products, finds out that an employee left an iPhone 4 prototype in a bar. Then (this is true) the same thing happens the next year with an iPhone 5 prototype, with a different employee, in a different bar.
Protect the Perimeter, or Guard the Core?
The managers of most companies see information security as a Lord of the Rings problem, with the focus on protecting the perimeter. This reflects the popular view. Indeed, from reading headlines about hackers, you might think that cybercrime–malign attacks from evil outsiders–represents the most common way that commercial information is lost. And you would be wrong. It’s not the overlooked vulnerability in the company’s firewall that gets exploited by determined external enemies. Instead, it’s the careless employee who overshares on social media, brags at parties, or leaves a sensitive document in an airport lounge. (Remember traveling on planes?)
According to a 2013 study by Symantec, over half of departing employees believe it’s entirely acceptable to take company data when they go, and they tend to act on that belief. Forty percent have plans to use the information in their new position. This is not necessarily malicious behavior. Many (68 percent) just think the organization doesn’t care, given a lack of any apparent enforcement. Anyway, if the information is software, 44 percent believe that because they wrote it, it belongs to them. From my work with clients, I’d say the situation hasn’t changed.
So it shouldn’t be surprising how often information is lost just because someone sends a sensitive email to the wrong person, or a group text instead of a private exchange, or decides that the company’s VPN is just too much trouble.
When corporate managers think about information security, the first place they look at is the ramparts, when it’s what’s happening behind the walls that should keep them up at night. According to a 2017 Gartner report, businesses spend 62% of their security budgets on defending the network, compared to 18% for the “endpoint” devices in the hands of users.
All of this is not to say that we shouldn’t be guarding the perimeter against hackers, who are everywhere and apparently never sleep. Fortunately, the tools available to detect and react to cyber espionage are constantly improving, and despite the occasional disasters (most of which can be traced back to–ahem–human error), we seem to be staying slightly ahead in the cybersecurity arms race.
Forced to Trust Employees with Secret Data
But clearly the more serious and pervasive threat is from insiders. Unlike the hackers who are trying to break into our systems, these are people that we trust with access to sensitive information, because we have to. Given the complexities of the globalized, digital economy, we have no choice but to share our secret data with employees, not to mention the anonymous employees of supply chain partners, all of whom stay connected remotely through multiple devices, and being human can get easily fatigued or distracted.
Naturally these risks are amplified as we have shifted to mostly remote work, where insider threats are dispersed and managers can’t always see them, including the subtle cues of individual behavior that might flag a problem. But increasingly, some of the same kinds of technologies that protect us against malicious outsiders are being developed to address the internal threat.
As we have observed before, trade secret problems come in many different dimensions and circumstances, but all of them share a common feature: somebody did something stupid. Try as we might to create policy frameworks, management structures and training programs, the supply of human folly seems inexhaustible.
Machine Learning and Artificial Intelligence as a Possible Solution
The current hope is that machines will be the match for our failings. Artificial Intelligence (AI) has developed a reputation as aspirational, having fallen short of previous predictions. But it’s certainly much improved, and its ability to recognize patterns and make nuanced judgments provides reason for hope that it can be applied to predicting and managing human behavior.
That said, to deploy intelligence you have to first know some facts. And this is where Machine Learning (ML) comes in. While humans constantly demonstrate an inability to learn from their mistakes, for example by continuing to build houses in flood zones and forests, machines are terrific at it. They don’t get defensive when criticized, and like your dog, they just want to know what makes you happy.
So combining ML’s talent for education with AI’s capacity for analytics and executive thinking seems an ideal way forward. And indeed, the industry has stepped up and created some interesting possibilities. Perhaps inevitably, the security vendors seem to innovate mainly in new acronyms and other jargon designed to reinforce how much you don’t know. But stay with me for a moment, and I think you’ll get a sense of where we’re headed.
An Alphabet of Defenses
Once upon a time, there was plain old Data Loss Prevention (DLP) software, which sort of did it all and had a nice generic name. Now we have UAM, which stands for User Activity Monitoring, tools that gather data at its most granular, like individual screen captures, text messages, and even keystrokes. UAM also sucks up data from DLP applications, as well as from systems engaged in Security Information and Event Management (SIEM) and User and Entity Behavioral Analytics (UEBA–which, wait, is now called SIEM 2.0). Got all that? No?
Okay, here’s a simpler explanation, through an example. We all deal with authentication by passwords, and the more annoying two-factor authentication, in which we wait for a code to be delivered to another device. With a process called Risk-Based Authentication (RBA, sorry), the system verifies not only identity. Using a combination of AI and ML to create a baseline understanding of user behavior, it also examines context to search for anomalies and create warnings or blocks against dangerous behavior. It can examine emails from supposedly trusted sources to see if they align with previous messages, looking for very subtle differences in syntax and diction that might show a phishing scam.
So while we’re sitting in front of our computer at home, far away from the office, we have the comfort of knowing that we’re not really on our own, that we have someone watching over us, protecting us against ourselves, and preserving the information assets that make this job possible.
In the final moments of The Lord of the Rings, despite the breach of its fortifications. Helms Deep was saved by the extreme heroics of its defenders. In business, the workforce may look a bit more like the careless traders in The Big Short. They could use some reinforcements.
by James Pooley, A Professional Law Corporation
This article first appeared on IP Watchdog under the title: “Trade Secrets and the Insider Threat: Protection Beyond the Perimeter“.