A lot of articles are looking into the Morgan Stanley breach case, which is definitely an interesting story all by itself. An employee illegally accesses information and stores it on his home server. Obviously not a very smart thing to do, but initially the data just sat there. It would be interesting to understand what he planned to do with it, but that is not part of the discussion here. Then his home server got hacked, which was either an accidental jackpot for the attacker or a targeted attack by a dedicated adversary; the latter seems unlikely, as the data does not appear to have been abused so far.
But what are the lessons from this attack?
On the one hand, we learn that the insider threat is definitely real and something to take care of. Not new, but a good reminder.
If you read certain blogs and news articles currently, a lot of them are calling for DLP-like technology – see Insider Lessons from Morgan Stanley Breach as an example:
This case clearly illustrates why companies should be doing more to monitor their employees’ access to sensitive information. Not just because of what the insiders might do with the data, but because of what outsiders can do to take advantage of the insiders’ access.
This reminds me a bit of the early days of anti-malware technology, and today we know that those products catch nowhere near half of the viruses out there. I guess you can catch the less knowledgeable attackers with DLP (or similar) but not the others, as these products are often far too static.
Behavior-based analytics looks promising at the moment and is definitely a way forward. It will be interesting to see how far the technology really keeps its promises.
But to me there is a big “BUT”. All these technologies fail the moment a company does not understand and really control its identities. If you do not get your identities right, you can do whatever you want, but you are on the losing end. Maybe there was a good reason why this guy got access to the data, but maybe there was just a process glitch. Do you really understand your joiner/mover/leaver processes, and do they really work (be honest, really)? That is the basis to build any security technology upon.
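One concrete way to answer the “do they really work?” question is to reconcile what HR says about people against what the directory and the entitlement system actually grant. The script below is an added example, not code from the original post or from Morgan Stanley; the HR roster, directory export, grant table and the role-to-entitlement policy are all constructed sample data for illustration. It surfaces the classic joiner/mover/leaver glitches: leavers whose accounts are still enabled or still hold grants, movers who kept entitlements from their old role, accounts with no HR owner, and joiners who have no account at all.

```python
"""Reconcile an HR roster against directory accounts and entitlement grants
to find joiner/mover/leaver (JML) process failures.

Added example, not code from the original post. All data below is constructed
sample input; the role->entitlement policy is a hypothetical mapping.
"""
from dataclasses import dataclass

# Constructed HR roster: who the business says exists, in which role, and
# whether they are still employed.
HR_ROSTER = {
    "u1001": {"name": "A. Adams", "role": "trading", "status": "active"},
    "u1002": {"name": "B. Baker", "role": "finance", "status": "active"},      # moved from trading
    "u1003": {"name": "C. Clark", "role": "trading", "status": "terminated"},  # leaver
    "u1004": {"name": "D. Diaz",  "role": "finance", "status": "active"},      # joiner, no account yet
}

# Constructed directory export: account -> enabled flag.
DIRECTORY = {
    "u1001": {"enabled": True},
    "u1002": {"enabled": True},
    "u1003": {"enabled": True},        # leaver never disabled
    "svc-legacy": {"enabled": True},   # no HR owner at all
}

# Constructed entitlement grants: account -> set of data entitlements.
GRANTS = {
    "u1001": {"client-accounts-read"},
    "u1002": {"client-accounts-read", "ledger-read"},  # old trading grant survived the move
    "u1003": {"client-accounts-read"},                 # leaver still entitled
    "svc-legacy": {"client-accounts-read"},
}

# Hypothetical policy: the entitlements each role is allowed to hold.
ROLE_POLICY = {
    "trading": {"client-accounts-read"},
    "finance": {"ledger-read"},
}


@dataclass
class Finding:
    account: str
    kind: str    # leaver-enabled, leaver-entitled, mover-excess, orphan-account, unknown-role, joiner-missing
    detail: str


def reconcile(roster, directory, grants, policy):
    """Return a list of Findings describing every JML inconsistency."""
    findings = []

    # Walk every account the directory knows about.
    for acct, entry in directory.items():
        hr = roster.get(acct)
        if hr is None:
            findings.append(Finding(acct, "orphan-account",
                                    "directory account with no HR owner"))
            continue
        if hr["status"] != "active":
            # Leaver: account must be disabled and hold no grants.
            if entry["enabled"]:
                findings.append(Finding(acct, "leaver-enabled",
                                        f"HR status is {hr['status']} but account is enabled"))
            if grants.get(acct):
                findings.append(Finding(acct, "leaver-entitled",
                                        f"still holds {sorted(grants[acct])}"))
            continue
        allowed = policy.get(hr["role"])
        if allowed is None:
            findings.append(Finding(acct, "unknown-role",
                                    f"role {hr['role']!r} has no entitlement policy"))
            continue
        # Mover (or over-provisioned joiner): grants outside the current role.
        excess = grants.get(acct, set()) - allowed
        if excess:
            findings.append(Finding(acct, "mover-excess",
                                    f"role {hr['role']} holds extra {sorted(excess)}"))

    # Walk the roster the other way: active people with no account at all.
    for acct, hr in roster.items():
        if hr["status"] == "active" and acct not in directory:
            findings.append(Finding(acct, "joiner-missing",
                                    "active in HR but no directory account"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, GRANTS, ROLE_POLICY):
        print(f"{f.kind:16} {f.account:12} {f.detail}")
```

Run against a real HR export, directory dump and entitlement report, the same three-way comparison is what an access review should produce every cycle; if the output is not empty and nobody is surprised, the JML process is not working, whatever the DLP console says.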
Get this right first and then fix the rest; it won’t get any better, since the Internet of Things is just around the corner.