blog_thumb-nsa-contractor

NSA Contractor Suspected for Stealing Classified Data

leslie_csooline

Beau Hutto, VP Federal
Oct 19, 2016

Harold Thomas Martin may have stolen NSA classified data five months after Edward Snowden left his contractor position with the same firm. What happened during 2013 will come out as the prosecution moves forward and the data is exposed online. Many articles cover the known details to date, however, what about the future?

Whether its stolen emails or classified data, the compromise and misuse of identity is at the core of modern attacks. Zero-day exploits are rare, expensive, and once exposed, they commoditize quickly. Account compromise and hijacking of access credentials via phishing emails and social attacks is much less expensive, quite effective and can be repeated with high degrees of success. In many cases the account hijacking leads to stealing more credentials in volume.

The attack surface area for identity includes employees, contractors, business partners and even customers when they have access credentials. The access rights provided and how these rights are being utilized is a ‘discovery gap’ we have today for identity access management to determine risk. Diving a layer deeper, there is an ‘awareness gap’ with privilege access risks beyond accounts at the entitlement level. The challenge is entitlements can number in the millions for a large organization, and human efforts to assess risks are futile.

A case in point is the reduction of excess accounts and entitlements. Using mature machine learning models with risk scoring and peer analysis, Gurucul customers have reduced excess access by more than 50% on average with some projects achieving 83% and 89% reductions. Identity access is plagued with manual processes, legacy rules and access cloning that results in over-privileged groups, accounts and entitlements. Cleaning up excess access with a risk-based approach to reduce the attack surface area is paramount.

Privileged access provides the “keys to the kingdom” and includes admin, super user (SU) and privileged accounts, however, it also includes hidden privileged entitlements in standard accounts and application entitlements. What industry experts see in the majority of environments is over 50% of privileged access risks are unknown, outside privilege management vaults. In one recent customer project we found over 70%. However, with less than 1 in 10 organizations leveraging privileged access management tools, the awareness of privilege access risks remains low.

So if Harold Thomas was an NSA contractor, what was his identity profile for accounts, access, activity and alerts? More importantly, what privilege access risks resided within his identity profile? Post analysis of one individual by forensic investigators is possible, however, being proactive for a larger group is not. Take an organization with 50,000 employees, contractors and business partners all with access rights. If they average 10 accounts each, and each account has 10 entitlements, you have 5 million entitlements to assess for risk. Which ones are privilege access risks?

Investment in declarative defenses based on rules, signatures and patterns defines the red zone of known bad, the green zone of good, however, it leaves an emerging gray zone undefined. We must assume we have insiders and compromised accounts in the gray zone. However, the reduction of the surface area for identity and uncovering privilege access risks should come first.

The Gurucul Risk Analytics platform is proven to reduce excess access risks, while detecting behavior anomalies that can help protect our nation’s most classified data. Our nation’s defense and sensitive secrets must be protected with the most advanced machine learning tool sets available today. Federal agency adoption and acquisition processes continue to evolve but must do so faster than our adversaries.

Previous
Next