Whether you call Edward Snowden a traitor or a whistle-blower, he earned one label about which there’s no debate: insider threat.
Guarding against such risks is an expanding niche in the security industry, with at least 20 companies marketing software tools for tracking and analyzing employee behavior. “The bad guys helped us,” says Idan Tendler, the founder and chief executive officer of Fortscale Security in San Francisco. “It started with Snowden, and people said, ‘Wow, if that happened in the NSA, it could happen to us.’ ”
The problem predates the Internet: the salesman who takes the entire customer list with him when he quits, or the engineer who makes off with key product designs. But technology has only made it easier; now the salesman e-mails the data to his Gmail account, and the engineer can put product designs on a USB drive. In an embarrassing episode for Morgan Stanley, the bank dismissed an employee earlier this year for taking information about an estimated 350,000 clients of its wealth-management division.
Companies are also realizing that tracking insiders may improve their odds of catching outside hackers. While investigations into the breaches at Sony and Anthem are ongoing, it’s likely that attackers hijacked employee passwords and logins, then used them to navigate the companies’ computer systems to find and steal data. These methods are the reason it takes a business more than 200 days, on average, to detect breaches, according to FireEye, a cybersecurity company. “Hackers become employees when they get inside,” says Avivah Litan, an analyst at research firm Gartner. “So the name of the game is constant surveillance.”
Fortscale and competitors such as Securonix, based in Los Angeles, sell software that pulls data from a company’s computer systems and feeds it through algorithms to create a profile of each employee. The software constructs a base line showing what’s normal behavior for that user: where and when he logs in, which programs he uses, which company databases he accesses regularly, and which external websites he browses. It also generates a risk score for users based on what danger they may pose to the organization. With “normal” established, it becomes much easier to spot suspicious activity—for example, a worker downloading thousands of documents from a database she has permission to use but never has before. “What we’re trying to do is get this situational awareness,” says Igor Baikalov, a former security executive at Bank of America and chief scientist at Securonix. “The next step is predictive analytics: How can we detect the small changes and stop the bad thing from happening?”
Dtex Systems, a security company based in San Jose, monitors insider threats by placing software on desktops as well as company-issued laptops. CEO Mohan Koo says that in the first 30 days of surveillance at a financial exchange, the system identified six people who were getting ready to leave with highly sensitive data. Employees heading for the exit start doing things they hadn’t before, such as changing their e-mail habits, Koo explains.
Other approaches delve more deeply into psychology. Stroz Friedberg, a New York-based consulting firm that specializes in digital forensics, is rolling out software called Scout, which evaluates users through the content of their e-mails and other communications using linguistic and behavioral analysis techniques developed by the FBI. The software establishes a base line and then scans for variations that may signal that an employee presents a growing risk to the company. Red flags could include a spike in references to financial stresses such as “late rent” and “medical bills.”
Edward Stroz, the firm’s founder and a former FBI agent, says that while companies may have found this idea too intrusive in the past, he’s seen a change in perception in the past year. He’s still careful when discussing the software, describing it as a way to help employers build a “caring workplace.” He offers the scenario of a star trader at a bank who’s disappointed with the size of her annual bonus. Instead of being blindsided when she defects to a rival, a bank using Scout could identify her discontent early and make sure she doesn’t take sensitive data or other team members with her.
Looming in the background is the question of how to balance employees’ privacy with more intensive monitoring. Dtex says it makes user data anonymous, replacing names with codes and matching names to activity only when necessary for an investigation. That helps companies monitor effectively and comply with privacy laws in countries such as Germany and Switzerland, Koo says. Randy Trzeciak, a cybersecurity specialist at Carnegie Mellon, says it’s important for companies to keep their lawyers in the loop and to outline a clear, well-communicated, and consistently enforced policy, so there’s no perception of selective monitoring.
Some of the methods at companies that hire Securonix make even Baikalov wonder how much is too much. He cites the practice of matching information on user behavior online with feeds from video cameras and other systems that monitor physical locations. Some companies, he says, have created ticket systems so employees can report suspicious behavior by colleagues. “Is it too much, or is it actually the right amount of diligence?” he says. “I’m really curious how much we will get out of it. It’s really the extreme in kind of Orwell-like monitoring.”
The bottom line: About 20 companies sell tools to monitor employee behavior—from e-mail habits to database access—and flag risks.