All over the world, the biggest banks, insurance companies, telcos, and other private enterprises store the majority of their most critical and sensitive customer data and intellectual property on the mainframe. One reason is that the mainframe remains among the most securable platforms available.
That is why everything from credit card details to healthcare records, identity numbers and insurance policy details is stored there, giving enterprises confidence that their private information and secrets will remain safely guarded from the outside world.
However, having a robust, highly securable system is not the same as being immune to cybersecurity threats. What happens, for example, if a malicious employee decides to abuse their privileges to access mainframe systems and data for their own ends? That happened a few years ago, when UBS trader Kweku Adoboli was able to make unauthorized transactions that cost his employer $2.3bn (£1.9bn). More recently, an employee of Sage was arrested last year on fraud charges, after unauthorized access using an internal log-in affected up to 300 business clients.
A monumental blind spot
So how significant is the insider threat? Because it involves trusted employees, such activity can be difficult to spot, so the true extent of the problem is still largely unknown. But it is a growing concern. A study from Crowd Research Partners found that three-quarters (74%) of firms feel vulnerable to insider threats, while fewer than half (42%) are confident they have the right controls in place to identify them.
Even though most of their sensitive and valuable data resides on the mainframe, many security teams still rely only on audit reports compiled from mainframe logs and System Management Facility (SMF) data, and that is a large part of why insider threats are hard to spot.
This approach is retrospective, so it only picks up on incidents once the damage has been done, leaving businesses trying to shut the stable door after the horse has bolted. It also fails to provide the level of granularity needed to spot malicious behavior effectively.
System-level tracking records that a user opened a dataset or ran a transaction; it does not record which customer records they read within it or what they did with them. As such, it is nearly impossible to tell from those records alone whether an insider has abused access privileges they legitimately hold. That has the potential to leave monumental blind spots in security monitoring.
This lack of clarity can also create a lot of false positives, with systems identifying potential threats where there isn’t one, thereby delaying investigations into genuine issues that do need addressing.
The inside outsider
These problems have been compounded even further by the activities of malicious outsiders, who have discovered that by tricking privileged users into handing over their logins, they can get the keys to the kingdom: full access to highly sensitive data. Spear-phishing has become an increasingly effective way of doing just this.
Typically, they require a fair amount of prior research and reconnaissance work, often using LinkedIn and other publicly available information on an individual. With this, hackers target a specific member or members of the organization, crafting their approach to appear as authentic as possible. It might be an email containing malware or a simple phishing link designed to steal their log-ins, or even a more personalized approach by phone. But the end result is the same: outsiders become insiders once they gain those credentials.
Shining a light into the mainframe
Regardless of how those threats originate, the financial losses associated with the discovery of insider misuse can come from clean-up and remediation, legal costs, a falling share price, customer attrition and regulatory penalties. The latter could soon represent an even greater issue, with the European General Data Protection Regulation (GDPR) applying from May 2018. Under the new regulation, if an organization's data on European citizens is breached and it is found not to have taken adequate measures to secure it, fines of up to 4% of global annual turnover (or €20 million, whichever is higher) could result. That should be enough to get the attention of any board and make it take the risk of insider threats more seriously.
To address this risk, the focus needs to shift away from system-level logging to application-level activity monitoring on the mainframe. Fed into a SIEM, application-level records give businesses the all-important insight into user behavior. They can answer questions such as: are users accessing specific records repeatedly? For how long, and what are they doing with them? Is this in line with their normal behavior and that of their peers?
Removing the stones they’re hiding beneath
One of our clients used this approach to identify a potentially embarrassing insider threat when they spotted an individual repeatedly accessing information associated with a particular credit card with no legitimate business reason. Following investigation, it transpired that the cards belonged to members of the Royal Family and politicians. The individual was passing on geolocation information from where the card was being used to the paparazzi, enabling them to follow their target with greater accuracy.
System-level logging and reporting would not have provided the granularity needed to spot any wrongdoing, because the employee was authorized to access card information as part of their job, so every one of those reads looked like routine work at the dataset level. However, by capturing application-layer detail and feeding it into a SIEM tool, they were able to detect the insider abuse by picking up the anomalous behavioral pattern, which indicated something out of the ordinary was happening and warranted investigation.
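The following is an added illustration, not code from the original article or from any vendor product, of the two points made above: that system-level (SMF-style) records cannot separate the insider from an ordinary clerk, and that application-layer records fed to a SIEM can, by flagging repeated access to a single customer record far above the population baseline. All events, user names, the dataset name and the card tokens are constructed for the example; the application name, field names and the baseline rule are assumptions, not a description of any real system.

```python
"""Application-layer access monitoring over constructed sample events.

Two views of the same activity: an SMF-style system-level view (who opened
which dataset) and an application-level view (who read which customer record,
and which field). The system view cannot distinguish the insider; the
application view can.
"""
from collections import Counter, defaultdict

DATASET = "CARD.TXN.MASTER"          # assumed dataset name (constructed)
ACTION = "READ_TXN_LOCATION"         # assumed application action name (constructed)


def constructed_events():
    """Build a deterministic, constructed event set: (user, timestamp, action, card_token).

    clerk01 and clerk02 each service 10 distinct cards, reading a few of them twice.
    clerk03 does the same kind of routine work on 6 cards but also reads the
    transaction location of one card, tok_1001, fourteen times across many days.
    """
    events = []
    for user, base in (("clerk01", 2000), ("clerk02", 3000)):
        for i in range(10):
            card = f"tok_{base + i}"
            day = 1 + i % 9
            events.append((user, f"2017-03-{day:02d}T10:{i:02d}:00", ACTION, card))
            if i % 3 == 0:  # a few cases need a second look; that is normal
                events.append((user, f"2017-03-{day:02d}T11:{i:02d}:00", ACTION, card))
    for i in range(6):
        events.append(("clerk03", f"2017-03-{1 + i:02d}T09:{i:02d}:00", ACTION, f"tok_{4000 + i}"))
    for day in range(1, 15):
        events.append(("clerk03", f"2017-03-{day:02d}T17:30:00", ACTION, "tok_1001"))
    return events


def system_level_view(events):
    """Simulate SMF granularity: each application read is visible only as an
    open of the same dataset by the same user, so all records collapse to
    a per-user count of dataset opens."""
    return Counter((user, DATASET) for user, _, _, _ in events)


def per_user_card_counts(events, action=ACTION):
    """Application-level view: how many times each user read each card."""
    counts = defaultdict(Counter)
    for user, _, act, card in events:
        if act == action:
            counts[user][card] += 1
    return counts


def flag_repeat_access(events, action=ACTION, multiplier=5, floor=3):
    """Flag (user, card) pairs whose read count is far above the population norm.

    Baseline: the median number of reads per (user, card) pair across all users
    (peer comparison). A pair is alerted when its count is at least
    max(floor, multiplier * median). The rule is an assumption for the example.
    """
    counts = per_user_card_counts(events, action)
    all_counts = sorted(n for per_card in counts.values() for n in per_card.values())
    if not all_counts:
        return []
    median = all_counts[len(all_counts) // 2]
    threshold = max(floor, multiplier * median)
    alerts = [
        {"user": user, "card": card, "count": n, "threshold": threshold}
        for user, per_card in counts.items()
        for card, n in per_card.items()
        if n >= threshold
    ]
    return sorted(alerts, key=lambda a: -a["count"])


if __name__ == "__main__":
    evs = constructed_events()
    print("system-level view (dataset opens per user):")
    for (user, ds), n in sorted(system_level_view(evs).items()):
        print(f"  {user} opened {ds} {n} times")
    print("application-level alerts:")
    for a in flag_repeat_access(evs):
        print(f"  {a['user']} read {a['card']} {a['count']} times (threshold {a['threshold']})")
```

In the system-level view the three users look alike (14, 14 and 20 dataset opens), which is exactly the blind spot described above; only the application-level view surfaces that one of clerk03's reads concerns a single card fourteen times while every other (user, card) pair sits at one or two. In a real deployment the same logic would run in the SIEM over the application's audit stream, with the baseline computed per role or peer group rather than across everyone.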
There are innumerable measures available to help prevent intrusions by malicious third parties. But what happens if they do get in? Or if the malicious party is already inside, employed by the organization itself? Application-layer auditing, combined with SIEM systems and other security processes, can finally help to shine a light on this problem.
With the average cost of a data breach now around $4 million (£3.2m), organizations cannot afford to delay putting this into practice. The stakes are simply too high to ignore any potential security blind spot.