Skip to content

Wikileaks Redux: Authentication Is a Good Start, But…

March 11, 2011

Yesterday, U.S. Department of Defense (DoD) CISO Teresa Takei testified before the Senate Homeland Security Committee, laying out the DoD’s plan for defending against Wikileaks-style data exfiltration.  The goal of the DoD is to have a solution in place by 2013 — given the size and scope of the many different DoD components (Army, Air Force, Navy, et. al.), I think that’s a fairly reasonable schedule.

Much of Ms. Takei’s testimony focused on two key facts: (1) the federal goverment needs to share information between agencies (including between military and civilian); and (2) improved authentication and access controls are needed to ensure that another Wikileaks-stype event doesn’t occur.  Certainly, both of these are reasonable statements: as our readers in the intelligence or DoD communities likely know, ever since 9/11 the federal government has opened the proverbial floodgates on shared intelligence between agencies, and it’s likely that this has led to prevention of one or more very bad things occuring to U.S. citizens and interests.  Coupled with that increase in communication, however, has been a significant lack of oversight with respect to authentication and access control over exactly who has access to all these pieces of newly-shared information.

Certainly, the classification of data into levels (e.g., “Unclassified”, “Secret”, “Top Secret”) coupled with the partitioning of this information into separate networks (in the DoD’s case, NIPRNet and the classified SIPRnet) provides a good start, but that’s not a particularly granular level of demarcation.  To augment this, Ms. Takei suggested that PKI-based authentication at the application layer, coupled with proper access controls, will be the foundation of the DoD’s solution to this problem.

I agree that authentication (coupled with good access control management) is a great start to this problem… but I propose that, by themselves, authentication and access control will do nothing to solve the problem of Wikileaks-style data exfiltration. Why?  Well, the answer to that lies in the Wikileaks event itself.  In the most publicized case, Pvt. Bradley Manning is alleged to have exfiltrated over 200,000 files, which were then provided to Wikileaks.  Therein lies the problem: Private Manning already had access. Perhaps the access controls in place were not appropriate, but that belies the point: even when access controls and authentication are configured properly, rogue users will still be able to send information they have access to, anywhere they like.

There are, of course, other technologies that are designed to monitor for this kind of user-based activity, usually by monitoring at the content layer: DLP (which monitors on data exfiltration), DAM (which monitors database activity), and NAC (which monitors and enforces connectivity) are all designed to prevent users from doing things they shouldn’t (whether intentional or not).  But what happens when a user is allowed to read records in a database table, but instead of reading 10 records — which is what they actually need to do their job – they instead run a SELECT statement on 100,000 records?  What happens when that same user is allowed to read a directory of classified files, but does so on the weekend, outside of normal business hours?

These are all examples of the other piece of data — in conjunction with authentication and access control – that is required to detect Wikileaks-style events: user behavioral analysis. An energing discipline with information security (and — shameless plug time – yes, SecureVue from eIQnetworks does it already today), user behavioral analysis gives organizations unprecendented visibility into what is normal for a given user, and informs appropriate personnel when that behavior deviates from the norm.  Most importantly, user behavioral analysis allows organizations to detect these variations without having to create endless permutations of policies and rules; the tools that do this will “baseline” user activity over time, and tell you when users are behaving strangely based on a broad range of parameters: abnormal quantities, abnormal times, abonormal locations, and many others.

The real solution to the Wikileaks problem — for the DoD and everyone else – is a combination of authentication and access control, plus user behavioral analysis.  Without understanding what users do on a daily basis — and automatically identifying when the behavior of those users deviates from what is normal – the DoD (and everyone else) is still at risk of unauthorized (and undetected) exfiltration of classified, confidential, or just plain-old embarassing data.

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: