Removable Storage and the Temporal Value of Data

There are a lot of ways for determined insiders to exfiltrate appropriated documents and data, but by far the preferred method is good old tried-and-true removable media. Edward Snowden was a SysAdmin, so in spite of a general policy against USB flash drives, he was completely comfortable making use of one to capture classified and restricted data and walk out the door with it. Bradley Manning, as an analyst rather than an IT employee, felt the need to employ a slightly higher level of tradecraft, labeling a recordable CD as if it were a Lady Gaga audio CD and using it to carry the thousands of State Department messages out the door. It’s an interesting by-product of the broad adoption of filtering, monitoring and packet-level inspection at the network periphery that data thieves often no longer even attempt to upload documents and files to external internet storage and servers, or send them off as email attachments, but rather recognize that it is much safer for them to take the data out of the network locally and walk out the door with it in their pocket or briefcase.

From a security intelligence standpoint, the fascinating part of all this is how much detailed information we have about what documents were taken and how they were smuggled out. Our network monitoring, security and identity systems are capturing those events and storing the entire sordid history as an archive, ready to be accessed and analyzed once we realize that something very bad has happened.  The reason we can forensically reconstruct the precise digital trail is that we have data that was collected in real time sitting in various silos, logs and transaction records.  But with no way to integrate and analyze that data, and no way to detect the behaviors of the guilty as suspicious or malicious without already knowing what to look for, forensic reconstruction is all that data is good for.

To security professionals and business-side executives both, this state of affairs should be cause for overwhelming frustration and anguish. It might be one thing if there were simply no record of the access events – if the entire process were a complete mystery. If the data was stolen and used maliciously and there were no fingerprints, nothing that could indicate the who or the how, we could shrug our shoulders and try to strengthen our preventive defenses. But that’s far from the case – in the Ed Snowden/NSA matter, there is a great deal of information about what he took, when he took it and how he got it out of the network, and out of the building. The security failure is in the integration and data analysis process – essentially both prevention and detection failed.

This should serve as the ultimate wake-up call to CISOs and security architects all over the world. You need a comprehensive, robust security intelligence solution in place, analyzing network use, access and transactions, determining the risk of various outlier and suspicious behaviors and sending real-time actionable alerts to an incident response team that can respond immediately, before a theft becomes a catastrophe. As much as or more than in any other IT discipline, security professionals need to be ice-cold realists. You have to accept, however reluctantly, that people will find ingenious ways to compromise existing security measures, and no matter how effective your prevention posture is, there are attacks that will be successful.

If the NSA information security team could go back 12 months and install Securonix, it seems very likely they wouldn’t hesitate to do so.  THAT is the lesson to be learned here.