Welcome to the Age of Zero Trust

Rules-based systems don't work, says Darktrace


Sponsored Feature What's highly valuable, often sensitive, and possibly dangerous when it trickles out of your business into the wrong hands? That's right – it's your workforce. Companies are struggling to retain employees and hire new ones as workers seek new opportunities elsewhere. That causes headaches for more than just the HR department. It should be keeping IT security teams awake at night too.

Where have all the workers gone?

The great resignation is real. In November, a Randstad survey of 6,000 UK workers found almost seven in ten planning to change jobs within months. In the US, Bureau of Labor Statistics data shows the quit rate trending up, reaching a high in November and only backing off slightly to 4.3m in December. In short, people are voluntarily on the move.

Reasons for staff attrition will vary between sectors, but Toby Lewis, global head of threat analytics at UK security company Darktrace, is used to crunching numbers when things deviate from normal. He points to pent-up demand for career change as a driving factor for staff leaving across all sectors.

People wanted stability at the start of the pandemic, causing them to put job changes on hold, he posits. With the worst of the pandemic over, people are putting their original plans into action.

"As individuals become more comfortable, they feel safer to transition into different roles, so some of the floodgates open," he says.

Regular attrition rates have compounded this release of pent-up demand, along with employees' desire to maintain a more flexible working style. If their company wants them back at the office too often, they're likely to seek more easy-going employers elsewhere.

More attrition means more malicious insiders

This increased attrition has created skills shortages that companies are rushing to plug. The volatile recruitment conditions create more than financial problems; they also carry more security risks, warns Lewis.

These risks fall into two broad categories: untrustworthy people currently employed in the organization, and malicious usage of ghost accounts left by departed employees.

Companies have always had to cope with disgruntled employees who are still at the organization. IT employees with a history of irascibility have a habit of going rogue, for example. Now, they face an influx of new employees that could be willing accomplices in an attack. Ransomware thieves have been caught approaching employees to help infect their employer's systems, while some workers take it upon themselves to pilfer company data.

Insider threats also spike at the end of someone's employment, warns Lewis. "People are always the unknown," he says. "There's an element of not being clear whether someone is trustworthy when they first join, but also when they leave."

An employee might even use their account to pilfer valuable information after they move on, he warns. Companies often fail to close the circle by shutting down employees' accounts quickly after their departure. This leaves the door open for workers to plunder their former employer's data or for third-party intruders to find and co-opt unused accounts and fly under the radar.

Trust no one

This volatility creates an even stronger need for a security discipline that has gained traction since the beginning of the pandemic: zero-trust architectures. This concept, which extends back to the Jericho Forum's deperimeterization work in the early 2000s, focuses on moving security beyond a traditional network perimeter that is rapidly eroding.

"It's a cultural change," explains Lewis. In the past, companies viewed what was inside the network as trusted, and everything else as untrusted. Deperimeterization, which accelerated under the pandemic, muddied those waters. Today, devices that a company doesn't own might legitimately access its resources from networks that it doesn't control.

Add to this the notion that some legitimate users might be doing illegitimate things, or that malicious actors might be using legitimate accounts, and you create a nightmare for security teams.

Companies can't use traditional rules-based systems when protecting their applications and data in this more complex environment, Lewis warns: "It's very hard now to have an implicit definition of what good looks like and an implicit definition of what bad looks like".

Zero trust security leans into that environment by scrutinizing all activity. Basic architectures concentrate on verifying identity rather than relying on device security. But companies must implement it properly. Concentrating just on ID authentication leaves security teams blind to illegitimate uses of legitimate accounts.

Focusing on behavior, not just identity

Darktrace started out with a more sophisticated approach in 2013, using AI to dig deeper into what's happening in a company's infrastructure.

The company watched the security threat spread across multiple facets, including the cloud, SaaS, user, and the endpoint. It realized that businesses would need security technology that understood employee behavior across these different domains. It needed to learn about employee behaviors in context, understanding not just what they were doing at a specific time but what they had done before and whether this was unusual behavior across the organization as a whole. It also needed to adapt its understanding of context in a fast-evolving environment.

This is where Darktrace's AI-powered anomaly detection can help, explains Lewis. It abandoned rules-based detection in favor of comparing every action against what's normal. It uses machine learning to analyze network traffic over time, continuously updating its understanding of what is 'normal'. It can then check new traffic and online interactions against that evolving baseline, highlighting any behavior that steps outside what's expected.

Making security decisions based on what's normal rather than simple rules-based techniques makes it easier to spot insider threats, even when malicious employees try to cover their tracks. When a legitimate employee turns rogue they change how they behave, Lewis says, leaving telltale signs.

"They might gain access to services and systems that they've not used before, or start to hoard data that they've never done before," he says. "They might start to exfiltrate and upload data to third party sites as a way of storing all of this data. These actions might be perfectly legitimate as individual atomic events."
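To make the principle Lewis describes concrete (each event is innocuous on its own; only the pattern against the user's own normal is telling), here is a small added example, not Darktrace's code or method: it learns a per-user baseline from constructed events, scores new events for weak signals such as a new device, a new service or a transfer far above that user's usual volume (the unusually-large-download case from the SaaS admin story later in the piece), and alerts only when several distinct signals accumulate for one user. The event format, thresholds and user names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline events: (user, device, service, direction, bytes). Not real telemetry.
BASELINE = [
    ("alice", "lt-01", "crm", "down", 2_000), ("alice", "lt-01", "mail", "down", 5_000),
    ("alice", "lt-01", "crm", "down", 3_000), ("alice", "lt-01", "mail", "up", 1_000),
    ("bob", "lt-02", "git", "down", 50_000), ("bob", "lt-02", "git", "up", 40_000),
    ("bob", "lt-02", "wiki", "down", 4_000), ("bob", "lt-02", "git", "down", 60_000),
]

# Constructed "new" events: alice touches a new service, pulls far more than usual,
# then uploads from an unknown device; bob behaves as he always does.
NEW_EVENTS = [
    ("alice", "lt-01", "fileshare", "down", 3_000),
    ("alice", "lt-01", "fileshare", "down", 2_500_000),
    ("alice", "byod-7", "ext-storage", "up", 2_400_000),
    ("bob", "lt-02", "git", "down", 65_000),
    ("bob", "lt-02", "wiki", "up", 500),
]

def learn_baseline(events):
    """Per-user profile: devices and services seen, plus bytes moved per direction."""
    prof = defaultdict(lambda: {"devices": set(), "services": set(), "bytes": defaultdict(list)})
    for user, dev, svc, direction, nbytes in events:
        p = prof[user]
        p["devices"].add(dev)
        p["services"].add(svc)
        p["bytes"][direction].append(nbytes)
    return prof

def score_event(prof, event, sigma=3.0):
    """Weak signals a single event raises against the user's own baseline (not org-wide rules)."""
    user, dev, svc, direction, nbytes = event
    p = prof.get(user)
    if p is None:
        return ["unknown_user"]
    signals = []
    if dev not in p["devices"]:
        signals.append("new_device")
    if svc not in p["services"]:
        signals.append("new_service")
    hist = p["bytes"].get(direction, [])
    # Volume is anomalous only relative to this user's history, and must exceed anything seen before.
    if hist and nbytes > mean(hist) + sigma * pstdev(hist) and nbytes > max(hist):
        signals.append(f"large_{direction}load")
    return signals

def correlate(prof, events, threshold=3):
    """Connect the dots: alert per user only once enough distinct weak signals accumulate."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[0]].update(score_event(prof, ev))
    return {u: sorted(s) for u, s in seen.items() if len(s) >= threshold}
```

Running `correlate(learn_baseline(BASELINE), NEW_EVENTS)` flags only alice, while none of bob's events raise a signal.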

Follow the packets

Darktrace's Antigena builds its picture of normality by following activity at the network layer, getting visibility across all traffic by monitoring things at the core. "We can also deploy probes into part of the estate," explains Lewis. Darktrace can integrate with vendors to get telemetry from their products, adding to its corpus of data, and can also deploy on-host agents to gain more visibility at the endpoint.

Unlike conventional machine learning solutions that rely exclusively on labeled training examples, Darktrace's system does not need mountains of historical data before it can watch for an abnormality, the company explains. It learns a company's network patterns over a week or two, and continually updates that understanding as behavioral patterns change.

Autonomous response in action

Antigena can flag this abnormal activity for administrators. It also features an autonomous response capability that can take appropriate measures to stop that activity. The company has activated this capability for over 4,000 clients and counting.

Autonomous response technology has stopped several malicious and unwitting insider threats for Darktrace customers in the past. In one case, an employee at a manufacturer tried to send sensitive intellectual property to a third party by routing around the employer's firewall.

The employer's firewall would have blocked a direct connection to the external destination, so the employee connected their personal device to the company's network and established a rogue RDP session. Darktrace spotted the connection, which had never been seen on the company's network before. The use of an unknown device made it still more suspicious. The tool automatically blocked all outgoing traffic from the device and alerted the security team.

Using AI rather than simple rules-based systems when monitoring activities allows companies to automatically connect the dots between individual events that might not cause suspicion alone. This is how Darktrace thwarted one IT systems administrator, disgruntled after being fired from their job, who logged into their SaaS account and downloaded sensitive files including credit card numbers.

The rogue admin tried to transfer the information to their home server via the company's regular cloud-based data transfer service. Antigena spotted the file downloads, which were unusually large for that employee, and blocked the subsequent upload. When the employee switched to a VPN connection to bypass the cloud service, the Darktrace tool blocked that too.

The technology can also stop hapless employees from endangering the company by mistake. When an employee at battery manufacturer ZPower downloaded malicious software that put the company at risk, Darktrace detected the software in real time and contained it.

Companies are often extra paranoid about physical security when letting staff go. How many movie scenes have shown an employee immediately escorted from the building, box of belongings in hand, as soon as a manager has let them go? They think they've stopped the employee from stealing valuable information, but they often forget about a disgruntled worker's access to online resources.

Online tools and remote access create more opportunity than ever for employees to steal sensitive information while on the job. After all, if it can happen to the NSA, it can happen to you. As staff attrition continues to create information risks, maybe AI can stop the great resignation from transforming into the great data heist.

Sponsored by Darktrace