Stories About Data Leaks and Related Stuff


How to Detect Internal Information Leakage?

It’s a fact: today, a lot of security incidents occur inside the security perimeter of companies and organizations. The perimeter itself is generally well protected, but what about the internal side?

Let’s imagine the following scenario: Sandra is a secretary at a big hospital. Her job requires access to a file share where patients’ medical records are stored. Once she has logged on to her workstation with her credentials, she has access to the file share and can read the data. Due to a recent divorce, Sandra has financial problems, and she receives a proposition from a “cool” guy: copy the medical records in exchange for some money. The temptation is too strong, and she starts copying all the medical records to her desktop.

From a technical point of view, the hospital applies the “least privilege” principle when granting access to employees. Least privilege is a good practice: give people access to exactly the resources they need to perform their job, no more, no less. But how can Sandra’s copy of all the records be detected?

Using behavioral monitoring, it is possible to detect Sandra’s unusual behavior while she copies the data. Granting access to a resource (in this case the file share) does not by itself make suspicious activity such as a copy of all files detectable, but extra controls can be deployed:

Define a quota of operations

Sandra needs about 10 minutes to process a patient file: she opens the file, updates the information, prints and archives it. By limiting the number of operations per time period, we can hinder the data leakage: not fully prevent the copy, but greatly increase the time required to perform it. To achieve this, profiling Sandra’s job is a critical step.

Monitoring accesses to files

If Sandra starts copying files, chances are she will copy all the files in alphabetical order. By monitoring access to files, this pattern can generate an alert.

Increased or unusual network traffic

While copying the data, Sandra’s workstation will generate a lot of traffic with the file server. This can also generate an alert. Network monitoring tools like Ntop can also be diverted from their primary usage to help detect suspicious activities: Ntop can draw a network traffic matrix, which makes it easy to spot a huge or unusual amount of traffic between some workstations and the file share.

Suspicious account usage

If Sandra shares her credentials with the “bad guy”, alerts can be generated when the credentials are used on a different workstation (provided credentials and hosts are linked together). If she accesses the file share during an unusual period of time, or if the session lasts longer than expected, this can also be flagged as suspicious activity.

To achieve behavioral monitoring like in the example above, specific tools are required and strong procedures must be defined. A SIEM (“Security Information and Event Management”) can help integrate the logs and events generated by all the components used by Sandra.
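As an added example (not code from the original post), the controls above expressed as detection rules over file-share access events, the kind of correlation a SIEM would perform: quota of operations, alphabetical access pattern, credentials used from another workstation, and off-hours access. The event format, Sandra’s profile values and the thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed file-share access events (user, workstation, time, file);
# invented for this example, not real hospital logs.
EVENTS = [
    ("sandra", "WS-017", "2024-03-04 09:02", "Adams_J.pdf"),
    ("sandra", "WS-017", "2024-03-04 09:14", "Moreau_L.pdf"),
    ("sandra", "WS-017", "2024-03-04 09:26", "Dubois_P.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:10", "Aarts_K.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:11", "Abel_M.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:12", "Adams_J.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:13", "Baker_T.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:14", "Bauer_R.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:15", "Becker_S.pdf"),
    ("sandra", "WS-017", "2024-03-04 22:16", "Brown_A.pdf"),
    ("sandra", "WS-042", "2024-03-05 10:30", "Cole_D.pdf"),
]

# Hypothetical job profile for Sandra (assumed values): usual workstation,
# office hours, one file per 10 minutes, and the length of an
# alphabetically ordered run that looks like a bulk copy.
PROFILE = {"user": "sandra", "host": "WS-017", "hours": (8, 18),
           "max_per_hour": 6, "min_alpha_run": 4}

def detect(events, profile):
    """Run the four controls over one user's events and return the
    names of the alerts that fired, sorted for stable comparison."""
    alerts = set()
    user_ev = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), h, f)
                     for u, h, t, f in events if u == profile["user"])
    window = timedelta(hours=1)
    start, end = profile["hours"]
    for i, (ts, host, _) in enumerate(user_ev):
        # Suspicious account usage: credentials used from another host.
        if host != profile["host"]:
            alerts.add("unusual_host")
        # Access outside the profiled working hours.
        if not start <= ts.hour < end:
            alerts.add("off_hours")
        # Quota: number of files opened in the hour ending at this event.
        recent = [e for e in user_ev[:i + 1] if ts - e[0] <= window]
        if len(recent) > profile["max_per_hour"]:
            alerts.add("quota_exceeded")
    # Alphabetical run: consecutive opens in ascending file-name order.
    run = 1
    for prev, cur in zip(user_ev, user_ev[1:]):
        run = run + 1 if cur[2].lower() > prev[2].lower() else 1
        if run >= profile["min_alpha_run"]:
            alerts.add("alphabetical_copy")
    return sorted(alerts)
```

The first three daytime events alone raise no alert; the night-time burst and the logon from WS-042 trigger all four rules.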

Other controls and solutions can be deployed to prevent information leakage. For critical operations, it’s a good practice to implement the principle of “separation of duties”: do not assign critical operations to only one person. Adding more people to the loop increases the chance of detecting problems. And finally, deploy countermeasures to prevent the stolen data from being sent outside the security perimeter.

As a conclusion, we can say: “Know your users!”
