Sunday, March 04, 2012

Keep CIRT and Internal Investigations Separate

A recent issue of the Economist featured an article titled Corporate fraud: Mind your language -- How linguistic software helps companies catch crooks. It offered the following excerpts:

To spot staff with the incentive to steal (over and above the obvious fact that money is quite useful), anti-fraud software scans e-mails for evidence of money troubles...

Ernst & Young (E&Y), a consultancy, offers software that purports to show an employee’s emotional state over time: spikes in trend-lines reading “confused”, “secretive” or “angry” help investigators know whose e-mail to check, and when. Other software can help firms find potential malefactors moronic enough to gripe online, says Jean-Fran├žois Legault of Deloitte, another consultancy...

Dick Oehrle, the chief linguist on the project, explains how it works. First, the algorithm digests a big bundle of e-mails to get used to employees’ language. Then human lawyers code the same e-mails, sorting things as irrelevant, relevant or serious. The human feedback and the computers’ results are then reconciled, so the system gets smarter. Mr Oehrle says the lawyers also learn from the computers (presumably such things as empathy and the difference between right and wrong).

To find employees with the opportunity to steal, the software looks for what snoops call “out of band” events: messages such as “call my mobile” or “come by my office” suggest a desire to talk without being overheard. E-mails between an employee and an outsider that contain the words “beer”, “Facebook” or “evening” can suggest a personal relationship...

Employers without such technology are “operating blind”, says Alton Sizemore, a former fraud detective at America’s FBI... [N]early all giant financial firms now run anti-fraud linguistic software, but fewer than half of medium-sized or small financial firms do...

Prospective users typically pay for a single “snapshot” search of 12 months of company records, according to APEX Analytix, a developer of the software in Greensboro, North Carolina. For a company with 10,000 employees, this costs about $45,000. Unless a company is very small, evidence of fraud almost always surfaces, convincing clients to sign up for a yearly package that costs three or four times as much as a spot-check, says John Brocar of APEX Analytix.

Why spend the money... If a company shows it has systems in place to detect this kind of thing, and starts investigating before outsiders do, it may have an easier time in court.

When I read this story it reminded me of my advice to keep CIRT and Internal Investigations separate. Notice the repeated mention of "lawyers" in the Economist story. There is no reason for this sort of technology or responsibility to reside in the Computer Incident Response Team. CIRTs should focus on external threats. Internal Investigations should focus on internal threats, e.g. employees, contractors, and other authorized parties who may perform unauthorized activities. II should collaborate closely with legal and human resources and should not use CIRT tools or techniques. This separation of duties was invaluable when I ran GE-CIRT because we could reassure constituents that our analysts focused on bad guys outside the company, not our own users.

2 comments:

Bill Frank said...

I am not sure it’s so easy or even practical to keep external and internal investigations separate. While surely the type of linguistic analysis software you describe can be kept separate, the trend, for several years now, in Firewalls, Flow products, and SIEMs has been to associate user names with IP addresses because IP address correlation is not reliable. A person’s IP address can change several times a day as the person works from home, then Starbucks, and then the office.

In addition, some SIEMs are making it fairly easy to integrate and correlate internal line-of-business applications. Furthermore, external attacks start to resemble internal attacks when the attacker’s initial goal is to steal an internal user’s credentials.

Anonymous said...

From the article:
"Then human lawyers code the same e-mails..."

Lawyers are HUMAN now?