Friday, February 16, 2007

Combat Insider Threats with Nontechnical Means

I've written many posts on insider threats, like How Many Spies and Of Course Insiders Cause Fewer Security Incidents. Recently a former Coca-Cola employee was found guilty of trying to steal Coke's trade secrets, with an intent to sell them to Pepsi. According to this story, detection of the plot was decidedly non-technical:

In May, a letter appeared at Pepsi's New York headquarters offering to sell the trade secret. But that's how the beverage superpowers learned of common corporate priorities: Pepsi officials immediately notified Coke of the breach; in turn, Coke executives contacted the FBI and a sting operation was put into play.

Today I read Insider Tries to Steal $400 Million at DuPont. The story claims a technical detection method:

Computer security played a key role in the case. The chemist, Gary Min, was spotted when he began accessing an unusually high volume of abstracts and full-text PDF documents from DuPont's Electronic Data Library (EDL), a Delaware-based database server which is one of DuPont's primary storage repositories for confidential information.

Between Aug. 2005 and Dec. 12, 2005, Min downloaded some 22,000 abstracts and about 16,700 documents -- 15 times the number of abstracts and reports accessed by the next-highest user of the EDL, according to documents unsealed yesterday by Colm Connolly, U.S. Attorney for the District of Delaware...

Min began downloading the documentation about two months before he received an official job offer from Victrex, a DuPont competitor, in October 2005. The new job was slated to begin in January of 2006, but Min did not tell DuPont he was leaving until December 2005, according to the documents. It was after he announced his departure that DuPont's IT staff detected the high volume of downloads from Min's computer.

The story itself shows that DuPont was unaware of the activity, which began in August, until December. DuPont's IT staff only started looking for odd activity once Min announced his departure, so the trigger was again nontechnical, even though the download records had been sitting in the EDL logs for months. Something similar to the Coke case occurred based on this line from the same story:

Victrex was not accused of conspiring with Min. In fact, the company assisted authorities in collecting evidence against him, according to the documents.

So, in both cases nontechnical means identified and caught insider threats.

This follow-up story, 10 Signs an Employee Is About to Go Bad, lists only two technical means to identify insider threats -- the remaining eight are all decidedly analog or physical. I recommend reading this list. It represents one of the better arguments I've seen for "convergence" between physical and digital security staffs.

Unfortunately, many companies are spending lots of money on products to supposedly combat insider threats, when the best approach is nontechnical. Meanwhile, these same companies are completely 0wn3d by outsiders in .ro, .ru, .cn, etc., but little attention is paid because external threats are not the "hot topic" right now. The only saving grace is that some of the technical methods that might be helpful against insiders may work against outsiders who control company assets.
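The DuPont documents describe a simple technical signal that nobody looked at until a resignation prompted them to: one user retrieving many times the volume of the next-highest user. The script below is an added example, not code from this post or from DuPont, showing that comparison applied month by month to an access log, so a surge like Min's August activity is flagged when it starts. The log format, user names, thresholds and the "own prior month" check are assumptions for the illustration.

```python
"""Volume-based detection of bulk document retrieval from a repository log.

Added example for this post; not code from the post, DuPont or any vendor.
The log format, user names and thresholds are assumptions. It applies the
comparison described in the DuPont court documents (a user retrieving many
times the volume of the next-highest user) month by month, so that activity
like Min's August 2005 surge is flagged when it starts rather than after a
resignation prompts someone to look.
"""
import re
from collections import Counter, defaultdict

# Assumed log format: "YYYY-MM-DD user=<id> doc=<document id>"
LINE_RE = re.compile(r"^(?P<month>\d{4}-\d{2})-\d{2} user=(?P<user>\S+) doc=\S+$")


def build_sample_log():
    """Construct a synthetic log (not real data): a handful of ordinary users
    retrieving a few documents per month, and one user who turns to bulk
    retrieval from August onward. One malformed line is included on purpose."""
    lines = []
    routine = ((3, "jsmith"), (9, "jsmith"), (12, "rlee"), (20, "akhan"), (25, "rlee"))
    for month in ("2005-07", "2005-08", "2005-09"):
        for day, user in routine:
            lines.append(f"{month}-{day:02d} user={user} doc=D{len(lines):04d}")
        if month == "2005-07":
            lines.append(f"{month}-14 user=gmin doc=D{len(lines):04d}")
        else:
            for i in range(40):  # 40 retrievals against peers' 1-2
                lines.append(f"{month}-{i % 28 + 1:02d} user=gmin doc=P{i:04d}")
    lines.append("garbage line that should be skipped")
    return "\n".join(lines)


def monthly_counts(log_text):
    """Parse the log into {month: Counter(user -> retrieval count)}.
    Malformed lines are skipped and counted, not allowed to crash the detector."""
    counts = defaultdict(Counter)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        counts[m["month"]][m["user"]] += 1
    return counts, skipped


def flag_outliers(counts, peer_ratio=5.0, self_ratio=5.0, min_docs=10):
    """Return {month: [(user, count, reason), ...]}.

    Two independent tests, both requiring at least min_docs retrievals so a
    user with 2 downloads is not flagged against a peer with 0:
      * peer: count > peer_ratio * the next-highest user's count that month
      * self: count > self_ratio * the same user's previous-month count
    """
    alerts = defaultdict(list)
    months = sorted(counts)
    for idx, month in enumerate(months):
        ranked = counts[month].most_common()  # descending by count
        prev = counts[months[idx - 1]] if idx > 0 else Counter()
        for user, n in ranked:
            if n < min_docs:
                break  # nothing further down the ranking can qualify
            next_highest = max((c for u, c in ranked if u != user), default=0)
            if n > peer_ratio * next_highest:
                alerts[month].append((user, n, f"{n} vs next-highest {next_highest}"))
            if n > self_ratio * prev[user]:
                alerts[month].append((user, n, f"{n} vs own prior month {prev[user]}"))
    return dict(alerts)


if __name__ == "__main__":
    counts, skipped = monthly_counts(build_sample_log())
    for month, hits in sorted(flag_outliers(counts).items()):
        for user, n, why in hits:
            print(f"{month}: {user} {why}")
    print(f"skipped {skipped} malformed line(s)")
```

On the constructed log, August produces both a peer alert and a prior-month alert for gmin; September produces only the peer alert, since the surge is now that user's own baseline. That is the caveat worth remembering: a self-baseline check catches the onset but not a steady state, and a peer comparison catches a steady state but would miss a whole team that downloads heavily, so the two belong together. Either would have surfaced the DuPont activity months before the resignation, provided someone was actually reviewing the output.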


Rob Lewis said...

The insider can harm a company more because it might only be one document with the most critical trade secret that is sold. Insiders know where the crown jewels are and can hurt you the most. Policies and staff education may not stop a staff member who has been compromised or bent on revenge. Determining "who did it" will do little good if the IP is already in a foreign country and the perpetrator has gone on permanent vacation with his spoils.

If you read Dan Verton's book, the Insider, inside attacks cost the US over $300 Billion a year. That ain't chicken feed.

Extrusion detection companies find 100% rate of failure with internal policies on some level.

Certainly your downplaying of the severity of this issue goes against the views of Ira Winkler as well.

dre said...

A quote from Matasano for you, "On most internal networks, HR is the first and last line of defense".

Earl Crane said...

Any of you who saw the movie Breach that came out last weekend know Insider Threats are a real concern, and have been ever since we had trusted information. This is information other people want. Intelligence has long been a common target for espionage, ever since men had greed and went to war.

Carnegie Mellon University's CERT has been looking at this problem for years, and last week I had the opportunity to sit down with one of their lead researchers, Dawn Cappelli, and discuss some of her work.

Ms. Cappelli has written several papers discussing insider threat and how to prevent it; one of the most applicable and fascinating is her Common Sense Guide to Prevention and Detection of Insider Threats.