Minding the gap in user activity monitoring

By Dan Velez, Senior Manager of Insider Threat Operations

Standing at the podium at a security leaders meeting, I saw his hand shoot up. “The Wells Fargo story – would your SureView Insider Threat have detected that problem?” The question makes me chuckle. I hear questions like this a lot at these events.

According to news reports, as far back as 2011 Wells Fargo employees purportedly fabricated millions of accounts in order to fraudulently achieve steep sales goals.  While thousands of employees were terminated for this conduct, that it went on so long undiscovered seems to indicate a more pervasive problem within the business no one was actively looking to detect.

While Forcepoint’s SureView Insider Threat (SVIT) can't monitor candor, it can detect when an employee is performing an account creation process on a bank’s internal application. SVIT has been doing screen scraping and collecting desktop video under these kinds of circumstances for many years. Unfortunately, it and other products can’t fix what no one can admit is broken. This is a key issue in cybersecurity.

In insider threat programs, many anomalies are detected though simple business intelligence practices. Take the case where an organization is concerned about privileged users who might be creating back doors into the network by creating unauthorized accounts on PC’s they can use later. Simple business intelligence analytics could compare the trouble tickets for new service requests to actual accounts being created by the privileged users to detect anomalies, or differences in the two streams. Business intelligence helps us identify when something is different, or anomalous, by comparing multiple streams of information and looking for differences and other outliers. There’s no user behavior analytics or machine learning algorithms required. A bank’s compliance or internal audit teams can detect fraudulent account activity with this kind of business intelligence. For instance, they might run a report of new accounts created in a given calendar year and check it against the telephone call records for the sales staff during the same time period. They might then discover a number of accounts created where there was no customer call to the sales team.   Would any of the affected Wells Fargo accounts created have appeared on such a list? I believe so.

What I do know is that SureView Insider Threat can cover gaps in user activity monitoring, but only if someone wants to look.

For more on the insider threat, click the below links:

• How CISOs Tackle Insider Threat Data Protection
• Privileged User Abuse and the Insider Threat
• 9 Steps To Build a Better Insider Threat Program
• 7 Profiles Of Highly Risky Insiders

For more on SureView Insider Threat click here.