Protect Your Assets
Showing results for 
Search instead for 
Do you mean 

Could Behavioral Analytics Have Stopped Edward Snowden?

Kerry_Matre ‎01-24-2014 01:58 PM - edited ‎06-09-2015 11:36 AM

When Edward Snowden revealed that he had stolen secret documents from the National Security Agency and published them to mainstream media, the security world stopped and asked, “How could this have been prevented?”  This was a massive breach of a US government agency, but Snowden wasn’t the typical outside attacker.  He was a privileged insider.


Snowden was a contractor for the NSA and had authorized access to sensitive internal systems. Traditional security systems are set up to protect the perimeter.  This means that they monitor firewall and network activity and deploy systems such as intrusion detection and prevention sensors. These systems are very effective at blocking external threats and malware but if the attacker is inside your perimeter, then what?


While hindsight is 20/20 in this instance, behavioral analytics could have been used to detect anomalous behavior before the system was fully exploited and all the data had been stolen.  Behavioral analytics is not a silver bullet for putting a stop to the insider threat, but is a tactic to add to your toolset to help identify malicious insiders.


The “tripwire” approach is insufficient


Security systems can be set up with “tripwires” that can alert to threatening events on internal systems.  These systems can be configured with signatures to match a user’s attempt to access data beyond their permission level or misuse a system in a predefined way.  These signatures are easy to setup but the fact that they are pre-defined means that they are predictable and therefore easy to circumvent. In fact, Snowden used social engineering to circumvent these controls.


Enforcement in “tripwire” systems is like enforcing traffic laws.  The laws are posted, everyone knows them, and most choose to obey them.  Occasionally, well-intentioned people exceed the speed limit and are pulled over by law enforcement.  However, traffics laws are less effective at catching specific criminal behavior.  Unsophisticated criminals may get pulled over for a minor offense (e.g. expired vehicle inspection, speeding) and then later identified as the perpetrator of a larger crime.  That happens, but it does not happen regularly.  Sophisticated criminals are another story.  They know the laws and  they know law enforcement. 


Sophisticated criminals avoid breaking the obvious laws, but they also mitigate the risk of getting caught by putting measures in place that limit the effectiveness of law enforcement.  Do you think that Edward Snowden drove the speed limit all the way from his home to Honolulu’s International Airport?  Actually, he took a cab, another way to mitigate the risk of random observation and ensure that he didn’t leave his car at the airport where someone might notice.  He knew there were tripwires in place and knew that his actions would be compared against criminal “signatures.” As long as he carefully managed his activities, carefully avoiding the “tripwires,” he would be able to move freely with little concern for getting caught. Most successful insider attackers have a good understanding of the target environment and know where the tripwires lie.


In order to move from reactive “tripwire” approach to proactive monitoring, privileged users must be compared against their individual behavioral baselines. The ability to conduct real-time monitoring of each individual user and their activity, relative to all objects they interact with, requires a basic paradigm shift from comparing user actions against external threat patterns to comparing users against their own baseline behavior. 


What is Behavioral Analytics?


Imagine if you provided an online retailer (Amazon, for example) with all your company logs, and asked them to tell you which employees were likely to buy a certain product.  Amazon would most likely be able to tell you which employees would buy the product, but also when, how often, at what price, other employees they might recommend the product to, and other products the employee might like.  All of this with data you have already collected.  Think about that for a moment.  You collect a lot of metadata on your own people, but chances are, it’s not all in one place.  System log in/out, application usage, Internet usage, mobile device usage, badge in/out, message traffic, file access, and file manipulation are all examples of metadata being collected.  This can tell a fairly complete picture of employee behavior, whether on or off premises.  With the right team looking at the data, you can identify insider threats before they manifest into intellectual property theft or data loss.


Let’s take a look a Mr. Snowden. He was a new employee at the NSA and a contractor.  These personal attributes should have put him on a high-risk user watch list for any insider threat monitoring system.  He complained about the ethics of his work to his supervisors, he complained to friends, he blogged against systems using a pseudonym.  He accessed classified information that presumably had nothing to do with his role. Network analysts or administrators in a classified environment have no reason to access databases and read documents containing the details of intelligence collection programs, a violation of role and need-to-know. A behavior analytics-based approach could have identified that Mr. Snowden was conducting activities outside the norm for his job role.


User-based anomaly detection establishes a baseline frequency for each user against all objects he or she touches, and over time, this sets a trend line for that user, thus creating a user-oriented baseline.  This allows for the baseline user activity to adjust with the changes in activities of the user and does not rely on an external set of conditions.  Individuals are then compared with their own previous patterns of behavior.  If the behavior crosses a specified threshold, then the user’s activities warrant further investigation.


Insider threats are not just a government concern.  Kweku Adoboli was a trader from UBS, a large investment bank.  He was the “rogue trader” whose unsupported trades cost the company approximately $2.3 billion in losses in 2011.  Chances are Adoboli wasn’t trying to lose money, he was trying to creatively, and aggressively, outshine his peers.  This prompted him to circumvent policies and ignore ethical guidelines in order to act in his own perceived best interest.  Behavioral analytics would have alerted on Adoboli’s behavior.  Even in the frantic world of investment banking, traders have normal sets of behavior patterns unique to each.  One trader cannot be compared to another as each person approaches their work in a different manner and that is manifested in the order and number of logs generated by each different person. If a baseline of Adoboli’s behavior was established when he began working at UBS, his sudden shift and deviation from his patterns would have been identified and indicated further scrutiny was needed. Using a behavior analytics based approach, it is highly likely that his malicious activities would have been identified and stopped shy of the $2.3 billion in losses.


Look Above, Below and Across


One of the most important considerations when using behavior analytics to monitor for insider threats is to not only monitor those events that are above the user’s baseline, but also those that are below. If a user is doing something less frequently than normal, this could be an indicator that attention is diverted, either as a result of tasking from his or her boss, or due to personal interest to get at other objects.


It is always easier to look back at a data breach, such as the recent NSA leaks, and point out the security holes and weak spots.  With behavior analytics we can begin to move from reactive to proactive monitoring and look forward to identifying anomalous usage patterns.  Behavioral analytics allows users to be monitored against normal behavior baselines specific to the network they operate on.  Hopefully, behavioral analytics will help us identify malicious insiders before it is too late.


Thanks to  David Beabout and Jesse Hughes for their contributions to this article.


About HP


Old-fashioned approaches to protecting your data against IP theft, fraud and espionage are necessary but not sufficient to stop targeted, sophisticated insider attacks.  Behavioral analytics identifies individual’s patterns of behavior and detects anomalies in those patterns.  You already have the data; chances are, you already have the tools.  It’s time to start using them in a new way.   We can help.


HP recommends that companies collaborate with their internal Privacy personnel when designing and performing Insider Threat monitoring so as to ensure individual Privacy and Civil Liberty issues are avoided.


HP Enterprise Security Products has deployed behavior analytics for customers to address insider threats.  Learn more at:


0 Kudos
About the Author


27 Feb - 2 March 2017
Barcelona | Fira Gran Via
Mobile World Congress 2017
Hewlett Packard Enterprise at Mobile World Congress 2017, Barcelona | Fira Gran Via Location: Hall 3, Booth 3E11
Read more
Each Month in 2017
Software Expert Days - 2017
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all