Identity Access Management: Lessons From JPMorgan’s Insider Breaches

Uploaded on 2015-08-04 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-Financial

Another former JPMorgan Chase & Co. (JPMC) employee was recently arrested by the FBI on charges of stealing customer data and trying to sell it to an undercover informant for tens of thousands of dollars.
    
Similar incidents have occurred multiple times at JPMC over the past few years. Upon closer inspection a common thread emerges from each of these incidents, JPMC’s inability to account for insider threats.  

Look For Clues

JPMC wants to trust their employees and they want them to perform their jobs with the utmost integrity. Regardless of industry, every organization must grant some employees access to its most sensitive data – such as intellectual property or information that customer’s expect will remain confidential. These include systems administrators with privileged access rights, or account representatives with access to customer data.

Monitor Identities

It’s well documented that JPMC spends over $250M a year on the cybersecurity personnel, tools and services to protect their digital assets. So while JPMC’s IT perimeter may be hardened (but not impenetrable, see 2014 mega breach), insiders must have access to privileged information to do their jobs. Hardening an organization’s external perimeter poses is a very different set of challenges than hardening the internal network. Primarily because internal networks can be configured in countless ways, with endless combinations of who has access to what systems, applications and data.

Given these challenges, the most reliable way to keep track of what insiders are doing and their movements inside the network, is to manage identities and maintain visibility into their activities.

Follow The Threat Crumbs

Containing the damage, once insiders have stolen confidential company or customer information, is extremely difficult, if not impossible. Insider threats, whether in the form of malicious employees abusing their access credentials, or simple negligence, must be detected and rooted out as quickly as possible. Monitoring activity inside the network using identities provides organizations the opportunity to discover anomalous behavior early in the kill chain.

To be successful, this approach requires a robust and well-managed identity and access management (IAM) system (disclosure: I work for a User and Entity Behavior Analytics vendor). Next, actions and behaviors of each identity must be monitored using the following contextual filters:

Who - what is user or entity’s role or the role they are emulating?
What - are they looking to access?
Where - what location are they accessing systems/data from, and what is the location are they accessing?
When - what time of day, what date, what week, month, etc.?
How – what means or technology are they using to access the network -- company-issued or personal device, public kiosk, 

Using this contextual knowledge, controlling access to information can be managed via rules-based risk scoring. This intelligence can also be used for predictive risk analysis of insiders’ behavior to detect trends and activity that require further investigation.

The JPMC breaches serve as a valuable reminder that identity-based data sources and metrics must be integrated into the threat management cycle of monitoring, detecting, analyzing and responding.

Computerworld

 

 

« Disclosure: Internet companies Face UK Tax Crackdown
Google Gives Customers Control of Encryption Keys »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Fredda Stanza

Fredda Stanza

Fredda Stanza specialize in Information Security and Forensics Consulting.

Tendo Solutions

Tendo Solutions

Tendo Solutions provides intelligence, security, forensics and risk solutions to clients across different sectors and jurisdictions.

Teneo

Teneo

Teneo is a Solutions Provider focused on reducing complexity. We combine leading technology with deep expertise to create new ideas on how to simplify IT operations.

evoila

evoila

evoila GmbH is one of the leading providers in consulting, analysis, implementation and management of cloud infrastructure.

Cyjax

Cyjax

Cyjax monitors the Internet to identify the digital risks to your organisation, including cyber threats, reputational risks and the Darknet.

Commonwealth Cybercrime Initiative (CCI)

Commonwealth Cybercrime Initiative (CCI)

The CCI unites 35 international organisations contributing to multidisciplinary programmes in Commonwealth countries. These organisations form the CCI Consortium.

AXA XL

AXA XL

AXA XL is the P&C and Specialty Risk Division of AXA. Professional insurance products include Cyber Insurance.

Veracity Industrial Networks

Veracity Industrial Networks

Veracity provides an innovative industrial network platform that improves the reliability, efficiency, and security of industrial networks and devices.

Global Cybersecurity Forum (GCF)

Global Cybersecurity Forum (GCF)

Global Cybersecurity Forum is a catalyst platform designed to create a more resilient and better cyberworld for all.

senhasegura

senhasegura

senhasegura is a global Privileged Access Management vendor. Our mission is to eliminate privilege abuse in organizations around the globe and build digital sovereignty.

Truly Secure

Truly Secure

Truly Secure is an IT Service Provider that ensures greater efficiency and security within a company's technological environment.

Josef Ressel Centre for Intelligent & Secure Industrial Automation

Josef Ressel Centre for Intelligent & Secure Industrial Automation

The Josef Ressel Centre for Intelligent and Secure Industrial Automation investigates the fundamentals of digital assistants for industrial machines that enable intelligent and secure operation.

Darktrace

Darktrace

Darktrace is a global leader in cybersecurity AI, delivering complete AI-powered solutions in its mission to free the world of cyber disruption.

FluidOne

FluidOne

FluidOne are an award-winning Connected Cloud Solutions provider. We design tailored solutions to help customers and partners digitally transform their IT and communications.

Knostic

Knostic

Knostic is an early stage startup developing a risk management and governance platform designed for enterprise large language models (LLM).

Secur-Serv

Secur-Serv

Secur-Serv is a security-first managed services provider. We provides Managed IT, Managed Print, Managed Device, and Cybersecurity services to companies of every size.