Identity Access Management: Lessons From JPMorgan’s Insider Breaches

Another former JPMorgan Chase & Co. (JPMC) employee was recently arrested by the FBI on charges of stealing customer data and trying to sell it to an undercover informant for tens of thousands of dollars.
    
Similar incidents have occurred several times at JPMC over the past few years. On closer inspection, a common thread emerges from each of them: JPMC's inability to account for insider threats.

Look For Clues

JPMC wants to trust its employees and wants them to perform their jobs with the utmost integrity. Regardless of industry, every organization must grant some employees access to its most sensitive data, such as intellectual property or information that customers expect will remain confidential. These include systems administrators with privileged access rights, and account representatives with access to customer data.

Monitor Identities

It's well documented that JPMC spends over $250M a year on cybersecurity personnel, tools and services to protect its digital assets. So while JPMC's IT perimeter may be hardened (though not impenetrable, as the 2014 mega breach showed), insiders must still have access to privileged information to do their jobs. Hardening an organization's external perimeter poses a very different set of challenges than hardening the internal network, primarily because internal networks can be configured in countless ways, with endless combinations of who has access to which systems, applications and data.

Given these challenges, the most reliable way to keep track of what insiders are doing and how they move inside the network is to manage identities and maintain visibility into their activities.

Follow The Threat Crumbs

Containing the damage, once insiders have stolen confidential company or customer information, is extremely difficult, if not impossible. Insider threats, whether in the form of malicious employees abusing their access credentials, or simple negligence, must be detected and rooted out as quickly as possible. Monitoring activity inside the network using identities provides organizations the opportunity to discover anomalous behavior early in the kill chain.

To be successful, this approach requires a robust and well-managed identity and access management (IAM) system (disclosure: I work for a User and Entity Behavior Analytics vendor). Next, actions and behaviors of each identity must be monitored using the following contextual filters:

Who - what is the user's or entity's role, or the role they are emulating?
What - what are they looking to access?
Where - what location are they accessing systems/data from, and what location are they accessing?
When - what time of day, what date, what week, month, etc.?
How - what means or technology are they using to access the network: a company-issued or personal device, a public kiosk,

Using this contextual knowledge, access to information can be controlled via rules-based risk scoring. The same intelligence can also feed predictive risk analysis of insiders' behavior, to detect trends and activity that require further investigation.
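The following is an added example, not code from the article or from any vendor it mentions: a minimal rules-based risk scorer that applies the Who/What/Where/When/How filters above to identity access events and ranks the ones worth an analyst's attention. The role entitlements, trusted locations, device types, weights, threshold and sample events are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy (not any real organization's): role entitlements (Who/What),
# trusted network locations (Where) and managed device types (How).
ROLE_ENTITLEMENTS = {"account_rep": {"customer_pii"}, "sysadmin": {"server_config", "logs"}}
TRUSTED_LOCATIONS = {"NYC-HQ", "Columbus-DC"}
MANAGED_DEVICES = {"corp_laptop", "corp_desktop"}

@dataclass
class AccessEvent:
    user: str
    role: str            # Who: the role the identity is acting under
    resource: str        # What: data class being accessed
    record_count: int    # What: how much of it
    location: str        # Where: network location the access comes from
    timestamp: datetime  # When
    device: str          # How: device type used for the access

def score_event(ev, baseline_records):
    # Each rule adds a weight; the reasons list keeps the score explainable to an analyst.
    score, reasons = 0, []
    if ev.resource not in ROLE_ENTITLEMENTS.get(ev.role, set()):
        score += 40; reasons.append("resource outside role entitlement")
    if ev.record_count > 5 * max(baseline_records, 1):
        score += 30; reasons.append("volume far above user baseline")
    if ev.location not in TRUSTED_LOCATIONS:
        score += 15; reasons.append("untrusted location")
    if ev.timestamp.weekday() >= 5 or not 7 <= ev.timestamp.hour < 20:
        score += 10; reasons.append("outside business hours")
    if ev.device not in MANAGED_DEVICES:
        score += 15; reasons.append("unmanaged device")
    return score, reasons

def triage(events, baselines, threshold=50):
    # Events at or above the threshold go to an analyst, highest risk first.
    hits = []
    for ev in events:
        score, reasons = score_event(ev, baselines.get(ev.user, 0))
        if score >= threshold:
            hits.append((ev.user, score, reasons))
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample events: a routine session, and a weekend bulk pull of customer records.
SAMPLE_EVENTS = [
    AccessEvent("alice", "account_rep", "customer_pii", 12, "NYC-HQ",
                datetime(2015, 11, 17, 10, 30), "corp_desktop"),
    AccessEvent("bob", "account_rep", "customer_pii", 4000, "residential-isp",
                datetime(2015, 11, 21, 23, 15), "personal_laptop"),
]
SAMPLE_BASELINES = {"alice": 15, "bob": 20}  # typical records per session, per user
```

Calling `triage(SAMPLE_EVENTS, SAMPLE_BASELINES)` returns only bob's session, scored 70 with four rules listed; alice's in-role, in-hours, on-site access scores 0 even though she touched the same data class.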

The JPMC breaches serve as a valuable reminder that identity-based data sources and metrics must be integrated into the threat management cycle of monitoring, detecting, analyzing and responding.

Computerworld
