Watch the (Privileged) Watcher

On my way to a conference last week, I sat next to a kid playing “Where’s Waldo?” And I thought to myself… if only the security analyst’s life was as easy as finding Waldo.

In reality, however, what if it is the “regular” person standing in plain sight right next to Waldo that I’m actually after, and I’m spending all my time on a goose chase for the wrong person?! Think about it for a minute, I can easily write a rule locating a guy wearing a white and red stripe shirt, a silly hat, and blue pants. I would find Waldo with no false positives. However, there is NO rule I can write to identify anything else in the image surrounding our friend Waldo:

  • Compared to Waldo they all look different in every scenario they are featured in, and
  • Everyone else (excluding Waldo) in that image all looks the same!

This is the reality security operation centers (SOC) face daily as they fight the uprising of internal threats. By internal I’m referring to insider threats as well as external threats that already have a footprint in the environment (e.g. leveraging compromised credentials).

Let’s take the recent Tesla Saboteur case where an employee messed with source code and exfiltrated data. This case highlights the challenges and complexity organizations deal with on a daily basis when trying to identify, not to mention predict, malicious users and their actions.

Even mature SOCs with all the right tools in place (Read more...)

*** This is a Security Bloggers Network syndicated blog from RSA Blog authored by Maor Franco. Read the original post at: http://www.rsa.com/en-us/blog/2018-07/watch-the-privileged-watcher.html