Earlier today news broke that financial services firm Morgan Stanley had experienced an insider breach, which resulted in customer data being posted online. The breach was initially detected when data related to a portion of the firm’s wealth management clients was observed on Pastebin. Pastebin is a popular site for sharing text-based data, and while it is widely used for sharing code between developers, it has also long been a thriving marketplace for advertising and selling stolen data, from compromised user accounts and cracked passwords to credit card numbers and, in this case, account data.
Once the data was detected in the wild, Morgan Stanley was able to trace the breach back to a single financial planner who had downloaded data on up to 10% of the firm’s wealth management clients. The responsible employee was quickly terminated and the breach disclosed to the public.
However, in spite of the quick action taken by Morgan Stanley, this incident once again confirms one of the troubling trends related to insider threats and data breaches in general. In short, a large number of data breaches are only detected once stolen assets are observed in the wild. Security reporters such as Brian Krebs and other researchers are regularly the first to detect breaches simply by monitoring online forums where stolen data is advertised. Once the breach is detected, an investigation is triggered to determine what happened and to identify those responsible.
While it’s certainly important to monitor these forums, it’s also obvious that far too much of the industry’s approach to data breaches and insider threats is performed in hindsight. At Vectra Networks we are focused on revealing an active breach or insider threat in real-time so that security can take action before data ends up in the wild. By directly monitoring internal network traffic and using data science to reveal the patterns of data theft, Vectra can enable security teams to regain a proactive approach to dealing with breaches.
This can include proactively identifying users or devices that are aggregating large amounts of data, as was the case in the Morgan Stanley breach. The recently released Community Threat Analysis automatically learns the normal communities of users by observing their network traffic, and likewise provides security teams with the ability to see users who may be connecting to critical assets or operating outside of their normal communities. Of course, the solution also provides visibility into a wide variety of malicious actions related to targeted attacks such as internal reconnaissance, internal spreading of malware, data accumulation, and hidden exfiltration methods. However, the important point is to be able to gain all of this insight and take action while a threat is still active and not after the fact. Ultimately, this allows you to spend your time protecting your customers instead of apologizing to them.
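As an added illustration (this is not Vectra's code or its actual method), the following constructed Python example sketches the two detection ideas above over daily per-user flow summaries: flagging a user whose download volume from internal servers sits far above the peer median, and flagging access to a server that nobody else on the user's team reaches. All users, teams, servers and byte counts are made up.

```python
"""Spot data aggregation and out-of-community access in flow summaries.
Constructed example: each record is (user, team, internal server, bytes
downloaded) aggregated over one day, as you might derive from flow exports."""
from collections import defaultdict
from statistics import median

# Constructed sample data: (user, team, internal server, bytes downloaded)
FLOWS = [
    ("alice", "wealth-mgmt", "crm-db", 40_000_000),
    ("bob",   "wealth-mgmt", "crm-db", 55_000_000),
    ("carol", "wealth-mgmt", "crm-db", 48_000_000),
    ("dave",  "wealth-mgmt", "crm-db", 52_000_000),
    ("erin",  "wealth-mgmt", "crm-db", 2_900_000_000),    # bulk pull of client records
    ("erin",  "wealth-mgmt", "hr-payroll", 120_000_000),  # server her team never touches
    ("frank", "hr",          "hr-payroll", 60_000_000),
]

def volume_outliers(flows, k=6.0):
    """Return {user: total_bytes} for users whose daily download total exceeds
    median + k * MAD across all users. Median and MAD are used instead of mean and
    standard deviation so a single thief cannot inflate the baseline they are judged by."""
    per_user = defaultdict(int)
    for user, _, _, nbytes in flows:
        per_user[user] += nbytes
    totals = list(per_user.values())
    med = median(totals)
    mad = median(abs(t - med) for t in totals) or 1  # guard against zero spread
    return {u: t for u, t in per_user.items() if t > med + k * mad}

def out_of_community(flows):
    """Return sorted (user, server) pairs where the user is the only member of
    their team seen reaching that server: a crude community baseline learnt from
    peers' traffic. Teams with a single member have no peers and are skipped."""
    team_members = defaultdict(set)
    team_server_users = defaultdict(set)  # (team, server) -> users on that team seen there
    for user, team, server, _ in flows:
        team_members[team].add(user)
        team_server_users[(team, server)].add(user)
    flagged = []
    for (team, server), users in team_server_users.items():
        if len(team_members[team]) > 1 and len(users) == 1:
            flagged.append((next(iter(users)), server))
    return sorted(flagged)

if __name__ == "__main__":
    print("volume outliers:", volume_outliers(FLOWS))
    print("out-of-community access:", out_of_community(FLOWS))
```

In the sample data, erin is the only user flagged by both checks; the four peers who pull a normal day's worth from the CRM database are not.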