CYBER SECURITY

SOFTWARE TARGET

Cyber security covers a wide range of emerging and evolving threats. Here, Mark Warren explores the risks surrounding software-based intellectual property

As highlighted in a recent IRM guidance document, cyber-risk is an increasing area of concern and focus for risk professionals, whether data breaches are caused by external attackers or from within the organisation (the insider threat) by malicious or careless employees. While information exposed by security breaches can be used in multiple ways (for instance, to extract money or bring down a computer network), there is the very real risk of software-based intellectual property (IP) theft.

Organisations of all kinds are dependent on software not just for operational functions but as a competitive advantage, such as: supporting in-car electronics; communications systems; banking products; computer games; and retail systems. Market-beating software can contribute substantially to an organisation's success, so protecting these assets is clearly important. However, the IP Commission Report puts the cost of IP theft (of all kinds) in excess of US$300bn. Financial losses from cyber-theft could cause as many as 150,000 Europeans to lose their jobs, according to a Cybercrime report by Intel Security/McAfee in 2014. There are other potential implications from failing to protect software IP, such as increased insurance costs and even industry fines.

Start with software development

The software development process is at the heart of this challenge. Whether it is for a new piece of consumer electronics, a new financial services product or an upgrade to a mobile phone, software is centre stage in the product evolution process.
Each product cycle generates vast amounts of mission-critical IP, which can include initial product requirements; detailed engineering (hardware or software) specifications; industrial designs; source code; media; early prototypes; finished product; and business documents to help market and sell that product.

The problem for the cyber security industry has been that all these development assets are typically held in different repositories (usually on several different computer servers or even in a shared public cloud service), making it hard for traditional software security tools to track and protect them. These tools are typically not designed to protect source code. It is also not unusual for a company to receive in excess of 100,000 alerts a day from such tools, which can quickly become overwhelming and makes it hard to analyse what is a real threat.

This is why more organisations are turning to techniques such as behavioural analytics in the fight against software IP theft, detecting and surfacing anomalies, such as unusual activities, and applying algorithms that sort through all the noise. Understanding who the perpetrators of an IP theft are and how they operate is a vital first step.

IP theft perpetrators

Internal hacktivists get media attention but, in reality, these types of attack are rare. More common are organised criminal groups, which operate underground marketplaces where cyber criminals can buy and sell stolen information and identities. State-sponsored espionage is another area of global risk: China's People's Liberation Army (PLA) has developed a combat strategy called integrated network electronic warfare, which guides computer network operations and cyber warfare tools with the goal of seizing control of an opponent's information flow and establishing information dominance.
More everyday but just as risky are careless employees who, for instance, may move data to an insecure location in order to make their working processes easier and, in doing so, expose that data to external hackers or colleagues with malicious intent. A Cisco study entitled Data Leakage Worldwide: the high cost of insider threats found that 44 per cent of employees share work devices with others, 46 per cent of remote workers admitted to transferring work files to home computers, and 18 per cent admitted to sharing passwords.

Finally, employees leaving an organisation may take sensitive data with them. In September 2014, the FBI put out an alert that it was seeing a significant increase in attacks of this category, which can cost businesses up to US$3m per incident.

Understanding attack behaviour

Types of attack vary, too. The impulsive attack is typical of employees who are leaving and of insider hacktivists, and usually occurs within hours or just a few days. The below-the-radar slow attack may go on for years, and is typically found in the arena of government or corporate espionage. The outside or targeted attack, often called an advanced persistent attack (APT), can be very sophisticated and takes place over time. Less common are malware-based outside attacks, which are hard to defend against because they are constantly changing.

The threat landscape is also evolving, with combinations of orchestrated inside/outside attacks: the insider introduces the malware and then relinquishes control to an anonymous command-and-control (C&C) mechanism. With the malware present and obfuscated, the C&C server quietly and continuously extracts data from the organisation.

Sifting through the security noise

Concerns around the insider threat and software IP theft have spurred growth in the use of behavioural analytics tools, to help organisations understand the context of an attack and rate the risk priority accurately.
The key is detection of anomalous IP access behaviour and identifying the users, machines and projects involved. Using advanced algorithms, these tools observe, measure and even predict outcomes from human decision-making processes, based on each person's unique decision-making patterns and risk-tolerance levels.

Modern threat detection identifies not only that a pattern of behaviour has deviated from its norm, but also whether that behaviour is likely to be risky. For instance, someone accessing a single important source code project more often than they have historically accessed it is interesting, but not as interesting or potentially as risky as someone accessing 10 important source code files that they have never accessed before.

The experience of a US$20bn manufacturer illustrates how well behavioural analytics can work. It had spent more than US$1m over 12 months trying to confirm the source of software IP theft. By using log data from 20,000 global developers (30 days of activity totalling more than nine billion events) and applying machine learning and analytics, the internal threats were uncovered in less than two weeks. Not only did it identify the two known rogue engineers, but it also identified 11 other previously unknown thieves.

Conclusion

Software will continue to take centre stage in the operations and intrinsic value of most organisations and, therefore, will increasingly come under the risk professional's remit. Cyber security is a multi-faceted challenge but, with the emergence of behavioural analytics science and tools, organisations can at least be better equipped to identify anomalous internal behaviour to help them address the potential threat of software IP theft.

Mark Warren is European marketing director of Perforce Software, with additional responsibility for solutions marketing. www.perforce.com
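
The distinction drawn under "Sifting through the security noise", that a familiar asset accessed more often matters less than many important assets never accessed before, can be expressed as a score against each user's own history. This is an added example, not code from the article or from any vendor tool; the weights, user names, asset paths and log events are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

NOVEL_WEIGHT = 2.0      # assumed weight for an asset the user has never touched
RATE_WEIGHT = 0.5       # assumed weight per doubling of a known asset's access rate
IMPORTANT_FACTOR = 3.0  # assumed multiplier for assets labelled important

def build_baseline(events):
    """Count historical accesses per user and asset from (user, asset) pairs."""
    baseline = defaultdict(Counter)
    for user, asset in events:
        baseline[user][asset] += 1
    return baseline

def score_window(baseline, baseline_days, recent, recent_days, important):
    """Score each user's recent accesses against that user's own baseline."""
    recent_counts = defaultdict(Counter)
    for user, asset in recent:
        recent_counts[user][asset] += 1
    scores = {}
    for user, assets in recent_counts.items():
        history = baseline.get(user, Counter())
        total = 0.0
        for asset, count in assets.items():
            factor = IMPORTANT_FACTOR if asset in important else 1.0
            seen = history.get(asset, 0)
            if seen == 0:
                # Never accessed before: scored per distinct asset.
                total += factor * NOVEL_WEIGHT
            else:
                # Known asset: score only an increase over the usual daily rate.
                ratio = (count / recent_days) / (seen / baseline_days)
                if ratio > 1:
                    total += factor * RATE_WEIGHT * math.log2(ratio)
        scores[user] = round(total, 2)
    return scores

# Constructed sample data (not real logs): 30 days of history, then one day to score.
IMPORTANT = {"payments/core"} | {f"firmware/f{i}.c" for i in range(10)}
HISTORY = [(u, a) for u, a in (("alice", "payments/core"), ("bob", "ui/widgets"),
                               ("carol", "ui/widgets")) for _ in range(30)]
TODAY = ([("alice", "payments/core")] * 4                    # same project, 4x usual rate
         + [("bob", f"firmware/f{i}.c") for i in range(10)]  # 10 never-seen important files
         + [("carol", "ui/widgets")])                        # normal behaviour

def demo():
    return score_window(build_baseline(HISTORY), 30, TODAY, 1, IMPORTANT)

if __name__ == "__main__":
    for user, score in sorted(demo().items(), key=lambda kv: -kv[1]):
        print(f"{user:6} {score:6.2f}")
```

Ranking by this score puts the user who opened ten unfamiliar important files well above the user who simply worked more on a familiar project, while unchanged behaviour scores zero and raises no alert.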