As a data scientist and security expert, Stephan Jou, CTO at Ottawa-based cyber-security firm Interset, works to protect companies of all sizes from internal and external cyber attacks seeking to destroy or steal intellectual property, trade secrets and classified files. The first step to protecting your business, he says, is to step back and think about what you cannot afford to lose.
CIM: Tell me about Interset and what you do there.
Jou: I run the engineering, data science and quality assurance teams. At Interset, it’s basically our job to catch bad guys with math. When you have a large organization, it’s almost like an organism, an ecosystem of machines and users, with users logging into accounts, so there’s a little heartbeat signature that happens within that organization. There’s a way in which machines talk to each other, there’s a way accounts interact with applications. That pattern can be learned through statistical models, and that’s important when someone logs in and is masquerading as someone else, and then causing destruction or stealing. This shows up as an aberration in that signature. So we mathematically detect those, and we provide solutions to prevent these attacks.
Terms of the trade

Phishing refers to a wide variety of cyber attacks that target a large number of people where a malicious party tricks victims into providing personal information (e.g., login passwords or a credit card number) by impersonating a legitimate company via email.

Spear phishing uses a similar technique and has a similar aim, but is a more sophisticated, personalized attack against specific individuals, such as a corporation’s executives.
CIM: What kinds of cyber attacks are Canadian companies seeing in 2015?
Jou: There’s a lot of concern right now over spear phishing and phishing attacks (see sidebar). So for example, someone is logging in as an employee named Christopher, but they are not Christopher. These are hard to deal with, especially when you think of things like firewalls and access control, which do a great job, but if an unauthorized user is running authorized applications and accessing authorized data, then all of those firewall methods don’t help. So there’s a large category of compromised-account-related abuse cases. By some estimates, over 90 per cent of all attacks at some point will involve a compromised user.
The other common type of attack involves an insider threat, when someone on the inside is responsible for the attack. Disgruntled employees might steal trade secrets, leaking them to a competitor. And as scary as it sounds, it can be government sanctioned. There are nation states (China is unfortunately one of them) that are known to be part of this, and they are stealing intellectual property from competitor companies. Those are the main ones, and they are rising in volume, especially this year.
CIM: Are there certain kinds of attacks that a mining or resource extraction company might be more vulnerable to, or are they roughly the same across the board?
Jou: The types of attacks are pretty much the same. I will say that certain mining companies are more vulnerable than, say, banks and financial sector companies, because in my experience, these companies are often less mature on the IT security side. Why that is, I’m not sure. Usually a [dedicated job overseeing “Internet security”] is not created unless a company has already suffered a breach, or is aware of the dangers. But a big part of the problem with this is that breaches often go unreported, especially insider threats, because no one wants to publicize that one of their own employees stole from them. So companies often want to be very quiet about that.
CIM: So because of under-reporting, other companies may not know they are at risk?
Jou: Yes. We only hear about the really big breaches, especially if it is discovered by the FBI or RCMP. In certain cases, such as when a cyber attack involves personally identifiable data (e.g., credit card numbers) or a certain amount of financial loss, the company is required by law to report it. Other than those circumstances, they go unreported.
CIM: Can you cite any recent examples of mining or resource companies being attacked, including the modus operandi of the attackers?
Jou: Yes. It was an engineering firm, one of the largest companies in North America. They had a massive breach over a seven-week period. The attackers were able to get inside the firewall. Once they got in, they spent a lot of time probing the network, seeing what other machines they could connect to. Once they were connected with as many machines as they could, the attackers would then have access to things like financial records, databases, customer records, employee records, credit card numbers, process documents, whatever they wanted.
They want that time window when the data is actually leaving to be as small as possible, so that the firewall team doesn’t have enough time to see it. To do that they moved all that data onto a single server, and compressed it into a file and uploaded it back to their command centre, where they had a server set up to receive the data. It was very quiet, and the company was unable to discover it in time.
CIM: How does a company prevent this situation?
Jou: It’s so important to be looking for these suspicious, anomalous movements inside before it’s too late. To make a house analogy – if someone is breaking in, you can try to catch them when they are entering a door, or when they are leaving in their van. But the best time is when they are in your house moving stuff. The time window associated with breaking in and leaving is very small. Firewalls are looking for suspicious log-ins and looking for stuff leaving the system. But we’ve realized that the best way to detect these guys is when they are spending those 240 days inside your “house.” Because they are spending a lot of time moving data around, running zips using someone else’s account, someone who has never run zips before, collecting gigs of data on a hard drive, and that’s very unusual. Someone logged in under an HR account but suddenly they’re reading credit card data? That makes no sense, right? In the case of the retail giant Target [which in 2013 sustained a massive cyber theft of millions of customer credit card numbers and personal information], there was a refrigeration vendor whose account was hacked, so [to the company’s eyes] this vendor was retrieving thousands of credit card records from the financial database. This is all stuff that is easy to find, if we look in the right places.
CIM: What is the starting point for a company that recognizes the need to protect itself?
Jou: No matter what the size of the company, there is usually some notion of where the most valuable intellectual property is. Whether it’s process documents related to how your mining is different from somebody else’s, employee records, customer records or financial information. What I usually recommend is to step back and build a list. Where is your most valuable stuff? What is it that absolutely cannot leak to a competitor, or be destroyed, or be stolen? Then you can do a cost-benefit evaluation of how much it will cost to protect that data. The solution could be technology, it could be people or it could be a process. It’s not necessarily all about software. I’ve never met a company, no matter how small, that didn’t have something it wanted to protect.
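The detection idea that runs through the interview (learn each account's normal pattern of activity, then flag the HR account that suddenly reads the financial database, the account that has never run an archive tool before, or a read volume far above the account's history) can be illustrated with a small baseline-and-deviation script. The following is an added example written for this page, not Interset's product code; the log format, account names, resource names and byte counts are all constructed, and the three-sigma threshold with a variance floor is an assumption chosen for the illustration.

```python
"""Baseline-and-deviation detection over account activity logs.

Added example, not Interset's code. It learns, per account, the set of
(action, resource) pairs seen in a baseline window and the byte volumes of
its reads, then scores a later window for activity outside that pattern.
Log format (constructed for this example): ts account action resource bytes
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    action: str
    resource: str
    nbytes: int


# Constructed baseline window: each account's "heartbeat" of normal activity.
BASELINE_LOG = """
2015-03-02T09:01:00 hr_anna     read  hr-db        50000
2015-03-03T09:04:00 hr_anna     read  hr-db        55000
2015-03-04T09:02:00 hr_anna     read  hr-db        48000
2015-03-02T10:00:00 fin_bob     read  finance-db   200000
2015-03-03T10:05:00 fin_bob     read  finance-db   210000
2015-03-04T10:01:00 fin_bob     read  finance-db   190000
2015-03-05T10:03:00 fin_bob     read  finance-db   205000
2015-03-02T11:00:00 vendor_hvac login hvac-portal  0
2015-03-03T11:00:00 vendor_hvac login hvac-portal  0
2015-03-04T11:00:00 vendor_hvac login hvac-portal  0
"""

# Constructed observation window containing the kinds of aberrations
# described in the interview plus one normal event for contrast.
OBSERVED_LOG = """
2015-03-09T02:10:00 hr_anna     read  finance-db   4000000
2015-03-09T02:15:00 fin_bob     zip   fileserver   0
2015-03-09T02:20:00 vendor_hvac read  finance-db   900000000
2015-03-09T10:02:00 fin_bob     read  finance-db   210000
2015-03-09T02:30:00 ghost_acct  read  finance-db   1000
"""


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated lines into Event records."""
    events = []
    for line in text.strip().splitlines():
        ts, account, action, resource, nbytes = line.split()
        events.append(Event(ts, account, action, resource, int(nbytes)))
    return events


def build_profiles(events: list[Event]) -> dict:
    """Per account: the (action, resource) pairs seen and the byte counts of its reads."""
    profiles: dict = defaultdict(lambda: {"pairs": set(), "bytes": []})
    for e in events:
        profile = profiles[e.account]
        profile["pairs"].add((e.action, e.resource))
        if e.action == "read":
            profile["bytes"].append(e.nbytes)
    return profiles


def score_events(profiles: dict, events: list[Event], z: float = 3.0) -> list[tuple]:
    """Return (account, finding_type, detail) for events outside the learned pattern."""
    findings = []
    for e in events:
        profile = profiles.get(e.account)
        if profile is None:
            # No baseline at all: an account nobody has seen before is itself notable.
            findings.append((e.account, "unknown-account", f"{e.action} {e.resource}"))
            continue
        if (e.action, e.resource) not in profile["pairs"]:
            # e.g. an HR account reading the financial database, or a first-ever zip run.
            findings.append((e.account, "novel-activity", f"{e.action} {e.resource}"))
        if e.action == "read" and len(profile["bytes"]) >= 2:
            mean = statistics.mean(profile["bytes"])
            # Floor the spread at 10% of the mean so a near-constant history
            # does not make every small fluctuation a three-sigma event.
            spread = max(statistics.pstdev(profile["bytes"]), 0.1 * mean)
            if e.nbytes > mean + z * spread:
                findings.append((e.account, "volume-anomaly", f"{e.nbytes} bytes vs mean {mean:.0f}"))
    return findings


def detect(baseline_text: str, observed_text: str) -> list[tuple]:
    """Learn from the baseline window and score the observed window."""
    profiles = build_profiles(parse_log(baseline_text))
    return score_events(profiles, parse_log(observed_text))


if __name__ == "__main__":
    for account, kind, detail in detect(BASELINE_LOG, OBSERVED_LOG):
        print(f"{account:12} {kind:16} {detail}")
```

Run stand-alone it lists five findings: the HR account's read of the financial database is flagged both as novel activity and as a volume anomaly, the finance account's first zip run and the vendor account's read of the financial database are flagged as novel, the never-seen account is flagged as unknown, and the finance account's routine read produces nothing. In a real deployment the baseline would be rebuilt continuously and the per-account profile would carry more features (time of day, peer group, host), but the shape of the check is the same.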