In all the mysteries surrounding the Edward Snowden affair, there’s one that hasn’t received much attention: Why didn’t the NSA, one of the most technologically sophisticated organizations on the planet, have a way to detect that Snowden was downloading thousands of documents?
The corollary question every chief executive should ask of his or her top security officer: “Does our organization have a way to detect unauthorized access to our data?” According to the recent SANS 2013 Critical Security Controls survey, less than 10 percent of companies actually have proactive monitoring of security controls, the area that governs unauthorized access.
Employees and contractors with boundless privilege to access sensitive data present greater risk of intentionally, accidentally, or indirectly misusing that privilege and potentially stealing, deleting, or modifying data. Human nature is the weakest link when it comes to the intersection of people, process, and technology—the three tenants of security—and the Edward Snowden blunder is a perfect example.
According to Michael Hayden, former director of the NSA and the CIA, no more than 22 personnel at NSA were to have access to the highly classified data, which included about 1 billion-plus records per day. One can assume that these individuals should be internal analysts who have gone through extensive background checks, who are very experienced in dealing with highly confidential data, and who are employees of NSA. We can also assume that these individuals have special privileges to access these data in a highly secure manner.
I have no special knowledge of the NSA’s internal workings, but it appears that somehow this protocol was not followed, and Snowden, a contractor, was given access to this information with no mandatory monitoring, a clear violation of controls and a breakdown of process.
While technologies do exist to enforce access rights, privileges, and policies, the technology is only as good as the people and processes that are put into place. If people who manage these technologies decide to circumvent the technology’s ability to enforce policies, or make an exception, or ignore violations, or do not instill sufficient supervisory mechanisms, then the technology will fail.
Another issue to be looked at from a technological perspective is the complete lack of continuous monitoring and auditing of the users, process, and security controls in a unified fashion by the NSA.
If someone at the NSA were monitoring, analyzing, and auditing all network, user, and system activity, policy enforcements, etc., to identify abnormal behavior and usage patterns, most likely Snowden’s access to sensitive data, the connection of removable media and copying of these data would have drawn red flags. It is possible that the data and signals from individual products, such as a USB monitoring solution or a database activity monitoring system, would have captured these data, but the individual administrators who were looking at each data point in isolation were not able to connect the dots. If the NSA had adopted technology that pulled all information into a single database and automatically correlated the data in a unified fashion, it would have detected a potential breach or policy violation.
Unfortunately the Snowden situation of privileged access to sensitive data with lack of sufficient checks and balances is an all too familiar story in the private sector. Executive management tends to have a checkbox mentality when it comes to security (i.e. do what is absolutely necessary to pass a government or industry mandate) or lack the knowledge to realize that their intellectual property and business is at risk for lack of sufficient security controls.
With traditional network perimeters becoming increasingly porous with the introduction of BYOD, mobile devices, and cloud infrastructure, organizations need to implement security best practices, such as SANS 20 Critical Security Controls, to protect against cyberattacks and espionage. This requires resources and budget commitment from C-level management.
The Snowden debacle should be a wake-up call in both the public and private sectors to adopt an approach that provides complete awareness and continuous, automated monitoring of critical security controls to reduce real risk and real threats to their business.