The recent arrest of a retired State Department worker and his wife accused of spying for Cuba for 30 years brings into focus one of the other great capabilities of Triumfant’s technology. Because Triumfant can see all of the changes on an endpoint machine as well as the work done to cover up those changes, Triumfant Resolution Manager is uniquely capable of detecting the work of the maliciously intended insider.
In this case, as in others such as that of Robert Hanssen, the methods for transferring information were very “old school” and did not reflect a deep grasp of technology. Walter Kendall Myers and his wife, Gwendolyn Steingraber Myers, often relayed information to their Cuban handlers by exchanging shopping carts at the grocery store, and Robert Hanssen was arrested after leaving a package under a wooden footbridge in a Northern Virginia park. Such techniques do not suggest that either party was terribly computer savvy, but they raise the question of how much damage would have been done had they possessed cyber expertise. They also, unfortunately, raise the question of what activity is being carried out right now by insiders who do have that expertise and is going undetected.
Malicious insiders are a real threat to organizations because the majority of defensive software and endpoint protection is built to prevent intrusions from outside the organizational walls and relies on prior knowledge of the attack (signatures). Malicious insiders, by contrast, work from a position of trust, and the human factor they introduce normally takes their work outside the paths of known attacks. They may directly pull information from confidential or sensitive sources and funnel it out. They may plant malicious programs such as keyloggers on machines to collect information. Or they may make subtle changes to machines that leave them vulnerable to the eventual installation of malware.
The common factor in this activity is change. The malicious insider must make changes, even subtle ones, to an endpoint machine to carry out their activity. Triumfant detects change, and it also detects the attempts to cover up the evidence of change. We know of no way (and no one has shown us one) to make changes to a machine without our being able to see those changes. And because the insider's work moves an endpoint into a state that is anomalous compared with the other machines in the population, Triumfant does not only detect the change: it flags it as a problem and then analyzes the machine for other changes that can logically be associated with the detected one, to provide a complete picture of the activity.
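As an added illustration of the population-baseline idea described above (example code written for this page, not Triumfant's product or algorithm), the Python below compares one endpoint's inventory against the rest of a constructed sample fleet. It flags attributes that are rare across the fleet, values that drift from the fleet majority, and entries the fleet majority has but this host lacks (the cover-up case, such as a stopped event log service or a removed audit setting), then groups findings that point at the same directory so related changes are reported together. The snapshot format, the category names, the thresholds and the sample hosts are all assumptions.

```python
"""Fleet-baseline comparison for endpoint change detection.

Added illustration, not Triumfant's code or algorithm. Each endpoint is assumed
to report a snapshot as {category: {key: value}} (autoruns, services, audit
policy, files of interest). A host attribute is flagged when it is rare across
the fleet, when its value drifts from the fleet majority, or when the host lacks
something the fleet majority has. Findings that reference the same directory are
then grouped so related changes are reported together.
"""
from collections import Counter, defaultdict, namedtuple
import ntpath

Finding = namedtuple("Finding", "category key kind value")


def _common_build():
    """Constructed baseline snapshot shared by the healthy workstations."""
    return {
        "autorun": {"HKLM\\Run\\Agent": "C:\\Program Files\\Agent\\agent.exe"},
        "service": {"EventLog": "running", "Spooler": "running"},
        "policy": {"AuditProcessCreation": "Success"},
        "file": {},
    }


# Constructed sample fleet (hypothetical hosts): ws-004 carries an extra autorun
# and its binary, has the event log service stopped, and has lost the
# process-creation audit setting.
FLEET = {name: _common_build() for name in ("ws-001", "ws-002", "ws-003", "ws-005")}
FLEET["ws-004"] = {
    "autorun": {"HKLM\\Run\\Agent": "C:\\Program Files\\Agent\\agent.exe",
                "HKLM\\Run\\Updater": "C:\\Users\\Public\\Libraries\\upd.exe"},
    "service": {"EventLog": "stopped", "Spooler": "running"},
    "policy": {},
    "file": {"C:\\Users\\Public\\Libraries\\upd.exe": "sha256:constructed-hash"},
}


def baseline(fleet):
    """For each (category, key), count how many hosts report each value."""
    dist = defaultdict(Counter)
    for snapshot in fleet.values():
        for category, items in snapshot.items():
            for key, value in items.items():
                dist[(category, key)][value] += 1
    return dist


def anomalies(fleet, host, rare_below=0.25, common_above=0.75):
    """Compare one host against the fleet baseline and return its findings.

    rare_below:   a key present on fewer than this fraction of hosts is 'rare'.
    common_above: a key present on at least this fraction is expected, so a
                  host that lacks it gets a 'missing' finding.
    Keys in between are judged only by whether the value matches the majority.
    """
    total = len(fleet)
    snapshot = fleet[host]
    findings = []
    for (category, key), values in baseline(fleet).items():
        prevalence = sum(values.values()) / total
        value = snapshot.get(category, {}).get(key)
        if value is None:
            if prevalence >= common_above:
                findings.append(Finding(category, key, "missing", None))
            continue
        if prevalence < rare_below:
            findings.append(Finding(category, key, "rare", value))
            continue
        # On a tie, most_common() returns the first value seen; a real tool
        # would treat a split fleet as a separate condition to investigate.
        majority, _ = values.most_common(1)[0]
        if value != majority:
            findings.append(Finding(category, key, "drift", value))
    return findings


def _directory(text):
    """Directory of a Windows file path embedded in a key or value, else None."""
    if isinstance(text, str) and ":\\" in text:
        return ntpath.dirname(text).lower()
    return None


def correlate(findings):
    """Group findings that reference the same directory; others stand alone."""
    by_dir = defaultdict(list)
    alone = []
    for f in findings:
        directory = _directory(f.key) or _directory(f.value)
        (by_dir[directory] if directory else alone).append(f)
    return list(by_dir.values()) + [[f] for f in alone]


def report(fleet):
    """Correlated findings per host; hosts with nothing to report are omitted."""
    per_host = {host: anomalies(fleet, host) for host in fleet}
    return {host: correlate(found) for host, found in per_host.items() if found}


if __name__ == "__main__":
    for host, groups in report(FLEET).items():
        print(host)
        for group in groups:
            print("  related:" if len(group) > 1 else "  single:")
            for f in group:
                print(f"    {f.kind:8} {f.category}:{f.key} = {f.value}")
```

Two caveats a practitioner would add: the majority is only a trustworthy baseline if the insider cannot alter most of the fleet (or the gold image it was built from), and a single population baseline produces noise when hosts have genuinely different roles, so in practice the comparison is done within groups of like machines.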
Only a tool with sufficient depth and breadth of scan scope, and the ability to identify changes quickly, can perform these functions, which narrows the list of tools that fit the requirement to one: Triumfant. We talk a lot about the ability of Triumfant to see the malicious attacks that signature-based tools miss, and we have also discussed its ability to protect the endpoint environment from acts of ignorance and incompetence by continuously enforcing security policies and configurations. But protecting your company or government agency from threats on the inside is also a critical capability that Triumfant brings to the table. I would add that the President’s new cyber czar needs to ensure that this topic is front and center as he or she begins to address the issues in the White House Cyberspace Policy Review.