What We Can All Learn from the Bradley Manning Debacle
Written by Todd Swensen
In early June of 2010, the clock on U.S. Army intelligence analyst Bradley Manning's 15 minutes of fame officially started when he was arrested for stealing Afghan war logs and other highly classified government documents and turning them over to controversial Wikileaks founder Julian Assange. Since then, the information this low-level, thoroughly unremarkable government functionary managed to download from secure government servers, copy onto CD-ROMs and easily remove from protected facilities has made international headlines and thoroughly embarrassed a number of prominent world leaders.
This unprecedented incident has raised obvious and uncomfortable questions among government and private sector security experts around the world. Why did Bradley Manning, a Private First Class in the U.S. Army, have access to so much sensitive and damaging information that was totally unrelated to his job? How was he able to access, download and copy that information over such a long period of time—more than 7 months—without attracting any attention? And most important, how can public and private organizations stop this kind of data theft before, rather than months after, the damage has been done?
Striking the Right Balance between Productivity and Control
Asking these types of questions is easy. Answering them is not. Stopping future Bradley Mannings—along with the thousands of silent, low-profile data thieves who will do tremendous damage without ever making headlines—is a difficult, complex proposition. You can't simply lock down every machine in your organization. People need access to sensitive information to do their jobs and stay productive. And you can't put all your eggs in the data loss prevention (DLP) basket. A good DLP solution obviously plays an invaluable role in preventing (mostly accidental) data leakage, but if dishonest, determined people have access to information, they will find a way to take it with them.
Ultimately, the Bradley Manning incident—and countless other examples of corporate data theft—are not caused by technology failures alone. They represent a fundamental inability to either establish or enforce sound information access and governance policies. As a result, successful efforts to prevent data theft have to start with thorough access and governance policies that are supported by effective enterprise-wide enforcement solutions. Ideally, these solutions should feature a sophisticated, intelligent combination of different technologies working together to enforce and monitor policies—including identity and access management (IAM), security information and event management (SIEM), advanced user activity monitoring, and access and governance certification. If this type of comprehensive policy enforcement solution had been working properly in the Bradley Manning example, his access to sensitive information would have been more appropriately restricted to what he needed to do his job. Systems would have been in place to automatically monitor how he was using that information. And his inappropriate use of sensitive information would have raised immediate, automatic alarms. In other words, his illicit activities would have been caught long before he started copying classified information onto CD-ROMs and sticking them in his briefcase.
So what specific components and capabilities need to be put in place to make this kind of complete, enterprise-wide compliance enforcement solution a practical reality? Here are a few important concepts to consider:
Integrating IAM and SIEM
Many enterprises have tried to deploy both identity and access management (IAM) and security information and event management (SIEM) solutions. But far fewer have successfully integrated these two technologies. Without this integration, IAM systems can control which users should have access to particular systems and applications, but they can't tell who is actually using those applications, when they're using them, or what they're doing with the information. SIEM systems, on the other hand, can monitor and provide information about what users are doing with the access they have, but they can't provide the level of detail needed for an enterprise-wide view of a single user's activities. This often creates dangerous blind spots where users' activities in one system are not correlated with activities in other systems. In many cases, this correlation is a critical factor in determining whether or not a user's behavior is malicious. In fact, according to Verizon's 2010 Data Breach Investigations Report, a full 70 percent of data breaches go undetected for months or more. Integrating IAM and SIEM systems makes it possible to create a more security-conscious system that not only monitors potentially problematic activities, but also has the ability to immediately tie those activities back to specific users and take immediate, automatic, policy-based actions to resolve them.
Adding Advanced User Activity Monitoring Capabilities
Of course, it takes more than simply integrating SIEM and IAM systems to monitor user activity effectively. Organizations must also be able to track user activity 24/7, make sense of the volumes of user activity data their systems generate, and identify potential problems quickly and accurately. In today's extremely complex enterprise environments, this has to include the ability to quickly detect and draw attention to anomalies that indicate potential problems. For example, an effective user activity monitoring solution should be able to automatically spot trend lines that fall outside of normal parameters, identify sudden deviations from normal levels of user activity, and provide sophisticated contextual analysis that places user activity in the context of their normal daily work habits and routines.
Streamlining Access Certification and Governance
Finding a more efficient and automated way to make sure all the users in your organization only have access to the systems and applications they need to do their jobs is another critical piece of the policy enforcement puzzle. In many organizations, these access certification and governance activities revolve around messy, manual, error-prone processes where line-of-business managers are forced to pore over endless spreadsheets to determine and change user access—and IT administrators spend hours manually re-provisioning users. By streamlining and automating the process of gathering, reviewing and certifying user access data from across the enterprise—and then tying that information directly to broader role-based identity management, provisioning and compliance systems—you can dramatically simplify the process of making sure users only have access to appropriate systems and information. This type of comprehensive access certification and governance solution would almost certainly have stopped Bradley Manning's escapades before they started by dramatically limiting his access to inappropriate information.
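The three controls described above (IAM/SIEM correlation, user activity monitoring against a baseline, and access certification against role entitlements) can be illustrated on constructed data. This is an added example written for this article, not Novell's code or any real product logic; the roles, users, repositories and events are all constructed, and the "three times the baseline mean" threshold is an assumption chosen for illustration.

```python
from statistics import mean

# Constructed IAM data: role -> repositories the role needs, and user -> role.
ROLE_ENTITLEMENTS = {
    "intel_analyst": {"unit_reports", "threat_feeds"},
    "hr_clerk": {"personnel_files"},
}
USERS = {"pfc_x": "intel_analyst", "clerk_y": "hr_clerk"}
# Constructed snapshot of what is actually provisioned (what certification reviews).
GRANTED = {
    "pfc_x": {"unit_reports", "threat_feeds", "diplomatic_cables"},
    "clerk_y": {"personnel_files"},
}
# Constructed SIEM-style access events: (user, repository, day, documents_downloaded).
EVENTS = [
    ("pfc_x", "unit_reports", 1, 12), ("pfc_x", "unit_reports", 2, 10),
    ("pfc_x", "unit_reports", 3, 14),
    ("pfc_x", "diplomatic_cables", 4, 3),   # repository outside the analyst role
    ("pfc_x", "unit_reports", 5, 400),      # volume far above the user's baseline
    ("clerk_y", "personnel_files", 1, 5),
]

def excess_entitlements(granted, users, role_entitlements):
    """Access certification: entitlements provisioned beyond what the user's role needs."""
    excess = {}
    for u, repos in granted.items():
        extra = repos - role_entitlements.get(users.get(u), set())
        if extra:
            excess[u] = extra
    return excess

def out_of_role_accesses(events, users, role_entitlements):
    """IAM/SIEM correlation: events touching repositories the user's role does not cover."""
    return [(u, repo, day) for u, repo, day, _ in events
            if repo not in role_entitlements.get(users.get(u), set())]

def volume_anomalies(events, baseline_days=3, factor=3.0):
    """Activity monitoring: days where downloads exceed `factor` x the user's baseline mean."""
    per_user = {}
    for u, _, day, n in events:
        per_user.setdefault(u, {}).setdefault(day, 0)
        per_user[u][day] += n
    findings = []
    for u, by_day in per_user.items():
        days = sorted(by_day)
        if len(days) <= baseline_days:
            continue  # not enough history to define "normal" for this user
        threshold = factor * mean(by_day[d] for d in days[:baseline_days])
        findings += [(u, d, by_day[d]) for d in days[baseline_days:] if by_day[d] > threshold]
    return findings
```

On this data the certification review flags the extra `diplomatic_cables` entitlement before any access happens, the correlation flags the day-4 access to it, and the volume check flags the day-5 spike while ignoring the small day-4 count; `clerk_y` is skipped by the volume check because one day of history is not a baseline.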
Solving the Problem with Compliance Management Solutions from Novell
Ultimately, the Bradley Manning Wikileaks story offers a clear, compelling and uncomfortably high-profile case study of what can happen when policy compliance and enforcement fails. Novell has helped hundreds of organizations like yours develop compliance management and enforcement solutions that directly address the challenges and failures highlighted by this well-publicized cautionary tale. This includes advanced, tightly integrated IAM, SIEM and user activity monitoring capabilities with Novell Identity Manager and Novell Sentinel—along with a complete Novell Access Governance Suite that provides complete compliance certification and governance capabilities. Together, these solutions make it practical and affordable to implement a comprehensive, streamlined approach to compliance management and enforcement that strikes exactly the right balance between keeping your users productive and making your enterprise compliant and safe.