GCN : September 2014
Dealing with insider threats, as in dealing with any threat to your network, requires a plan for incident response. An effective response includes forensics, and forensics and storage go hand in hand.

When a breach is discovered, investigators need data to determine what happened, when it happened and how it happened, said Claire Giordano, senior director of emerging storage markets at Quantum Corp. There's no option of going back in time to gather the data after the fact.

With the window of time between a compromise and its discovery widening, the amount of storage needed to accommodate this data is becoming greater. "It's not unusual for our customers to store petabytes," Giordano said. "They are making decisions about the trade-off between risk and costs," and the decisions now are tipping in favor of security even when it means paying for more storage.

According to the latest Verizon Data Breach Investigation Report, 85 percent of breaches investigated over the last 10 years were accomplished in a few days or less, while their discovery often took months. In cases of insider misuse, 22 percent of incidents took weeks to discover, 11 percent took months and 2 percent took a year or more. That adds up to a lot of data that must be combed through to discover what happened. A single 10-gigabit bidirectional link can generate up to 200 terabytes of data a day.

There are compromises that can be made to help reduce the cost of storing all of this data for forensics investigation. Storage technologies that are fast, such as flash and traditional high-performance spinning disks, also tend to be the most expensive. Less speedy options, such as object-based storage and tape, are more affordable.

One size does not fit all, and Giordano recommends a tiered storage plan that takes advantage of different technologies according to needs. During an investigation, data should be accessible with a minimum of latency, which favors the use of faster, more expensive systems.
But long-term storage of data that is not being actively used can be done with less expensive systems. The data still is there; when and if it is needed, it can be moved to a faster system for use by forensic tools.

Forensics will not prevent a breach. A determined insider is particularly difficult to protect against. But timely and effective response can help to mitigate the impact of a compromise, and knowing how it happened can help defend against it in the future.

--- William Jackson

With cyberspace now recognized as a military domain alongside land, sea, air and space, nations are gearing up to wage war and defend themselves with equal demonstrations of power and technology against enemies in the cyber domain.

With cyberwar comes the threat of new forms of espionage, as well as sabotage conducted within both the information systems and control systems that form the interface between the physical and cyber worlds.

Security, both physical and cyber, traditionally has been outward facing. But espionage and sabotage often are the domains of the trusted insider, the agent operating from within.

Recent years have produced front-page examples of both types of activity. Edward Snowden, working as a contractor within the National Security Agency, used his position to gather and export sensitive data from the agency. Before that, the Stuxnet worm worked quietly within the control systems of an Iranian industrial facility to physically damage equipment. In 2012, a cyberattack on the Saudi Aramco oil company erased data on corporate computers.

This insider threat, coupled with the blurring of the network perimeter by ubiquitous Internet access, requires a new type of defense.

"That barrier is gone," said Ken Ammon, chief strategy officer for the access security company Xceedium. "Identity is the new perimeter."
For both government and private sector organizations, the tools for protecting information and control systems must have the visibility to see, identify, track and understand the behavior of those inside its networks.

IT AND DATA SYSTEMS

The growing insider threat has been recognized in recent years in a series of presidential executive orders. EO 13467, signed in 2008 by President George W. Bush, created a unified security clearance structure for workers and contractors with access to classified information and sensitive facilities.

EO 13549, signed by President Obama in 2010, safeguards classified information shared by the federal government with state, local and tribal partners as well as with the private sector.

This recognition has helped put the government in the lead in the battle against insiders, said Michael Crouse, director of insider threat strategies for Raytheon. "They are starting to put budget against this threat," he said. "If you don't have a budget, nothing gets done."

The insider threat includes not only malicious behavior but also bad judgment. "Sometimes people

Do you risk security to save money on storage?

When a breach is discovered, there's no option of going back in time to gather the data. Investigators need data to determine what happened, when it happened and how it happened.