A briefing earlier this week on Varonis adding proactive analytics and predictive threat models to its User Behavior Analytics (UBA) solution took me back to my days at IBM as an internal auditor. Much of what Varonis does automatically is superior to how we were doing audits of email IT systems back then. But one thing an auditor could do that a system couldn’t was see unusual things that the audit forms didn’t direct us to. With these enhancements to UBA, that may no longer be the case. It also got me thinking about the big problems with internal audit that have led to so many problems this last decade and how a system like this could better address them.
The Internal Audit Problem
One of the big problems with internal audit is that it can become a dead-end job that gets staffed by folks who have messed up but are too well liked or connected to fire. The reason is that, much like Internal Affairs in a police department, the job is to assess the compliance of people far more powerful than you, and if you find them wanting but don’t have enough to fire them, they tend to want to strike back. That means your career path out of audit, given that they generally can’t touch you there, becomes ever more limited.
This makes it very difficult for a good auditor to have a career, and easy for bad auditors to cover up problems rather than report them in order to preserve a career path out of audit. This likely speaks to why so many security problems seem to get discovered as a result of a breach rather than as a result of an audit. The auditors not only likely aren’t looking that hard, they are tossing out embarrassing things they discover or privately reporting them to the folks who are misbehaving so they don’t put their own careers at risk.
To be fair, no one should be in a position where they have to choose between doing what is right and their career. Doing what is right, whether you are in law enforcement or audit, should be consistent with career growth. When it isn’t, we have problems.
Varonis is a product that is designed to prevent problems when employees or external hostile forces get access to information they have no right to. The Sony breach, which cost $15M to clean up and had an adverse annualized impact of $35M, likely would not have occurred had the product been in place. But the issue with any product like this is that all of the rules need to be hard coded into the offering. With new employees and temps going in and out, and lots of changes in organizational structure, setting this up, let alone keeping it all up to date, can be problematic. Things could fall through the cracks.
UBA starts by setting a threshold of activity it believes is normal, but that baseline itself must not be compromised. For instance, if a crime is ongoing when a UBA product is installed, it likely will accept that criminal activity as normal and not flag it, which is why you can’t rely on UBA alone, at least not at first.
Once the baseline is set, it then looks for unusual activity based on both observations of the company and information that has come in from other implementations where activity was connected to theft. The actual data is never shared, but the heuristics of past crimes and illicit events carry over, much like a human auditor who has lots of experience auditing lots of firms; the AI in a UBA offering learns from all of the engagements the platform has had, potentially gaining insight far faster than a human could.
Identification is one thing, but a human auditor can also take corrective action if they find a problem, though still at human speed. The Varonis enhancement being announced this week provides for the same kind of capability, but it is initially script based. For instance, if it discovers a CryptoLocker exploit, it can immediately disable the related user, stopping the extortion attempt. (CryptoLocker is a ransomware Trojan that encrypts files and then alerts the attacker so they can extort money from you for the key to unlock those files.)
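To make the two ideas above concrete, the baseline-then-deviation loop and the scripted response that follows a detection, here is a small added example in Python. It is not Varonis code and does not describe how the product actually scores activity; the daily per-user file-modification counts are constructed sample data, the z-score threshold and the deviation floor are assumptions, and the "disable user" hook is a hypothetical stand-in for whatever action a real deployment would script. It also shows the caveat from the baseline paragraph: when the learning window already contains the burst, the same detector stays silent.

```python
from statistics import mean, pstdev

# Constructed sample data: files modified per day by each user during a
# ten-day learning window. Nothing here is real telemetry.
CLEAN_HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15],
    "bob":   [40, 38, 45, 42, 41, 39, 44, 43, 40, 42],
}

# Same window, but bob's last three days already contain a mass-modification
# burst (the "crime already in progress when UBA is installed" case).
CONTAMINATED_HISTORY = {
    "alice": CLEAN_HISTORY["alice"],
    "bob":   [40, 38, 45, 42, 41, 39, 44, 900, 950, 1000],
}


def build_baseline(history, min_sigma=5.0):
    """Per-user (mean, standard deviation) of daily modify counts.

    The floor on sigma (an assumption of this example) stops a very regular
    user from being flagged over a change of a handful of files.
    """
    baseline = {}
    for user, counts in history.items():
        baseline[user] = (mean(counts), max(pstdev(counts), min_sigma))
    return baseline


def z_score(baseline, user, count):
    """How many standard deviations today's count sits above the user's norm."""
    mu, sigma = baseline[user]
    return (count - mu) / sigma


def detect(baseline, today, threshold=4.0):
    """Return one alert per user whose activity today is far above their own
    history, plus a 'no baseline' alert for users the learner never saw."""
    alerts = []
    for user, count in today.items():
        if user not in baseline:
            alerts.append({"user": user, "count": count, "z": None,
                           "reason": "no baseline"})
            continue
        z = z_score(baseline, user, count)
        if z >= threshold:
            alerts.append({"user": user, "count": count, "z": round(z, 1),
                           "reason": "burst above baseline"})
    return alerts


def respond(alert):
    """Hypothetical scripted response: a ransomware-like burst disables the
    account behind it; an unknown user is escalated to a person instead."""
    if alert["reason"] == "burst above baseline":
        return {"action": "disable_user", "user": alert["user"]}
    return {"action": "escalate", "user": alert["user"]}


if __name__ == "__main__":
    today = {"alice": 14, "bob": 950}
    for label, history in (("clean", CLEAN_HISTORY),
                           ("contaminated", CONTAMINATED_HISTORY)):
        alerts = detect(build_baseline(history), today)
        print(label, "baseline ->", alerts or "no alerts")
        for alert in alerts:
            print("  response:", respond(alert))
```

With the clean history, bob's 950 modifications in one day score roughly 180 standard deviations above his norm and the hook disables him; with the contaminated history the same day scores under 2 and nothing fires, which is exactly why the column says a baseline learned during an ongoing incident cannot be trusted on its own.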
Wrapping Up: Making Internal Audit and Whistleblowers Obsolete
A system doesn’t worry about its career path, and it can look at all of the records, not just a sample. You can build in automatic responses that not only identify the attack and the attacker but immediately move to block it at machine speed, significantly reducing the damage. And if a top executive is directly involved, the system will alert regardless of repercussions. Granted, the person getting the alert will still have to make a decision, but there is no “personal” aspect to it. It is simply sharing an unbiased system report, so it is less likely that the identified executive will take it personally.
In the end, systems like Varonis, which only do a part of the internal audit job, will likely combine to replace it. I think that will be a good thing as no one should ever have to choose between doing what is right and protecting their career. Or, put another way, the concept of a whistleblower should be made obsolete, not by killing them off, as often seems to be the case, but by making sure there are systems that make that role redundant. This idea kind of implies where automation should likely go next. I think that is something that even Edward Snowden could get behind.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.