All Tech Considered
2:43 pm
Mon June 16, 2014

Software That Sees Employees, Not Outsiders, As The Real Threat

Originally published on Mon June 16, 2014 6:20 pm

A growing number of companies are under pressure to protect sensitive data — and not just from hackers lurking outside the digital walls. They're also looking to protect it from insiders — employees who may want to swipe information such as customer bank account numbers or electronic medical records.

A new breed of security software is hitting the market to help with insider threat detection. And it raises some real labor-relations issues.

Monitoring To Find Bad Intent

Michael Crouse, the director of Insider Threat Strategies at Raytheon, gives me a virtual tour of a product called SureView.

Lots of security software tracks files when they move between computers and servers. But SureView is a way to zoom into the employee's desktop and follow every keystroke.

Crouse points to an imaginary employee desktop, with a file called "Familynotes.txt."

The content could be personal notes about one's family. Or it could be company secrets. If the employee copies it to a USB stick, the software sets off a red alert, grabs that same file and displays its contents in real-time.

Managers can't predict when an alleged violation might happen. SureView lets them rewind to the minutes or hour before the red alert, and watch like a slow-motion film. Crouse says the software records four frames per second and "it's very compressed video, but it's very readable by an investigator."

SureView also tracks employee emails and the websites they visit and pairs that data with this new stream to try to pinpoint malicious intent. "You can kind of by watching the video determine that," Crouse says.

Tapping A New Market

Raytheon is a leading military contractor in the U.S. But here, the company is selling to a new market: the small business with sensitive data.

In an infomercial, the company reframes the security problem: "When most people think of cyberthreats, they picture criminals or hackers trying to break into a network. What they don't realize is some of the biggest threats are already inside."

Companies currently use software to block an employee from copying or emailing an unauthorized document. But according to a study by the research group Gartner, only 5 percent of that software traces every move, looking for bad actors. By 2018, the study projects, it'll be 80 percent.

Behind this new technology is a new management philosophy that assigns a risk level to every employee. Like the infomercial says, "100 percent of companies are at risk. But risk can be minimized."

Unintended Consequences

What's hard to minimize is the false alarm. "It really is the limiting factor ... to insider threat detection," computer scientist Greg Shannon says.

Shannon heads an institute at Carnegie Mellon that specializes in insider threat technologies. He says failures in these technologies can create a really toxic workplace. Say I'm poking around a bunch of files, doing research above and beyond the call of duty. In the old days, no one would know, or I'd be called proactive.

Now, Shannon says, I'm under suspicion. "That's pretty demoralizing, demotivating and I may just say, fine, I'm going to find a job elsewhere. Even if I've ... maybe especially if I've done nothing wrong."

Lamar Pierce, a management professor at Washington University's Olin Business School, has another concern. He's seen managers misuse surveillance tools and effectively pick fights with employees who play a little fantasy football on the job.

Pierce says there's an inherent problem with mission creep, where bosses ask the wrong questions: "Why don't we start monitoring directly what people are doing during the afternoon? Why don't we starting reading people's emails to see if they say anything bad about the boss?"

Fear Of 'Being Spied Upon'

Cloudera, a San Francisco company with about 600 workers, records its employees' emails and Web-surfing patterns. Even though that's a standard practice, company co-founder Mike Olson says he isn't comfortable talking about it "because it raises in the minds of employees that they're being spied upon."

Olson says Cloudera does not currently have managers sitting in surveillance booths, looking for bad actors. And he doesn't like the sound of that.

"Absolutely every action I take on my computer while in the office is observed. I understand in the abstract that that's possible. As an employee, it would creep me out if I believed that my employer were doing that," he says.

Security companies are hoping that as this new software becomes more accurate, it'll feel a little less creepy.

Copyright 2014 NPR. To see more, visit http://www.npr.org/.

Transcript

ROBERT SIEGEL, HOST:

From NPR News, this is ALL THINGS CONSIDERED. I'm Robert Siegel.

MELISSA BLOCK, HOST:

I'm Melissa Block, and it's time now for All Tech Considered. More and more companies feel they have to protect sensitive data. And not just from hackers lurking outside their digital walls, but from insiders - employees who might swipe bank account numbers or electronic medical records, for example. Now, a new breed of security software is hitting the market to help with what's called insider threat detection. And as NPR's Aarti Shahani reports, that's raising some real labor relations issues.

AARTI SHAHANI, BYLINE: Step into the presentation, please.

MICHAEL CROUSE: Appreciate your time. And thanks again for joining us.

SHAHANI: Michael Crouse is the director of Insider Threat Strategies at Raytheon. He is giving me a virtual tour of a product called SureView.

CROUSE: So you're basically watching a screen.

SHAHANI: An employee's screen. Lots of security products track data when it moves between computers and servers. But SureView is a way to zoom into the employee's desktop and follow every keystroke. Take this file.

CROUSE: Family notes.txt.

SHAHANI: It could be family notes, or it could be company secrets. If the employee copies it to a USB stick, the software sets off a red alert, grabs that same file and displays its contents in real time.

CROUSE: And you can see kind of the quick view of it over to the right-hand screen.

SHAHANI: Managers can't predict when an alleged violation might happen, so SureView lets them rewind to the minutes or hour before the alert and watch like a slow-motion film.

CROUSE: So it's very compressed video, but it's very readable by an investigator.

SHAHANI: The software also tracks employee e-mails and websites they visit and pairs that data with this new stream to try to pinpoint malicious intent.

CROUSE: You can kind of, by watching video, determine that.

SHAHANI: Raytheon is a leading military contractor in the U.S., but here they're selling to a new market, the small business with sensitive data. They even put together this infomercial.

(SOUNDBITE OF INFOMERCIAL)

UNIDENTIFIED MAN: When most people think of cyber threats, they picture criminals or hackers trying to break into a network. What they don't realize is some of the biggest threats are already inside.

SHAHANI: Right now, companies use software to block an employee from copying or e-mailing an unauthorized document. But according to the research group, Gartner, only five percent of that software traces every move, looking for bad actors. By 2018, they project it'll be 80 percent. Behind this new technology is a new management philosophy. One that assigns a risk level to every employee.

(SOUNDBITE OF INFOMERCIAL)

UNIDENTIFIED MAN: One hundred percent of companies are at risk.

SHAHANI: What's hard to minimize is the false alarm.

CROUSE: It really is the limiting factor, if you will, to insider threat detection.

SHAHANI: Greg Shannon is a computer scientist at Carnegie Mellon. He says failures in technology can create a really toxic workplace. Say I'm poking around a bunch of files, doing research above and beyond the call of duty. In the old days, no one would know, or I'd be called proactive. Now, Shannon says, I'm under suspicion.

CROUSE: That's pretty demoralizing, demotivating and may just - I mean, just say, fine, I'm going to go find a job elsewhere. Even if I've - maybe especially if I've done nothing wrong.

SHAHANI: Lamar Pierce is a management professor at Washington University's Olin Business School. And he's got another concern. He's seen managers misuse surveillance tools. Pick fights with employees who play a little fantasy football on the job.

LAMAR PIERCE: Why don't we start monitoring directly what people are doing during the afternoon? Why don't we start, you know, reading people's e-mails to see if they say anything bad about the boss?

MIKE OLSON: Productive day?

SHAHANI: Mike Olson is the founder of Cloudera, a San Francisco company with about 600 workers. Cloudera records employee e-mails and web-surfing patterns. And even though that's a standard practice, Olson isn't comfortable talking about it.

OLSON: Because it raises in the minds of employees that they are being spied upon.

SHAHANI: Olson says Cloudera does not currently have managers sitting in surveillance booths, looking for bad actors. And he doesn't like the sound of that.

OLSON: Absolutely every action I take on my computer while in the office is observed. I understand, in the abstract, that that's possible. As an employee, it would creep me out if I believed that my employer were doing that.

SHAHANI: Security companies are hoping that as this new software becomes more accurate, it'll feel less creepy. Aarti Shahani, NPR News. Transcript provided by NPR, Copyright NPR.