From Requirements through Operation
The emergence of the Advanced Persistent Threat triggered a frenzy of strategic planning resulting in identification of a list of prioritized control improvement projects. Most fell within the responsibility of existing teams. However, one did not have an obvious owner. After a few less than successful attempts by others, I stepped up to lead the project.
The Lockheed-Martin “Kill Chain” is a common means to refer to the stages or steps that the threat actor takes from the beginning of an attack to succeeding in their objective. My assignment was to reduce the probability of information theft at the point where the threat actor controlled an identity in the system that had authorized access to Office files contained in Windows file shares. The contributing factor is that access is granted to file shares as needed to perform assignments, but the access authorization frequently remains in place long after the need has ceased. I first became aware of this problem in the late 1980s, but it had defied solution all that time.
Steps in the project included documenting the objectives and ultimately the requirements for the solution. My earlier work in developing and maintaining the security control framework led me to review our security requirements manual for relevant requirements. I was delighted to discover text that could be incorporated into the project requirements document, rather than having to invent requirement text. There were two relevant requirements: removing unneeded access authorizations, and monitoring for anomalous behavior. Detailed functional requirements were developed to support these two requirements.
A market search was performed to identify candidate solutions. The candidate products were each evaluated against the detailed requirements. Only one product was responsive to all main requirement areas, so it was ultimately selected and implemented. I’ll skip all those details except one. During the proof of concept (pre-production) phase we operated the system with a very limited scope of file-share servers. During that time, we discovered that one user was reading an extraordinary number of files. We ultimately turned the data over for investigation as a potential insider threat. Of course, I was not in a position to learn the outcome of the investigation. But it was heartening to confirm the solution met the expectation.
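The “one user reading an extraordinary number of files” finding above is the second of the two requirements (monitoring for anomalous behavior) at work. As an added illustration, not code from the original post or from the product that was selected (which is not named, and whose detection logic is unknown), the following script shows the simplest form of that check: count READ events per user from file-share audit lines and flag users whose volume is far outside the population baseline. The log format, the user names, the share paths and the thresholds are all assumptions constructed for the example; the median/MAD robust z-score is used instead of a plain mean and standard deviation so that the one heavy reader does not inflate the baseline that is meant to catch them.

```python
"""Flag file-share users whose read volume is anomalous.

Added example, not from the original post or the product it describes.
The audit-line format below (timestamp user action path) and the sample
data are constructed for illustration only.
"""
from collections import Counter
import statistics

# Constructed audit lines. Four ordinary users read a handful of files each;
# "eve" sweeps an entire share, reading 30 files in 30 minutes.
SAMPLE_LOG = "\n".join(
    [
        r"2024-03-04T09:01:12Z alice READ \\fs01\finance\q1.xlsx",
        r"2024-03-04T09:02:40Z alice READ \\fs01\finance\q2.xlsx",
        r"2024-03-04T09:03:05Z alice WRITE \\fs01\finance\q2.xlsx",
        r"2024-03-04T09:05:33Z alice READ \\fs01\finance\budget.docx",
        r"2024-03-04T09:10:01Z bob READ \\fs01\hr\policy.docx",
        r"2024-03-04T09:12:44Z bob READ \\fs01\hr\handbook.docx",
        r"2024-03-04T09:15:00Z carol READ \\fs02\legal\nda.docx",
        r"2024-03-04T09:16:00Z carol READ \\fs02\legal\msa.docx",
        r"2024-03-04T09:17:00Z carol READ \\fs02\legal\sow.docx",
        r"2024-03-04T09:18:00Z carol READ \\fs02\legal\terms.docx",
        r"2024-03-04T09:20:00Z dave READ \\fs01\eng\spec.docx",
        r"2024-03-04T09:21:00Z dave WRITE \\fs01\eng\spec.docx",
        r"2024-03-04T09:25:00Z dave READ \\fs01\eng\design.pptx",
        r"2024-03-04T09:30:00Z dave READ \\fs01\eng\roadmap.xlsx",
    ]
    + [
        rf"2024-03-04T10:{i:02d}:00Z eve READ \\fs02\legal\contract_{i:03d}.docx"
        for i in range(30)
    ]
)


def parse_log(text):
    """Parse 'timestamp user action path' lines into tuples; skip blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append((ts, user, action, path))
    return events


def reads_per_user(events):
    """Count READ events per user (writes and other actions are ignored)."""
    counts = Counter()
    for _ts, user, action, _path in events:
        if action == "READ":
            counts[user] += 1
    return counts


def flag_anomalous_readers(counts, threshold=3.5):
    """Return {user: (reads, score)} for users whose read count is an outlier.

    Score is a robust z-score: 0.6745 * (x - median) / MAD. The median and
    median absolute deviation are barely moved by a single extreme reader,
    which is exactly the case a mean/stddev baseline handles badly.
    """
    values = list(counts.values())
    if not values:
        return {}
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    flagged = {}
    for user, n in counts.items():
        if mad == 0:
            # Everyone else reads the same amount: anything above it stands out.
            score = float("inf") if n > med else 0.0
        else:
            score = 0.6745 * (n - med) / mad
        if score > threshold:
            flagged[user] = (n, score)
    return flagged


if __name__ == "__main__":
    counts = reads_per_user(parse_log(SAMPLE_LOG))
    for user, (n, score) in flag_anomalous_readers(counts).items():
        print(f"ANOMALY {user}: {n} reads (robust z = {score:.1f})")
```

In a real deployment the baseline would be each user’s own history and peer group rather than a single snapshot of all users, and the count would be joined with the first requirement (is this identity still entitled to the shares it is reading?) before anything is escalated for investigation.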