Richard Bejtlich writes about fraud, waste, and abuse (FWA) being beyond the purview of network security monitoring. I tend to agree, but the situation, as Bejtlich notes, isn't clear cut.
It is important to keep in mind that part of the reason organizations fund information security departments is to help with fraud, waste, and abuse as well as "sexier" problems such as espionage, theft, and destruction. As I've written previously, information security should focus on preventing and detecting unauthorized access. When fraud, waste, or abuse is carried out by gaining and exploiting unauthorized access, then the organization should rightfully expect the security monitoring team to detect it and alert the incident response or investigation team.
However, detecting FWA carried out by folks using authorized access in inappropriate ways is typically beyond the capabilities of most security monitoring teams. Expecting your monitoring team to detect improper entries in an expense report is rather unreasonable.
I talk a bit about this in Cryptography in the Database. In Chapter 1 I make the distinction between authentic changes to a database and appropriate changes. Authentic changes are changes made by authenticated and authorized people. Appropriate changes are changes that are aligned with the policies of the organization (i.e. not fraudulent). Security can help with the authenticity of changes, but determining appropriateness is an audit process (by people with the right domain knowledge).
Another way of looking at this is to say that security monitoring watches for cases of unauthorized access, while determining if a particular instance of unauthorized access is fraud, waste, or abuse is an investigatory task. In some organizations, both of these functions might be included in the information security department. In others, they might be split. Some orgs separate all three functions: information security, security monitoring, and investigations would each be in completely separate departments.
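To make the authentic/appropriate split concrete, here is an added example (not code from the original post or from the book it mentions) that triages a constructed database change log into two queues: changes that fail the authenticity check go to security monitoring as unauthorized access, and changes that are authentic but violate a domain policy go to the audit or investigation queue. The authorization matrix, the approval limit, the self-approval rule and the sample records are all assumptions invented for the illustration.

```python
"""Added example: route 'unauthorized access' to security monitoring and
'authorized but inappropriate' changes to the audit/investigation team."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed authorization matrix: role -> set of (table, action) pairs.
AUTHZ = {
    "clerk":   {("expenses", "insert")},
    "manager": {("expenses", "insert"), ("expenses", "approve")},
    "dba":     {("expenses", "insert"), ("expenses", "approve"), ("expenses", "delete")},
}

# Constructed policy value an auditor with domain knowledge would supply (assumed).
APPROVAL_LIMIT = 5000.00


@dataclass
class Change:
    user: str
    authenticated: bool
    role: str
    table: str
    action: str
    amount: float
    submitter: str  # who originally filed the expense this change acts on


def is_authentic(c: Change) -> bool:
    """Security monitoring's question: was the change made by an authenticated
    principal whose role permits this action on this table?"""
    return c.authenticated and (c.table, c.action) in AUTHZ.get(c.role, set())


def appropriateness_findings(c: Change) -> list[str]:
    """The audit question: policy violations carried out with *authorized* access.
    Returns the reasons found; an empty list means nothing for the auditor."""
    findings = []
    if c.action == "approve" and c.submitter == c.user:
        findings.append("self-approval")
    if c.action == "approve" and c.amount > APPROVAL_LIMIT:
        findings.append(f"approval over limit {APPROVAL_LIMIT:.2f}")
    return findings


def triage(changes: list[Change]) -> tuple[list[str], list[tuple[str, list[str]]]]:
    """Split a change log into security alerts (unauthorized access) and an
    audit queue (authentic changes that still need a domain-knowledge review)."""
    security_alerts, audit_queue = [], []
    for c in changes:
        if not is_authentic(c):
            security_alerts.append(c.user)          # unauthorized access -> security team
            continue
        reasons = appropriateness_findings(c)
        if reasons:
            audit_queue.append((c.user, reasons))   # authorized but inappropriate -> investigators
    return security_alerts, audit_queue


# Constructed sample change log (not real data).
SAMPLE = [
    Change("alice", True, "clerk", "expenses", "insert", 120.00, "alice"),
    Change("bob", True, "clerk", "expenses", "approve", 120.00, "alice"),      # clerk may not approve
    Change("carol", True, "manager", "expenses", "approve", 9500.00, "carol"), # authorized; self-approval, over limit
    Change("dave", False, "dba", "expenses", "delete", 0.0, "alice"),          # not authenticated
    Change("erin", True, "manager", "expenses", "approve", 800.00, "alice"),   # authentic and appropriate
]

if __name__ == "__main__":
    alerts, audits = triage(SAMPLE)
    print("security alerts:", alerts)
    print("audit queue:", audits)
```

The point of the split is that `is_authentic` needs only the data a security team already holds (who authenticated, what their role permits), whereas `appropriateness_findings` encodes business policy that the monitoring team has no basis to decide; keeping the two checks separate keeps the two queues, and the two teams, separate.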
To add one more twist to the situation, fraud investigations are generally hungry for data and that includes data about authorized access. Monitoring for unauthorized access often includes gathering data about authorized access. Logs, traffic patterns, DHCP records are all grist for the security mill and can be useful in fraud investigations.
Similarly, while security groups typically don't collect and store all traffic across the network, they often have the capability of collecting and storing some of it. An investigation team might very well want the security team to monitor all traffic from a particular user or all activity on a particular user's laptop. How practical (or legal!) this is in any given environment is an open question, but it is indicative of where security and anti-fraud processes overlap.
To sum up, security teams prevent and detect unauthorized access. Fraud investigators look for inappropriate use of company resources. Some of the information the security team gathers may be relevant to fraud investigations, but fraud investigation goes a lot deeper than just unauthorized access--a lot of fraud occurs via access that is authorized. Similarly, preventing and detecting unauthorized access addresses many more threats than just fraud, waste, and abuse.
These are two different functions requiring two different skill sets. Attempts to blend the two functions together into the same team can easily lead to ineffectiveness in both.