Cryptographic deterrence against insider threat


In 2007, the Estonian government was hit by coordinated cyberattacks from Russia. Although they turned out to be neither very sophisticated nor very harmful to Estonian digital systems, they brought national cybersecurity into the spotlight. Most of the standard tools and methods were in place - Estonia had built a strong fence around its critical assets and networks, and that fence withstood the attacks - but one question arose: what if there is somebody inside the fence that we can't detect?

Credit: Taaniel Malleus

Fifteen years have passed since then, and both geopolitical tensions and cyber threats are at much higher levels in Europe today. Add the ever-increasing complexity of digital processes in our daily lives and the explosion of third-party-assisted information value chains, and you get a setting that is much harder to safeguard than the one in 2007. One of the major challenges lies in trusting the insiders - maintaining control over what happens inside the protected fence.

The 2007 experience made the Estonian government look for effective solutions to ensure data and process integrity. The solution came from a newly founded deep-tech cryptography company, Guardtime. With the help of its proprietary KSI Blockchain, Guardtime has helped to change the cybersecurity paradigm, rooting out human-based trust in cybersecurity and replacing it with mathematical proofs. It is world-leading blockchain technology that ensures no system misuse or malicious activity goes undetected. Instead of protecting the fence and blindly trusting your insiders, KSI Blockchain-based cybersecurity measures now make the data itself the final perimeter.

The importance of integrity in the complete cybersecurity posture is worth re-emphasizing, especially in the light of turbulent times and growing digital espionage. Recently, former Estonian president Toomas Hendrik Ilves stressed this point in an interview for the Washington Post, highlighting data integrity as one of the core pillars of any information security posture.

The question of trust in digital systems and digital assets is not only a concern for European governments. It is one of the most critical components in any digitalization process and in public acceptance of new solutions. Still, in most cases, trusting anything digital means trusting the people behind it. But as the data shows, trust alone is not enough.

Recent insider threat statistics reveal that 69% of respondents say their organizations have experienced an attempted or successful threat to, or corruption of, data in the last 12 months, and that insider attacks have become more frequent every year. Not all those cases are politically motivated and coordinated. The most common insider threat is still plain human error, such as a misconfiguration that creates vulnerabilities in a system, or noncompliance with regulations or policies. Such mistakes can be very costly for organizations, causing financial losses, fines, and damaged reputations. According to an analysis, 90% of all breaches reported to the UK Information Commissioner's Office (ICO) in 2019 were the result of mistakes made by end-users. This was up from 61% and 87% over the previous two years.

Besides the increase in such human errors, there has also been a rapid increase in the number of inside actors. Reliance on cloud infrastructure, interdependent information systems, and other new complexities have made avoiding such mistakes almost impossible. The solution must therefore be rapid discovery of these mistakes, fast remediation, and transparent accountability.

Dealing with malicious insiders is even more complicated than dealing with mistaken but still honest ones. Their harmful actions are intentional and thus increase the risk of cover-ups and hidden traces, for example in audit logs. It is an often overlooked issue that a privileged insider can access and manipulate audit trails simply by deleting their own traces. In most organizations, such actions would go undetected, as efforts are concentrated mostly on protecting the perimeter around the data and trusting the insiders, leaving the data itself vulnerable to attacks that come from inside the trusted circles. As such attacks are typically the most difficult to discover, the damage they cause can be much more significant.

The insider threat topic has received a lot of attention from researchers and practitioners, and the consensus is that mitigation measures must combine several technical and procedural tools. But the Estonian experience and Guardtime's innovations bring a new element to the mix - one that enables us to root out the final weakest link: trust.

“Truth, not trust” is the philosophy behind Guardtime's solutions. Our blockchain-based cybersecurity tools are designed to eliminate all human trust by enabling organizations to monitor the integrity and correct status of all critical network assets and processes. KSI Blockchain, and the solutions built upon it, give users mathematical proof and real-time feedback that digital systems remain secure and that no wrongdoing is being hidden by insiders. These proofs can even extend across organizational boundaries, giving value-chain partners, regulators, auditors, and even end-users the confidence to verify the accuracy of digital information.

Guardtime's latest invention, the TrueTrail solution, is a high-performance tool for audit trail security. It is designed to protect log files and other audit trails from any manipulation and to report immediately if harmful patterns are detected at administrator level. This means that the ultimate source of truth - the archive of the system's audit trails - can be trusted, if necessary, even in court.

TrueTrail integrates with existing audit trails, providing agents at the sources and a central API for reporting and proof extraction. The TrueTrail central API can be deployed as a service or on-premise. Its main goal is to sign all log entries at their creation, lock their proofs in the blockchain, and eliminate the possibility that any manipulation is introduced to the audit trails afterwards. TrueTrail's active monitoring component can verify the audit trail archive at a specified interval to confirm its integrity, pinpoint any inconsistencies, and ensure that systems are operated within approved configurations by the right persons. Any deviation from the defined baselines, or any data manipulation in a protected archive, is reported in the customer's preferred SIEM dashboard in near real time. It is a powerful addition for any security or infrastructure team, enhancing their situational awareness and trust in the systems they maintain.
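To make the mechanism described above concrete, here is an added illustration (not Guardtime's code and not the KSI or TrueTrail implementation) of the principle behind a tamper-evident audit trail: every entry is tagged at creation, each tag chains to the previous one, the final tag is anchored out of the administrator's reach, and a periodic verifier pinpoints modified, deleted or truncated entries. It uses a keyed HMAC chain as a stand-in for per-entry signatures and a constructed sample log; the key and the anchoring step are assumptions for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the signing key (or signature
# service) must live outside the privileged insider's reach, e.g. in an HSM.
AUDIT_KEY = b"demo-audit-key-for-illustration-only"
GENESIS = "0" * 64


def _tag(prev_tag: str, entry: dict) -> str:
    """Tag binds this entry's content to the tag of the entry before it."""
    payload = prev_tag.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append(log: list, entry: dict) -> None:
    """Tag the entry at creation time and add it to the archive."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"seq": len(log), "entry": entry, "tag": _tag(prev, entry)})


def anchor(log: list) -> str:
    """The head tag, to be committed somewhere the admin cannot rewrite."""
    return log[-1]["tag"] if log else GENESIS


def verify(log: list, anchored_tag: str) -> list:
    """Return findings; an empty list means the archive matches the anchor."""
    findings, prev = [], GENESIS
    for pos, rec in enumerate(log):
        if rec["seq"] != pos:
            findings.append(f"sequence gap at position {pos}: found seq {rec['seq']}")
        if rec["tag"] != _tag(prev, rec["entry"]):
            findings.append(f"entry seq {rec['seq']}: content modified or chain broken")
        prev = rec["tag"]
    if prev != anchored_tag:
        findings.append("archive head does not match anchored root: entries removed or appended")
    return findings


def demo() -> dict:
    """Constructed scenario: an admin removes the entry recording their own action."""
    log = []
    for e in [{"user": "admin", "action": "login"},
              {"user": "admin", "action": "disable-audit-forwarding"},
              {"user": "admin", "action": "logout"}]:
        append(log, e)
    root = anchor(log)                      # anchored before any tampering
    tampered = [dict(r) for r in log]
    del tampered[1]                         # the incriminating entry disappears
    truncated = [dict(r) for r in log[:-1]] # tail cut off instead
    return {"clean": verify(log, root),
            "deleted": verify(tampered, root),
            "truncated": verify(truncated, root)}
```

Running `demo()` shows a clean archive producing no findings, while the deletion is flagged as a broken chain at the surviving entry and the truncation as a head that no longer matches the anchored root.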

But foremost, TrueTrail acts as a deterrent. Once insiders know that it is impossible to cover the traces of their wrongdoing in the audit trails, and that detection of their actions is therefore inevitable and immediate, they are likely to reconsider any harmful steps they had planned in the digital systems. In other cases, the rapid detection of misconfigurations, together with a trusted audit log, can help to avoid costly incidents involving third-party collaborators and an organization's own staff.

In conclusion, blockchain is not a silver bullet that solves the whole insider threat issue, but cryptographic verification of audit trails, coupled with real-time monitoring, makes it possible to mitigate several previously unaddressed risks in the digital world. TrueTrail will guarantee the indisputable truth of what happens in digital systems, and that will eventually build trust. Trust in your insiders, trust in your partners, and trust in anything digital.