IP Protection in Financial Services
09.03.2015
By Mark Warren, Product Marketing Director, Perforce Software
Most companies involved in financial services have long understood the need for secure IT systems. After all, their applications typically manage high-value financial transactions and deal with highly sensitive personal data. They have relied on traditional perimeter protections, such as firewalls, virtual private networks (VPNs) and identity management, to try to keep potential intruders out of their data centers.
However, two significant new risks have not yet received the same level of attention: (1) the value held by the applications that process these transactions, and (2) the real threats from inside the organization.
These trading applications are highly complex pieces of software that embody the competitive differentiation from one organization to another. Whether it’s the optimizations that allow for transactions to be processed faster or innovative modelling that better tunes rates and charges to market conditions, the source code behind these systems is extremely valuable and represents a significant part of the company’s intellectual property (IP). If any of this code is leaked to a competitor, there could be significant financial and reputation costs to the company. Although the Goldman Sachs vs. Aleynikov case got bogged down in legal arguments, it shows just how serious the issue of stolen code is.
The Goldman Sachs case also indicates the other unrecognized risk: the IP theft was perpetrated by an employee (both sides admit this was the case) in good standing who had perfectly legitimate access to the source code. All efforts in trying to protect the perimeter were useless in such a situation.
This internal risk increasingly appears on the radar of security experts, and it can take many forms. A few examples:
- Disgruntled employees either selling IP to a competitor or preparing to take it with them to new employers
- The accidental loss caused by a coder taking code from more projects than necessary and then keeping it on an easily lost memory stick
- Remote, outsourced coders who may have a login to the company’s system but whose accounts may have been shared or even stolen by someone else
It is hard to quantify the exact scale of the problem, but recent studies validate these concerns. A PWC report into global cyber security (http://www.pwc.com/gsiss2015) addressed the increasing incidents of IP theft and stated that company insiders cause most security incidents. A U.S. Department of Commerce report found that IP theft (all kinds, not just cybercrime) costs U.S. companies $200 to $250 billion annually, while the Organization for Economic Development estimated that counterfeiting and piracy cost companies as much as $638 billion per year.
If anything, the situation is getting worse. Software development environments are often isolated in silos, and the applications are becoming more complex so there’s an increasing volume of code and changes. Developers may be using tools that are fundamentally insecure or have weak audit trails (especially if they’re open source tools). Applications regularly include a variety of different kinds of content (e.g., video or graphics) so new, less technical contributors are involved who may be using different, non-secure tools. Application development and maintenance are often delivered by teams working in different locations and even different companies. With such complexity, it can be extremely difficult to achieve any real visibility of what is happening. Trying to manually set alerts or triggers on potentially risky behavior is expensive and unreliable.
For these reasons, more organizations are turning to techniques such as behavioral analytics in the fight against IP theft, detecting and surfacing anomalies (such as unusual activities) and applying algorithms that sort through all the noise. One of the hottest areas in security prevention right now, behavioral analytics approaches the identification of security vulnerabilities differently from traditional security tools.
Real-time monitoring with such analytics is a critical element in threat detection. Analytics can also be important in investigating potential thefts. Perhaps the best way to illustrate what this means in practice is with a real-world example. A well-known chip manufacturer knew that its software IP was being stolen and passed on, but it could not prove who, what or where. The company spent over a million dollars with a large, well-known consulting and services firm over the course of a year, yet was still unable to determine the root of the problem. In the end, the solution proved to be applying behavioral analytics to the company’s Perforce version control log data, a process that involved examining over nine billion events executed by 20,000 software developers. Within two weeks, concrete evidence was found against the two suspects, plus a further 11 unknown developers who had been replicating up to 500,000 files per day.
How behavioral analytics works
Behavioral analytics is based on understanding normal behaviors and combining multiple anomalous activities before flagging potential risk. Most vulnerability management tools tend to identify a lot of noise and can report many false alarms, making it hard to spot real threats. For instance, behavioral analytics might pick up that a software developer in a bank is working outside his or her usual hours or downloading vast amounts of code that is not then checked back in later. Either of these actions may be perfectly reasonable but when combined become a risk that needs attention.
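The combination rule described above, as an added example that is not code from the article or from any Perforce product: each user is compared with their own baseline, and a user is flagged only when at least two independent signals coincide. The event tuples, signal names and thresholds are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (illustrative tuples, not a real version-control log format):
# (user, day, hour_of_day, action, file_count). Days 1-5 form the baseline; day 6 is scored.
EVENTS = [
    # alice: regular daytime work, then a large 02:00 sync with nothing checked back in
    *[("alice", d, 10, "sync", 40) for d in range(1, 6)],
    *[("alice", d, 16, "submit", 5) for d in range(1, 6)],
    ("alice", 6, 2, "sync", 9000),
    # bob: works late once, but volume is normal and he submits
    *[("bob", d, 11, "sync", 60) for d in range(1, 6)],
    *[("bob", d, 17, "submit", 8) for d in range(1, 6)],
    ("bob", 6, 23, "sync", 70), ("bob", 6, 23, "submit", 6),
    # carol: large sync in normal hours (e.g. a new branch), followed by a submit
    *[("carol", d, 9, "sync", 50) for d in range(1, 6)],
    *[("carol", d, 15, "submit", 4) for d in range(1, 6)],
    ("carol", 6, 9, "sync", 5000), ("carol", 6, 15, "submit", 12),
]

def score_day(events, day, volume_factor=10, min_signals=2):
    """Return {user: [signals]} for users showing >= min_signals anomalies on `day`."""
    hist, today = defaultdict(list), defaultdict(list)
    for user, d, hour, action, n in events:
        (today if d == day else hist)[user].append((hour, action, n))
    flagged = {}
    for user, evs in today.items():
        base = hist.get(user)
        if not base:
            continue  # no baseline yet: nothing to compare against
        hours = [h for h, _, _ in base]
        lo, hi = min(hours) - 2, max(hours) + 2  # usual working window, 2h slack
        # Median of past sync sizes; with no sync history any sync counts as a spike.
        base_sync = median([n for _, a, n in base if a == "sync"] or [0])
        synced = sum(n for _, a, n in evs if a == "sync")
        signals = []
        if any(not lo <= h <= hi for h, _, _ in evs):
            signals.append("off_hours")
        if synced > volume_factor * base_sync:
            signals.append("volume_spike")
        if synced and not any(a == "submit" for _, a, _ in evs):
            signals.append("no_checkin")
        if len(signals) >= min_signals:  # a single anomaly stays below the alert line
            flagged[user] = signals
    return flagged
```

With the default `min_signals=2` only alice is reported; lowering it to 1 also surfaces bob and carol, which is the single-signal noise the paragraph above describes.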
Given the value of software to organizations in financial services, software-based IP has become an integral part of these organizations’ key resources. This software needs to be protected like any other valuable asset. Such protection is not a complete solution by itself but is a critical part of a holistic IP protection environment.