About Us

Tailored Solutions & Consulting, Inc. (TSC Advantage) was founded in 2006 as a response to the limitations of traditional security vendors who are failing to incorporate the need for proactive and holistic solutions in combating security threats to enterprises. We are an enterprise security provider specializing in the protection of trade secrets, intellectual assets, and other sensitive information using a patented methodology that holistically optimizes clients’ security posture to suit their unique organizational, procedural and market environments.

Headquartered in the Glover Park neighborhood of Washington, D.C., TSC Advantage’s global team brings together intelligence operations and analysis, business acumen, and agile technology solutions to meet the needs of a wide array of industries and organizations, ranging from the Fortune 500 to innovative start-ups, to the public sector and U.S. Critical Infrastructure communities.  Our proven delivery of proactive holistic security solutions makes us a uniquely trusted and qualified partner in resolving clients’ most complex and intractable challenges.

 

Services

In a complex world with a growing number of sophisticated cyber attacks and threats from insiders, all organizations must be proactive in the defense of their sensitive information. From corporate intellectual property and trade secrets to protected health information, we have innovated an approach to enterprise security that can help secure organizations across all industries.

Our proactive approach examines holistic vulnerability across six critical domains of an organization with the intent of reducing risk and preventing an incident from occurring in the first place. Using unparalleled expertise and decades of combined experience understanding technical and human threat, TSC Advantage better safeguards client value, innovation, and reputation.

Insider Threat

Unlike other providers, our specialized methodology and credentialed staff have the expertise to examine threats and risk-based behaviors emanating from the human being, whether those actions are deliberate, such as the placement of a competitive intelligence adversary inside your enterprise, or inadvertent, such as from a trusted insider.

Mobility

Focusing on travel security and policies such as Bring Your Own Device (BYOD), we apply our patented process to protecting sensitive data while in transit – oftentimes when intellectual assets, trade secrets, and other protected information are at their most vulnerable.

Physical Security

The standard "guns, gates and guards" approach can enhance employee safety and provide protection from external threats. But oftentimes this creates complacency. And complacency breeds vulnerabilities that can be exploited. Our unique process considers threat vectors to physical security utilizing highly specialized expertise that examines risk from the adversary perspective.

Internal Business Operations

Surprisingly, most organizations have difficulty agreeing on what data they possess is their most valuable. If it isn’t clear what is sensitive, how can effective security in its defense be achieved? Furthermore, what preparation has been done to ensure continuity of operations in the event of a data breach, whether in the form of a cyber incident or an insider threat?

Data Security

Despite your best efforts, cyber threats continue to defeat traditional defenses, often without being caught for days, weeks, or months. TSC Advantage's proactive cyber risk management program focuses on current enterprise vulnerability in order to reduce the chances of a security incident occurring in the first place.

External Business Operations

In every industry and type of organization, external relationships such as partners, suppliers, and joint ventures bring additional risk. These entities demand vigilance, especially in overseas settings where government-mandated partial ownership can expose intellectual property or trade secrets.

Threat Vector Manager

Our patented Threat Vector Manager™ (TVM) is a knowledge management process that identifies trends, patterns, and areas of elevated risk in order to prevent and reduce the inadvertent disclosure and/or compromise of sensitive information.

Designed to meet or exceed numerous national and international industry standards including NIST, ISO, SANS, and COBIT, as well as proprietary subject matter expertise, TVM™ provides an objective perspective not normally explored: real-time modeling and integrated data enabling a comprehensive, proactive awareness of global enterprises and identification of emerging threats and risks. This methodology identifies best business practices, improves performance and decision-making, and informs resource allocation based upon risk sensitivity and exposure.

TVM™ helps maximize clients’ return on security investments by delivering objective intelligence and practical solutions to FIND, FIX, and PROTECT the most critical problem areas.

FIND.

Baseline measurements of holistic vulnerabilities across threat vectors with our unique Enterprise Security Assessment and External Relationship Mapping solution

Comprehensive assessment of client-specific risk that measures policy maturity, procedure, and governance of intellectual asset defense in conjunction with critical business needs

Specification of resources required to more effectively remedy significant risk exposure, giving decision-makers ultimate control over outcomes

FIX.

Creation of targeted security initiative and implementation of improvements for priority vulnerabilities, based on level-of-effort and source-needs calculations

Subscription via a highly secure, encrypted cloud portal or local host for periodic reevaluations and illustration of impact of additional security initiatives

PROTECT.

Secure intelligence delivery via a customizable Executive Dashboard tailored to each client, including such sources as DLP, MDM, and SIEM data, as well as social media and RSS feeds

Ongoing assessments of evolving threats, vulnerabilities, and consequences for critical assets, along with continuous improvements

Integration with any vendor's security sensors already owned by the client, to leverage existing investments and position them for optimization

TVM™: A Holistic Approach Creates a Resilient Enterprise

News

TSC Advantage Enhances Holistic Cyber Assessment to Improve Enterprise Security

By TSC Blogger

Posture-based methodology transforms risk assessment for cyberinsurance, commercial enterprises and public sector

Washington, D.C. - TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced that its patented Threat Vector Manager™ (TVM) technology is enhancing cyberrisk assessment and improving holistic security maturity for commercial organizations, critical infrastructure and the public sector. In addition, through its partnership with leading global insurance underwriters and brokers, TSC Advantage is transforming pre-binding risk assessment, which supports cyberinsurance policies for the critical infrastructure market and for those focusing on cyberterrorism.

Improving enterprise security posture through holistic assessment
As all organizations struggle to defend against cyberattacks, TSC Advantage is informing an intelligence-based process that aligns resources against an entity’s highest priority threats. TVM™, through its associated Enterprise Security Assessment (ESA) component, identifies trends, patterns and areas of elevated risk within enterprise environments and offers customers a comprehensive and holistic measurement of security controls across the following six top-level domains:

Insider threat – Examines technical and non-technical precursors of risk from high-risk actors, events and behaviors from human beings throughout an enterprise ecosystem
Physical security – Focuses on the potential for physical intrusion and unauthorized access to priority locations where sensitive information is stored and accessed
Mobility – Explores vulnerability of data during foreign travel and from mobile devices
Data security – Examines risks stemming from the use and defense of enterprise IT resources
Internal business operations – Measures the effectiveness of initiatives that manage internal administrative vulnerabilities and critical assets resulting from personnel, organizational or business processes
External business operations – Examines an organization’s security strategy, policies and procedures, and threat universe resulting from external engagements

“With an increasing number of sophisticated cyberattacks arising from external dependencies, such as from third party vendors and trusted insiders, an effective security assessment cannot ignore human behavior in defense of cybersecurity, nor the financial or business constraints affecting security investments,” said Sean Doherty, president of TSC Advantage. “The holistic approach in our ESA provides evidence-based and objective assessments of internal and external forces affecting a client’s security posture, and is not limited in scope by only focusing on a singular area, such as traditional endpoint concepts and other IT-centric solutions,” Doherty said.

Transforming pre-binding risk assessment
TSC Advantage has partnered with more than a dozen insurance underwriters operating on the Lloyd’s of London exchange and worldwide insurance brokers to offer a new cyberinsurance product designed to address cyberliability exposures that arise within the utility and critical infrastructure sectors. Using TSC Advantage’s ESA risk assessment tool, insurance underwriters are afforded in-depth understanding of a pre-insured company’s holistic risk profile that considers the evolving sophistication of cyber threats and complexity of potential attack vectors.

“With the financial impact of cyber risk increasing every day, the cost of inaction leaves all organizations exposed to huge liabilities,” said Tom Quy, a leading cyberinsurance broker with Miller Insurance Services LLP of London. “By working with TSC Advantage, we are pioneering a vastly improved methodology for cyberinsurance underwriting, which rewards mature cyber security postures and allows our customers the ability to receive insurance with the broadest coverage, fewest exclusions, and tailored to their individual threat profiles.”

TSC Advantage Hosts ThreatLAB 2014 to Promote Better Understanding of the Complex Threats Facing U.S. Innovation

By TSC Blogger

Private and public sector security professionals will learn how to better defend intellectual assets and trade secrets in age of diversified threats

Washington, D.C. - TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced ThreatLAB™ 2014, an exclusive thought leadership event, taking place May 14-15 in Las Vegas, that is designed to educate private and public sector security professionals about the multitude of complex threats facing U.S. intellectual assets. Through interactive learning modules derived from case studies involving sophisticated threats to corporate secrets, attendees will learn the skills to identify enterprise risk using holistic intelligence and analysis techniques.

ThreatLAB 2014 will feature a keynote address from John Powell, former vice president and general counsel for American Superconductor Corporation (AMSC). Powell will present a case study about an insider threat AMSC faced in 2011 that resulted in extraordinary value degradation for AMSC and the loss of hundreds of millions of dollars in revenue. Through lessons learned from the incident, the keynote will reinforce TSC Advantage’s message that corporate investments in security solutions should not be limited to specific technical controls focusing on data security. Rather, effective protection must also incorporate the understanding that corporate threats are diverse and that an integrated approach is the only way to successfully identify trends, patterns and areas of elevated risk across multiple enterprise domains, particularly from trusted insiders and external business dependencies.

“It has been estimated that intellectual asset theft costs American businesses between $300 and $500 billion a year, yet we continue to see the standard corporate response be limited to advanced malware detection programs or legacy endpoint protection,” said Sean Doherty, president of TSC Advantage. “While those are important, they offer limited defense and are just a piece of an overall puzzle. The purpose of ThreatLAB 2014 is to educate the market that threats are as diversified as they are complex – and they require a holistic approach in order to truly understand and remediate them.”

To learn more about ThreatLAB 2014 or to request an invitation, please visit http://threatlab2014.com/.

 

Tailored Solutions & Consulting Inc. (TSC Advantage) Announces Key Partnership with Global Insurance Market Led by Lloyd’s of London

By TSC PR

Lloyd’s of London Insurance Product to Integrate TSC Advantage’s Holistic Risk Assessment Methodology with New Cyber Security Policy for U.S. Energy Industry

Washington, D.C.-based Tailored Solutions & Consulting Inc. (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, today announced the integration of its patented Threat Vector Manager™ (TVM) platform with a new cyber insurance policy for U.S. critical assets led by Lloyd’s of London.

“As discussed in Executive Order 13636, the cyber threat to U.S. critical infrastructure represents a growing and persistent challenge to the national and economic security of the United States,” said Sean Doherty, President of TSC Advantage. “As a first of its kind, we are excited to pioneer incentives for private industry’s partnership with public sector cyber security initiatives. Our platform provides insurance underwriters a means to reliably and accurately determine the cyber risk class of U.S. critical assets using our objective, standards-based methodology for assessing holistic enterprise security.”

TSC Advantage’s platform will assist London and international underwriters to optimize their pre-binding process through incorporation of TVM’s™ Enterprise Security Assessment component. TSC Advantage’s methodology is trusted to deliver objective, baseline measurement of holistic vulnerabilities across six domains while examining threat vectors both internal and external. With TVM™, underwriters will be afforded contextual awareness of the potential insured’s security posture — not a mere audit — as well as a clear understanding of strengths, weaknesses, and associated risks of loss.

“In an age of growing and sophisticated cyber attacks as well as threats emanating from insiders, it is essential all organizations ensure a proactive and holistic approach to their security,” Doherty said. “Rather than spending money on theory, companies will be receiving objective, real-world risk assessment that will enable them to obtain appropriate insurance for their particular risks, and thereby reducing the cost of implementing Executive Order 13636 and PPD-21,” he said.

TSC Advantage Addresses trade secret theft at Intellectual Property Owners Association annual meeting

By TSC PR

TSC Advantage Director of Security Intelligence Reminds Audience of the Dangers Posed by Insider Threats

Washington, D.C. – Tailored Solutions & Consulting (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, has announced that TSC Advantage’s Director of Security Intelligence addressed an audience of legal experts, business leaders, and other stakeholders at the Intellectual Property Owners Association annual meeting in downtown Boston, MA on 17 September 2013.

During the keynote panel presentation with in-house counsel and experienced practitioners from Ford Global Technologies LLC and the U.S. Department of Justice’s Computer Crime and Intellectual Property Section, TSC Advantage’s director offered the audience practical advice for preventing and addressing trade secret theft in an age of growing and targeted threats to corporate value.

“The decision of whether to protect innovation via patent, trade secret or otherwise is almost entirely separate from that of effective security.  An adversary doesn’t care about what legal category their desired target information falls under, only if they can get access to it,” said Mark Lopes, TSC Advantage’s Director of Security Intelligence.

“Paranoia is part of good business practice as long as it does not impede efficiency or disrupt innovative culture,” he continued. “You should always assume somebody wants your company’s most sensitive information simply because of the current or potential future economic value it represents.  To assume everyone will respect ownership rights is not only naïve, it could also mean corporate suicide.”

Distinguishing between TSC Advantage and other security firms who only apply cyber-centric or software solutions to enterprise security challenges, Lopes reminded the audience that most threats actually originate from human beings within organizations and not from external and distant hackers.

“We continue to see a vast amount of security resources being poured into purely IT and cyber solutions while the vast majority of data shows that most intellectual property and trade secrets are compromised via insider threats,” he said. “While investment in IT and cyber is important and can help prevent the remote theft of corporate secrets, it does very little to deter, detect and prevent the more prevalent source of theft: someone within your own corporate ecosystem. This is what we focus on at TSC Advantage.”

Statement by Tailored Solutions and Consulting (TSC Advantage) on FBI’s iGuardian platform for cyber threat reporting

By TSC PR

TSC Advantage Expert: Platform Complementary to Executive Order 13636; Highlights U.S. Government’s Commitment to Value-based Cyber Programs for Private Sector

Washington, D.C. – While U.S. Executive Order 13636 represents a new policy emphasis on public and private sector coordination on cyber threats, the FBI’s recent launch of iGuardian is a complementary initiative dedicated to the mutual benefit of government and industry. It is a mechanism designed to expedite and augment the cyber security dialogue between private industry and the FBI.  It also extends to private industry actors that are not officially designated as critical infrastructure, which is the primary scope of E.O. 13636.  More importantly, however, it demonstrates the FBI’s commitment to establishing cyber programs that create value for participating US businesses.

While not a replacement for corporate security investments, iGuardian is intended to transform cyber partnerships into enabling proactive and preventative postures.  For example, it is intended to facilitate assessments of sophisticated cyber adversaries within and across sectors, aimed at exposing shared as well as unique cyber threats and vulnerabilities. Rather than evaluating cyber threat data from an exclusively enterprise-centric view, this portal will assist FBI’s generation of crosscutting examinations that result in improved cyber awareness and ultimately the dissemination of actionable information to private industry.  In short, it enables industry to benefit from the skills and expertise of US Government cyber technologists, while still maintaining and tailoring enterprise cyber investments.

Collaboration between the public and private sectors is requisite to the defense of US economic ingenuity.  Neither sector in isolation has at its disposal the depth and breadth of skills, resources and information required to stem the tide of cyber attacks.  In the cyber realm, national security concerns and economic interests are interleaved, as is public-private sectors’ interest in defense of American cyber posture.

“Participation in programs such as iGuardian will enable industry trailblazers to shape the scope and outcome of this nascent mechanism for dialogue with the US government – assuring it meets the bottom line needs of the US commercial sector and the Executive Branch,” says Natalie Lehr, TSC Advantage’s co-founder and Director of Analytics. “It is a critical step in exposing the barriers and tackling the uncertainties surrounding cyber risk and federal dialogue with private industry,” she said.

TSC Advantage continues thought leadership on intellectual asset protection

By TSC PR

TSC Advantage Director of Security Intelligence Speaks to Business Leaders in Boston on Corporate Espionage and BYOD

Washington, D.C. – Tailored Solutions & Consulting (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, has announced that TSC Advantage’s Director of Security Intelligence addressed an audience of business leaders and security experts at the Licensing Executive Society Conference in Boston, MA on June 18th.

During a panel presentation on the topic of protecting sensitive data such as intellectual assets and trade secrets, TSC Advantage’s director offered a suggestion as to how U.S. companies should understand the growing phenomenon of corporate espionage directed against them.

“Instead of looking at this issue from a moral standpoint, it is better to understand why this issue is occurring from an economic perspective,” said Mark Lopes, TSC Advantage’s Director of Security Intelligence.  “Why would a competitor choose the longer, harder, and more expensive path to value creation when they could simply steal it from you with the click of a mouse or through a well-placed insider?”

In response to a proposed question concerning effective BYOD policy development, Lopes highlighted the growing challenges companies face while trying to maintain the right balance between information security and employee productivity as wrought by the ubiquity of mobile devices.  “At TSC Advantage, we tell our clients that access control is the key to preserving intellectual property as it pertains to BYOD,” he said.  “From this standpoint, we believe that access to information on devices such as personal tablets and phones must be limited to information that a company would feel comfortable losing in the event of a security incident.”

Implications of Smaller-Scale Data Breaches: Citigroup, 2013

By Tim, Marketing

Poor security – Citigroup, 2013

The personal information of 150,000 Citigroup clients who filed for bankruptcy between 2007 and 2011 was exposed after Citigroup failed to properly redact court records prior to storing them on the Public Access to Court Electronic Records (PACER) system.

 

Citigroup claims that the mishap occurred due to a limitation in the software that the company used to redact personal information. Since Citigroup refused to divulge what software led to the breach, it is impossible for the public to know how the exposure occurred.

Following the incident, the company was quick to upgrade its computer software and re-train its employees on enhanced redaction policies and procedures in order to avoid similar incidents in the future.

 

Expert insight: Software updates are vital to maintaining computer security because they patch security vulnerabilities, fix program bugs and provide program enhancements. Computer software that is not updated presents a higher risk of being infected with malware and being exploited by other malicious attacks. Organizations must be proactive in order to ensure that security technologies and procedures are up to date and employees are properly trained on security procedures.

 

It only takes one mistake or oversight to open a company’s network to risk. Contact us to learn how our Enterprise Security Assessment (ESA) can help identify and prevent security risks.

Implications of Smaller-Scale Breaches: Policy and Procedure

By Tim, Marketing

Breaches aren’t always the work of external hackers or malicious insider threats. They are frequently the result of carelessness on the part of an employee or security administrator. But when it comes to securing confidential information, there’s no room for error. Improperly implemented or unsuccessfully enforced security policies and procedures leave an organization vulnerable to a wide array of security risks.

 

Stolen device – Florida Department of Juvenile Justice, 2013

A thief broke into a secure office of the Florida Department of Juvenile Justice (DJJ) and stole a mobile device that contained sensitive data. Although DJJ’s technology policy requires that all mobile devices be encrypted and password-protected, the stolen device was not compliant with these security measures.

As a result, the records of more than 100,000 juvenile delinquents and employees were compromised, putting them at risk of identity theft. In response to the incident, all DJJ employees and contracted provider programs were emailed a copy of its policy reminder and security instructions.

In order to ensure that employees and contracted provider programs understood DJJ’s technology policy, the documents defined the parameters of the policy in regards to employee requirements and the expectations of contracted provider programs.

 

Expert insight: In addition to providing a strict and specific mobile security policy, organizations should periodically review policies with employees in order to ensure that everyone thoroughly understands the processes and ramifications of compliance failures. They should also implement training and checks to guarantee security procedures are being followed. Additionally, planned and random audits can help identify weaknesses or irresponsible activities before serious consequences occur.

Why Insider Threat Detection Fails

By Gabriel Whalen, Insider Threat Expert

Virtually anyone who works in industry or government can tell you what the reportable warning signs of insider threat are – sudden behavioral changes, unexplained affluence, odd working hours, etc. Yet every time an espionage incident, intellectual property theft, or mass shooting takes place, it seems as though indicators are either not reported, or somehow fail to reach those who need to know. So what exactly is going on here?

A variety of mechanisms are responsible for the failure of insider threat detection; reporting mechanisms, inter-organizational communications, and the existence and enforcement of policy are just a few laid out in CERT’s Common Sense Guide to Mitigating Insider Threats (2012). While any valid insider threat program certainly should address the nineteen components presented within the guide, it must also examine how detection is communicated to employees.

In a discussion pertaining to evolutionary psychology and business ethics, Cosmides and Tooby (2004) delve into a crucial element of the human mind that gets overlooked when discussing threat detection and reporting – humans are unable to detect procedural rule violations that are not precautionary or social in nature. The hunter-gatherer mind that humans have developed is equipped with specific machinery to detect social contract violations – instances wherein one receives the benefit (Q) without paying the price (not P) or vice versa – but the majority of humans fail at detecting violations of non-social “if then” rules.

The reason for this selective reasoning specialization is simple: our minds are the product of millions of years of natural selection. In terms of scale, we have just recently emerged from hunter-gatherer societies, yet our minds largely remain within this realm. Our mental machinery has been tailored for a world starkly different from the one we live in today. In the past, societies were smaller and people often lived with extended family and spent most of their time outdoors. The number of people that an individual might have encountered throughout his or her lifetime was far less than that of an individual in 2014. In a world where people spent most of their days simply trying to stay alive, being able to detect social contract cheaters, or free-riders, was an essential skill because every individual had the incentive to reap benefits without expending personal resources.

Within the context of natural selection, the fact that humans are adept at detecting violations of precautionary rules (e.g. if you’re going to take risk A, then you must take precaution B) makes perfect sense. Possessing this skill provides palpable utility to an individual, and that utility is survival. However, the procedural rules of the workplace are another matter. They are not social or precautionary rules and they generally do not identify a benefit or risk to the individual. For example, most insider threat programs can be boiled down to “if you see something, say something.” While straightforward, it simply does not hit the same mental circuits that, say, walking through a pit of snakes might. If there is no obvious risk to the individual, and no potential personal benefit, humans are less engaged.

What threats and benefits to an organization mean to an individual remains largely ambiguous. The human mind was developed in an environment in which social exchanges were face to face, in real time, and the results were often observable. The indirect relationship between benefits to the individual and the group was more readily observable (e.g. if I spend time crafting tools in order to allow the hunters more time to hunt, I will eat better). Reporting a coworker who fails to lock their computer may not activate the same mechanisms. The value to the individual through the group is not as apparent and the threat and benefit are obscured. Even within organizations that are serious about implementing security measures through negative reinforcement (counseling, performance review), individuals generally do not lose their jobs. With that said, a culture of enforcement and repercussions can be advantageous.

To put it in more everyday terms, this is one of the reasons why it’s so difficult to get the public out of traditional ways of doing things. For example, it is common knowledge that studies reflect a direct correlation between smoking tobacco and cancer; it’s usually just a matter of time. In most metropolitan areas of the United States today, the effects of smoking are not observed and documented as often as they should be. Going back a few decades, we all knew smoking led to cancer, but it took serious public campaigns and incentives to curb smoking – even though people could rationally understand that smoking might kill them, the lengthy process generally wasn’t rapidly observable enough to command the public’s attention.

If there isn’t a negative repercussion directly associated with an action, our minds fail to acknowledge the association. This is the substance of modern parenting. In order to curb dangerous behaviors, punishment must be swift, consistent and enforceable; otherwise the lesson is lost. This concept can be likened to ocean thermal delay – when actions and reactions are separated by timeframes that exceed the normal human attention span, we are less apt to acknowledge (and accept) the connection.

So how can an organization take steps to effectively address insider threat? Anchor the threat of observable impact to the employee. Simply providing training on the machinations of “if you see something, say something” does not go far enough; insider threat detection needs to be tied to livelihood. Consider the impact of the following two statements:

  1. All personnel must badge into facility X; never allow a person to “tailgate” into the building.
  2. Reviews of security incidents over the past two years have found tailgating to be the most common method for unauthorized personnel to gain access to intellectual property at facility X. As a result, several companies are now selling our product at a lower price. We will likely have to find ways to streamline budgets, to include no bonuses or pay increases, and the possibility of layoffs.

The first statement is valid, but it fails to emphasize the bottom line impact. Even the second statement is insufficient due to the fact that the damage has already occurred; therefore, the threat could be considered non-existent.

Another aspect to contemplate is the likelihood of a perceptual difference in security stance between management and the average employee. There are very good reasons for employees to nod in accordance with management when security edicts are discussed, but the underlying truth can be acutely different. Management may be oblivious simply because no one wants to tell the emperors they have no clothes.

In order to address this issue, organizations might consider a neutral third party assessment that compares attitudes and perceptions of security from the viewpoint of both employees and management on a scheduled basis. Industrial psychologists could also assist organizations through framing security training in a manner that elicits not only compliance, but active participation from employees as well.

The combination of impartial active listening, conveyance of threats to the individual employee, and the implementation of swift, observable repercussions can create a proactive culture of security awareness, but the organization must be willing to invest.  Please contact us below if you would like to know more about this or our ESA methodology to help secure your enterprise.

 

About the Author

Gabriel Whalen has a Master’s in Forensic Psychology, a decade of experience in the U.S. National Security community, and a background in acting, biology, and ethical hacking. Gabriel represents TSC Advantage’s diversified talent portfolio as a social engineer, behavioral analyst, and insider threat expert.

 

References

Cosmides, L. & Tooby, J. (2004). Knowing thyself: The evolutionary psychology of moral reasoning and moral sentiments. In R. E. Freeman and P. Werhane (Eds.), Business, Science, and Ethics. The Ruffin Series No. 4. (pp. 91-127). Charlottesville, VA: Society for Business Ethics.

Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T., & Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats, 4th Edition (CMU/SEI-2012-TR-012). Retrieved April 02, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=34017

Implications of smaller-scale breaches: The insider threat

By Tim, Marketing

Insiders have an advantage over outsiders with malicious intentions. Possessing the knowledge of a company’s physical and technical security policies and procedures allows insiders to bypass safeguards that are implemented to defend against external threats.

Insider advantage – Vodafone Telecommunications, 2013

In September of 2013, the German telecommunication company Vodafone fell victim to an insider breach perpetrated by a contract worker. The contractor was able to successfully breach a database containing 2 million customer names, addresses, gender, birthdates and banking account numbers.

Vodafone responded to the incident by changing the passwords and certificates of all administrators and wiping the affected server. It also informed its customers to be on the lookout for phishing scams that could occur as a result of the breach.

Expert insight: Identifying potential insider threats can be difficult, especially in a corporate setting. Employers should strive to become acquainted with their employees so they can detect behavioral indications that an individual is up to no good. Organizations should also apply physical and technical security measures in order to increase the levels of protection against malicious insiders. Contact us to learn more about these solutions and other safeguards to ensure the fortification of your enterprise.

Implications of Smaller-Scale Data Breaches (Pt. 1)

By Tim, Marketing

Unless you’ve been living under a rock, you’ve heard all about the massive Target data breach. After all, it’s hard not to take notice when the personal information of 110 million people is stolen. However, such massive breaches are rare. Far more frequent are smaller, less well-known and often unheard-of breaches that impact organizations worldwide every day. While these breaches may not be on the evening news, their relative impact on the people affected by them is equally harmful.

Over the next few weeks, we’ll profile a few smaller-scale, high-impact breaches and share our insights about what went wrong and how these breaches could have been prevented. Although these incidents occur on a regular basis in the US, below is an example of one prominent targeted attack that put more than financial records at risk in South Africa.

Targeted breach – South African Police Service, 2013

Anonymous is responsible for jeopardizing the lives of thousands of individuals after revealing the identities of users of an anonymous whistleblowing website that is run by the South African Police Service (SAPS).

As a result of a simple SQL injection, roughly 16,000 records dating back to 2005 were exposed, exported and posted to a website hosted by Anonymous. Details obtained included the names, addresses, phone numbers and email addresses of whistleblowers. Since the website is hosted outside of South Africa, authorities were unable to shut it down. Subsequent to the incident, thousands of informants and their families became easy targets for vengeful criminals.

Considering that the database was easily hacked, people are concerned that SAPS isn’t following strong security measures.

 

Expert insight: In order to prevent SQL injections, security administrators should implement input validation techniques. By doing so, user input is checked against a set of rules that regulate input length, type and syntax. Additionally, organizations should create application-specific database user accounts and grant users access permissions to the database with the lowest privileges possible.
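An added illustration of the two controls described above (it is not code from the original post): a lookup field is checked against type, length and syntax rules before it reaches the database, and the application's database handle is read-only. The case-reference format, table and function names are assumptions; a read-only SQLite connection stands in for a low-privilege application account, and the example also binds the value as a query parameter, a step the post does not mention.

```python
import pathlib
import re
import sqlite3
import tempfile

# Hypothetical field: a case reference such as "SA-2013-004512" (constructed format).
CASE_REF_MAX_LEN = 14
CASE_REF_SYNTAX = re.compile(r"SA-[0-9]{4}-[0-9]{6}")


class InvalidInput(ValueError):
    """Raised when a value breaks one of the field's validation rules."""


def validate_case_ref(value):
    """Apply the three rule kinds named above: type, length, then syntax."""
    if not isinstance(value, str):
        raise InvalidInput("type: expected text")
    if len(value) > CASE_REF_MAX_LEN:
        raise InvalidInput("length: value too long")
    if not CASE_REF_SYNTAX.fullmatch(value):
        raise InvalidInput("syntax: not a case reference")
    return value


def build_sample_db(path):
    """Create a small constructed table; done once with a privileged handle."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE tips (case_ref TEXT PRIMARY KEY, status TEXT, reporter TEXT)"
    )
    conn.executemany(
        "INSERT INTO tips VALUES (?, ?, ?)",
        [
            ("SA-2013-000001", "received", "constructed name A"),
            ("SA-2013-000002", "under review", "constructed name B"),
        ],
    )
    conn.commit()
    conn.close()


def open_app_connection(path):
    """Read-only handle: SQLite's stand-in for a low-privilege application account."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def lookup_status(conn, raw_value):
    """Validate first, then pass the value as a bound parameter, never as SQL text."""
    case_ref = validate_case_ref(raw_value)
    row = conn.execute(
        "SELECT status FROM tips WHERE case_ref = ?", (case_ref,)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run valid, invalid and write attempts; return what happened to each."""
    results = {}
    # Constructed inputs: one over-long, one with the wrong syntax, one of the wrong type.
    rejected_inputs = [
        ("too_long", "SA-2013-000001' OR '1'='1"),
        ("wrong_syntax", "SA-2013-0001;-"),
        ("wrong_type", 42),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        db_path = str(pathlib.Path(tmp) / "tips.db")
        build_sample_db(db_path)
        conn = open_app_connection(db_path)
        try:
            results["known"] = lookup_status(conn, "SA-2013-000001")
            results["unknown"] = lookup_status(conn, "SA-2013-999999")
            for label, bad in rejected_inputs:
                try:
                    lookup_status(conn, bad)
                    results[label] = "accepted"
                except InvalidInput as exc:
                    results[label] = str(exc).split(":")[0]
            # Even a query that slipped past validation could not modify data.
            try:
                conn.execute("DELETE FROM tips")
                results["write"] = "allowed"
            except sqlite3.OperationalError:
                results["write"] = "blocked"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

On a server database the read-only handle would correspond to an application-specific account granted only the permissions the lookup needs.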

For more recent examples of cyberattacks, check out our recap of recent incidents here: bit.ly/1hIE8VU.

ThreatLAB2014: The Cybersecurity Conversations you Need to Hear

By Jason, Senior Analyst Business Operations

It was the second day of ThreatLAB2014 and the room was full. The final closing remarks and “thank you’s” were said and done; the plates from the wonderful lunch provided by the Las Vegas Monte Carlo Resort and Casino were cleared. Effectively, the conference was over, yet none of the attendees wanted to leave.

More than a year ago, TSC Advantage and our partners began to wonder what a conference that focused on holistic security would look like. Naturally, the conference would have keynotes, presenters and panels; but it would also incorporate an interactive component. We knew we didn’t want to just get people in a room and talk at them about cyberthreats; we wanted to get the right people in the room and have an open discussion about holistic solutions to cyberthreats.

 

The real insider threat

The opening keynote by John Powell set the stage for ThreatLAB perfectly. Mr. Powell was the general counsel for American Superconductor Corporation (AMSC) in 2011 when the company fell victim to a devastating corporate espionage event. He offered a chilling retelling of how a single employee, who had all the right access and who was working with a China-based competitor, was able to steal AMSC’s proprietary source code. As a result of this insider threat, AMSC’s market capitalization was reduced by 90 percent, its annual revenue plummeted by 75 percent and its workforce was decimated by 70 percent.

Threat, it turns out, does not always emanate from the outside. No firewall could have prevented this attack. AMSC was a small company; the company knew it should have compartmentalized its crown-jewel code, but “AMSC often does field-testing, and having our code compartmented wouldn’t have been practical in the day-to-day operations of our small business,” Mr. Powell said.  As he continued, Mr. Powell reiterated a common theme regarding how most companies think about cyberthreats: “We were a small company, we had tight budgets and a small staff busy executing our business plan. We honestly just thought this would never happen to us.” Powerful words that — if we are all as honest with ourselves as Mr. Powell was with us — may prove beneficial for us.

The insider threat that happened to AMSC highlights exactly what TSC Advantage has been saying for years: cyber-centric solutions to cyberproblems ignore the fundamental reality that threats are diversified and never limited to just one domain.

 

From reactive to holistic

With John’s story still fresh in our minds, we began what would be one of the most interesting portions of the conference: the interactive scenarios. Using TSC Advantage’s Enterprise Security Assessment (ESA) tool loaded onto iPads, we divided into threat assessment teams and worked our way through several scenarios modeled directly after real-life headlines of cyberattacks.

The first scenario flawlessly captured the confusion that stems from being forced into the reactive state of post-incident reaction: What do we know? How did this happen? What vulnerabilities were exposed? How do we keep this from happening again? Chaos and confusion are the emotions that characterize being caught in a reactive state. All of your strengths and weaknesses sharply come into focus and you begin to realize that policy without training and training without follow-up is meaningless.  “If you are reacting to something, then you have already lost,” said one participant.

But attendees did not stay “lost.” As the day progressed and teams began to mesh, they started to look beyond the “who-did-it-and-how” stance of post-incident reaction and something magical happened. Presenting the participants with information from TSC Advantage’s ESA tool allowed them to step beyond the reactionary role and begin discussing the need to eradicate the concept that legacy defenses such as firewalls or physical security solutions, such as guns, gates and guards, offer sufficient protection in today’s evolving landscape.

The conversation quickly turned to holistic solutions, transitioning the mentality of cyber being the cure-all into a comprehensive assessment examining the full suite of ingress points through which threats may enter an organization. One participant who works for a major online retailer said it best when he proclaimed, “In order to mitigate risk we must have buy-in from not only corporate leadership, but from all divisions across our organization.” Holistic security means you need to find your enterprise-wide vulnerabilities, fix them, and protect them through ongoing cross-domain conversations within your organization.

Until next year

ThreatLAB2014 was full of real-life tales of woe, yet as we sat around the now cleared tables, we were not discussing the tragic headline-making outcomes of past incidents. Instead we discussed the commonalities we all face as business professionals. “Surprisingly, the biggest challenge I still face is convincing my leadership that mitigating cyberthreats has a direct value to our bottom line,” said a participant representing a global logistics provider. Every person at the table wholeheartedly agreed on that concept.

As I stood up to exchange business cards with a director of IT for an energy company, he said, “these are the conversations I needed to hear.” We shook hands and as he turned to leave he paused and asked, “ThreatLAB is going to be an annual thing, right?”

It turns out that getting the right group of people together to discuss the ever-morphing challenges of cyberthreats is exactly what many people have been looking for. ThreatLAB2014 was an amazing two-day conversation and it was one we hope will continue throughout the year until ThreatLAB2015!

To learn more about ThreatLAB2014 or stay informed about future events, visit us online or follow TSC Advantage on Twitter: @TSCAdvantage.

Threat Lab 2014 is Coming: Join Us in Solving the Complex Threats Facing U.S. Innovation

By Armond, Senior Threat Specialist

A lot of people have been asking us about ThreatLAB2014. Slots for attendance have been filling up fast and we are hard at work developing the exciting scenarios for the interactive portion scheduled for day one.  In case you haven’t heard, the ThreatLAB2014 event will highlight the complex threats facing U.S. innovation.  It will be a combination of traditional keynote speakers and panel discussions coupled with interactive scenarios during which our attendees will have the opportunity to learn critical intelligence techniques to better understand holistic vulnerabilities associated with corporate espionage incidents impacting three fictional companies. (Spoiler alert: the vulnerabilities are not just limited to the traditional “cyber” threat and ALL could have been avoided had there been an emphasis on being proactive rather than reactive.)

In fact, the real reason why we at TSC Advantage (along with our partners) came up with the ThreatLAB 2014 concept was because we needed a fun and interesting way to tell the market what we have been saying since our founding in 2006: cyber-centric solutions are fundamentally limited when it comes to responding to cyber threats.  This is because isolated investments in expensive technology hardware and software ignore the role of people and processes.  What about human behavior inside an organization (think insider threat)?  Or the role of external dependencies, such as suppliers, sub-suppliers, or contractors (think the Target breach)?  Or even the financial and business constraints affecting security investments (think every organization everywhere)?  This is why we advocate a holistic approach to risk assessment – one that is “proactive” at its core and that considers the evolving risks in dependent business functions.  It also can deliver a more cost-effective and more resilient approach to security that explores all the internal and external forces affecting a security posture.

For our ThreatLAB 2014 keynote, we are lucky to have John Powell, who was the general counsel for American Superconductor Corporation (AMSC) in 2011 when the company fell victim to a devastating corporate espionage event where an employee – in exchange for an apartment in Beijing, $1.7 million, and gifts for his girlfriend – sold out his company by providing AMSC’s competitor with crucial source code relating to its proprietary wind turbine technology.  As a result of this insider threat, AMSC’s market capitalization was reduced by 90 percent, its annual revenue plummeted by 75 percent and its workforce was decimated by 70 percent.  John’s presentation, “Sinovel Trade Secret Theft: Case Study of AMSC’s Successful Litigation and Conviction After Purported Chinese Corporate Espionage of AMSC Trade Secrets,” will serve as a valuable, albeit somber learning experience for ThreatLAB 2014 participants as they begin to transition to problem-solving mode and start the scenarios.

This is going to be an awesome event.  Did I mention it is going to be in Las Vegas and that accommodations at the amazing Monte Carlo Resort & Casino are covered for participants? This is one event you don’t want to miss.

For more information on attending ThreatLAB2014, please visit the website or send me a note through our website or Twitter. We hope to see you there.

Why Industrial Espionage? It’s Basic Economics

By Mark, Director of Security Solutions

Over the past few years, traveling around the country and talking to companies about industrial espionage has proven to be an enlightening experience.  I’ve met aspiring entrepreneurs, Fortune 100 executives and everything in between.  Some companies I’ve met have been so paranoid that they refuse to even consider overseas operations, while others are so naïve that they think it could “never happen to me”.  Sadly, I can count on one hand the number of companies that are 1) both aware of the threat and 2) taking appropriate steps to safeguard their confidential and sensitive information.

The degrees of denial are sometimes overwhelming.  Frequently, the legal representative in the room chimes in about how litigation is the key to successful IP protection.  Almost as often, I will hear from the IT rep about the latest and greatest firewall that was recently installed that now “fully protects” all of their intellectual assets.  Both camps could not be farther from reality.

In the beginning, it was often a challenge to overcome every objection because each party had a natural and vested interest in thinking that they weren’t the department charged with protecting the company’s intellectual assets and other sensitive data (this was sometimes in contradiction to the opinion of the C-Suite, which had the opinion that a particular department was in fact the LEAD in protecting intellectual assets).  That is, until one day I realized there was a universal way to describe the problem that all functional areas and levels of an organization could relate to: basic economics.

Imagine two groups of kids putting lemonade stands on the street corner for an afternoon.

  • Group 1 begins their venture by purchasing supplies.  They spend $4 on cups, signs and markers.  They spend $1 each on five different brands of lemonade ($5) to determine which tastes the best, mixes the best, and holds up in the heat.  After some trial and error, they decide on one brand and purchase $1 of product for the day.
  • Group 2 also starts by purchasing start-up supplies. They spend $4 on cups, signs and markers. But instead of spending any money on developing their product, one of their employees pulls out a pair of binoculars and observes that Lemonade Stand #1 is using Acme brand mix.  They spend $1 on the Acme lemonade powder to mix with water.

Summary

|                      | GROUP 1 | GROUP 2 |
|----------------------|---------|---------|
| Start-Up Costs (R&D) | $9.00   | $4.00   |
| Raw Goods            | $1.00   | $1.00   |
| Selling price/cup    | $0.50   | $0.40   |
| Break Even Sales     | 20      | 12      |

Group 2 has significantly lower start-up costs, meaning they can enter the market with a 20% pricing discount and still reach profitability almost 2x faster than their competitor.  What company wouldn’t take that?

This may seem overly simplistic, but it is this exact example that has had, by far, the most impact with the companies with whom I have had the pleasure of speaking.  Everyone can see the clear economic benefit to Group 2 by skipping the R&D phase.  The IT department realizes that the theft of IP doesn’t need to go through their firewall.  The General Counsel realizes that not all theft is easily proven and litigated against.  And the CFO in the room sees the clear financial stakes of not protecting sensitive information.

I vividly recall that one particular California executive took umbrage with my talking points about overseas industrial espionage and indicated it was nothing more than the current scare tactic of the day.  No more than two weeks later, a report by a respected publication came out detailing pervasive and irrefutable evidence of concerted overseas efforts to acquire US technology.  I’ll never forget the call back from this executive asking if we’d come in and take a look at their current security posture.

It shouldn’t take a publication to prove to US companies that economic espionage is occurring; it’s just basic economics.

BYOD: Everyone is (Or Will Be) Doing It

By Ryan, Senior Threat Analyst

What is BYOD?  Glad you asked.  Today’s employees are investing their hard earned paychecks in mobile computing devices that are newer, smaller, more powerful, and more productive.  These devices are evolving at a pace faster than most companies are updating their computer hardware.  Employees expect to be able to do their work on devices that are at least as fast and capable as their personal devices.  In order to avoid obligatory hardware refreshes on a yearly basis, companies have sought less expensive alternatives.

Bring Your Own Device, or BYOD, is the latest evolution in the new distributed network model revolution that began with cloud services.  In a nutshell, BYOD means employees bring their own devices to the workplace and use them throughout the course of conducting business. Employees utilize their personal devices to access customer/prospect data, send emails and engage in a host of other activities/tasks.  For those of us (I am guilty) who miss the good old days of secure devices operating on secure networks, BYOD can foster some debate.  How can a company expect to retain control of its intellectual property when it is floating in a cloud, readily accessible by employees’ personal devices?

BYOD exists at your company, with or without your blessing, acknowledgement, or approval.  As a result, your organization may be reaping benefits such as cost reduction, improved productivity, and employee morale.  However, without a BYOD policy, you are putting your organization and its intellectual assets, trade secrets, and other proprietary data at risk.  So the question isn’t “IF” you should adopt a policy but “WHEN”.

The answer to this question is simply – “ASAP”.  A well-crafted BYOD policy should be implemented immediately.  It should keep pace with current technology and be implemented in an intelligent and methodical manner that provides employees with benefits while ensuring your intellectual property remains secure.

Key components of a BYOD policy:

  • Determining the types of phones and other devices that will be supported
  • Training for employees on Do’s and Don’ts
  • IT outreach for set up and configuration
  • Requiring employees to sign a statement that they were properly briefed and trained on the policy.  In addition, they must understand that the company will audit the use of the documents on their device
  • Company must have ability to audit use and control documents through software
  • Company needs ability to encrypt and remotely delete documents if the device is lost or stolen

Implementing BYOD will inevitably present challenges to safeguarding the integrity of your network.  TSC Advantage can help implement a cost effective solution that is designed to identify those challenges before they become problems or evolve into a catastrophic situation.  Become the technological champion who innovates, saves money, and fortifies the future of your company.

IP Protection and the Manufacturing Industry

By Al, TSC Sr. Project Manager

When you read the morning newspaper, daily articles detail the latest intellectual property, trade secret or personal information theft from commercial and government entities.  On the commercial front, the stories primarily focus on high technology or financial institutions (such as Google or J.P. Morgan).  Theft from manufacturing companies is often ignored.  It is here where some of the most significant IP and data losses occur and often go unnoticed for months or years.  Losses typically go undetected until a competitor comes out with a product that “looks just like “x” product” that was being produced by the targeted company(s).

Manufacturing companies produce a wealth of IP and innovation.  However, the public and media (as well as the companies themselves) have been slow to recognize the threats.  In order to effectively combat these threats, manufacturing companies must first identify the IP and data that represent the lifeblood of their organization.  Second, they must understand how it is potentially at risk.

They must establish effective processes and procedures to safeguard their IP and data.  It’s critical to institute monitoring technologies such as data loss prevention (DLP) tools and digital rights management tools. Additionally, employees need training and awareness programs to help them understand both the significance of IP and data protection and “how” they should both handle IP and data and report potential security violations.

The major issues common to classic manufacturing companies are:

  1. Non-security employees (engineers, line workers, admin and support staff, et al) are paid to “get the job done” and IP/data security typically takes a back seat. Training that emphasizes the need for each and every employee to take IP and data security seriously and “own” protecting IP and data within their environment is a MUST.
  2. Internal system constraints and legacy processes lead to potential IP and data loss.  TSC Advantage often finds that poor internal system design and/or lack of bandwidth leads employees to design broken business processes in order to “work around” system limitations.  In one example, remote locations had trouble accessing sensitive design information.  An employee was chartered to “print out” all documents that were needed for work.  This led to the potential for physical loss of paper data but also allowed unauthorized personnel to see particular data and provided them with the ability to violate the “least privilege” practice of IP protection.
  3. Foreign joint ventures and suppliers need extra focus.  This is a large area for IP and data leakage via either direct espionage or basic “losses.”  A comprehensive system analysis is necessary in addition to sensitivity to cultural norms and legal requirements in various overseas locations.

These are just some of the challenges that commercial manufacturing entities face.  TSC Advantage is helping this significant and perpetually emergent manufacturing base acknowledge the threat to their sensitive IP and data sources and to implement protection measures to ensure these companies retain their industry advantages.

Employee Awareness May be Your Best Line of Defense

By Armond, Senior Threat Specialist

The presence of fortified security in the form of gates and guards offers false hope to companies looking to protect their sensitive data.  While physical security is undeniably an important element of deterrence, it should never be regarded as the sole antidote in preventing compromise to intellectual assets and trade secrets.  In fact, no single component of enterprise security ever provides complete protection in an age of sophisticated and persistent threats to sensitive data.  Security solutions must be as diversified and resilient as the very threats that are targeting you (not trying to scare you, but you are probably in possession of information that somebody wants).

One way to begin an effective IP protection strategy is through employee education and awareness.  Employees are on the front lines. They are your human resources specialists, your administrative staff, your operations and sales people, your information technologists, and your research and development team.  The scope is boundless.  What unites these seemingly unrelated groups is that they all have access to sensitive information – from knowledge of competitive processes and trade secrets to patents, trademarks, and copyrights – that directly contributes to your differentiation and thus your ability to create and capture value.

Yet, the question remains: are these employees aware of the value of the information they possess?  Do they understand what information is considered more valuable than others?  Furthermore, are they cognizant of the vital role they play in protecting it?  In all industries and in all organizations, employee security awareness, effective education, data classification and loss prevention are critical to safeguarding sensitive information.  In this regard, a Fortune 500 company is no different than a state health exchange or a major public university.  The reason?  All three organizations have information that they are obligated to protect.  For the Fortune 500 company, it is trade secrets and intellectual assets.  For the state health exchange, it is electronic protected health information covered under the HIPAA Security Rule.  And for higher education, it is personally identifiable information protected under FERPA guidelines as set by the U.S. Department of Education.  What unifies these organizations is their requirement to secure information that must be protected – because a failure to do so may result in significant value degradation or even administrative and financial penalties imposed by regulatory authorities, such as the U.S. Department of Health and Human Services.

So what are some classic examples of poor employee awareness and education?  Take for example a common theme among organizations with robust physical security programs, such as a gated campus, visitor access control, and security patrol.  At such a place, employees may develop a sense of false security and neglect basic security measures out of the belief that the onus is not on them, per se, but rather “the security folks” who probably “got it covered”.  The employee may not even think to question the presence of a stranger (or a known colleague) within a sensitive area – such as a server room or an area where key R&D takes place – because of a mistaken assumption that the person probably “belongs.”  But that is a dangerous assumption to make.  The rise in sophistication of intellectual property theft – even from Insider Threats (http://goo.gl/jeQmcE) – demonstrates the need to equip employees with the knowledge of the complexity of the threats directed against them and how it does not matter if a particular component of their enterprise – such as physical security – is well fortified.  If an adversary is determined enough, they will certainly pivot and exploit the vulnerability left undefended.

Educating your employees on what constitutes “valuable” as well as the tactics that may be used to pilfer data can offer a proactive step in fortifying your enterprise against IP and trade secret theft.  At TSC Advantage, we specialize in a holistic approach to enterprise security that seeks to understand vulnerability being created by six critical domains across your organization – whether private or public sector – in our unique approach to IP and trade secret protection.  But make no mistake: the front lines of protection rest with the human front lines of defense (and that’s everybody who works for you).

Helpful Hints: Protecting Intellectual Assets During Foreign Travel

By TSC Threat Analyst

“The willingness of US scientists and scholars to engage in academic exchange makes US travelers particularly vulnerable not only to standard electronic monitoring devices—installed in hotel rooms or conference centers—but also to simple approaches by foreigners trained to ask the right questions.”

– Annual Report to Congress on Foreign Economic Collection and Industrial Espionage, 2003

“If a company has significant intellectual property that the Chinese and Russians are interested in, and you go over there with mobile devices, your devices will get penetrated.”

– Joel F. Brenner, Official in the Office of the Director of National Intelligence, 2012

These quotes are indicative of the risks to intellectual property that US businesses face every day when traveling overseas. So what is the best strategy to use if you want to show a prospective client your capabilities and how your company is the right solution for them?  How do you separate yourself from competitors while simultaneously protecting your intellectual assets?

Before I do, here are a few examples of intellectual assets that we unknowingly possess while traveling overseas that could prove extremely valuable to an adversary:

  • Customer data
  • Employee data
  • Vendor information
  • Pricing information
  • Proprietary formulas and processes
  • Technical components and plans
  • Corporate, financial or investment data
  • Phone directories
  • Computer access protocols and network design
  • Corporate, marketing or acquisition strategies
  • Negotiation strategies
  • Passwords (computer, phone, accounts)

Here are a few practices to minimize information loss while still allowing you to have a successful trip abroad:

  • Research and understand the environment of your potential client prior to your travel.
  • Only take what you and your company are prepared to lose if ever compromised.
  • Have your company information security experts wipe clean all electronic devices prior to your travel and upon your return.
  • Minimize the use of personal devices while traveling overseas.
  • Never load anything (such as thumb drives) given to you by anyone overseas onto your devices.
  • Understand that some businesses in foreign countries may have host government affiliations.  Be cognizant of what information you convey back to your company headquarters.
  • Adhere to your company’s information security policies for travelling abroad.
  • Be attentive – Where are your belongings at all times? What are you being asked and by whom? Do you remember your talking points? Is the material being discussed part of the pre-approved agenda sent ahead of your trip, or is it being solicited?

The truth is there is no simple solution to completely eliminate the possibility of corporate espionage or to deter an adversary from stealing your intellectual assets.  However, making an effort to constantly improve employee awareness and guidelines while traveling overseas will lead to successful trips and the protection of valuable intellectual assets.  Please give us a shout if you have any questions on how TSC Advantage can assist in your development of an effective mobility policy.

Why Tactical Solutions to Strategic Problems Always Fail

By Mark, Director of Security Solutions

For six long months, you’ve worked a lot of overtime to earn a little extra money so you can treat your family to a theme park vacation.  Eventually, you reach your financial goal, pick up the amusement park tickets and take out some cash for the surprise trip.  But first, you take your family out to dinner to celebrate.  After relaxing, all seems right in the world. However, things take a drastic turn for the worse when you return home. Your state-of-the-art security system has been disabled.  You find yourself in a momentary state of confusion as you recall having turned it on before leaving.  There are no broken windows, all your doors are locked from the inside and you find no evidence of forced entry.

As you frantically scour the house, it appears as though nothing has been taken or damaged. Then it hits you: there IS one thing that may be missing.  You race to the locked cabinet, and frantically open it.  With one glance, your heart drops.  The envelope with the amusement park passes, cash, and airline tickets is gone.  Six months of effort squandered.  In a matter of hours, someone completely unraveled everything you had been working towards.

After surveying the damage, you transition into “problem-solver mode.” You vow that this will never happen again.  You install floodlights and motion sensors.  A new, six-foot fence encompasses your property and two large Dobermans prowl within.  You upgrade the alarm system.  Your window and door locks are now top of the line.  And finally, you replace the locked cabinet with a Class TXTL-60 safe that can withstand explosive charges.  You have hardened your defenses from the outside in, thus ensuring that your hard work and family dreams will never be taken from you again.

Unfortunately, you are no closer to being safe than you were the moment you left for that family dinner. Why?

You have applied sound, robust and proven tactical solutions to an overwhelmingly strategic problem. You failed to recognize that the real issue was not the theft of your vacation envelope but HOW the thief knew it existed.  You upgraded a safe in order to prevent easy entry, but you still don’t know how the locked cabinet in your home office was so easily identified as holding the prize.  You improved the features of your alarm system without addressing how the deactivation code was compromised last time.  Your dogs now prowl and protect your exterior, yet it remains unclear how the initial entry was made.  In essence, you’ve improved your security marginally (if at all), while simultaneously highlighting to any previously unwitting bystander that there must be something valuable to protect inside.  Otherwise, why would you spend precious family resources on all of these security upgrades?  Perhaps instead of being the target of one professional thief, you’ll now be the target of an additional few who are willing to chance the security for the assumed windfall inside.  And worst of all, you’ve created a false sense of security for yourself and your family.

You would never expend funds unless you were sure it was addressing the problem.  Unfortunately, these are the mistakes that countless U.S. corporations – from start-ups to Fortune 100 companies – are making daily in response to a systemic problem of intellectual property and trade secret theft.  Tactical solutions such as the latest and greatest anti-virus program and physical security upgrades are often viewed as adequate countermeasures against leakage of sensitive corporate information.  In an effort to prevent the next theft, they are failing to understand the root cause that may lead to 100 more thefts down the road.  How did these bad actors know where to find your sensitive information?  Who told them a product was moving from R&D to Pilot phase?  How did the information get through the strong internal controls?  Was an insider involved?  Did someone in the corporate ecosystem such as a supplier, joint venture or partner gain access to the information?  Is this part of a larger concerted effort against your organization?

No one should tell you that a tactical solution would not be a part of a broader security strategy.  There is often a significant overlap. Holistic solutions include proper IT protection, travel security and basic physical security safeguards.  However, your corporate IP thief is banking on the fact that every U.S. corporation will stop its protection efforts there.  And most importantly, they are counting on the fact that human nature will stay true to form and a false sense of security will envelop the organization as people see the enterprise protection efforts in place. The only state of an enterprise more attractive to an IP thief than complacency is denial.

Maintain hope. There is no cliff to dive off. There is no such thing as an insurmountable enemy.  The American spirit is based on the belief that a large challenge is simply a great opportunity to conquer.  It is important to understand the root causes of our current challenge.  We must focus our precious corporate resources on not just stopping an ongoing issue but knowing how it was perpetrated and learning from it in order to prevent the next one.  Through increased awareness and attention, corporate leaders have taken the important first steps in getting a handle on this acutely imperative issue.  How this issue is addressed will define whether we continue to lead the world in innovation for generations to come or succumb to the economic realities of constant competition against entities that have built their success upon our shoulders.


Holistic Enterprise Security: The Best Approach in Protecting Your Trade Secrets

By TSC Blogger

According to the Commission on the Theft of American Intellectual Property, a U.S. advisory group, the theft of intellectual assets is estimated to cost U.S. businesses more than $300 billion annually.[1]  Increasingly, American companies are facing persistent threats to the integrity of their business activities and are grappling with how to stem the erosion of their value due to commercial espionage as perpetrated by foreign and domestic actors.  In addition to the harm this causes the affected firm, these thefts also contribute to American job loss and a decline of the U.S. economy as captured in GDP terms.  In some cases, this has resulted in the permanent ceding of American ingenuity to rivals who are not only stealing the intellectual property (IP), but also counterfeiting and adapting it to foreign markets by focusing on low-cost positioning and mass consumption and subsequently evolving into market disrupters in their own right.

These challenges are consistent and costly.  Since 2010, cyber espionage attacks – for the purposes of stealing American intellectual property – have risen 38% with the average cost to the victimized firm representing approximately $8.9 million per year.[2]  And with an estimated 80% of corporate value tied to these intangible assets,[3] the potential for extraordinary loss is evident.

So what should U.S. companies do to protect themselves from this threat?  Although investments in defensive measures such as firewalls or anti-virus solutions are popular tools for securing intellectual property, relying on them alone ignores the fact that vulnerability emanates from other access points into an organization.  In an age of growing and sophisticated attacks, particularly as related to the state sponsorship of IP theft through cyber and insider threats, firms must ensure security investments are diversified across their entire business enterprise.

But what does that mean?  It is not to say that security investments in specific components of an enterprise do not provide protection.  They can.  The problem is that a single-faceted approach is insufficient and incomplete.

Take, for example, security boutiques specializing in cyber defense (and offense).  These firms will gladly sell their products and services as the panacea for total security and protection, but vendors specializing in these services tend to offer a reactive approach rather than a proactive one and only focus on domain-specific areas of an organization.  Most times, their services are only utilized after a security incident has already occurred and where an erosion of value, innovation, and reputation has already been inflicted.  In addition, introducing more infrastructure may create more complexity, as well as data that may inevitably be left unanalyzed and uncorrelated with other threats being introduced from other ingress points into the enterprise.  Although application behavior, system performance, user actions, malware activity, APT, and other deceptive activity are critical data streams in any post-incident assessment, a cyber-centric approach to security such as this lacks the capability to corroborate vulnerability from elsewhere within the organization, and is devoid of the fundamental philosophy that a proactive and holistic methodology could have prevented an incident from occurring in the first place.

For companies who rely on ‘in-house’ personnel to meet their security needs, the basic problem remains the same.  Although some organizations prefer this solution due to a fear of revealing vulnerabilities to outsiders, these personnel tend to focus only on diagnostics, forensics, and security monitoring.  Oftentimes – and because of the nature of their employment – these staff members may not be able to offer an objective assessment and lack the true investigative and analysis expertise to ‘connect the dots’ across the entire enterprise.

For this reason, instead of focusing on security solutions in just one component of an enterprise, the more prudent approach to enterprise security is a holistic intelligence program diversified across the entire organization practiced by the right experts.  This can offer a trusted way for firms to protect their intellectual assets and other sensitive data in an age of sophisticated threats.  “We are suggesting that a ‘big picture’ approach to security is a better way for organizations to understand their threat landscape,” said Mark Lopes, TSC’s Director of Enterprise Security Intelligence.

Holistic Security: A Deeper Look

At TSC, we define holistic security as encompassing six basic functional units and processes of an organization: Mobility, Data Security, Physical Security, Insider Threats, and Internal/External Business Operations, which includes joint venture and supply chain risk management.  It is based on the premise that so-called ‘isolated incidents’ of vulnerability occurring in one area of a business should be juxtaposed with structured and unstructured data being produced from other areas as a means to more deeply understand and identify threat and possibly corroborate other vulnerabilities and negative trends using similar methodologies.  So what can these isolated incidents look like?  The example below demonstrates how four separate incidents – when interpreted holistically and proactively – could have helped skilled experts understand the nature of a threat directed against a company’s valuable data.

Isolated Incident #1:
The IT Department observes Employee #1 trying to gain access to a folder for which he/she lacks permission.  This folder contains sensitive information on a prototype development not yet introduced to the market.  A week later, this same employee is observed running a scan of the company’s internal network.  When IT staff notice this activity, they confront the employee; however, a reasonable explanation is provided and no subsequent action is taken. This information is not shared with any other department within the company.

Isolated Incident #2:
The office manager notices Employee #1 working late hours, an irregular and seemingly unnecessary activity given this employee’s position and job title.   Late one evening, Employee #1 attempts to leave the building with a bag containing folders labeled, “proprietary.”  When the office manager questions this activity, the employee offers a frantic apology and a plausible explanation. Accepting this response as legitimate, the office manager does not share this information with anybody else inside the company.

Isolated Incident #3:
A different employee, Employee #2, travels overseas to attend a meeting with a foreign partner on a joint venture (JV) opportunity. During the trip, the employee travels with both his smartphone as well as a company laptop containing proprietary information.  This is because the employee’s company did not establish security policies and procedures covering Mobility, which covers Bring Your Own Device (BYOD) and foreign travel.  Additionally, on more than one occasion, Employee #2 accesses his company’s network from the partner’s internal network.  Not thinking anything of it, Employee #2 does not mention this activity to any of his colleagues upon his return.

Isolated Incident #4:
At lunch on a Monday morning, colleagues learn Employee #1 just returned from a weekend trip overseas. When asked about it in detail, the employee offers a hurried and confusing explanation about a ‘weekend getaway’ that appeared to be in conflict with the established lifestyle pattern of this person.  Later that day, colleagues learn that Employee #1 traveled with numerous company thumb-drives and disks – more evidence of unusual behavior for a traveler supposedly on vacation from work.  Over time, colleagues begin to notice Employee #1 exhibiting unexplained affluence.  For example, they observe him driving a brand new car rather than the more modest vehicle he usually drives.  When asked by a colleague, the employee stated sheepishly the car was a gift from a distant relative.  Without additional information confirming suspicions, the issue was dropped and this information was not shared with anybody else inside the company.

As individual data points, the preceding incidents could be interpreted as mundane and ordinary. But if these events were documented, and if they were correlated and analyzed proactively by the right experts with information collected from other departments, certain patterns could begin to emerge that would confirm the presence of holistic vulnerability emanating from Insider Threat and Mobility – and possibly prevent the threat from materializing in the first place.  Whereas Employee #1 was demonstrating behavior of a classical malicious insider, Employee #2 served as an example of the need for organizations to codify security policies and procedures relating to Mobility and the role employees must play in safeguarding critical information.

“It takes the right professionals with the right backgrounds to be able to correlate, analyze, and investigate the types of complex and disparate data sets that ultimately serve as potential threat indicators to companies,” said Sean Doherty, President of TSC.  “This is our core competence.”

TSC Threat Vector Manager
As an innovator in enterprise security intelligence, TSC specializes in the protection of intellectual assets and trade secrets using this unique holistic approach and other innovative techniques.  Using its patented Threat Vector Manager™ (TVM) platform, TSC experts integrate and correlate an array of internal and external data sets from six fundamental domains and provide actionable recommendations to fix problems across an enterprise while delivering ongoing vulnerability protection.  Based on the threat vectors being investigated, TVM™ establishes baseline threat and vulnerability metrics and creates a threat assessment review.  Actionable recommendations are then created to mitigate identified threats and a plan for delivering ongoing intelligence to prevent future losses is developed.

Some additional benefits of TVM™ include:

  • Secure intelligence delivery of holistic threat vectors via a customizable Executive Dashboard based upon desired priorities
  • Visualizations to quickly and effectively communicate the level of activity and risk
  • Provides an overall assessment of  client-specific risk that measures maturity of policy, procedure, and governance supporting on-going defense of clients’ most valuable assets in conjunction with critical business needs
    • Streamlines policy and procedure development and focuses on the most impactful areas
    • Informs resource allocation based upon risk sensitivity and exposure

Summary
In an era of sophisticated threats, intellectual asset and trade secret protection is best achieved through a holistic approach utilizing trusted intelligence methodologies practiced by the right experts.  Based on business priorities, available budget, and resources, TSC offers cost-effective and comprehensive security programs necessary to find, fix, and protect critical security vulnerabilities.   “Failure to address the challenge of trade secret theft costs industry billions of dollars each year,” said Pamela Passman, President and CEO of CREATe.org, a leading non-profit dedicated to helping companies, suppliers, and business partners reduce piracy, counterfeiting, and trade secret theft.  “[It] can have devastating reputational, financial, and legal impacts for individual companies and the global economy as a whole.”

About the Author
Armond is a Senior Threat Specialist at TSC and is based in Washington, D.C.  He joined TSC in 2011 and has managed global projects as well as specialized training and awareness programs focusing on threat analysis and intellectual asset protection for both the private and public sector.  He holds a Master’s degree from the Fletcher School of Law and Diplomacy at Tufts University and a Bachelor’s degree from the University of New Hampshire.

About Tailored Solutions and Consulting (TSC)
TSC, an innovator in enterprise security intelligence, specializes in the protection of intellectual assets and trade secrets. Employing a holistic approach, TSC identifies and protects organizations’ critical and valuable intellectual assets against insider threats, supply chain risks, cyber security vulnerabilities, mobility, and physical security risks. Using patented methodologies through its Threat Vector Manager™ framework, TSC leverages its analytical and investigative expertise, diverse language skills, and global experience from work in the public and private sectors to provide customized solutions to members of the Fortune 500, innovative start-ups, and the public sector.  For more information, please visit us at www.tscadvantage.com.

Endnotes
1. The Securities and Exchange Commission is currently reviewing its guidance to companies on regulatory disclosure obligations, as companies who have been the victims of cyber attacks and other events with potential for value degradation are either not reporting or underreporting their victimhood in their annual filings.  Nowhere was this more evident than in the case of Coca-Cola.  In this example, the cola giant experienced a significant data breach in 2009 at the hands of Chinese hackers who successfully pilfered intelligence information on the brand’s attempted $2.4 billion acquisition of juice manufacturer China Huiyuan.  It was not until years later that Coca-Cola officials publicly revealed this information.

2. Source: Ponemon Institute report entitled, “2012 Cost of Cyber Crime Survey: United States”
3. Source: Tauriq Keraan -Tile Rembrandt in the Corporate Attic: Extracting Maximum Value from Intellectual Assets,” Deloitte, 2010.


August 25, 2014

By TSC Blogger

A group of hackers has extracted the personal data of 27 million (more than 70 percent of the population) South Korean people using various gaming and movie ticketing websites. The data included users’ names, resident registration numbers, account names and passwords. South Korean authorities believe the hackers were selling the information to other scammers for profit. A 24-year-old man known as Kim and 15 others have been arrested in association with the crime.

August 19, 2014

By TSC Blogger

Community Health Systems, which operates hospitals  in 28 states across the nation, has been hacked. Criminals recently broke into the company’s computers, gaining access to the names, Social Security numbers, physical addresses, birthdays and telephone numbers of  4.5 million patients. The FBI is working closely with the hospital network.

August 16, 2014

By TSC Blogger

Popular supermarket store chains Albertson’s and SuperValu have had their payment card networks compromised after falling victim to hackers. The hackers made off with names, card numbers, expiration dates and the three-digit security codes. It is currently unclear how many customers have been impacted by the massive data breach.

August 13, 2014

By TSC Blogger

A Chinese software engineering student identified as “Li” has been arrested after creating a new malware strain called the “Heart App,” which has infected over 100,000 phones. When phone owners download the app, it sends a text to their listed contacts encouraging them to download it as well. At this point, the victims voluntarily offer their personal information. More than 20 million infected messages have already been blocked by Chinese phone providers.

August 12, 2014

By TSC Blogger

In May 2012, Tennessee-based maintenance and construction firm Tennessee Electric Company Inc. (now TEC Industrial) was the target of a cyberheist that saw thieves use more than four dozen money mules to drain over $300,000 out of the company’s TriSummit Bank accounts. TEC is suing TriSummit to recover the funds, alleging negligence, breach of contract and fraudulent concealment.

August 6, 2014

By TSC Blogger

In a series of internet attacks, Russian hackers have stolen 1.2 billion user names and passwords from 420,000 websites. In addition, the hackers have accumulated 500 million email addresses that could help them orchestrate further criminal activity. The stolen information is being used to send marketing pitches, schemes and junk messages on social outlets. Most of the compromised sites remain vulnerable to further break-ins.

July 30, 2014

By TSC Blogger

Haley Chiropractic Clinic in Tacoma, Wash. was recently broken into. Burglars stole three computers containing patient information including names, addresses, dates of birth, Social Security numbers, health insurance information and diagnosis information. The theft has been reported to federal authorities and 6,000 current and former patients are being notified.

July 25, 2014

By TSC Blogger

Six individuals from the United States, United Kingdom, Russia and Canada have been indicted in connection with an international hacking scheme that compromised more than 1,600 StubHub accounts. The defendants used preexisting payment card information tied to each account to purchase and resell thousands of tickets to popular events. As a result of the scheme, StubHub was defrauded out of $1 million.

July 21, 2014

By TSC Blogger

Goodwill, a non-profit clothes and furniture donation organization, has reportedly fallen victim to a series of credit card breaches involving Goodwill locations nationwide. An unknown number of affected credit cards and debit cards all appear to have been used at Goodwill stores, but fraudulent charges on those cards occurred at stores such as big box retailers and supermarket chains. This activity is consistent with other recent data breaches involving credit and debit cards, including the intrusions at Target, Neiman Marcus, Michaels, Sally Beauty and P.F. Chang’s. Goodwill is working with the U.S. Secret Service on an investigation into these reports.

July 16, 2014

By TSC Blogger

Before leaving the Park Hill School District in Missouri, a former employee downloaded all files from their computer onto a hard drive, without consent. The former employee connected the hard drive to a home network, exposing the personal information – including social security numbers – of more than 10,000 current and former staffers and students on the internet. The school district is updating policies to more strictly prohibit employees from taking information.

July 15, 2014

By TSC Blogger

CNET, one of the world’s most popular technology review websites, was hacked by a Russian hacker group that goes by the name “worm.”  The hackers reportedly stole a database of usernames, emails and encrypted passwords from CNET’s servers which includes the data of more than 1 million users. The group claims they hacked BBC last year and Adobe Systems and Bank of America previously.

July 1, 2014

By TSC Blogger

A staffer at Stanford Federal Credit Union inadvertently disclosed the personal information of roughly 18,000 members to another member. The exposed data includes names, addresses, member numbers, tax identification numbers, loan offers and credit information. The California-based credit union is installing additional software systems and implementing new operational protocols to ensure that another incident like this does not occur in the future. All impacted individuals are being notified.

June 25, 2014

By TSC Blogger

Up to 1.3 million records, including health care and bank account information, may have been exposed after a server at Montana’s public health department was hacked. The Department of Public Health and Human Services shut its server (which held information such as names, addresses, birth dates, confidential healthcare information and Social Security numbers) down after suspicious activity started occurring. The state is unsure as to whether or not the data on the server was inappropriately used or accessed. Those affected are being contacted by the Department of Public Health and Human Services and will be offered free credit monitoring.

June 17, 2014

By TSC Blogger

A hacker group calling themselves “Rex Mundi” has broken into Domino’s Pizza systems and posted details to Pastebin. The stolen data (of over half a million customers) allegedly includes customers’ full names, addresses, phone numbers, email addresses, passwords, delivery instructions and even favorite pizza toppings. Rex Mundi has threatened to expose the customer data unless the pizza giant pays a ransom.

June 13, 2014

By TSC Blogger

Redwood Regional Medical Group imaging center in Santa Rosa, California, has reported a data breach. A thumb drive containing confidential health records of nearly 34,000 patients was stolen from an unlocked employee locker at the office. This is not the first security incident experienced by the medical group – in 2012, officials notified close to 32,000 patients across the state that their health information was accidentally made accessible on the Internet for nearly a year. The information was accessible through a simple Google search of the patient’s name.

June 10, 2014

By TSC Blogger

Over 1,800 patients of Penn State Hershey Medical Center have been put at risk after a lab technician took confidential information home. The employee had been entering clinical test data (including names, medical record numbers, names of lab tests, visit dates and test results) into a test log on a personal computer and had used a flash drive and a personal email account to transport the information. Penn State Hershey has conducted an internal investigation and the medical center is training employees on protecting patient information.

June 4, 2014

By TSC Blogger

In a major privacy breach at Rouge Valley Centenary hospital, as many as 8,300 new mothers had their name, address, and phone number turned over to private companies selling Registered Education Savings plans by two staff members at the Scarborough Hospital. The privacy commissioner of Ontario is investigating.

June 2, 2014

By TSC Blogger

An unknown attacker hacked into the client database of Monsanto subsidiary Precision Planting. The attack compromised 1,300 accounts that include names, addresses, tax IDs, Social Security numbers and financial information. The 1,300 employees affected by the breach are potentially in grave financial danger.

May 26, 2014

By TSC Blogger

Prosecutors building a case against Wang Dong, one of five Chinese military hackers indicted this week for economic espionage, have received some assistance from the fact that Wang has been leaving a trail behind himself. Also known as UglyGorilla, Wang has become known as China’s most flamboyant hacker after leaving his initials “UG” in the logs of thousands of compromised computers. Wang is suspected of hacking Coca-Cola in 2009 and a California nuclear plant operated by Pacific Gas & Electric in 2011.

May 21, 2014

By TSC Blogger

Online auction company eBay has posted a message announcing that it has been hacked. A database containing encrypted passwords has been breached, allowing hackers access to employee log-ins and encoded passwords. The sales giant is urging all of its members to change their passwords immediately.


Team

It’s easier than you think for your sensitive data – such as intellectual assets, trade secrets, protected health information, or customer data – to fall into the hands of a competitor, hacker, disgruntled employee, or foreign government.

Let us introduce you to some of our team members who will be helping you secure your enterprise.

Len

Chief Technology Officer

Len joined TSC Advantage in 2013. He offers more than 20 years of experience in the military, consulting, and high-tech industries, developing system and enterprise architectures to solve complex business problems with technology. His resume includes ManTech International, where he focused on collaborative technologies and agile development, and the consulting firms Booz Allen Hamilton and BearingPoint, where he led several enterprise architecture projects for large U.S. Government organizations. Len also has experience with large-scale integrators including positions at Raytheon and Boeing, as well as 10 years in the United States Air Force as a navigator. Len earned a Bachelor’s degree in Computer Science from Syracuse University, a Masters of Science in Computer Information Systems from St. Mary’s University, and a Doctor of Computer Science from Colorado Technical University.

Allen

Senior Project Manager

Allen joined the company in 2011. With more than 20 years of experience in the commercial and government sectors, Allen has worked at a variety of organizations including several Fortune 500 corporations. During his commercial tenure, Allen managed numerous programs within the telecommunications and information security industries, including several large multimillion-dollar projects related to cellular/satellite network implementation. Allen’s background also includes defense policy analysis and national security policy, as well as military experience in the US Navy as a Russian Linguist and Soviet Naval analyst. Allen possesses PMP and CISSP certifications and holds a Master’s degree in International Affairs from Columbia University.

Armond

Senior Threat Specialist

Armond joined TSC Advantage in 2011 and has 10 years of international security and consulting experience. He has managed complex global projects as well as led specialized training and awareness programs focusing on threat remediation and intellectual asset protection for both the private and public sector. He holds a Master’s degree in International Affairs with an emphasis on International Business from Tufts University’s Fletcher School.

Natalie

Director of Analytics

Natalie has been with the company since 2007. With more than 15 years of experience as an intelligence professional, Natalie’s expertise spans both the government and commercial sectors. Natalie’s work for the U.S. Government includes extensive experience in the identification, acquisition, and development of critical information, supporting high value national security interests. In the commercial arena, Natalie led the development of innovative methods to acquire and analyze critical information to protect specific interests and high-value intellectual assets. Natalie holds a Master’s degree in International Relations from Yale University.


Contact Us

Interested in proactively defending your enterprise?  Curious about possible employment opportunities?

Please contact us here