Gunpowder, Treason and Insider Threat!

This week many of us will be, at some point visiting a fireworks display with our families to celebrate what’s possibly the earliest example of a thwarted insider threat. Dating back over 400 years people have celebrated the foiled plans of 1604 to assassinate King James I. 

Whilst, not the inspiration or the brains behind this plan; Guy Fawkes was found with many barrels of Gunpowder directly underneath the House of Lords. He was only found following a tip-off to the King by one of his servants which prompted a search of the basements under the House of Lords. 

The only reason the plot was unsuccessful was that it was detected in time as the King knew where to focus his search. It’s the same approach that’s utilised by traditional log management solutions today. They utilise Correlation rules to seek out ‘known bad’ behaviour. They’re only effective if maintained and updated with the latest accurate intelligence. Without being tipped off, King James I could have met his fate.

There are many anomalous activities that surround the gunpowder plot but didn’t arise suspicion at the time such as:

  • the initial plans being discussed in the Duck and Drake Inn
  • rental of the basement under the House of Lords
  • delivery and storage of many barrels of gunpowder
  • and the repeated visits to the basement by Guy Fawkes to confirm that the plot hadn’t been detected.

Like with cyber Incidents of today, if you look hard enough there is evidence within the log data. You just need to know where to look and what to do with it. Machine Based Behavioural Analytics solutions do not have the same restrictions as legacy SIEM solutions and thus can identify anomalous activity without the need to know where to search. Utilising behavioural analytics and machine learning technologies enables much of this process to be automated with a very high degree of accuracy. 

It’s crucial to have a clear framework for surfacing anomalies and detecting potential threats that can be triaged and remediated early, and pro-actively protect the enterprise from the consequences of a data breach. After all, a fire consumes all in its trail, and the incendiary effects of a data breach are no different.

Stay safe and enjoy the displays.