Waymo v. Uber: The Danger of Insider Threats

Interset’s Ross Sonnabend explores how security analytics can prevent insider threat-related disasters like Waymo vs. Uber.


Insider Threat Incident

After just five days of trial, Waymo and Uber reached a settlement on the court case that has drawn a wealth of media coverage and scrutiny. The settlement, which provides 0.34 percent of Uber’s equity to Waymo, follows a months-long battle to determine if global ride-hailing giant Uber stole trade secrets from Google’s self-driving car project Waymo.

According to Waymo, former engineer Anthony Levandowski secretly downloaded thousands of confidential corporate files prior to leaving the company and used these proprietary designs to his advantage when he eventually joined Uber’s self-driving car initiatives through the acquisition of his startup, Otto.

To win a case like this, Waymo's lawyers would have needed to prove that this is actually what happened. Which files did Levandowski download? When did he download them, and where did those files go? Answering these questions with any certainty is exceptionally difficult without a paper trail, or in this case an electronic one: access and transfer logs that tie a user, a time and a destination to each file.

The attention this trial has gotten makes it seem extraordinary, but let me tell you: this happens every day. Whether they are senior, mid-level or junior employees, anyone with access can quietly copy confidential files into their own possession. And if they can, you can bet some of them will.

Not everyone intends to do harm with the data they take. I'm sure many of us are in the habit of emailing or backing up certain "personal work" files before changing jobs. But the grim reality is that once data is out of the corporate network, nobody knows where it might end up, even accidentally. In the era of BYOD especially, companies should operate under the assumption that employees do copy corporate data onto devices and storage services where it doesn't legally belong, and they should have safeguards in place to detect when that is happening.

The Waymo/Uber incident sounds familiar to us here at Interset. It's hard not to see the similarities between this and the international incident involving Edward Snowden, who exfiltrated more than a million files out of classified areas within the US Intelligence Community. In a white paper, we broke down the Snowden case and explained the various anomalies that could have been detected had some form of security analytics been in place, such as logging into a classified network using someone else's credentials or accessing and modifying log files on backend systems. Comprehensive forensic records would have been a huge asset in proving Snowden's guilt beyond reasonable doubt, and behavioral analytics would have flagged his activity from the start rather than after the fact.

We know the power of security analytics because we've seen it first-hand. Recently, a medical technology company that had deployed our solution detected unusual behavior by an employee who was about to leave the company: emailing large volumes of data, including intellectual property, through Gmail. Thanks to Interset, the company was able to identify and terminate the employee and prevent the IP from landing in the wrong hands.

We see it time and time again. Insiders are an increasingly common security risk, with 25 percent of data breaches involving internal actors, according to Verizon's 2017 Data Breach Investigations Report. In fact, most intrusions end up looking like insider threats: once an external attacker has a foothold and valid credentials inside your network, they behave as an insider, and your data is at risk in exactly the same way. This is a key use case for us at Interset because our solution is ideally suited to detecting data staging and exfiltration. Artificial intelligence, and machine learning in particular, is well suited to identifying insider threats, because the problem involves large volumes of unlabeled data: there are rarely enough labeled examples of malicious insider activity to train a classifier, so the useful question is not "does this match a known attack?" but "does this deviate from what is normal for this user?"

With 350+ machine learning models, Interset is able to detect many kinds of behavioral anomalies, such as unusual network traffic patterns, email usage patterns, expense reporting, and even human versus non-human (bot) behavior. For example, our platform can detect whether a user accesses a shared drive an unusually large number of times compared to their "unique normal" behavior, which may be an indication of reconnaissance activity (image below).

Insider Threats

In this example, it was very unusual for Joshua Newman to access the shared drive "Network Shares → Client data" 38 times in one hour. Normally, Joshua accesses that shared drive 1.1 times an hour, and at most twice. His peer group similarly accesses that shared drive an average of 1.1 times an hour, and the average of each peer's hourly maximum is two. Measuring normal against abnormal in this way, per user and per peer group, is the key to proactive prevention of data exfiltration, and in this case was apparently worth $245 million to Waymo.
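To make the "unique normal" comparison concrete, here is an added example of the baseline-and-peer-group check described above, written for this page and not taken from Interset's product or models. It builds a constructed access log in which five hypothetical users (jnewman and four peers) touch a hypothetical share 1.1 times per working hour on average with a maximum of two, then jnewman hits it 38 times in a single hour. Each hour is scored against the user's own history and against the peer group's average ceiling; the same per-hour counting works for the exfiltration channels mentioned below if the counted quantity is bytes emailed, written to USB or uploaded instead of share accesses.

```python
"""Behavioral baseline for shared-drive access: added example, constructed data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RESOURCE = "Network Shares/Client data"  # hypothetical share name
PEER_GROUP = ["jnewman", "amartin", "kchen", "dpatel", "lrossi"]  # hypothetical user IDs
BASELINE_DAYS = 30
WORK_HOURS = range(9, 17)  # eight working hours per day
# Deterministic "normal" pattern: nine hours with one access, one hour with two,
# so every user's baseline is exactly 1.1 accesses per hour with a maximum of 2.
NORMAL_PATTERN = [1, 1, 1, 1, 1, 1, 1, 1, 1, 2]
START = datetime(2018, 1, 1)
BURST_HOUR = START + timedelta(days=BASELINE_DAYS, hours=10)


def build_sample_log():
    """Constructed access log as (user, timestamp, resource) tuples."""
    log = []
    slot = 0
    for day in range(BASELINE_DAYS):
        for hour in WORK_HOURS:
            bucket = START + timedelta(days=day, hours=hour)
            for i, user in enumerate(PEER_GROUP):
                # Offset each user into the pattern so peers differ hour by hour
                n = NORMAL_PATTERN[(slot + i) % len(NORMAL_PATTERN)]
                for k in range(n):
                    log.append((user, bucket + timedelta(minutes=5 * k + i), RESOURCE))
            slot += 1
    # The anomalous hour: jnewman touches the share 38 times (constructed).
    for k in range(38):
        log.append(("jnewman", BURST_HOUR + timedelta(minutes=k, seconds=30), RESOURCE))
    return log


def hourly_counts(log, resource):
    """Map user -> Counter(hour bucket -> number of accesses) for one resource."""
    counts = defaultdict(Counter)
    for user, ts, res in log:
        if res == resource:
            counts[user][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def baseline(counter, before):
    """(mean, max) accesses per active hour strictly before `before`.

    Hours with no access are absent from the counter and are not counted;
    including them would only lower the mean and make a burst stand out more.
    """
    vals = [n for hour, n in counter.items() if hour < before]
    if not vals:
        return 0.0, 0
    return sum(vals) / len(vals), max(vals)


def score_hour(log, resource, user, peers, hour, factor=3.0):
    """Score one user-hour against the user's own history and the peer group."""
    counts = hourly_counts(log, resource)
    observed = counts[user][hour]
    own_mean, own_max = baseline(counts[user], hour)
    peer_stats = [baseline(counts[p], hour) for p in peers if p != user]
    if peer_stats:
        peer_mean = sum(m for m, _ in peer_stats) / len(peer_stats)
        peer_avg_max = sum(x for _, x in peer_stats) / len(peer_stats)
    else:
        peer_mean = peer_avg_max = 0.0
    # Flag only when the hour exceeds BOTH ceilings by `factor`: a user whose
    # role is heavier than their peers' is judged against their own history.
    ceiling = factor * max(own_max, peer_avg_max, 1)
    return {
        "user": user, "hour": hour, "observed": observed,
        "own_mean": round(own_mean, 2), "own_max": own_max,
        "peer_mean": round(peer_mean, 2), "peer_avg_max": peer_avg_max,
        "ceiling": ceiling, "anomalous": observed > ceiling,
    }


def demo(hour=BURST_HOUR):
    """Score jnewman for the given hour on the constructed log."""
    return score_hour(build_sample_log(), RESOURCE, "jnewman", PEER_GROUP, hour)


if __name__ == "__main__":
    print(demo())  # anomalous hour: observed 38 against own_max 2, peer_avg_max 2
    print(demo(START + timedelta(days=BASELINE_DAYS - 1, hours=16)))  # a normal hour
```

The threshold factor of 3 is an assumption chosen for the constructed data; in practice it would be tuned per resource, and the baseline window would roll forward so that a slow, steady rise in activity is absorbed into "normal" rather than flagged forever.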

Our solution can also detect unusual data exfiltration through email, USB sideloading, web uploads, and more, because it understands each user's normal behavior and highlights the users who are acting differently than they normally would, or than their peer group normally would.

The biggest advantage you can give your company in the fight against data theft is being proactive. Once IP has been exfiltrated, the damage is done, and the only way to obtain justice is proof. It's a massive hassle, as Waymo and Uber are learning at the moment, and potentially avoidable.

Ross Sonnabend is SVP of Strategy at Interset.