July 2, 2015

Helix Threat Detection Q & A: What You Need to Know to Stop Data Theft

IP Protection
Perforce’s own Chris Hoover and Charlie McLouth recently hosted a webinar called “Learn How to Stop Data Theft Before It Happens,” which gave an overview of the features and advantages of our Helix Threat Detection capabilities. Helix Threat Detection helps stop data theft by...
  • Detecting anomalous user behavior against the assets stored in Helix repositories. 
  • Eliminating false positives by using advanced math models and machine learning to categorize high-risk users and projects. 
  • Identifying internal theft and compromised accounts early enough in the process that you can respond before harm has been done.

If you missed the webinar, we invite you to watch the on-demand version and see the product in action. 
 
There were a lot of questions from the audience, not all of which could be answered in the time provided. I’ve compiled some of the more popular questions and the corresponding answers below. 

Questions and Answers

How is Helix Threat Detection different from other security tools?

Helix Threat Detection provides detailed contextual information on what a user account has done to particular projects (sets of files) and compares it to a baseline cluster of similar users. The level of granularity in the Perforce audit logs helps to quickly and accurately identify anomalous user behaviors that deviate from that baseline. These behaviors include things like “wandering” into inactive or rarely accessed projects, “hoarding” more projects than one’s peers, and “sneaking” access during atypical hours of the day. The product does much more than simply count how many resources a particular user has accessed.
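To make the three behaviours concrete, here is an added example that builds a peer baseline from a handful of constructed P4AUDIT-style lines and flags each deviation. It is illustration only, not Helix Threat Detection’s own code or models. It assumes the classic audit line layout (date, time, user@client, client IP, command, depot file#rev), that the first directory under //depot/ names the project, and fixed thresholds (07:00–18:59 as typical hours; more than twice the peer median number of projects as hoarding).

```python
"""Toy baseline-and-deviation detector over constructed Perforce audit log lines.

Added illustration, not Helix Threat Detection's algorithm. Assumes the classic
P4AUDIT line layout 'date time user@client clientIP command depotfile#rev' and
that the first path component below //depot/ names a project.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines (not real data). Three developers work their own
# project during the day; 'dave' touches four projects late at night.
SAMPLE_LOG = """\
2015/06/30 09:12:01 alice@alice-ws 10.1.2.3 sync //depot/payments/src/Ledger.java#4
2015/06/30 09:40:17 alice@alice-ws 10.1.2.3 edit //depot/payments/src/Ledger.java#4
2015/06/30 10:05:44 bob@bob-ws 10.1.2.4 sync //depot/payments/src/Gateway.java#2
2015/06/30 10:30:09 bob@bob-ws 10.1.2.4 sync //depot/payments/docs/README.md#1
2015/06/30 11:02:50 carol@carol-ws 10.1.2.5 sync //depot/webapp/js/app.js#7
2015/06/30 14:15:33 carol@carol-ws 10.1.2.5 edit //depot/webapp/js/app.js#7
2015/06/30 15:00:00 dave@dave-ws 10.1.2.6 sync //depot/webapp/css/site.css#3
2015/06/30 23:41:12 dave@dave-ws 10.1.2.6 sync //depot/payments/src/Ledger.java#4
2015/06/30 23:42:08 dave@dave-ws 10.1.2.6 sync //depot/webapp/js/app.js#7
2015/06/30 23:43:55 dave@dave-ws 10.1.2.6 sync //depot/legacy-billing/src/Old.java#1
2015/06/30 23:44:30 dave@dave-ws 10.1.2.6 sync //depot/hr-tools/src/Payroll.java#2
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<user>[^@\s]+)@(?P<client>\S+) "
    r"(?P<ip>\S+) (?P<cmd>\S+) (?P<path>//\S+?)(?:#(?P<rev>\d+))?$"
)

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 counts as typical hours
HOARDING_FACTOR = 2.0          # assumption: > 2x the peer median project count


def parse_audit_line(line):
    """Parse one P4AUDIT-style line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "client": m["client"], "ip": m["ip"],
            "cmd": m["cmd"], "path": m["path"],
            "rev": int(m["rev"]) if m["rev"] else None}


def project_of(path):
    """Assumption: //depot/<project>/...; the component below the depot root."""
    parts = path.lstrip("/").split("/")
    return parts[1] if len(parts) > 1 else parts[0]


def analyze(lines):
    """Return {user: {behaviour: evidence}} for users deviating from their peers."""
    records = [r for r in (parse_audit_line(l) for l in lines) if r]
    projects_by_user = defaultdict(set)
    users_by_project = defaultdict(set)
    after_hours = defaultdict(int)
    for r in records:
        proj = project_of(r["path"])
        projects_by_user[r["user"]].add(proj)
        users_by_project[proj].add(r["user"])
        if r["ts"].hour not in BUSINESS_HOURS:
            after_hours[r["user"]] += 1

    findings = {}
    for user, projs in projects_by_user.items():
        f = {}
        # wandering: projects nobody else touched in the baseline window
        wandering = sorted(p for p in projs if users_by_project[p] == {user})
        if wandering:
            f["wandering"] = wandering
        # hoarding: breadth of projects compared with the peer median
        peers = [len(v) for u, v in projects_by_user.items() if u != user]
        if peers and len(projs) > HOARDING_FACTOR * median(peers):
            f["hoarding"] = len(projs)
        # sneaking: accesses outside the typical-hours window
        if after_hours[user]:
            f["sneaking"] = after_hours[user]
        if f:
            findings[user] = f
    return findings


if __name__ == "__main__":
    for user, evidence in analyze(SAMPLE_LOG.splitlines()).items():
        print(user, evidence)
```

Two caveats worth keeping in mind when reading the output. With this toy rule a project that genuinely has a single developer will flag its owner as “wandering” unless the baseline window is long enough to capture normal activity, and fixed thresholds are exactly what a peer-cluster baseline is meant to replace; the point of the example is the shape of the signals, not the thresholds.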
 
How do I get started?
First of all, you need to be using the Helix Versioning Engine to take advantage of this capability. A great way for Perforce customers to try Helix Threat Detection is our free risk analysis report. Start by turning on auditing with P4AUDIT or the structured audit logs. To participate in a risk analysis report, you’ll provide us with a month of audit logs. We will anonymize your data and later review with you an analysis of potential threats in your organization.
 
What type of log level should be configured on our server for the free risk analysis?
You must enable the audit log (P4AUDIT) or use the structured audit logs. Which of the two you choose depends on your system environment and the log rotation process that’s already in place.
 
Does the system actually stop what it considers to be anomalous behavior or just report it?  
The short answer is that the system tells you early enough that you can take action before much data has been accessed. Helix Threat Detection provides a reporting mechanism that identifies anomalous behavior that may indicate high-risk threats. A REST API is available so that it’s possible to write code triggers to take actions based on the detection of anomalous behavior. 
 
Is Helix Threat Detection part of the Helix Versioning Engine or is it licensed separately?
Helix Threat Detection is licensed separately. It runs on different hardware. Perforce provides a software connector that collects your audit log data and feeds it into an analytics engine. Please contact a Perforce account representative for more information about Helix Threat Detection or to discuss pricing options.
 
We are rolling logs every 15 minutes. Can we use offline files?
Yes. You can keep rotating the audit logs on your current schedule; the rotated (offline) files are what get ingested into the analytics engine.
 
We have designers and developers who are geographically dispersed throughout the world, each working on a different part of the project. How do we restrict access to files to specific individuals in order to prevent IP theft?
Perforce provides very granular file-level permissions to ensure users have access only to the assets that are relevant to the work they’re doing. Access controls can be applied to a repository, branch, directory or individual file. IP-address-specific access control rules can further restrict access to users connecting from particular geographical regions or authorized locations. Perforce isn’t like some open-source-style SCMs that clone the whole repository and distribute it. Once access control has been established via the protections table, the audit logs can be analyzed against it.
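As an added illustration of host-restricted rules (not p4d’s own implementation), the following model parses a constructed protections table in the documented five-column shape (access, user|group, name, host, path) and answers “what level does this user get on this path from this IP?” It deliberately simplifies the real semantics: later matching lines override earlier ones, a leading `-` on the path revokes all access for the match, groups and the `=` access forms are not modeled, and the table itself is made up for the example.

```python
"""Simplified model of a Perforce protections table with host (IP) restricted lines.

Added illustration: it follows the documented five-column line shape and the
idea that later lines override earlier ones, but it is NOT p4d's implementation.
Groups, '=read'-style lines and proxy- hosts are left out, and an exclusion
line simply drops the match to no access. Consult the p4 protect documentation
for the exact rules before relying on a real table.
"""
import ipaddress
import re

LEVELS = ["none", "list", "read", "open", "write", "admin", "super"]

# Constructed example table (not from any real server).
PROTECTIONS = """\
list user * * //depot/...
write user * 10.1.0.0/16 //depot/shared/...
write user alice 10.1.0.0/16 //depot/payments/...
read user bob 10.1.0.0/16 //depot/payments/...
write user carol * //depot/webapp/...
list user * * -//depot/hr-tools/...
write user hr-admin 10.1.50.0/24 //depot/hr-tools/...
"""

LINE_RE = re.compile(
    r"^(?P<access>\w+)\s+(?P<kind>user|group)\s+(?P<name>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)


def parse_protections(text):
    """Turn the table text into a list of rule dicts, in table order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"bad protections line: {line!r}")
        if m["access"] not in LEVELS:
            raise ValueError(f"unknown access level: {m['access']!r}")
        path = m["path"]
        rules.append({"access": m["access"], "name": m["name"], "host": m["host"],
                      "path": path.lstrip("-"), "exclude": path.startswith("-")})
    return rules


def host_matches(rule_host, ip):
    """'*' matches any client; otherwise treat the host column as an IP or CIDR."""
    if rule_host == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule_host, strict=False)


def path_matches(pattern, path):
    """Perforce wildcards: '...' spans directories, '*' stays within one component."""
    regex = re.escape(pattern).replace(r"\.\.\.", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def effective_level(rules, user, ip, path):
    """Walk the table top to bottom; the last matching line decides (simplified)."""
    level = "none"
    for r in rules:
        if r["name"] not in ("*", user):
            continue
        if not host_matches(r["host"], ip) or not path_matches(r["path"], path):
            continue
        level = "none" if r["exclude"] else r["access"]
    return level


def is_allowed(rules, user, ip, path, wanted):
    """True if the effective level is at least the requested one."""
    return LEVELS.index(effective_level(rules, user, ip, path)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    rules = parse_protections(PROTECTIONS)
    for user, ip, path in [("alice", "10.1.2.3", "//depot/payments/src/Ledger.java"),
                           ("alice", "203.0.113.7", "//depot/payments/src/Ledger.java"),
                           ("hr-admin", "10.1.2.9", "//depot/hr-tools/src/Payroll.java")]:
        print(user, ip, path, "->", effective_level(rules, user, ip, path))
```

The interesting cases are the ones the question is about: alice gets write on the payments project only from the 10.1.0.0/16 range and drops to list-only from outside it, and hr-tools is invisible to everyone except hr-admin connecting from its dedicated subnet. Because the audit log records the client IP alongside user and file, the same host information that drives the protections table is what the analytics later see.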
 
Are the Helix Threat Detection security features tied to a specific Perforce instance, or can they cover numerous Perforce instances?
Whether you have a single P4D instance, multiple instances, or a federated model of commit and edge servers, all of the audit log information feeds into a single analytics engine. You get a comprehensive view of everything.
 
To learn more, watch the on-demand version of the webinar.