It's a nightmare scenario for any enterprise: An employee, a trusted insider, steals the company's most sensitive data, its trade secrets. For Societe Generale, the nightmare may have become a reality after the bank discovered that proprietary code used in its high-frequency trading system was apparently stolen. A former trader who worked in the bank's New York office allegedly pilfered the code last year before quitting.
Samarth Agrawal was arrested April 19 on one count of
Societe Generale, authorities said, had spent millions of dollars developing its computer system for sophisticated, high-speed trading on various security markets. Fortunately, the bank caught the apparent theft, but security experts said it appears that key controls to prevent theft of trade secrets and intellectual property either failed or were missing.
"If the guy wasn't so clumsy and obvious, he probably would have gotten away with it," said Jonathan Gossels, president and CEO of Sudbury, Mass.-based security consulting firm SystemExperts Corp.
The Societe Generale case comes just eight months after a similar theft of trade secrets. In that case, a computer programmer was accused of stealing code belonging to the proprietary trading system of his former employer, which was widely reported as The Goldman Sachs Group Inc.
Access controls and user provisioning
According to prosecutors, Societe Generale took many steps to protect its proprietary code, including limiting access only to employees who need it for their work, monitoring its systems and restricting electronic transfers outside the systems. In an email statement, Societe Generale said it "vigorously protects" its proprietary information and intellectual property.
However, security experts wondered why a trader would need access to code in the first place. "Why would anyone except a programmer have access to the program's code?" asked Jodi Pratt, principal consultant at Jodi Pratt and Associates, an Aptos, Calif.-based consulting firm that specializes in fraud and operating risk management for the financial services industry.
While some traders do custom programming, that didn't appear to be the case with the suspect in the Societe Generale case, Gossels said. "Most people shouldn't be touching the source code," he added.
Moreover, the way the alleged thief got hold of code he wasn't authorized to access indicates a lack of proper provisioning, Pratt said. "Usually in financial institutions, access is strictly provisioned by the role you serve and your individual user ID," she said.
If Societe Generale had appropriate access controls in place, the suspect wouldn't have been able to see the code he wasn't authorized to see, Gossels said.
Protecting trade secrets
Intellectual property like proprietary computer code is perfectly suited for the protection provided by data loss prevention (DLP) tools, Gossels said.
"It's hard to deploy DLP tools enterprise-wide. They're expensive with ongoing costs," he said. "But when you've got this very targeted and isolated environment, that's when you lock it up [with DLP], implement fine-grained access controls and make sure you're monitoring and logging access."
A DLP tool, he added, can restrict what a user can do with data he's authorized to access, including preventing the data from being copied into Word files.
A system that monitors internal behavior and tracks suspicious employee activity would have detected the suspect's Saturday office visit, assuming Saturday wasn't his normal workday, Pratt said. Internal fraud detection systems, like those offered by Memento Inc., look for unusual behavior such as employees accessing network resources from computers that aren't their assigned workstations or during off hours.
"You can identify if someone is in a place they shouldn't be," Pratt said.
Gossels notes, though, that Societe Generale did catch the apparent theft of trade secrets and has forensic evidence to track the suspect's steps: "Clearly they had good logs in place."
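The behavioral checks Pratt describes (access during off hours, or from a computer that isn't the user's assigned workstation) can be run over the kind of access logs Gossels mentions. The following is an added example, not code from the article or from any product it names; the log format, user names, hosts, schedules and repository paths are all constructed assumptions.

```python
from datetime import datetime

# Constructed per-user baseline: assigned workstation and normal schedule.
# Days use datetime.weekday() numbering (0 = Monday ... 6 = Sunday).
BASELINE = {
    "trader01": {"host": "ws-114", "days": {0, 1, 2, 3, 4}, "hours": (7, 19)},
    "dev07": {"host": "ws-201", "days": {0, 1, 2, 3, 4, 5}, "hours": (8, 20)},
}

# Constructed access log: timestamp, user, source host, resource.
SAMPLE_LOG = """\
2024-03-14T10:02:11 trader01 ws-114 /repo/trading/pricing
2024-03-16T11:47:03 trader01 ws-114 /repo/trading/engine
2024-03-16T12:05:40 dev07 ws-201 /repo/trading/engine
2024-03-18T09:15:00 dev07 ws-350 /repo/trading/engine
2024-03-18T22:30:09 trader01 ws-350 /repo/trading/engine
2024-03-18T10:00:00 temp99 ws-114 /repo/trading/engine
"""

def parse_line(line):
    ts, user, host, resource = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "host": host, "resource": resource}

def reasons(event, baseline=BASELINE):
    """Return the list of reasons an access event deviates from the baseline."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no_baseline"]  # unknown account: cannot be judged normal
    found = []
    start, end = profile["hours"]
    t = event["time"]
    # Saturday is only suspicious if it is not that user's normal workday.
    if t.weekday() not in profile["days"] or not (start <= t.hour < end):
        found.append("off_hours")
    if event["host"] != profile["host"]:
        found.append("unassigned_host")
    return found

def detect(log_text, baseline=BASELINE):
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        why = reasons(event, baseline)
        if why:
            alerts.append((event["time"].isoformat(), event["user"], event["host"], why))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The Saturday access by dev07 is not flagged because Saturday is in that user's baseline, while the same day is flagged for trader01.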