The Case of the 'Disgruntled' Tesla Insider

By John Boatman, June 25, 2018

Tesla CEO Elon Musk claims that at least one employee stole sensitive intellectual property and sabotaged existing operations at the electric car-maker’s battery plant in Nevada, which would constitute a major insider threat event.

While many details are still unknown, Musk called the employee “disgruntled” and said the “stated motivation is that he wanted a promotion that he did not receive.” It was also suggested that there may be more than one insider involved.

The employee, a technician at Tesla’s Gigafactory, has reportedly been sued by the company and admits to at least some of the allegations — although he views himself as a whistleblower revealing “lies [Musk] told to the public and investors.”

Whatever clarifying information may emerge in the coming weeks, the initial allegations represent one of the more nightmarish scenarios a company’s security team and leadership could ever face. In essence it’s a hybrid insider threat event, and a significantly damaging one at that. But was it preventable?

Musk’s June 17 email to employees describes some of the specific actions the insider is said to have taken, such as “making direct code changes to the Tesla Manufacturing Operating System under false usernames” and “exporting large amounts of highly sensitive Tesla data to unknown third parties” (including confidential photos and video of Tesla’s manufacturing systems, plus other trade secrets).

At least some of the activity underlying these misdeeds was likely detected by the company’s network security systems, but were the corresponding alerts turned into actionable intelligence in a timely manner? Apparently not. Perhaps they were drowned out by numerous other alerts, the majority of them likely false positives. Or perhaps Tesla’s security team was distracted by another event, or understaffed.

Either way, by the time those alerts were triaged, prioritized, investigated and acted upon, the damage to Tesla was already done.

But it’s also true that no matter how stealthily the employee moved or how well he may have covered his tracks, many of the behaviors preceding each malicious act were in fact discoverable — not through network data alone, of course, but certainly through a more advanced user behavior analytics (UBA) solution with the ability to conduct threat hunting.

With access to a broader array of non-network information sources, such as incident reports, employee complaints, supervisor evaluations or other HR records, plus access badge and printer data, many of these behaviors would have been known in advance of the malicious acts once they were analyzed by a UBA solution like Haystax Technology’s Constellation for Insider Threat.

One of the unique features of Constellation is that it takes a ‘whole-person’ approach to assessing risk, using a 700-node probabilistic model of human behavior to continuously analyze employee actions and prioritize those individuals most likely to harm an organization through malice, negligence or even inadvertence. Constellation connects to a wide variety of network and non-network data sources, and uses machine learning and other artificial intelligence techniques to augment the data so that it can be applied as evidence to the model.

A telling indicator of insider risk at Tesla can be found in Musk’s statement that the Gigafactory technician was “disruptive and combative” in the workplace, and even tried to persuade his colleagues to join his scheme. Several Constellation model nodes would have reflected this adverse behavior, alerting security analysts to the growing issues of concern around the employee and his diminishing trustworthiness.

Likewise, being passed over for a promotion is crucial evidence for another key risk indicator in the model. In fact, “disgruntlement” is one of the top-level concepts that negatively impacts employee trustworthiness.
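A toy version of the evidence fusion described above, added here as an illustration and not Haystax’s Constellation model or its parameters: each indicator the post names (passed-over promotion, combative conduct, recruiting colleagues, badge data, a large export, code changes under a false username) is treated as evidence with an assumed likelihood ratio, and an employee’s risk score is updated as HR, badge and network events arrive, so the non-network evidence alone already lifts the score before any exfiltration alert. The indicator names, ratios, prior and sample events are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed likelihood ratios (assumptions, not Constellation's parameters): how many
# times more often each indicator occurs for a malicious insider than for a typical one.
LIKELIHOOD_RATIO = {
    "passed_over_for_promotion": 3.0,      # HR record
    "combative_conduct_report": 4.0,       # supervisor evaluation / incident report
    "recruited_colleagues": 8.0,           # incident report
    "after_hours_badge_access": 2.0,       # access badge data
    "large_data_export": 6.0,              # network / DLP alert
    "code_change_under_false_user": 10.0,  # manufacturing system audit log
}
PRIOR_RISK = 0.01  # assumed base rate of malicious insiders

def posterior_risk(indicators, prior=PRIOR_RISK):
    """Naive-Bayes fusion: prior odds times each distinct indicator's likelihood
    ratio (indicators assumed independent; a repeated indicator counts once)."""
    log_odds = math.log(prior / (1.0 - prior))
    for ind in set(indicators):
        log_odds += math.log(LIKELIHOOD_RATIO[ind])
    return 1.0 / (1.0 + math.exp(-log_odds))

def risk_timeline(events, employee):
    """Score after each of one employee's events, in order, so an analyst can see
    how early the score crossed a review threshold (before any network alert)."""
    seen, timeline = [], []
    for emp, ind in events:
        if emp == employee:
            seen.append(ind)
            timeline.append((ind, round(posterior_risk(seen), 3)))
    return timeline

def rank_employees(events):
    """Prioritize individuals by fused risk, highest first: (score, employee)."""
    per_emp = defaultdict(list)
    for emp, ind in events:
        per_emp[emp].append(ind)
    return sorted(((posterior_risk(v), e) for e, v in per_emp.items()), reverse=True)

# Constructed sample events in chronological order; employee names are fictional.
EVENTS = [
    ("tech_a", "passed_over_for_promotion"),
    ("tech_b", "passed_over_for_promotion"),
    ("tech_a", "combative_conduct_report"),
    ("tech_a", "recruited_colleagues"),
    ("tech_a", "after_hours_badge_access"),
    ("tech_a", "large_data_export"),           # first network-side signal
    ("tech_a", "code_change_under_false_user"),
]
```

With these assumed ratios the technician’s score passes 0.49 on HR and incident-report evidence alone and 0.66 once badge data is added, before the first network alert; a colleague who was merely passed over stays under 0.03.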

Had Constellation been deployed at Tesla, users would have been alerted to the employee’s bad behavior early enough to have paid closer attention, or even placed him on a watch list, so that by the time the data exfiltration or code changes were detected the security team could have acted immediately to avert a larger crisis.

As any security leader will tell you, an ounce of risk prevention beats a pound of post-event response every time.

#  #  #

Note: For a use case that’s eerily similar to the Tesla incident, please see the first report in our Haystax Insights Series: To Catch an IP Thief. It describes how Constellation for Insider Threat discovers a disgruntled employee who steals IP from a large company after being passed over for a promotion — but before he walks out the door with a thumb drive.