A Field Guide to Insider Threat Helps Manage the Risk
SESSION ID: HUM-T10R
#RSAC
Tim Casey
Senior Strategic Risk Analyst
Intel Corp.
How do you think of insider threat?
The problem is becoming more complex
Logos and trademarks are the property of their respective owners
The Field Guide to Insider Threat
Attack types: Accidental leak, Espionage, Financial fraud, Misuse, Opportunistic data theft, Physical theft, Product alteration, Sabotage, Violence
Threat agents: Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State
Characterizing Insider Threat
Definitions
Insider Threat is the potential for a current or former employee, contractor, or business partner to accidentally or maliciously misuse their trusted access to harm the organization’s employees and customers, assets, or reputation.
A Threat Agent is a representative class of people who can harm an organization, intentionally or accidentally, and who are identified by their unique characteristics and behaviors.
Insider Threat Agents
Non-Hostile: Reckless Insider, Outward Sympathizer, Untrained/Distracted Insider
Hostile/Non-Hostile: Partner, Supplier
Hostile: Activist, Competitor, Disgruntled Insider, Irrational Individual, Nation State, Organized Crime, Terrorist, Thief
Attack Types
Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence
Attack Types
IP & Data Loss
Ooops
Ongoing, targeted IP extraction
Exiting employees
Accidental leak
Espionage
Financial fraud
Misuse
Opportunistic data theft
Physical theft
Product alteration
Sabotage
Violence
Threat-Consequence Vector Matrix
Analysis by Intel’s Threat Agent Analysis Group
Intent: Non-Hostile | Non-Hostile/Hostile | Hostile
Threat agents (columns): Reckless Insider, Untrained/Distracted Insider, Outward Sympathizer, Vendor, Partner, Irrational Individual, Thief, Disgruntled Insider, Activist, Terrorist, Organized Crime, Competitor, Nation State
Attack Type
Accidental leak X X X X X X X
Espionage X X X X X X X X
Financial fraud X X X X X
Misuse X X X X X X X X
Opportunistic data theft X X X X X X X X
Physical theft X X X X X X
Product alteration X X X X X X X X X
Sabotage X X X X X X
Violence X X X
Applying the Field Guide
Demonstrate the scope of the problem
[Figure: Threat-Consequence Vector Matrix]
60 separate Insider Threat vectors. Are you prepared for all of them?
Prioritizing Protection to Optimize Resources
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opport. data theft
• Physical theft
• Product alteration
• Sabotage
• Violence
[Figure: Threat-Consequence Vector Matrix]
Food Manufacturer (example)
Prioritizing Protection to Optimize Resources
[Figure: Threat-Consequence Vector Matrix]
Food Manufacturer (example)
• Accidental leak
• Espionage
• Financial fraud
• Misuse
• Opport. data theft
• Physical theft
• Violence
• Product alteration
• Sabotage
Minimize the Threat
[Figure: Threat-Consequence Vector Matrix]
Provide context for your data
[Figure: Threat-Consequence Vector Matrix]
Example incidents
2-day factory downtime
Lost market lead in key product
$15M in lawsuits
3% annual shrinkage
Customize for your threat landscape
The model is open-ended and you can extend & tailor it to your environment
How the Guide Can Help You
Having a Field Guide helps you manage risk by:
Establishing a common framework and language for managing insider threat throughout the organization and community
Prioritizing threats and optimizing the use of limited resources
Identifying threats for mitigation
A framework to describe and manage your unique threat landscape
Applying the Field Guide in Your Organization
Short term
• Share the Guide with key stakeholders to inform them of the problem scope and enlist them in your team
• Assess your particular threats and controls against the Field Guide to ensure you are managing your most dangerous insider risks
Medium term
• Modify the model to reflect your situation and priorities
Long term
• Use the Guide to regularly re-assess your overall insider threat landscape
Resources
Intel Field Guide to Insider Threat: http://ow.ly/CLux308vUbP
Intel Threat Agent Analysis: https://communities.intel.com/docs/DOC-23914 https://communities.intel.com/docs/DOC-1151
Improving Healthcare Risk Assessments to Maximize Security Budgets (how to tailor the model for your environment): http://ow.ly/1W2H308vUfx
CERT Insider Threat Center: https://www.cert.org/insider-threat
We actively engage with fellow travelers utilizing Threat Agent Analysis related to:
Threat Assessments
Supplier Management and Supply Chain Risk
Tools and Visualization
Questions?