Combating Insider Threats – Protecting Your Agency from the Inside Out
Transcript of Combating Insider Threats – Protecting Your Agency from the Inside Out
![Page 1: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/1.jpg)
Company Confidential - © 2015 Lancope, Inc. All rights reserved.
The Insider Threat: Protecting Your Organization from the Inside Out
Andrew Wild, Chief Information Security Officer
![Page 2: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/2.jpg)
Who am I?
• Information security professional
• Background in network engineering
• U.S. Army veteran
![Page 3: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/3.jpg)
Evolution of Cyber Conflict

Attacks:
• Manual Attacks (1980s): War Dialing, Phone Phreaking …
• Mechanized Attacks (1988): Viruses, Worms …
• Talented Human / Mechanized Attackers (2009): Google, RSA …
• DIY Human / Mechanized Attackers (2011): Target, Neiman Marcus …

Defenses:
• Manual Defenses: Unplug
• Mechanized Defenses: Firewall, IDS/IPS
• Targeted Human/Mechanized Defenders: Reputation, App-aware Firewall
• Intelligence Driven Human Defenders
![Page 4: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/4.jpg)
Today’s Threat Landscape
Despite $32 billion spent on conventional tools, threats continue to evade detection…
…data breaches continue
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
![Page 5: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/5.jpg)
Sobering Statistics
http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
![Page 6: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/6.jpg)
http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
![Page 7: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/7.jpg)
![Page 8: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/8.jpg)
![Page 9: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/9.jpg)
![Page 10: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/10.jpg)
![Page 11: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/11.jpg)
![Page 12: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/12.jpg)
![Page 13: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/13.jpg)
http://espn.go.com/mlb/story/_/id/14531169/christopher-correa-former-st-louis-cardinals-executive-pleads-guilty-hacking-houston-astros-database
![Page 14: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/14.jpg)
CISO Thoughts on Another Breach in the News
• Not another one….
• Is my organization prepared?
  – Could we detect this event?
  – Would we do better or worse than the latest victim?
  – Asset Management
    • Do we know what we have?
  – Access Control
    • Privileged credential management and monitoring
    • Egress filtering and monitoring
    • Network segmentation
  – Detection
    • How mature are our capabilities?
    • Do we have pervasive visibility across our entire environment?
  – Incident Response
    • Are we prepared to manage an incident like this?
• What can we learn from this recent breach?
![Page 15: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/15.jpg)
Today Top Threats Still Get Through
• 243 days before attackers were discovered
• 621 incidents and over 44 million compromised records
• $3.03M is the avg. lost business cost of a breach in the US

[Figure: conventional perimeter controls (FW, IPS, IDS) that these threats pass through]
![Page 16: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/16.jpg)
What/Who is an Insider?
• Employees
• Contractors
• Partners
![Page 17: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/17.jpg)
![Page 18: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/18.jpg)
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
![Page 19: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/19.jpg)
http://www.bbc.com/news/world-us-canada-23123964
![Page 20: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/20.jpg)
http://money.cnn.com/2015/10/07/media/matthew-keys-convicted-los-angeles-times/
![Page 21: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/21.jpg)
Why are Insider Threats on the Rise?
![Page 22: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/22.jpg)
What are the Top Types of Insider Threats?
![Page 23: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/23.jpg)
Forrester Research: https://www.forrester.com/Understand The State Of Data Security And Privacy 2013 To 2014/fulltext/-/E-RES82021
![Page 24: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/24.jpg)
https://www.clearswift.com/about-us/pr/press-releases/new-research-reveals-more-third-employees-willing-sell-private-company-data-and-proprietary
![Page 25: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/25.jpg)
https://www.clearswift.com/about-us/pr/press-releases/new-research-reveals-more-third-employees-willing-sell-private-company-data-and-proprietary
![Page 26: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/26.jpg)
http://www.verizonenterprise.com/DBIR/
![Page 27: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/27.jpg)
![Page 28: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/28.jpg)
![Page 29: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/29.jpg)
![Page 30: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/30.jpg)
5 Steps to Manage the Insider Threat
• Create a strong insider policy
• Improve awareness
• Strong hiring processes with screening
• Rigorous subcontracting and third-party risk management
• Monitor employees
![Page 31: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/31.jpg)
![Page 32: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/32.jpg)
![Page 33: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/33.jpg)
We Have to Change the Game!
![Page 34: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/34.jpg)
Changing the Game
• Defenders need to find hundreds of vulnerabilities and fix them all, while the attackers only need to find one.
• Attackers need to complete a series of operations without being detected, while the defenders only need to detect them in one.
![Page 35: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/35.jpg)
Phases of the Attack Continuum (chain): Infiltration → Series of Operations → Exfiltration
![Page 36: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/36.jpg)
Lancope’s Continuous Response Loop
• Monitor
• Detect
• Analyze
• Respond
![Page 37: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/37.jpg)
Continuous Response along the Attack Continuum

Infiltration → Series of Operations → Exfiltration

Raising the cost to adversaries through Continuous Response: the Monitor → Detect → Analyze → Respond loop is repeated at each step of the attack chain (the figure shows the loop applied six times across the continuum).
![Page 38: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/38.jpg)
Detection Methodology
• Signature = Inspect the object against a blacklist
  – IPS, Antivirus, Content Filter
• Behavioral = Inspect victim behavior against a blacklist
  – Malware Sandbox, NBAD, HIPS, SIEM
• Anomaly = Inspect victim behavior against a whitelist
  – NBAD, Quantity/Metric-based, not signature-based

|                  | Signature | Behavioral | Anomaly |
|------------------|-----------|------------|---------|
| Known Exploits   | BEST      | Good       | Limited |
| 0-day Exploits   | Limited   | BEST       | Good    |
| Credential Abuse | Limited   | Limited    | BEST    |
![Page 39: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/39.jpg)
Network As A Sensor (NaaS): Internal Visibility from Edge to Access

[Diagram: sites Atlanta, New York and San Jose connected over the WAN (3925 ISR, ASR-1000) to a datacenter (Nexus 7000, UCS with Nexus 1000v, VPC servers) and to campus core and access layers (Cat6k, Cat4k, 3560-X, 3850 stacks), with an ASA at the Internet edge. Visibility sources: Edge, WAN, Firewall, IPS, Proxy, Core, Distribution, Access, UCS, ISE, Reputation.]
![Page 40: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/40.jpg)
Flow – The Network Phone Bill

Flow cache key: Destination IP, Origin IP, Destination Port, Origin Port, L3 Protocol, DSCP
Flow info per entry: Packets, Bytes/Packet (e.g. 11000 packets, 1528 bytes/packet)

Analogy: a flow record is to network traffic what a monthly telephone statement is to calls. It records who talked to whom, when, and how much, without recording the content.
![Page 41: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/41.jpg)
Network As A Sensor (NaaS)
![Page 42: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/42.jpg)
Behavioral Detection Model

As flows are collected, behavioral algorithms are applied to build “Security Events”. Each Security Event adds points to an alarm category, which allows easy summarization and a higher degree of confidence about the type of activity detected.

Detect Behavioral Change → Security Events (94+) → Alarm Category → Response

Security Events (94+): Addr_Scan, Bad_Flag, Beaconing Host, Bot Infected Host – Successful, Brute Force Login, Fake Application, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Quiet Long Flow, Suspect Data Loss, SYN Flood, UDP Received … (+255 custom defined events)

Alarm Categories: Recon, C&C, Exploitation, Data Hoarding, Exfiltration, Policy Violation, DDoS Target

Response: Alarm Table, Host Snapshot, Email, Syslog/SIEM, Mitigation
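The detection methodology table rates anomaly detection "BEST" for credential abuse because a valid account used by an insider matches no signature; only a deviation from the host's own norm gives it away. The following is an added example (not Lancope's code) of how flow records shaped like the "network phone bill" tuple can be turned into Security Events that add points to an alarm category, as the behavioral detection model above describes. The flows, baselines, point values and thresholds are constructed assumptions; the event names (Addr_Scan, Max Flows Initiated, Suspect Data Loss) and categories (Recon, Exfiltration) are taken from the slide.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One flow-cache entry, keyed like the 'network phone bill' slide."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    byte_count: int


# Constructed sample flows (assumption, not real telemetry):
#  10.1.1.20  ordinary workstation, one HTTPS session
#  10.1.1.50  sweeps SMB across a /24 (Addr_Scan, Max Flows Initiated)
#  10.1.1.77  pushes ~4 GB outbound, far above its baseline (Suspect Data Loss)
SAMPLE_FLOWS: List[Flow] = (
    [Flow("10.1.1.20", "10.2.0.5", 443, "tcp", 120, 60_000)]
    + [Flow("10.1.1.50", f"10.3.9.{i}", 445, "tcp", 1, 60) for i in range(1, 41)]
    + [Flow("10.1.1.77", "203.0.113.9", 443, "tcp", 40_000, 4_000_000_000)]
)

# Per-host outbound-bytes baseline learned from an earlier window (constructed).
BASELINE_OUT_BYTES: Dict[str, int] = {
    "10.1.1.20": 80_000,
    "10.1.1.50": 50_000,
    "10.1.1.77": 50_000_000,
}

# Each security event adds points to one alarm category. Point values and
# thresholds are assumptions chosen for this example.
EVENT_POINTS: Dict[str, Tuple[str, int]] = {
    "Addr_Scan": ("Recon", 40),
    "Max Flows Initiated": ("Recon", 20),
    "Suspect Data Loss": ("Exfiltration", 60),
}
SCAN_MIN_DISTINCT_DSTS = 25   # anomaly: many more peers than a host normally has
MAX_FLOWS_INITIATED = 30      # anomaly: flow count above the host's norm
DATA_LOSS_MULTIPLIER = 10     # anomaly: outbound bytes vs. the learned baseline
ALARM_THRESHOLD = 50


def security_events(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Derive (host, event) pairs by comparing behavior against learned norms."""
    peers = defaultdict(set)
    initiated = defaultdict(int)
    out_bytes = defaultdict(int)
    for f in flows:
        peers[f.src].add(f.dst)
        initiated[f.src] += 1
        out_bytes[f.src] += f.byte_count

    events: List[Tuple[str, str]] = []
    for host in sorted(peers):
        if len(peers[host]) >= SCAN_MIN_DISTINCT_DSTS:
            events.append((host, "Addr_Scan"))
        if initiated[host] >= MAX_FLOWS_INITIATED:
            events.append((host, "Max Flows Initiated"))
        base = BASELINE_OUT_BYTES.get(host)
        if base and out_bytes[host] > base * DATA_LOSS_MULTIPLIER:
            events.append((host, "Suspect Data Loss"))
    return events


def alarm_categories(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum event points per host into alarm categories (Recon, Exfiltration, ...)."""
    scores: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for host, event in security_events(flows):
        category, points = EVENT_POINTS[event]
        scores[host][category] += points
    return {h: dict(c) for h, c in scores.items()}


def alarms(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Hosts whose category score reaches the alarm threshold."""
    return sorted(
        (host, cat, score)
        for host, cats in alarm_categories(flows).items()
        for cat, score in cats.items()
        if score >= ALARM_THRESHOLD
    )


if __name__ == "__main__":
    for host, event in security_events(SAMPLE_FLOWS):
        print(f"event  {host:<12} {event}")
    for host, cat, score in alarms(SAMPLE_FLOWS):
        print(f"ALARM  {host:<12} {cat} (score {score})")
```

Note that the scanning host trips two lower-value Recon events and only crosses the alarm threshold once they are summed, which is the point of scoring into a category rather than alerting on each event; the exfiltrating host is caught purely by comparison with its own baseline, with no signature involved.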
![Page 43: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/43.jpg)
Behavioral Detection Model (continued)

Continuous Network Monitoring
• 100% LAN accountability
• 90+ days flow storage on average
• 365+ days summary data stored
• Profile over 1M internal hosts

Apply Network Segmentation: the network is your sensor. Build logical boundaries:
• Outside – Internet: Geo Location, Business Partners, Cloud Providers, Social Media
• Inside – Internal: Location (Site, Branch), Datacenter, Function (Application), Business Unit, Sensitivity (Compliance)

Command & Control
• New Malware Families
• Point-of-Sale malware
• Banking malware
• Keylogger, Exfil data
• DDoS
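The logical boundaries above only produce alarms once there is a policy saying which boundaries may talk to which. The following is an added example (not Lancope's code) of the Policy Violation check that segmentation enables on flow records: hosts are classified into groups by site, datacenter function and compliance sensitivity, a whitelist of permitted group-to-group ports is applied, and any internal flow outside that whitelist is reported. Group names, CIDR ranges, the policy matrix and the sample flows are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Logical boundaries built along the slide's dimensions (site, datacenter
# function, compliance sensitivity, business partners). CIDRs are assumptions.
HOST_GROUPS: Dict[str, List[str]] = {
    "Branch-Atlanta Users": ["10.10.0.0/16"],
    "Branch-NewYork Users": ["10.20.0.0/16"],
    "DC Web Tier": ["10.100.1.0/24"],
    "DC PCI Database": ["10.100.9.0/24"],
    "Business Partners": ["198.51.100.0/24"],
}
_NETS = [(name, ipaddress.ip_network(cidr))
         for name, cidrs in HOST_GROUPS.items() for cidr in cidrs]

# Whitelist of permitted (source group, destination group) -> destination ports.
# Any flow between classified groups that is not listed is a Policy Violation.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("Branch-Atlanta Users", "DC Web Tier"): {443},
    ("Branch-NewYork Users", "DC Web Tier"): {443},
    ("DC Web Tier", "DC PCI Database"): {5432},
    ("Business Partners", "DC Web Tier"): {443},
}

FlowTuple = Tuple[str, str, int]  # (source ip, destination ip, destination port)


def group_of(ip: str) -> Optional[str]:
    """Map an address to its logical boundary; None means Outside/Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr in net:
            return name
    return None


def check_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Return a violation description, or None when the flow is permitted."""
    src_group, dst_group = group_of(src), group_of(dst)
    if dst_group is None:
        return None  # Internet-bound: left to egress/exfiltration checks
    if src_group is None:
        return f"unclassified source {src} reached {dst_group}:{dport}"
    if dport in ALLOWED.get((src_group, dst_group), set()):
        return None
    return f"{src_group} -> {dst_group}:{dport} not permitted"


def policy_violations(flows: List[FlowTuple]) -> List[Tuple[str, str, int, str]]:
    """Run every flow through the boundary policy and keep the violations."""
    found = []
    for src, dst, dport in flows:
        reason = check_flow(src, dst, dport)
        if reason is not None:
            found.append((src, dst, dport, reason))
    return found


# Constructed sample flows (assumption, not captured telemetry).
SAMPLE_FLOWS: List[FlowTuple] = [
    ("10.10.4.7", "10.100.1.10", 443),     # Atlanta user -> web tier: allowed
    ("10.100.1.10", "10.100.9.5", 5432),   # web tier -> PCI database: allowed
    ("10.10.4.7", "10.100.9.5", 5432),     # user straight to PCI database: violation
    ("198.51.100.20", "10.100.9.5", 22),   # partner SSH into PCI zone: violation
    ("10.20.3.3", "203.0.113.9", 443),     # New York user -> Internet: out of scope here
]

if __name__ == "__main__":
    for src, dst, dport, reason in policy_violations(SAMPLE_FLOWS):
        print(f"Policy Violation: {src} -> {dst}:{dport} ({reason})")
```

The check is a whitelist, so a new internal server that nobody has classified shows up as "unclassified source" rather than silently passing; that is usually the first thing such a policy finds when it is switched on, and it doubles as the asset-management question from the CISO slide ("do we know what we have?").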
![Page 44: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/44.jpg)
Context-Aware Security

What is Context-Aware Security? The use of situational information (e.g. identity, location, time of day or type of endpoint device) to operationalize security and improve information security decisions.
![Page 45: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/45.jpg)
Breaking Down the Boundaries
![Page 46: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/46.jpg)
Conclusion
• Data breaches are continuing, and growing in size
• Shortage of IT security experts, and the need for talent is growing. Automation is the way forward.
• Cybersecurity is a knowledge-based game
• Use your network as a sensor
• Context-aware security analytics can improve detection and accelerate response through a Continuous Response Loop: Monitor, Detect, Analyze, Respond (repeat)
![Page 47: Combating Insider Threats – Protecting Your Agency from the Inside Out](https://reader035.fdocuments.net/reader035/viewer/2022070516/5870be9b1a28ab0b4a8b695d/html5/thumbnails/47.jpg)
Thank you! Andrew Wild, Lancope