Combating Insider Threats – Protecting Your Agency from the Inside Out

Transcript of Combating Insider Threats – Protecting Your Agency from the Inside Out

Page 1: Combating Insider Threats – Protecting Your Agency from the Inside Out

Company Confidential - © 2015 Lancope, Inc. All rights reserved.

Andrew Wild

The Insider Threat: Protecting Your Organization from the Inside Out

Chief Information Security Officer

Page 2

Who am I?
• Information security professional
• Background in network engineering
• U.S. Army veteran

Page 3

Evolution of Cyber Conflict

Attackers:
• Manual Attacks (1980s): War Dialing, Phone Phreaking …
• Mechanized Attacks (1988): Viruses, Worms …
• Talented Human / Mechanized Attackers (2009): Google, RSA …
• DIY Human / Mechanized Attackers (2011): Target, Neiman Marcus …

Defenders:
• Manual Defenses: Unplug
• Mechanized Defenses: Firewall, IDS/IPS
• Targeted Human/Mechanized Defenders: Reputation, App-aware Firewall
• Intelligence Driven Human Defenders

Page 4

Today’s Threat Landscape

Despite $32 billion spent on conventional tools, threats continue to evade detection … and data breaches continue.

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 5

Sobering Statistics

http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf

Page 6

http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf

Page 13

http://espn.go.com/mlb/story/_/id/14531169/christopher-correa-former-st-louis-cardinals-executive-pleads-guilty-hacking-houston-astros-database

Page 14

CISO Thoughts on Another Breach in the News
• Not another one….
• Is my organization prepared?
  – Could we detect this event?
  – Would we do better or worse than the latest victim?
  – Asset Management
    • Do we know what we have?
  – Access Control
    • Privileged Credential Management/Monitoring
    • Egress filtering & monitoring
    • Network segmentation
  – Detection
    • How mature are our capabilities?
    • Do we have pervasive visibility across our entire environment?
  – Incident Response
    • Are we prepared to manage an incident like this?
• What can we learn from this recent breach?

Page 15

Today Top Threats Still Get Through

• 243 days before attackers were discovered
• 621 incidents & over 44 million compromised records
• $3.03M is the avg. lost business cost of a breach in the US

(Diagram: conventional controls shown as FW, IPS, IDS)

Page 16

What/Who is an Insider?
• Employees
• Contractors
• Partners

Page 18

http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

Page 19

http://www.bbc.com/news/world-us-canada-23123964

Page 20

http://money.cnn.com/2015/10/07/media/matthew-keys-convicted-los-angeles-times/

Page 21

Why are Insider Threats on the Rise?

Page 22

What are the Top Types of Insider Threats?

Page 23

Forrester Research: https://www.forrester.com/Understand The State Of Data Security And Privacy 2013 To 2014/fulltext/-/E-RES82021

Page 24

https://www.clearswift.com/about-us/pr/press-releases/new-research-reveals-more-third-employees-willing-sell-private-company-data-and-proprietary

Page 25

https://www.clearswift.com/about-us/pr/press-releases/new-research-reveals-more-third-employees-willing-sell-private-company-data-and-proprietary

Page 26

http://www.verizonenterprise.com/DBIR/

Page 30

5 Steps to Manage the Insider Threat
• Create a strong insider policy
• Improve awareness
• Strong hiring processes with screening
• Rigorous subcontracting & third party risk management
• Monitor employees

Page 33

We Have to Change the Game!

Page 34

Changing the Game

Defenders need to find hundreds of vulnerabilities and fix them all, while the attackers only need to find one.

Attackers need to complete a series of operations without being detected, while the defenders only need to detect them in one.

Page 35

Phases of the Attack Continuum (chain)

Infiltration → Series of Operations → Exfiltration

Page 36

Lancope’s Continuous Response Loop
• Monitor
• Detect
• Analyze
• Respond

Page 37

Continuous Response along the Attack Continuum

Infiltration → Series of Operations → Exfiltration

Raising the cost to adversaries through Continuous Response

(Diagram: the Monitor → Detect → Analyze → Respond loop repeated at every stage of the attack continuum)

Page 38

Detection Methodology
• Signature = Inspect Object against blacklist
  – IPS, Antivirus, Content Filter
• Behavioral = Inspect Victim behavior against blacklist
  – Malware Sandbox, NBAD, HIPS, SIEM
• Anomaly = Inspect Victim behavior against whitelist
  – NBAD, Quantity/Metric-based – Not Signature-based

                  Signature   Behavioral   Anomaly
Known Exploits    BEST        Good         Limited
0-day Exploits    Limited     BEST         Good
Credential Abuse  Limited     Limited      BEST

Page 39

Network As A Sensor (NaaS): Internal Visibility from Edge to Access

(Network diagram: WAN, Datacenter, Access and Core layers across Atlanta, New York and San Jose sites; devices shown include 3560-X, 3850 Stack(s), Cat4k, Cat6k, ASA Internet, VPC Servers, 3925 ISR, ASR-1000, Nexus 7000 and UCS with Nexus 1000v; telemetry sources labelled Edge, WAN, Firewall, IPS, Proxy, Core, Distribution, Access, UCS, ISE, Reputation)

Page 40

Flow – The Network Phone Bill

Flow Cache key fields: Destination IP, Origin IP, Destination Port, Origin Port, L3 Protocol, DSCP
Flow Info: Packets, Bytes/Packet (e.g. Origin IP, Port, Proto... → 11000 packets, 1528 bytes/packet; … … …)

Analogy: a Flow Record is to the network what a Telephone Bill (Monthly Statement, Bill At-A-Glance) is to a phone line.

Page 41

Network As A Sensor (NaaS)

Page 42

Behavioral Detection Model

As flows are collected, behavioral algorithms are applied to build “Security Events.” Each Security Event adds points to an alarm category, which allows easy summarization and a higher degree of confidence in the type of activity detected.

Detect Behavioral Change → Security Events (94+) → Alarm Category → Response

Security Events (94+): Addr_Scan, Bad_Flag, Beaconing Host, Bot Infected Host – Successful, Brute Force Login, Fake Application, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Quiet Long Flow, Suspect Data Loss, SYN Flood, UDP Received … (+255 custom defined events)

Alarm Category: Recon, C&C, Exploitation, Data Hoarding, Exfiltration, Policy Violation, DDoS Target

Response: Alarm Table, Host Snapshot, Email, Syslog/SIEM, Mitigation
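As an added illustration (not Lancope's code or its product logic), the following Python models the pipeline sketched on the Flow and Behavioral Detection Model slides: a flow cache keyed by the 5-tuple that aggregates packets and bytes, two simplified behavioral algorithms that emit the Security Events Addr_Scan and Suspect Data Loss, and points accumulated per alarm category (Recon, Exfiltration). The internal address range, thresholds, point values and flow records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
SCAN_THRESHOLD = 5                    # distinct destinations per source (assumed)
DATA_LOSS_BYTES = 50_000_000          # outbound bytes per internal host (assumed)
# Security Event -> (alarm category, points); values are assumptions
EVENT_POINTS = {"Addr_Scan": ("Recon", 10), "Suspect Data Loss": ("Exfiltration", 25)}

# Constructed flow records: (origin IP, origin port, dest IP, dest port, L3 proto, packets, bytes)
SAMPLE_FLOWS = [("10.0.5.7", 51000, f"10.0.9.{i}", 445, "tcp", 2, 120) for i in range(1, 9)]
SAMPLE_FLOWS += [
    ("10.0.5.7", 51000, "10.0.9.1", 445, "tcp", 3, 200),                 # same 5-tuple: merges
    ("10.0.7.3", 40000, "203.0.113.10", 443, "tcp", 40000, 60_000_000),  # large upload out
    ("10.0.7.4", 40001, "203.0.113.11", 443, "tcp", 30, 4000),           # ordinary browsing
]

def build_flow_cache(flows):
    """Aggregate packets and bytes per 5-tuple: one 'phone bill' line per conversation."""
    cache = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, pkts, nbytes in flows:
        entry = cache[(src, sport, dst, dport, proto)]
        entry[0] += pkts
        entry[1] += nbytes
    return {key: tuple(totals) for key, totals in cache.items()}

def security_events(cache):
    """Run two simplified behavioral algorithms over the cache and emit Security Events."""
    destinations = defaultdict(set)   # source host -> distinct destination hosts
    outbound = defaultdict(int)       # internal host -> bytes sent outside INTERNAL
    for (src, _sport, dst, _dport, _proto), (_pkts, nbytes) in cache.items():
        destinations[src].add(dst)
        if ip_address(src) in INTERNAL and ip_address(dst) not in INTERNAL:
            outbound[src] += nbytes
    events = [("Addr_Scan", host) for host, dsts in destinations.items()
              if len(dsts) >= SCAN_THRESHOLD]
    events += [("Suspect Data Loss", host) for host, total in outbound.items()
               if total >= DATA_LOSS_BYTES]
    return events

def alarm_points(events):
    """Each Security Event adds points to its alarm category for the host involved."""
    points = defaultdict(int)
    for name, host in events:
        category, pts = EVENT_POINTS[name]
        points[(host, category)] += pts
    return dict(points)

if __name__ == "__main__":
    for (host, cat), pts in alarm_points(security_events(build_flow_cache(SAMPLE_FLOWS))).items():
        print(f"{host}: {cat} = {pts} points")
```

Running it scores the scanning host under Recon and the uploading host under Exfiltration, while the ordinary browsing host accrues no points.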

Page 43

Behavioral Detection Model


Continuous Network Monitoring
• 100% LAN accountability
• 90+ days flow storage average
• 365+ days summary data stored
• Profile over 1M internal hosts

Apply Network Segmentation – the network is your sensor. Build logical boundaries:

Outside - Internet
• Geo Location
• Business Partners
• Cloud Providers
• Social Media

Inside - Internal
• Location – Site - Branch
• Datacenter
• Function - Application
• Business Unit
• Sensitivity - Compliance

Command & Control
• New Malware Families
• Point-of-Sale malware
• Banking malware
• Keylogger, Exfil data
• DDOS

Page 44

Context-Aware Security

What is Context-Aware Security? The use of situational information (e.g. identity, location, time of day or type of endpoint device) to operationalize security and improve information security decisions.

Page 45

Breaking Down the Boundaries

Page 46

Conclusion
• Data breaches are continuing, and growing in size
• Shortage of IT security experts and the need for talent is growing. Automation is the way forward.
• Cybersecurity is a knowledge-based game
• Use your network as a sensor
• Context-aware Security Analytics can improve detection and accelerate response through a Continuous Response Loop: Monitor, Detect, Analyze, Respond (Repeat)

Page 47

Thank you! Andrew Wild, Lancope@[email protected]