Identify and Stop Insider Threats

Traits exhibited by your best, smartest, and hardest working employee can be the same as those of the malicious (or sometimes even unwitting) insider.

Learn how to:
* Spot an insider threat
* Identify their network activity
* Incorporate best practices to protect your organization from the insider threat

Published in: Technology, Business
Transcript

  • 1. Insider Threat
    Matthew McKinley, Technical Product Marketing
    mmckinley@lancope.com, (770) 225-6500
  • 2. (Title slide repeated)
  • 3. Overview
    • Why am I interested in Insider Threat?
      – Motives
      – Types
    • Who commits insider computer crimes and why do they do it?
    • An observation
    • Using StealthWatch to combat different insider threats
      – The Kill Chain
      – How can we see Insider Threats?
      – Use Cases
    • Lancope Pro Tip
    © 2012 Lancope, Inc. All rights reserved.
  • 4. Why am I interested in Insider Threats?
    [Chart: AlgoSec Survey of 182 IT Security Professionals]
  • 5. Why Insider Threats? – The Verizon Breach Report
    • Verizon 2012 Data Breach Investigations Report
    • 2012
      – 98% stemmed from external agents
      – 4% implicated internal employees
    • 2011
      – 92% stemmed from external agents
      – 17% implicated insiders
    • 2010
      – 70% stemmed from external agents
      – 48% were caused by insiders
    • Hacking in 2012
      – 3% involved SQL Injection
      – 55% involved default credentials
      – 40% involved stolen credentials
      – 29% involved brute force or dictionary attacks
  • 6. What are the motives?
    [Chart]
  • 7. Insider Threats
    • 12 years of history
    • Over 700 insider threat cases
    • IT Sabotage
      – Average: $1.7 million
      – Mean: $50,000
    • IP Theft
      – Average: $13.5 million
      – Mean: $337,000
  • 8. An Observation
    • Much of the practice of computer security has to do with making sure the doors are locked. We spend little effort trying to find out if the bad guys are already in.
      – We tend to assume that if the bad guys are in, it's game over.
        • Systems will stop working or money will be instantly stolen. (This isn't always true.)
      – It is useful to disrupt ongoing attacks even if you can't prevent them.
    • StealthWatch can help
  • 9. Visibility throughout the Kill Chain
    • A sophisticated attack on a network involves a series of steps
    • Traditional thinking views any system compromise as a successful breach
    • Any successful action taken to stop an infection prior to data exfiltration can be considered a win
    • This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
    • StealthWatch provides visibility at each stage of the chain
    [Diagram stages as extracted: Recon; Exploitation (Social Engineering?); Initial Infection; Internal Pivot; Data Preparation & Exfiltration; Command and Control]
  • 10. Seeing the Insider Threat
    • Seeing user activity
      – Who, what, when, where
    • Detecting data exfiltration
      – Filtering suspicious events from normal network "noise"
    • Detecting bad actors on the network
    • Detecting other behavioral anomalies
      – When activity on the network deviates from established norms, this can be a sign of attack
      – When hosts on the network behave in ways that they normally wouldn't or shouldn't
    [Image caption: What's in the bag, Mr.?]
  • 11. Monitoring User Activity
    • Knowing
      – Who it was – what do you know about this user?
      – What they were using – was it an approved device?
      – When they logged on – was it late at night?
      – Where they logged on from – Locally? VPN?
    • …is critical to combating the insider threat
    • Cisco ISE Integration and the StealthWatch IDentity solution provide this visibility
    [Diagram labels: Who? What? When? Where?]
  • 12. Monitoring User Activity
    • Who, what, when, and where is nice, but…
      – What were they doing?
      – NetFlow provides transactional information related to network events
    • StealthWatch correlates user information with flow records to add deeper context such as
      – Who they were communicating with
      – What apps they were using
    [Screenshot labels: Data from NetFlow; Application data]
  • 13. Detecting Data Exfiltration
    • Activity at strange times and strange durations can be suspect
    • Alarms and thresholds automate the discovery process
    [Screenshot callout: 5 hour SSH connection??]
    • Who was it?
    • How have they behaved in the past?
    • StealthWatch answers these questions
  • 14. Detecting Data Exfiltration
    • Pivot from charts to detail – the benefits of users + flow
    • You're not alone – pre-configured and configurable alarms
    [Screenshot labels: Who? How Long? To whom? How much?]
  • 15. Bad Actors on the Network
    • NetFlow allows you to see all transactions on the network, without having to decide what's to be ignored
    • Automated tools such as the worm tracker identify the source and path of spreading malware
    • The Concern Index highlights hosts that are behaving "oddly"
  • 16. Bad Actors on the Network
    • Alarms and informative graphics combine to provide visibility into problems without the hassle of digging them out of mountains of data
    [Screenshot labels: Alarm info; Source and spread of a worm]
  • 17. Use Case: Detecting IT Sabotage
    • StealthWatch can help you:
      – Perform targeted monitoring of employees who are "on the HR radar"
      – Unusual Access Times (Could be any account)
      – Access after termination (!) (accounts or open sessions)
      – Monitor access to specific parts of the network
        • Host Groups
      – Monitor behaviors that show malicious activity
        • SYN Floods
        • Scanning
    [Screenshot labels: See access from here; To here]
  • 18. Use Case: Detecting Fraud
    • StealthWatch can help you:
      – Monitor access to sensitive areas of the network with
        • Host Groups
      – Logins coming from another user's machine (different user logins to different systems from the same address)
      – Long flows from sensitive servers to outside hosts
        • Used in data loss detection
  • 19. Use Case: Detect Theft of Intellectual Property
    • Key window – 30 days before and after resignation/termination
    • 54% of CERT's exfiltration cases occurred over the network (most email)
    • StealthWatch can help you spot:
      – Email with large attachments to third party destinations
      – Large amounts of traffic to the printer
      – Useful for data Infiltration and Exfiltration
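The use cases in slides 11, 13, 17, 18 and 19 all reduce to simple checks over flow records once user identity has been joined to NetFlow. The script below is an added example, not code from the deck or from Lancope's StealthWatch product: it runs each check (long flows from sensitive servers to outside hosts, large outbound transfers, after-hours access, access after termination, and several users logging in from one address) over a handful of constructed flow records and then sums the hits per source host as a rough stand-in for the deck's "Concern Index". The internal address space, sensitive server list, business hours, thresholds, termination list and all sample records are assumptions made for the example.

```python
# Added example (not from the Lancope deck): toy NetFlow-style detections for
# the insider-threat use cases in slides 11, 13, 17, 18 and 19. All records,
# addresses, user names and thresholds below are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed environment: internal address space, the servers worth watching
# (the deck's "Host Groups"), business hours, and HR's termination list.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
SENSITIVE_SERVERS = {"10.0.5.20": "source-code-repo", "10.0.5.21": "finance-db"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
LONG_FLOW_SECONDS = 60 * 60                      # over an hour counts as "long"
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024          # 500 MB outbound
TERMINATED = {"jdoe": datetime(2012, 6, 1, 17, 0)}  # user -> termination time


@dataclass(frozen=True)
class Flow:
    """One flow record already joined with the user seen at the source address."""
    src: str
    dst: str
    user: str
    start: datetime
    duration_s: int
    bytes_out: int
    app: str


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def long_flows_from_sensitive(flows):
    """Slide 18: long flows from sensitive servers to outside hosts."""
    return [f for f in flows
            if f.src in SENSITIVE_SERVERS and not is_internal(f.dst)
            and f.duration_s >= LONG_FLOW_SECONDS]


def large_external_transfers(flows):
    """Slides 13/19: large outbound volume to third-party destinations."""
    return [f for f in flows
            if not is_internal(f.dst) and f.bytes_out >= LARGE_TRANSFER_BYTES]


def after_hours_access(flows):
    """Slide 17: unusual access times (could be any account)."""
    start, end = BUSINESS_HOURS
    return [f for f in flows if not (start <= f.start.time() < end)]


def access_after_termination(flows):
    """Slide 17: accounts still active after HR's termination date."""
    return [f for f in flows
            if f.user in TERMINATED and f.start >= TERMINATED[f.user]]


def shared_source_multiple_users(flows):
    """Slide 18: different users logging in from the same address."""
    users_by_src = defaultdict(set)
    for f in flows:
        users_by_src[f.src].add(f.user)
    return {src: users for src, users in users_by_src.items() if len(users) > 1}


def concern_index(flows):
    """Rough analogue of a per-host concern score: number of detections each
    source address trips (assumption: every detection weighs one point)."""
    score = defaultdict(int)
    for check in (long_flows_from_sensitive, large_external_transfers,
                  after_hours_access, access_after_termination):
        for f in check(flows):
            score[f.src] += 1
    for src in shared_source_multiple_users(flows):
        score[src] += 1
    return dict(score)


# Constructed sample flows (not real telemetry).
SAMPLE_FLOWS = [
    # Normal daytime use of the repo from a workstation.
    Flow("10.0.1.15", "10.0.5.20", "asmith", datetime(2012, 6, 4, 10, 0), 120, 2_000_000, "https"),
    # A second user logging in from the same workstation address.
    Flow("10.0.1.15", "10.0.5.21", "bjones", datetime(2012, 6, 4, 11, 0), 60, 50_000, "sql"),
    # The deck's "5 hour SSH connection??": repo -> outside host at 02:30, 800 MB out.
    Flow("10.0.5.20", "203.0.113.9", "asmith", datetime(2012, 6, 4, 2, 30), 5 * 3600, 800 * 1024 * 1024, "ssh"),
    # jdoe two days before termination (fine) and two days after it (not fine).
    Flow("10.0.1.40", "10.0.5.20", "jdoe", datetime(2012, 5, 30, 9, 0), 300, 1_000_000, "https"),
    Flow("10.0.1.40", "10.0.5.20", "jdoe", datetime(2012, 6, 3, 9, 0), 300, 1_000_000, "https"),
]

if __name__ == "__main__":
    for check in (long_flows_from_sensitive, large_external_transfers,
                  after_hours_access, access_after_termination):
        for f in check(SAMPLE_FLOWS):
            print(f"{check.__name__}: {f.user} {f.src} -> {f.dst} at {f.start}")
    print("shared sources:", shared_source_multiple_users(SAMPLE_FLOWS))
    print("concern index:", concern_index(SAMPLE_FLOWS))
```

The SSH flow trips three checks at once (long, large, and after hours), which is why a summed per-host score surfaces it above the single-hit cases; in practice the weights and thresholds would be tuned to the site's own baseline rather than the fixed values assumed here.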
  • 20. Lancope Pro Tip: Combating Insider Threat is a multidisciplinary challenge
    • IT cannot address insider threat by itself
      – People have a tendency to think that IT is solely responsible for all computer security issues.
    • Legal: Are policies in place? Are they realistic? Does legal support IT practices?
    • HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
    • IT: Is the privacy of end users adequately protected?
    • What impact on workplace harmony are policies, monitoring, and enforcement having?
    • Are you applying policies consistently?
    [Diagram: IT, LEGAL, HR]
  • 21. Thank You
    Matthew McKinley, Technical Product Marketing
    mmckinley@lancope.com, +1 (770) 225-6500