Traits exhibited by your best, smartest, and hardest working employee can be the same as those of the malicious (or sometimes even unwitting) insider.
Learn how to:
* Spot an insider threat
* Identify their network activity
* Incorporate best practices to protect your organization from the insider threat
10. • Seeing user activity
– Who, what, when, where
• Detecting data exfiltration
– Filtering suspicious events from normal network “noise”
• Detecting bad actors on the network
• Detecting other behavioral anomalies
– When activity on the network deviates from established norms, this can be a sign of attack
– When hosts on the network behave in ways that they normally wouldn’t or shouldn’t
Seeing the Insider Threat
11. • Knowing
– Who it was – what do you know about this user?
– What they were using – was it an approved device?
– When they logged on – was it late at night?
– Where they logged on from – Locally? VPN?
• …is critical to combating the insider threat
• Cisco ISE Integration and the StealthWatch IDentity solution provide this visibility
Monitoring User Activity
Who? What? When? Where?
12. • Who, what, when, and where is nice, but…
– What were they doing?
– NetFlow provides transactional information related to network events
• StealthWatch correlates user information with flow records to add deeper context such as
– Who they were communicating with
– What apps they were using
Monitoring User Activity
Screenshot labels: Data from NetFlow | Application data
13. • Activity at strange times and strange durations can be suspect
• Alarms and thresholds automate the discovery process
Detecting Data Exfiltration
5 hour SSH connection??
• Who was it?
• How have they behaved in the past?
• StealthWatch answers these questions
14. • Pivot from charts to detail – the benefits of users + flow
• You’re not alone – pre-configured and configurable alarms
Detecting Data Exfiltration
Who? How long? To whom? How much?
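As an added illustration of the alarm logic slides 13 and 14 describe (example code written for this page, not StealthWatch's implementation), the following Python correlates constructed NetFlow-style records with a constructed IP-to-user mapping and flags flows that start off-hours, run as long interactive sessions, or send far more to an external host than the user's historical baseline. The records, user mapping, baselines and thresholds are all assumptions.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed NetFlow-style records (sample data, not a real capture):
# source, destination, destination port, start time, duration, bytes sent by the source.
FLOWS = [
    {"src": "10.1.5.23", "dst": "10.1.5.40", "dport": 445,
     "start": "2024-03-04T10:02:00", "dur_s": 120, "bytes_out": 8_000_000},
    {"src": "10.1.5.23", "dst": "203.0.113.7", "dport": 22,
     "start": "2024-03-04T23:15:00", "dur_s": 5 * 3600, "bytes_out": 2_300_000_000},
    {"src": "10.1.7.9", "dst": "198.51.100.5", "dport": 443,
     "start": "2024-03-04T14:30:00", "dur_s": 30, "bytes_out": 50_000},
]

# Constructed IP-to-user mapping, standing in for an identity feed that answers "who was it?".
USERS = {"10.1.5.23": "jdoe", "10.1.7.9": "asmith"}

# Constructed per-user history (typical bytes sent per external flow): "how have they behaved?".
BASELINE_BYTES = {"jdoe": 5_000_000, "asmith": 100_000}

# Assumed internal address space; documentation ranges used as "external" sample hosts.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
WORK_HOURS = range(8, 19)          # assumed normal: 08:00 to 18:59
INTERACTIVE_PORTS = {22, 3389}     # SSH and RDP
LONG_SESSION_S = 3600              # interactive session of an hour or more
VOLUME_MULTIPLIER = 10             # flag when outbound bytes exceed 10x the user's baseline

def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL_NETS)

def flag_flow(flow):
    """Return the flow enriched with user identity and the list of alarm reasons."""
    user = USERS.get(flow["src"], "unknown")
    reasons = []
    if datetime.fromisoformat(flow["start"]).hour not in WORK_HOURS:
        reasons.append("off-hours activity")
    if flow["dport"] in INTERACTIVE_PORTS and flow["dur_s"] >= LONG_SESSION_S:
        reasons.append(f"long interactive session ({flow['dur_s'] // 3600}h)")
    if is_external(flow["dst"]):
        baseline = BASELINE_BYTES.get(user, 1_000_000)   # assumed default for unknown users
        if flow["bytes_out"] > VOLUME_MULTIPLIER * baseline:
            reasons.append("outbound volume far above user baseline")
    return {"user": user, "src": flow["src"], "dst": flow["dst"], "reasons": reasons}

def suspicious_flows(flows):
    """Keep only flows with at least one reason: the events worth a pivot to detail."""
    return [r for r in map(flag_flow, flows) if r["reasons"]]
```

Running `suspicious_flows(FLOWS)` returns only the five-hour off-hours SSH session to an external host, attributed to `jdoe`, with all three reasons attached.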
15. • NetFlow allows you to see all transactions on the network, without having to decide what’s to be ignored
• Automated tools such as the worm tracker identify the source and path of spreading malware
• The Concern Index highlights hosts that are behaving “oddly”
Bad Actors on the Network
16. • Alarms and informative graphics combine to provide visibility into problems without the hassle of digging them out of mountains of data
Bad Actors on the Network
Screenshot labels: Alarm info | Source and spread of a worm