Insider threat has become a very real issue for organizations of all sizes and across all industries. The target of these attacks (from malicious insiders, outsiders holding insider credentials, and malware) is most often human-generated data such as documents and spreadsheets. IT can reduce its exposure by taking on a few small but impactful tasks.
7. VARONIS SYSTEMS
The Impact of Insider Threats
- 3.8 insider attacks per organization per year (on average)
- 45% of organizations can't tell if they've suffered an insider breach
- 34% estimate the cost of an insider breach to be > $1 million
- Reputational damage is immeasurable
- CEOs and CISOs are losing their jobs due to breaches
… and, according to the NSA, the national average in 2014/2015 for realizing a breach had occurred within an organization was 270 days!
Phishing Works Really Well
23% of recipients open phishing messages.
11% of recipients click on attachments.
– 2015 Verizon Data Breach Investigations Report
Inside-Out Approach: 4 Phases, 5 Tips
Phases: 1. Instrument & Alert; 2. Lock Down & Prevent; 3. Simplify; 4. Optimize
Activities:
- Enable audit trail & alerting
- Inventory permissions
- Classify and tag sensitive, high-profile data
- Remove excess access
- Remove stale data
- Standardize permissions and structures
- Data ownership / self-service data management
- Automate retention & disposition
- Automate entitlement
- Secure search
- Mobile access and file synchronization
Tip #1: Turn the lights on
- Classify sensitive content
- Inventory permissions
- Enable auditing
Tip #2: Fix your biggest problems
- Global access
- Excessive access
- Broken ACLs
Tip #3: Analyze & Alert on User Behavior
- Baseline normal activity
- Alert on anomalies
- React to alerts
Tip #4: Move the responsibility
- Assign owners
- Establish a process
- Automate that process
Tip #5: Get control of Active Directory
- Fix common mistakes
- Monitor changes
- Track KPIs
Hello everyone! Thanks for coming out today! Today we’re going to talk about 5 things that IT should be doing, particularly when it comes to all that human generated data you have sitting out there, but you probably are not doing.
I'm Mike Egli, an engineer with Varonis. I’ve been in the industry for about 20 years. I spent the first 10 years managing professional services teams and consulting, and the second half in IT leadership and now with Varonis.
Not to spend too much time on who we are, because I think how we solve some of IT's current challenges speaks volumes about who we are, but it's worth noting that we're an 11-year-old company that's publicly traded and growing rapidly. We have over 4,000 customers using solutions in three categories: enterprise search and e-discovery, enterprise secure collaboration, and secure data governance. I think what we do and why we're growing will make a lot more sense once I tell a little story about how we got started.
A little over a decade ago, there was a large scale project off the coast of Africa where a company was taking high resolution digital photos of the ocean floor. Obviously, a pretty expensive project with some very difficult to replace data. One day, the staff comes in and realizes that the data is no longer on their NetApp storage. They start asking questions like “Where did it go?” “What happened?” “Who could have done this?” and no one had any answers. Even when escalating it to two senior engineers at NetApp, they acknowledged that a way to answer those questions didn’t exist … but it would make an excellent product. NetApp’s leadership agreed, but it wasn’t a focus for them and so they helped those two engineers get funding to start Varonis and now over a decade later we’re helping other companies answer those important questions about their data.
While there are many reasons that your unstructured, human-generated data, and a governance strategy for it, matter, one of the newest and greatest risks your business faces is insider threat. Now let me ask you this … do any of these names here sound familiar?
The industry we work in has changed dramatically in just the past 5 years because of the impact of security breaches and data protection. Focusing on insider threat was never viewed as important before now, because people focused so heavily on the edge that they ignored what was inside and what someone could grab (exfiltrate).
Look at the diversity of industries … there's no common thread. Anyone is a target. And look how rapidly it grew in just 10 years; I can barely fit more bubbles. What do you think it will look like in another 10 years?
Now, let's take a look at some interesting information on breaches from 2015. The folks at SANS and Crowd Research have shared some pretty overwhelming numbers. An average of 3.8 insider attacks occur per organization every year. Almost half of all organizations have no idea whether they've been breached. And, to top it off, if you do realize you've had a breach, it takes an average of 270 days to know it!
Sources:
https://www.sans.org/reading-room/whitepapers/analyst/insider-threats-fast-directed-response-35892
http://www.securonix.com/insider-attacks-were-the-most-costly-breaches-of-2015/
http://info.varonis.com/hs-fs/hub/142972/file-2194864500-pdf/ponemon-data-breach-study.pdf
http://www.darkreading.com/vulnerabilities---threats/survey-shows-insider-threats-on-the-rise-organizations-experience-an-average-of-38-attacks-per-year/d/d-id/1321069
There are 3 types of insider threats that we have to worry about.
Turncloak. A malicious insider leaking data: someone who is supposed to be on the network and has legitimate credentials, but is abusing that access for fun or profit.
We've seen all sorts of motives that drive this type of behavior: things as sinister as selling secrets to foreign governments or as simple as taking a few documents over to a competitor upon resignation.
Pawn. A normal employee who makes a mistake that is exploited by a bad guy. Whether it's a lost laptop or emailing a sensitive document to the wrong person, mistakes are a part of life, but they hurt nonetheless. In a minute we'll take a look at the statistical breakdown of mistakes vs. malice.
Imposter. An outsider using insider credentials, who locates information as if they were the inside user and exfiltrates it.
We should assume that we already have attackers on the inside. Our goal is to (a) minimize the damage any single account can do by reducing its access to need-to-know, and (b) put in place detective controls that alert when sensitive data may be in jeopardy.
Now, while the turncloak is the malicious insider who's knowingly exfiltrating your data, the majority of breaches occur purely by accident. The biggest cause of breaches really is the employee who makes a mistake: leaving a USB key somewhere, clicking a link in an email, or sending an email to the wrong person. This is where you need to spend more of your time: protecting the organization from malicious intent and from the accidental drag and drop alike.
Statistically speaking, the biggest threats businesses have faced over the past few years really do fall into the category of "oops!" by the average employee. Misdelivery and publishing errors constitute almost 70% of incidents, and roughly 50% of the assets involved are human-generated data like your average Word or Excel document. And how are people getting to those documents? They are leveraging the permissions of their own account, which can often reach places it probably shouldn't, or they are using someone else's credentials.
Now, I mentioned some examples of how employees make mistakes. Here’s one of the most common and effective ones. Phishing.
Verizon's data breach investigation last year found that at least 1 in every 5 recipients will open a phishing email and at least 1 in every 10 will open the attachment or click the link! That means if you have 100 employees, it is very likely you already have people clicking links, and potentially have their credentials sitting out there in the hands of an imposter.
What's particularly scary about the 11% stat is that if the attacker gets your employees to click, there are immediate and grave consequences. In most cases it means malware or ransomware has been staged and an attacker has control of at least one machine on your network.
But phishing isn't the only effective way to wreak havoc under an insider threat model. Ransomware is one of the newest ways to cripple an organization, and it functions as an innovative business model, which only increases its adoption by nefarious people. If you're not familiar with it, the basics are: a user is infected, and their computer uses their credentials to reach every file on the network it can and encrypts each one with a key only the attacker holds. It also drops a document there with instructions on where to pay the holder of that key to get your documents back. It's brutal because it can encrypt anything the user's account can get to, it spreads like a virus, and most organizations cannot recover either fast enough or completely enough to ignore the threat.
But it's just gotten worse. Ransomware has become a service. Ransom32 is a service that lets you build your own ransomware, type in your bitcoin address, and target people. And it's small and JavaScript based, so it's cross-platform, can be embedded in websites, etc. This is literally a business that helps someone build ransomware in exchange for a cut of the profit. This is the world we live in as people in the IT industry.
Ok, now let me ask this … who's afraid of the shower? Ok, what about mountain lions? Makes sense, right? A big scary cat with claws versus a thing that drops water. But you're 100x more likely to slip and fall in the shower than to run across a mountain lion. So who here replaces their bath mat every 6 months?
It's all about irrational biases: one "looks" scary, so we focus there instead of on the other one. I hear it all the time: "we're too small to be a target" or "we're a family company, we don't have insider threat problems". EVERYONE is at risk, from the 5-employee corner convenience market whose employee snags some money out of the register and adjusts the day's sales in the system to compensate, to the 1,000-employee manufacturing company where an employee snags R&D documents on his last day before he goes to a competitor. What's important is identifying what is a true risk by looking at the cold hard facts, the numbers, the frequency of events. Then develop a plan of attack.
People often talk about the inside-out approach to security, i.e. don't just secure the edge. Like candy: you don't want a hard exterior and a soft chewy core, right? So start from your permissions, your data, and how people are using it, and then work your way out. That means having a data governance strategy, and this chart shows what that could look like. What we'll do now is walk through some examples of this in terms of 5 overall tips for improving the situation with your unstructured data.
Bi-Directional View: go through a short form of the standard DA (DatAdvantage) introduction and go straight to "Who has access to the Finance folder?"
Data Classification: show the classification results and discuss data classification: "What kind of data is in the Finance folder?"
Logs: right-click and go to the Log to show who's been touching data within the Finance folder.
How can you protect your data if you don’t know anything about it? We start by taking inventory of your entire unstructured data environment. This means classifying sensitive content, crawling ACLs and Active Directory, and enabling comprehensive, non-intrusive auditing of how users interact with data.
The result? You can finally see. You’ll know who has access to data and who is accessing it, where sensitive information lives, and where it’s overexposed and at-risk.
Bi-Directional View: go back to the Work Area and this time show them a now-familiar concept, but from the other direction: "What can the Everyone group get to?"
Recommendations: open and discuss the Recommendations panel on the Finance folder.
Report, Global Group Access Analysis: discuss and show how to answer "How do I get a complete list of all folders that Everyone has access to?"
Applying global access to the company’s holiday party photos is probably okay, but in the vast majority of cases, we should avoid global access like the plague.
I’ve seen global access applied to folders with millions of credit card numbers, socials, and more.
This problem can be very hard to remediate—you can’t just pull everyone’s access without inciting a riot. When everyone under the sun has access, it’s very difficult to know who really needs that access.
The solution is to look at historical access activity in your audit trail to determine who has been accessing data exclusively via global access groups.
Our DatAdvantage product shows you which information is globally accessible and who has actually been accessing it. From there you can apply tighter permissions and run a simulation that will tell you exactly which people will be impacted if you were to remove global access.
This capability is indispensable when doing global access remediation, lest you get a bunch of angry phone calls. ☺
Permissions creep plagues us all. It's hard to prevent and can be even harder to remediate. How often does the help desk receive a call from a user complaining that they have too much access? Never.
- People change jobs, departments, responsibilities
- Temporary projects often require temporary access, but temporary access has a way of becoming permanent
- Consulting contracts start and end
How do you know when someone no longer needs access to data?
You can analyze a person’s activity. If they stop accessing EVERYTHING, then you can probably just disable their account.
But to determine if they no longer need SPECIFIC permissions, you need to correlate their access activity with their security groups. And even if a person no longer accesses data granted to them by a specific group, that is not always a foolproof indicator that they no longer need the access.
A better answer is hidden in this little red X. I included a picture of Elon Musk because it feels like something he should’ve invented. :-)
The X is Varonis telling us that Andrew Weiricc no longer needs access to the company’s finance data. It determines this through bi-directional cluster analysis. Not only has Andrew stopped using the data, but his fundamental data access behaviors no longer match a typical member of that security group.
You can then manually accept the recommendation or have Varonis automatically execute revocations on your behalf.
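As an added illustration (not code from this talk or from Varonis), here is a small Python model of the two analyses described above: simulating what breaks if the global groups are pulled off a folder's ACL, and flagging group memberships a user no longer exercises. The group membership, ACLs and audit events are constructed sample data; the 90-day windows, the list of groups treated as "global" and the folder paths are assumptions. It implements only the usage-based heuristic the text calls imperfect; the bi-directional cluster analysis behind the red X is not reproduced.

```python
# Constructed sample data (not from the talk): AD group membership, folder ACLs
# (read-level grants) and an audit trail of read events.
GROUPS = {
    "Everyone":  {"alice", "bob", "carol", "dave", "erin", "svc_backup"},
    "Finance":   {"alice", "bob", "erin"},
    "Marketing": {"bob", "carol"},
    "IT-Admins": {"dave"},
}

ACLS = {
    r"\\fs01\finance":        {"Everyone", "Finance"},   # global access on sensitive data
    r"\\fs01\marketing":      {"Marketing"},
    r"\\fs01\holiday-photos": {"Everyone"},              # global access that is probably fine
}

# Audit events as (days_ago, user, folder); days_ago is relative to "today" (assumption).
AUDIT = [
    (2,   "alice", r"\\fs01\finance"),
    (5,   "bob",   r"\\fs01\finance"),
    (1,   "carol", r"\\fs01\finance"),    # carol reaches finance only via Everyone
    (3,   "carol", r"\\fs01\marketing"),
    (200, "bob",   r"\\fs01\marketing"),  # bob's Marketing membership looks stale
    (120, "dave",  r"\\fs01\finance"),    # outside the 90-day lookback window
    (200, "erin",  r"\\fs01\finance"),    # erin's Finance membership looks stale
]

# Groups treated as "global" (assumption: the usual offenders on Windows file servers).
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}


def groups_for(user):
    return {g for g, members in GROUPS.items() if user in members}


def access_paths(user, folder):
    """Groups on the folder's ACL through which this user currently gets access."""
    return groups_for(user) & ACLS.get(folder, set())


def globally_accessible_folders():
    """The 'complete list of folders Everyone can reach' from the Global Group Access report."""
    return sorted(f for f, grants in ACLS.items() if grants & GLOBAL_GROUPS)


def global_access_impact(folder, lookback_days=90):
    """Simulate removing the global groups from the folder's ACL.
    Returns (users who used the folder recently and would lose access,
             users who used it recently but keep access through another group)."""
    would_break, unaffected = set(), set()
    for days_ago, user, f in AUDIT:
        if f != folder or days_ago > lookback_days:
            continue
        paths = access_paths(user, folder)
        if paths and not (paths - GLOBAL_GROUPS):
            would_break.add(user)        # the only route is a global group
        elif paths:
            unaffected.add(user)
    return would_break, unaffected


def stale_entitlements(user, stale_days=90):
    """Non-global groups that grant the user access only to folders they have not
    touched in stale_days. Usage-based heuristic only; treat as a candidate for review."""
    last_seen = {}
    for days_ago, u, f in AUDIT:
        if u == user:
            last_seen[f] = min(days_ago, last_seen.get(f, days_ago))
    stale = set()
    for group in groups_for(user) - GLOBAL_GROUPS:
        folders = {f for f, grants in ACLS.items() if group in grants}
        if folders and all(last_seen.get(f, float("inf")) > stale_days for f in folders):
            stale.add(group)
    return stale


if __name__ == "__main__":
    print("Globally accessible:", globally_accessible_folders())
    broken, fine = global_access_impact(r"\\fs01\finance")
    print("Pulling Everyone off finance would break:", broken, "and not affect:", fine)
    for u in ("alice", "bob", "erin"):
        print(u, "stale groups:", stale_entitlements(u))
```

Before removing the global group you would add the users in the "would break" set to a purpose-built group (or confirm with the data owner that they should lose access); the "unaffected" set is the evidence that nobody else gets an angry-phone-call moment.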
Alerts (Margaret Coakley): user behavior analytics (UBA)
Our customers have had a lot of success preventing insider breaches using some of the alerts you see here.
We create a baseline of all user activity, allowing you to detect suspicious behavior, whether it’s an insider accessing sensitive content, an administrator abusing their privileges, or ransomware like CryptoLocker.
By combining behavioral analysis with knowledge of what’s inside the files the insider is touching, alerts become much more accurate than traditional methods.
You can send these high-fidelity alerts into your SIEM for further analysis rather than flooding it with every event.
One of my favorite use cases for file analysis is building profiles for strains of malware.
This is a profile we’ve used to very successfully combat CryptoLocker.
It works like this:
All file access activity is monitored, and threshold alerts are in place to detect rapid file modification from a single user. When that happens, an alert is triggered which notifies IT. The process then checks the user's machine for the presence of CryptoLocker registry values and automatically disables the user account. And because you have the audit trail, you can see precisely which files were encrypted and use something like decryptcryptolocker.com to restore them.
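Added example (not the Varonis profile or its code): the threshold part of that CryptoLocker process in Python, run over constructed audit lines. The 10-writes-in-60-seconds threshold, the log format and the user names are assumptions. The endpoint check for CryptoLocker registry values cannot run offline, so the containment step takes the "disable this account" action as a callback supplied by the caller; the detector also returns the list of files the account wrote from the start of the triggering window onward, which is the list you would hand to a restore job.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (assumptions, not values from the talk): 10 or more write operations
# by one account inside 60 seconds is treated as ransomware-like.
THRESHOLD = 10
WINDOW = timedelta(seconds=60)
WRITE_OPS = {"modify", "rename", "create", "delete"}

# Constructed audit lines in an assumed "<ISO timestamp> <user> <operation> <path>"
# format. Not real file-server logs.
_lines = [
    r"2016-03-01T09:00:01 alice modify \\fs01\shared\q1-budget.xlsx",
    r"2016-03-01T09:14:30 bob modify \\fs01\shared\meeting-notes.docx",
    r"2016-03-01T09:15:02 bob read \\fs01\shared\q1-budget.xlsx",
]
# carol: a dozen writes in twelve seconds, the CryptoLocker pattern
_lines += [rf"2016-03-01T10:02:{i:02d} carol modify \\fs01\shared\doc{i:02d}.docx"
           for i in range(12)]
# dave: ten writes spread over two hours, a busy but normal user
_lines += [rf"2016-03-01T{11 + 15 * i // 60:02d}:{15 * i % 60:02d}:00 dave modify \\fs01\shared\report{i}.docx"
           for i in range(10)]
SAMPLE_LOG = "\n".join(_lines)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")


def parse(log_text):
    """Parse audit lines into (timestamp, user, op, path) tuples, oldest first."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, op, path = m.groups()
        events.append((datetime.fromisoformat(ts), user, op, path))
    events.sort(key=lambda e: e[0])
    return events


def detect_rapid_modification(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window threshold alert.
    Returns {user: (trigger_time, [paths])} where paths are every file the account
    wrote from the start of the triggering window onward."""
    recent = defaultdict(deque)   # user -> (ts, path) writes still inside the window
    alerts = {}
    for ts, user, op, path in events:
        if op not in WRITE_OPS:
            continue
        if user in alerts:
            alerts[user][1].append(path)   # keep recording what the account touches
            continue
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:        # drop writes older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[user] = (ts, [p for _, p in q])
    return alerts


def respond(alerts, disable_account):
    """Containment step from the talk: disable each flagged account (callback supplied
    by the caller, e.g. an AD call) and return the de-duplicated file list per account."""
    contained = {}
    for user, (_, paths) in alerts.items():
        disable_account(user)
        contained[user] = sorted(set(paths))
    return contained


if __name__ == "__main__":
    disabled = []
    found = detect_rapid_modification(parse(SAMPLE_LOG))
    for user, files in respond(found, disabled.append).items():
        print(f"{user}: disabled; {len(files)} files to restore, starting with {files[0]}")
```

The important property is the second branch in the detector: once an account trips the threshold, every further write it makes is still collected, so the restore list is complete even though the account is being disabled asynchronously. Dave never trips it because his ten writes never share a 60-second window.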
Statistics – Data Owner; Entitlement Review
The first task is to use the access activity to determine who the likely data owners are. Business users have more context than IT when it comes to making decisions about access, so let's give them that responsibility.
Assigning ownership in a way that relies on hard evidence of usage rather than a qualitative survey asking "Do you own this file share?" increases your odds of success.
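Added example (not Varonis code): one way to turn access activity into an ownership recommendation, in Python. The events, the excluded admin and service accounts, the write weighting and the 40% share threshold are all assumptions; the point is that the candidate comes from usage evidence, and that the routine declines to guess when no single business user dominates the folder.

```python
from collections import Counter, defaultdict

# Constructed sample: (user, folder, operation) audit events over a review period.
# Not data from the talk.
ACCESS_EVENTS = [
    ("alice", r"\\fs01\finance", "modify"),
    ("alice", r"\\fs01\finance", "modify"),
    ("alice", r"\\fs01\finance", "read"),
    ("bob",   r"\\fs01\finance", "read"),
    ("bob",   r"\\fs01\finance", "read"),
    ("bob",   r"\\fs01\finance", "read"),
    ("bob",   r"\\fs01\finance", "read"),
    ("svc_backup", r"\\fs01\finance", "read"),   # backup job reads everything
    ("svc_backup", r"\\fs01\finance", "read"),
    ("dave",  r"\\fs01\finance", "modify"),      # admin fixing permissions, not an owner
    ("carol", r"\\fs01\marketing", "modify"),
    ("carol", r"\\fs01\marketing", "read"),
    ("alice", r"\\fs01\shared", "read"),
    ("alice", r"\\fs01\shared", "read"),
    ("bob",   r"\\fs01\shared", "read"),
    ("bob",   r"\\fs01\shared", "read"),
    ("carol", r"\\fs01\shared", "read"),
    ("carol", r"\\fs01\shared", "read"),
]

# Accounts that touch everything but own nothing (assumption: admins and service accounts).
EXCLUDE = {"svc_backup", "dave"}
# A write is stronger evidence of ownership than a read (assumed weighting).
WRITE_WEIGHT = 3


def owner_scores(events, exclude=EXCLUDE):
    """Weighted activity per folder per business user."""
    scores = defaultdict(Counter)
    for user, folder, op in events:
        if user in exclude:
            continue
        scores[folder][user] += WRITE_WEIGHT if op in {"modify", "create", "delete"} else 1
    return scores


def suggest_owner(events, folder, min_share=0.4):
    """Return (candidate, share): the top business user if they account for at least
    min_share of the folder's weighted activity, otherwise (None, share of the top user)."""
    counts = owner_scores(events).get(folder)
    if not counts:
        return None, 0.0
    user, score = counts.most_common(1)[0]
    share = score / sum(counts.values())
    return (user if share >= min_share else None), round(share, 2)


if __name__ == "__main__":
    for folder in sorted({f for _, f, _ in ACCESS_EVENTS}):
        candidate, share = suggest_owner(ACCESS_EVENTS, folder)
        print(f"{folder}: {candidate or 'no clear owner'} ({share:.0%} of activity)")
```

Folders that come back with no clear owner are exactly the ones where the survey question "Do you own this share?" is worth asking; for the rest, the recommendation arrives with the evidence attached.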
Discuss the importance of cleaning up accounts: users with expired passwords (Expired Passwords and Audit GPO reports).
In order to monitor risk on your domain, you need to make sure you have tools and rules that can detect AD changes and alert you when abnormal behavior is happening.
That’s it!
Be sure to sign up for a free threat assessment. We’ll perform all 3 steps of the Inside-Out Security playbook in your environment. There’s no commitment and you get a nice risk report at the end that’ll help you take action.