This document provides 10 tips for strengthening an insider threat program. It emphasizes the importance of collecting the right types of metadata on user activities rather than personal information. This includes data on unusual file transfers, printing, and application usage both on and off the corporate network. It also stresses the need to understand the full context and intent of anomalous behaviors to determine the appropriate response. Monitoring for early signs of reconnaissance of security controls and data aggregation can help catch threats before data theft occurs. The document recommends balancing privacy, visibility, and performance when implementing insider threat detection tools and techniques.
2. Tip 1: Get the RIGHT Data
It’s not enough to have a lot of data. You need data specifically tailored to detecting insider threats.
3. Here’s just some of the data you need in order to accurately detect insider threats:
- Unusual rate of copying/moving files, locally or on servers
- Printing sensitive data, to a local or networked printer
- Uploads/downloads on the corporate network
- Uploads/downloads OFF the corporate network
- Copying/pasting sensitive data to a website
- Unusual file renames
- Unusual use of virtual machines
- Unusual disconnects from the corporate network
- Use of hacking tools
4. Here’s just some of the data you need in order to accurately detect insider threats (continued):
- Attempts to disable or tamper with security tools (like DLP)
- Use of portable applications
- Unauthorized use of shared/admin accounts
- Unusual admin activity (scripts, file activity, etc.)
- Machines running applications in an unusual location
- Machines saving to an unusual location
- Unusual use of network capture/proxy/analysis tools
- Unusual local or network movement of virtual machines
5. None of these are detected by network-based tools or log files.
Many insider threat tools attempt to reverse-engineer their visibility from existing data sources (like log files). But in most cases, that isn’t enough. Make sure you’re collecting the right data, or threats will slip through the cracks.
… and that’s just a SMALL sample!
6. Tip 2: Detect all types of threats
We consistently see certain types of insider threats slip through the cracks. For example...
7. These are some threats that often slip through the cracks:
- CREDENTIAL MISUSE | Make sure you’re able to detect suspicious activity from admin/privileged users.
- CREDENTIAL THEFT | Many organizations can’t reliably tell when an outsider has stolen user credentials.
- ADVANCED DATA EXFILTRATION | Can you detect data exfiltration from a user who’s covered their tracks?
- LATERAL MOVEMENT | A crucial warning sign of an infiltrator or malware, not to be missed.
8. Tip 3: Don’t forget intent
It’s not enough to know that a threat exists. Your response hinges on how much you know about the context.
9. Intent is a huge factor. Look at these three examples:
- A login from a totally new location, or an account logged into multiple sessions at once. Suggested intent: possible credential theft.
- A user downloading and renaming an unusually large amount of files using Incognito Mode. Suggested intent: a data thief trying to cover their tracks.
- A publicly accessible Google Drive link that was emailed to a coworker. Suggested intent: an employee accidentally leaving data exposed.
10. All three of these scenarios result in potential data loss… But context proves they are very different, with very different remediation needs.
This is why you need full context around your findings.
11. Here’s the recipe for context:
- Data related to user activities
- The sequence of user activities
- Are those activities abnormal for that user?
Properly capturing context is crucial to any insider threat program.
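The three ingredients above (activity data, its sequence, and abnormality relative to that user's own baseline) can be turned into a small assessment routine. The following is an added example written for this page, not Dtex code: it walks constructed activity metadata for the three scenarios from slide 9, checks each activity against a per-user baseline, uses the order of events (a large private-browsing download followed by renames) to suggest an intent, and attaches the matching remediation. Event fields, baselines, intent labels and remediation strings are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    user: str
    ts: int                   # constructed timestamp (seconds)
    kind: str                 # login | logout | download | rename | share
    attrs: dict = field(default_factory=dict)

@dataclass
class Baseline:
    known_locations: set      # where this user normally logs in from
    downloads_per_hour: int   # this user's normal download volume

# Constructed baselines; a real program learns these from weeks of metadata.
BASELINES = {
    "alice": Baseline({"us-east-office"}, 5),
    "bob":   Baseline({"uk-london-office"}, 20),
    "carol": Baseline({"us-east-office"}, 5),
}

# Same raw outcome (potential data loss), different intent, different response.
REMEDIATION = {
    "possible credential theft": "terminate sessions, reset credentials, investigate source",
    "data thief covering their tracks": "preserve the forensic trail, open an investigation",
    "employee accidentally leaving data exposed": "revoke the public link, coach the user",
}

def is_abnormal(ev, base):
    """Single-activity check: unusual for THIS user, not in absolute terms."""
    if ev.kind == "login":
        return ev.attrs.get("location") not in base.known_locations
    if ev.kind == "download":
        return ev.attrs.get("count", 0) > 10 * base.downloads_per_hour
    return False

def finding(ev, intent, evidence):
    return {"user": ev.user, "ts": ev.ts, "intent": intent,
            "evidence": evidence, "remediation": REMEDIATION[intent]}

def assess(events, baselines=BASELINES, window=3600):
    """Walk each user's activity sequence in time order and attach a suggested intent."""
    findings = []
    open_sessions = {}      # user -> set of currently open session ids
    staged = {}             # user -> abnormal download awaiting a follow-up rename
    for ev in sorted(events, key=lambda e: e.ts):
        base = baselines[ev.user]
        sessions = open_sessions.setdefault(ev.user, set())
        if ev.kind == "login":
            concurrent = bool(sessions)          # another session is still open
            sessions.add(ev.attrs["session"])
            if is_abnormal(ev, base) or concurrent:
                findings.append(finding(ev, "possible credential theft",
                    f"login from {ev.attrs.get('location')}, {len(sessions)} open session(s)"))
        elif ev.kind == "logout":
            sessions.discard(ev.attrs["session"])
        elif ev.kind == "download":
            if is_abnormal(ev, base) and ev.attrs.get("private_browsing"):
                staged[ev.user] = ev             # sequence matters: wait for the rename
        elif ev.kind == "rename":
            dl = staged.pop(ev.user, None)
            if dl and ev.ts - dl.ts <= window:
                findings.append(finding(ev, "data thief covering their tracks",
                    f"{dl.attrs['count']} files downloaded in private browsing, then renamed"))
        elif ev.kind == "share":
            if ev.attrs.get("visibility") == "public" and ev.attrs.get("recipient_internal"):
                findings.append(finding(ev, "employee accidentally leaving data exposed",
                    "public link emailed to a coworker"))
    return findings

def sample_events():
    """Constructed activity metadata covering the three scenarios from the slides."""
    return [
        Event("alice", 0,   "login",    {"session": "A1", "location": "us-east-office"}),
        Event("alice", 30,  "download", {"count": 3}),                       # normal for alice
        Event("alice", 60,  "login",    {"session": "A2", "location": "unknown-region"}),
        Event("bob",   100, "download", {"count": 300, "private_browsing": True}),
        Event("bob",   200, "rename",   {"count": 300}),
        Event("carol", 300, "share",    {"visibility": "public", "recipient_internal": True}),
        Event("alice", 400, "logout",   {"session": "A1"}),
    ]

if __name__ == "__main__":
    for f in assess(sample_events()):
        print(f"{f['user']}: {f['intent']} ({f['evidence']}) -> {f['remediation']}")
```

Note that bob's 300-file download is only abnormal because his own baseline is 20 per hour; the same count from a user whose normal volume is higher would pass `is_abnormal` and never be staged, which is the "abnormal for that user" ingredient doing its work.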
12. Tip 4: Build a forensic trail
The cold, hard truth: You probably will have a security incident at some point. When it happens, you need to know how.
13. Make sure that after a breach, you can answer important questions like:
- What files went missing?
- Which endpoints were infected by this malicious application?
- How did the attacker move laterally?
- How long has this attack been in progress?
- Which users were involved in the event?
14. Tip 5: Catch early signs
Would-be data thieves almost always follow certain patterns of behavior. Catch these, and you can stop theft before it happens.
15. The insider threat kill chain goes like this:
- Step 1 - RECONNAISSANCE: Investigation before data theft.
- Step 2 - CIRCUMVENTION: Disabling or avoiding security measures.
- Step 3 - AGGREGATION: Collecting all of the data to be stolen in one place.
16. The insider threat kill chain goes like this (continued):
- Step 4 - OBFUSCATION: The culprit covers their tracks to avoid detection.
- Step 5 - EXFILTRATION: The actual moment of data theft, when the data leaves the organization.
17. Detecting earlier steps in the kill chain can give you a crucial advantage.
By learning the warning signs that insider data theft will likely take place, you can potentially stop a breach before it happens.
19. Here are some tips on balancing privacy and security:
1. IF POSSIBLE, AVOID HEAVY EMPLOYEE MONITORING
…like tools that take screenshots or video capture. Not only do these make users uncomfortable, they also tend to be very heavy, and they make GDPR compliance difficult. If you do need these tools, try limiting their deployment.
20. Here are some tips on balancing privacy and security (continued):
2. COLLECT META-DATA WHEREVER POSSIBLE
The right meta-data can give you plenty of insights without the invasive quality of heavier data like screenshots or video.
Bonus: It’s much lighter on your endpoints and network.
21. Here are some tips on balancing privacy and security (continued):
3. ANONYMIZE PERSONAL IDENTIFYING INFORMATION
By anonymizing all personal identifying information, you avoid the privacy issue completely. What’s more, anonymizing your data makes it much easier to achieve GDPR compliance, if your organization does business in the EU.
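One concrete way to keep identity out of the analyst's view while preserving the per-user baselines that tip 3 depends on is keyed pseudonymization of the identity fields in each metadata record. The block below is an added example for this page, not Dtex code: it replaces `user`, `email` and `hostname` with HMAC-SHA256 tokens so the same person always maps to the same token, and keeps the token-to-identity mapping with whoever holds the key. The record layout, field names, key and directory are constructed for the illustration.

```python
import hashlib
import hmac

# Fields in an activity-metadata record that identify a person or their machine.
IDENTITY_FIELDS = ("user", "email", "hostname")

def pseudonym(value, key):
    """HMAC-SHA256 of the normalised value, truncated to a 16-hex-char token.
    Keyed, so a directory of names cannot be hashed to reverse the tokens."""
    mac = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]

def pseudonymize(record, key, fields=IDENTITY_FIELDS):
    """Return a copy of the record with identity fields replaced by stable tokens.
    Activity fields (what happened, how much, when) are left intact for analysis."""
    out = dict(record)
    for name in fields:
        if out.get(name) is not None:
            out[name] = pseudonym(str(out[name]), key)
    return out

def build_reidentification_table(directory, key, fields=IDENTITY_FIELDS):
    """token -> original value; built only where the key is held (not in the analyst tooling)."""
    table = {}
    for person in directory:
        for name in fields:
            if person.get(name) is not None:
                table[pseudonym(str(person[name]), key)] = person[name]
    return table

def reidentify(token, table):
    """Authorised lookup of a token once an investigation justifies it."""
    return table.get(token)

# Constructed sample key, records and directory (not real data).
SAMPLE_KEY = b"constructed-demo-key-rotate-me"
SAMPLE_RECORDS = [
    {"ts": "2024-01-01T09:00:00Z", "user": "alice", "email": "Alice@corp.example",
     "hostname": "LT-0423", "activity": "usb_copy", "files": 212},
    {"ts": "2024-01-01T09:05:00Z", "user": "alice", "email": "alice@corp.example",
     "hostname": "LT-0423", "activity": "rename", "files": 212},
]
SAMPLE_DIRECTORY = [{"user": "alice", "email": "alice@corp.example", "hostname": "LT-0423"}]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(pseudonymize(rec, SAMPLE_KEY))
```

Two design points matter here. An unkeyed hash would not do: the space of usernames and e-mail addresses is small and enumerable, so anyone with a directory listing could rebuild the mapping by hashing it; the HMAC key is what prevents that. And because the mapping can be reversed by the key holder, this is pseudonymization rather than anonymization in the GDPR sense (Article 4(5)), so the key and the re-identification table need to sit with a separately controlled function, not inside the monitoring tool.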
22. Tip 7: Watch policy violations
Bad actors don’t just do one bad thing. Pay attention to IT policy violations, as they can be indicators of something worse.
23. Our analysts often find that policy violations are indicators of other dangerous behavior. Look for activity like:
- Gambling / Gaming
- Online Shopping/Selling (we once even discovered an employee selling company property on Ebay!)
- Inappropriate Web Browsing
- Personal Webmail Use (which can also be a phishing risk in its own right)
- Pirated Software
25. Today’s enterprises are permeable:
- Cloud Hosting & Applications
- Work from Home
- Colocations
- Work from Coffee Shop
- BYO Devices
- Mobile
26. You can no longer expect data to remain in your organization at all times.
Getting off-network visibility is crucial to understanding how your data moves and protecting it from theft.
27. Tip 9: Maximize your resources
Any tool is only as good as your team’s ability to manage it. Prioritize making the most of your resources!
28. One major way to be more efficient is to reduce false positives. Here are some tips:
- ALERTS BASED ON BEHAVIOR, NOT STATIC RULES | Tools that alert on user behavior rather than blanket rules cut through the noise faster.
- ALERT OR SCORE STACKING | Stacking scores or alerts means that the most urgent threats rise to the top.
- IDENTIFY PRIORITIES INTERNALLY | Identify the highest risk areas, users, or data types in your org. and customize your tools to focus there.
- UNDERSTAND ACCURACY IS BASED IN DATA | Alert accuracy ultimately comes from the quality of the data. If you have the wrong data, you’ll get lots of noise.
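The first two tips above, together with the kill chain from slides 15 to 17, can be shown working on sample data. The block below is an added example written for this page, not Dtex code: it tags each alert with the kill-chain stage it belongs to, drops alerts whose activity is not abnormal for that user (behavior-based rather than blanket rules), then stacks the surviving scores per user so that someone who has already reached reconnaissance, circumvention and aggregation outranks a single noisy alert, before any exfiltration has happened. The activity names, weights, the 3x deviation threshold and the sample events are all constructed for the illustration.

```python
# activity -> (kill-chain stage, weight); None marks a suspicious but unstaged activity.
# Constructed mapping; a real program derives it from the data types in slides 3 and 4.
STAGE_OF = {
    "security_tool_probe":   ("reconnaissance", 2),   # investigating what controls exist
    "dlp_disable_attempt":   ("circumvention", 4),    # tampering with security tools
    "bulk_copy_to_staging":  ("aggregation", 3),      # collecting data in one place
    "bulk_rename":           ("obfuscation", 3),      # covering tracks
    "off_network_upload":    ("exfiltration", 5),     # data leaves the organisation
    "print_sensitive":       (None, 1),
}
STAGES = ["reconnaissance", "circumvention", "aggregation", "obfuscation", "exfiltration"]
DEVIATION_THRESHOLD = 3.0   # alert only at >= 3x the user's own normal rate (constructed)

def static_alerts(events):
    """Blanket rule: every event whose activity is on the list becomes an alert."""
    return [e for e in events if e["activity"] in STAGE_OF]

def behavioral_alerts(events, threshold=DEVIATION_THRESHOLD):
    """Behavior-based: keep only alerts where the activity is abnormal for that user."""
    return [e for e in static_alerts(events) if e["deviation"] >= threshold]

def stack_scores(alerts):
    """Per user: sum alert weights, multiplied by the number of distinct kill-chain stages reached."""
    per_user = {}
    for a in alerts:
        stage, weight = STAGE_OF[a["activity"]]
        entry = per_user.setdefault(a["user"], {"weight": 0, "stages": set()})
        entry["weight"] += weight
        if stage:
            entry["stages"].add(stage)
    result = {}
    for user, entry in per_user.items():
        stages = [s for s in STAGES if s in entry["stages"]]    # kill-chain order
        result[user] = {"score": entry["weight"] * max(1, len(stages)),
                        "stages": stages, "furthest": stages[-1] if stages else None}
    return result

def prioritize(events):
    """Ranked (user, score, stages) list after behavioural filtering, most urgent first."""
    scored = stack_scores(behavioral_alerts(events))
    return sorted(((u, v["score"], v["stages"]) for u, v in scored.items()),
                  key=lambda t: t[1], reverse=True)

def sample_events():
    # Constructed: "deviation" is how many times the user's own normal rate this activity ran at.
    return [
        {"user": "mallory", "ts": 1, "activity": "security_tool_probe",  "deviation": 5.0},
        {"user": "mallory", "ts": 2, "activity": "dlp_disable_attempt",  "deviation": 10.0},
        {"user": "mallory", "ts": 3, "activity": "bulk_copy_to_staging", "deviation": 8.0},
        {"user": "dave",    "ts": 1, "activity": "print_sensitive",      "deviation": 4.0},
        {"user": "dave",    "ts": 2, "activity": "print_sensitive",      "deviation": 1.5},
        {"user": "dave",    "ts": 3, "activity": "print_sensitive",      "deviation": 1.2},
        {"user": "erin",    "ts": 1, "activity": "off_network_upload",   "deviation": 1.1},  # routine for erin's role
    ]

if __name__ == "__main__":
    ev = sample_events()
    print(f"static rule alerts: {len(static_alerts(ev))}, behavioural alerts: {len(behavioral_alerts(ev))}")
    for user, score, stages in prioritize(ev):
        print(f"{user}: score {score}, stages reached {stages}")
```

On this sample the blanket rule raises seven alerts, the behavioural filter four, and the stacked ranking puts mallory (three consecutive stages, no exfiltration yet) far above dave's single print alert; erin's upload, routine for her, never surfaces. The stage multiplier is the stacking choice that makes progress along the chain count for more than raw alert volume.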
29. Tip 10: Balance visibility & performance
We all agree that tools that are too cumbersome aren’t useful. But, giving up visibility isn’t the answer, either.
30. Now, you might be thinking...
“Performance is a non-issue, because I strictly limit endpoint agents!”
You’re not alone. Lots of people combat performance issues by turning to agentless solutions instead. But unfortunately, it’s not so simple…
31. Remember that list of user activities from earlier in this presentation? You need that kind of visibility (and more!) to detect insider threats.
And here’s the complicated part: You can only get it from the endpoint…
32. But don’t fear! There are endpoint visibility-based tools that respect performance.
- Try setting an overall endpoint performance goal instead of a strict limit on the number of agents per machine. This gives you much more flexibility.
  For example, your team could limit the combined CPU usage of all agents to 8%, max.
- Test, test, test! Before committing to a product, test it extensively within your environment and benchmark its performance for yourself.
- Pay attention to scalability. Even agentless solutions often run into major deployment problems.
- Avoid solutions that collect and store heavy data like videos and images.
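A combined-agent budget like the 8% above only means something if the pilot actually measures it. The block below is an added example for this page, not Dtex code: it parses repeated process samples in the shape of `ps -eo comm,%cpu` output, sums the CPU of the agent processes in each sample, and reports the peak and mean combined load, the per-agent averages, and which samples breached the budget. The agent names, the sample figures and the budget constant are constructed for the illustration.

```python
# Agent process names to account against the budget (constructed names).
AGENTS = {"dlp-agent", "edr-sensor", "uba-collector"}
BUDGET_PCT = 8.0   # the combined CPU goal from the slide

def parse_sample(text, agents=AGENTS):
    """Return {agent: %cpu} for the agent processes found in one ps-style sample."""
    usage = {}
    for line in text.strip().splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 2:
            continue
        comm, cpu = parts[0], parts[-1]
        if comm in agents:
            usage[comm] = usage.get(comm, 0.0) + float(cpu)   # an agent may run several processes
    return usage

def evaluate(samples, agents=AGENTS, budget=BUDGET_PCT):
    """Summarise combined and per-agent load over all samples and flag budget breaches."""
    per_sample = [parse_sample(s, agents) for s in samples]
    combined = [sum(u.values()) for u in per_sample]
    mean_by_agent = {a: sum(u.get(a, 0.0) for u in per_sample) / len(per_sample)
                     for a in agents}
    over = [i for i, c in enumerate(combined) if c > budget]
    return {
        "peak_combined": max(combined),
        "mean_combined": sum(combined) / len(combined),
        "mean_by_agent": mean_by_agent,
        "worst_agent": max(mean_by_agent, key=mean_by_agent.get),
        "over_budget_samples": over,      # indices of samples that breached the budget
        "within_budget": not over,
    }

# Constructed samples in the shape of `ps -eo comm,%cpu` output, taken a few seconds apart.
SAMPLES = [
    "COMMAND %CPU\ndlp-agent 3.1\nedr-sensor 2.0\nuba-collector 1.4\nchrome 22.0\noutlook 4.5\n",
    "COMMAND %CPU\ndlp-agent 5.5\nedr-sensor 2.5\nuba-collector 1.2\nchrome 18.3\noutlook 3.9\n",
    "COMMAND %CPU\ndlp-agent 2.0\nedr-sensor 1.0\nuba-collector 0.9\nchrome 25.1\noutlook 2.2\n",
    "COMMAND %CPU\ndlp-agent 3.0\nedr-sensor 2.1\nuba-collector 1.1\nchrome 20.7\noutlook 4.0\n",
]

if __name__ == "__main__":
    report = evaluate(SAMPLES)
    print(f"peak combined {report['peak_combined']:.1f}%, mean {report['mean_combined']:.2f}%")
    print(f"worst agent: {report['worst_agent']}, breaches: {report['over_budget_samples']}")
    print("within budget" if report["within_budget"] else "budget exceeded")
```

One caveat when you gather real samples: the `%CPU` column that `ps` reports is the process's CPU time divided by its elapsed lifetime, so it smooths over bursts; a pilot should also take instantaneous readings (for example from `top` in batch mode) and watch memory and disk I/O, since the deck's warning about heavy screenshot and video collection is as much about I/O as about CPU.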
33. Still lost? We can help!
Dtex is purpose-made to detect insider threats.
Contact Us at Info@DtexSystems.com