10 TIPS TO STRENGTHEN YOUR INSIDER THREAT PROGRAM

Tip 1: Get the RIGHT Data

It’s not enough to have a lot of data. You need data specifically tailored to detecting insider threats.

Here’s just some of the data you need in order to accurately detect insider threats:

- Unusual rate of copying/moving files, locally or on servers
- Printing sensitive data, to a local or networked printer
- Uploads/downloads on the corporate network
- Uploads/downloads OFF the corporate network
- Copying/pasting sensitive data to a website
- Unusual file renames
- Unusual use of virtual machines
- Unusual disconnects from the corporate network
- Use of hacking tools
- Attempts to disable or tamper with security tools (like DLP)
- Use of portable applications
- Unauthorized use of shared/admin accounts
- Unusual admin activity (scripts, file activity, etc.)
- Machines running applications in an unusual location
- Machines saving to an unusual location
- Unusual use of network capture/proxy/analysis tools
- Unusual local or network movement of virtual machines

… and that’s just a SMALL sample!

None of these are detected by network-based tools or log files. Many insider threat tools attempt to reverse-engineer their visibility from existing data sources (like log files). But in most cases, that isn’t enough. Make sure you’re collecting the right data, or threats will slip through the cracks.

Tip 2: Detect all types of threats

We consistently see certain types of insider threats slip through the cracks. For example, these are some threats that often slip through the cracks:

- CREDENTIAL MISUSE | Make sure you’re able to detect suspicious activity from admin/privileged users.
- CREDENTIAL THEFT | Many organizations can’t reliably tell when an outsider has stolen user credentials.
- ADVANCED DATA EXFILTRATION | Can you detect data exfiltration from a user who’s covered their tracks?
- LATERAL MOVEMENT | A crucial warning sign of an infiltrator or malware – not to be missed.

Tip 3: Don’t forget intent

It’s not enough to know that a threat exists. Your response hinges on how much you know about the context. Intent is a huge factor. Look at these three examples:

- A login from a totally new location, or an account logged into multiple sessions at once. Suggested intent: possible credential theft.
- A user downloading and renaming an unusually large amount of files using Incognito Mode. Suggested intent: a data thief trying to cover their tracks.
- A publicly accessible Google Drive link that was emailed to a coworker. Suggested intent: an employee accidentally leaving data exposed.

All three of these scenarios result in potential data loss… But context proves they are very different, with very different remediation needs. This is why you need full context around your findings.

Here’s the recipe for context:

- Data related to user activities
- The sequence of user activities
- Are those activities abnormal for that user?

Properly capturing context is crucial to any insider threat program.

Tip 4: Build a forensic trail

The cold, hard truth: you probably will have a security incident at some point. When it happens, you need to know how. Make sure that after a breach, you can answer important questions like:

- What files went missing?
- Which endpoints were infected by this malicious application?
- How did the attacker move laterally?
- How long has this attack been in progress?
- Which users were involved in the event?

Tip 5: Catch early signs

Would-be data thieves almost always follow certain patterns of behavior. Catch these, and you can stop theft before it happens.

The insider threat kill chain goes like this:

- Step 1 - RECONNAISSANCE: Investigation before data theft.
- Step 2 - CIRCUMVENTION: Disabling or avoiding security measures.
- Step 3 - AGGREGATION: Collecting all of the data to be stolen in one place.
- Step 4 - OBFUSCATION: The culprit covers their tracks to avoid detection.
- Step 5 - EXFILTRATION: The actual moment of data theft, when the data leaves the organization.

Detecting earlier steps in the kill chain can give you a crucial advantage. By learning the warning signs that insider data theft will likely take place, you can potentially stop a breach before it happens.
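To make the "detect earlier steps" idea concrete, here is an added example (not Dtex code and not from the original deck) that maps endpoint activity events onto the five kill chain steps above and labels each user by how far along the chain they are. The activity-type names, their mapping to stages, the 14-day window and the sample event lines are all constructed for illustration; a real program would derive them from its own sensors.

```python
"""Kill chain stage tracking over endpoint activity events.

Added example, not Dtex code. The activity-type names, their mapping to
the five kill chain steps and the sample events are all constructed for
illustration; a real deployment would derive them from its own sensors.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The five steps of the insider threat kill chain, in order (from the slides).
STAGES = ["RECONNAISSANCE", "CIRCUMVENTION", "AGGREGATION",
          "OBFUSCATION", "EXFILTRATION"]

# Constructed mapping from an activity type to the stage it indicates.
# The activity names are assumptions that echo the data list in Tip 1.
ACTIVITY_STAGE = {
    "share_enumeration":    "RECONNAISSANCE",  # browsing shares the user never touched
    "security_tool_tamper": "CIRCUMVENTION",   # attempt to disable/tamper with DLP
    "portable_app_launch":  "CIRCUMVENTION",   # running portable applications
    "bulk_file_copy":       "AGGREGATION",     # unusual rate of copying/moving files
    "bulk_file_rename":     "OBFUSCATION",     # unusual file renames
    "upload_off_network":   "EXFILTRATION",    # uploads while OFF the corporate network
    "cloud_upload":         "EXFILTRATION",    # copying data to a personal cloud site
}

# Constructed endpoint events: "<ISO timestamp> <user> <activity>".
# "login" is deliberately unmapped to show that benign events are ignored.
SAMPLE_EVENTS = [
    "2024-05-01T09:12:00 alice login",
    "2024-05-01T09:40:00 alice share_enumeration",
    "2024-05-02T18:05:00 alice security_tool_tamper",
    "2024-05-03T07:30:00 alice bulk_file_copy",
    "2024-05-01T10:00:00 bob bulk_file_copy",
    "2024-04-01T11:00:00 carol share_enumeration",   # older than the window
    "2024-05-05T20:10:00 carol bulk_file_rename",
    "2024-05-06T20:15:00 carol upload_off_network",
    "2024-05-02T13:00:00 dave portable_app_launch",
    "2024-05-02T13:02:00 dave security_tool_tamper",
]


def parse_line(line):
    """Split one constructed event line into (timestamp, user, activity)."""
    ts, user, activity = line.split()
    return datetime.fromisoformat(ts), user, activity


def stages_by_user(lines, window=timedelta(days=14)):
    """Return {user: [distinct stages, in the order first observed]}.

    Only events inside `window` before that user's latest event are kept,
    so a one-off reconnaissance event weeks earlier does not linger forever.
    """
    by_user = defaultdict(list)
    for ts, user, activity in sorted(parse_line(line) for line in lines):
        by_user[user].append((ts, activity))

    result = {}
    for user, events in by_user.items():
        cutoff = events[-1][0] - window
        stages = []
        for ts, activity in events:
            stage = ACTIVITY_STAGE.get(activity)
            if ts >= cutoff and stage and stage not in stages:
                stages.append(stage)
        result[user] = stages
    return result


def classify(stages, min_early_stages=2):
    """Turn a user's observed stages into a triage label.

    EXFILTRATED:   the final step already happened; this is a forensic case.
    EARLY_WARNING: two or more pre-exfiltration steps seen; intervene now.
    NONE:          a single stage on its own is not enough to act on.
    """
    if "EXFILTRATION" in stages:
        return "EXFILTRATED"
    early = [s for s in stages if s != "EXFILTRATION"]
    return "EARLY_WARNING" if len(early) >= min_early_stages else "NONE"


def triage(lines, **kwargs):
    """Label every user seen in the event lines."""
    return {user: classify(st, **kwargs)
            for user, st in stages_by_user(lines).items()}


if __name__ == "__main__":
    observed = stages_by_user(SAMPLE_EVENTS)
    for user, label in triage(SAMPLE_EVENTS).items():
        print(f"{user:6} {label:14} {observed[user]}")
```

With the constructed events, alice has reached reconnaissance, circumvention and aggregation without exfiltrating yet, which is exactly the window the slide says to act in; carol's case is already a forensic one; bob and dave each show a single stage and are left alone, which keeps the alert volume down.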
Tip 6: Don’t sacrifice privacy

Employees are becoming less and less tolerant of heavy surveillance… and, in some places, so is the law. Here are some tips on balancing privacy and security:

1. IF POSSIBLE, AVOID HEAVY EMPLOYEE MONITORING
   …like tools that take screenshots or video capture. Not only do these make users uncomfortable, they also tend to be very heavy – and they make GDPR compliance difficult. If you do need these tools, try limiting their deployment.

2. COLLECT META-DATA WHEREVER POSSIBLE
   The right meta-data can give you plenty of insights without the invasive quality of heavier data like screenshots or video. Bonus: it’s much lighter on your endpoints and network.

3. ANONYMIZE PERSONAL IDENTIFYING INFORMATION
   By anonymizing all personal identifying information, you avoid the privacy issue completely. What’s more, anonymizing your data makes it much easier to achieve GDPR compliance, if your organization does business in the EU.
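One common way to implement point 3 while keeping the analytics useful is keyed pseudonymization: every identifier is replaced by an HMAC-SHA256 token under a secret key that the analysts do not hold, so the same person's events still correlate but the name is not visible. The example below is added here and is not Dtex code or part of the deck; the record layout, field names, sample records and key are constructed. One caveat a practitioner should keep in mind: because the key-holder can reverse the tokens, GDPR treats this as pseudonymization rather than anonymization, so the key must be stored and access-controlled separately from the data.

```python
"""Keyed pseudonymization of personal identifiers in activity records.

Added example, not Dtex code. The event records, the field names and the
key are constructed. The technique is HMAC-SHA256 over each identifier
with a secret key held outside the analytics platform: analysts can still
correlate every event of the same person, but cannot read who it is.
"""
import hashlib
import hmac

# Constructed secret; in practice it comes from a KMS/HSM and is held by the
# privacy officer, never by the analysts who work on the pseudonymized data.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

PII_FIELDS = ("user", "email", "hostname")   # assumed field names

# Constructed activity records as a data-collection tool might emit them.
# The second record spells the same user differently on purpose.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T09:40:00", "user": "alice", "email": "alice@example.com",
     "hostname": "LAPTOP-ALICE", "activity": "bulk_file_copy", "count": 60},
    {"ts": "2024-05-01T10:05:00", "user": "Alice", "email": "Alice@Example.com",
     "hostname": "LAPTOP-ALICE", "activity": "upload_off_network", "count": 3},
    {"ts": "2024-05-01T10:10:00", "user": "bob", "email": "bob@example.com",
     "hostname": "LAPTOP-BOB", "activity": "bulk_file_copy", "count": 205},
]


def pseudonym(value, key=PSEUDONYM_KEY):
    """Deterministic keyed token for one identifier (case- and space-normalized)."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]   # 64 bits: enough to correlate, not to collide


def pseudonymize(record, key=PSEUDONYM_KEY, fields=PII_FIELDS):
    """Return a copy of the record with every PII field replaced by its token.

    Non-PII fields (timestamp, activity type, counts) are left untouched, so
    the behavioral analytics still have everything they need.
    """
    out = dict(record)
    for field in fields:
        if field in out and isinstance(out[field], str):
            out[field] = pseudonym(out[field], key)
    return out


def recover_identities(tokens, directory, key):
    """Map tokens back to names by re-deriving the token for every directory entry.

    With the real key this is the authorized re-identification step that runs
    under the organization's legal/HR process once an incident is confirmed.
    Without the key the same walk over the directory recovers nothing, which
    is why the privacy guarantee rests on protecting the key, not the hash.
    """
    table = {pseudonym(name, key): name for name in directory}
    return {t: table[t] for t in tokens if t in table}


if __name__ == "__main__":
    cleaned = [pseudonymize(r) for r in SAMPLE_RECORDS]
    for r in cleaned:
        print(r)
    tokens = {r["user"] for r in cleaned}
    print(recover_identities(tokens, ["alice", "bob", "carol"], PSEUDONYM_KEY))
```

Using a different key per tenant or per retention period also stops tokens from being joined across data sets that were never meant to be linked.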
Tip 7: Watch policy violations

Bad actors don’t just do one bad thing. Pay attention to IT policy violations, as they can be indicators of something worse. Our analysts often find that policy violations are indicators of other dangerous behavior. Look for activity like:

- Gambling / Gaming
- Online Shopping/Selling (we once even discovered an employee selling company property on eBay!)
- Inappropriate Web Browsing
- Personal Webmail Use (which can also be a phishing risk in its own right)
- Pirated Software

Tip 8: See off-network

Today, employees are more mobile than ever. Focusing on the corporate network isn’t enough anymore. Today’s enterprises are permeable:

- Cloud Hosting & Applications
- Work from Home
- Colocations
- Work from Coffee Shop
- BYO Devices
- Mobile

You can no longer expect data to remain in your organization at all times. Getting off-network visibility is crucial to understanding how your data moves and protecting it from theft.

Tip 9: Maximize your resources

Any tool is only as good as your team’s ability to manage it. Prioritize making the most of your resources! One major way to be more efficient is to reduce false positives. Here are some tips:

- ALERTS BASED ON BEHAVIOR, NOT STATIC RULES | Tools that alert on user behavior rather than blanket rules cut through the noise faster.
- ALERT OR SCORE STACKING | Stacking scores or alerts means that the most urgent threats rise to the top.
- IDENTIFY PRIORITIES INTERNALLY | Identify the highest-risk areas, users, or data types in your org and customize your tools to focus there.
- UNDERSTAND ACCURACY IS BASED IN DATA | Alert accuracy ultimately comes from the quality of the data. If you have the wrong data, you’ll get lots of noise.
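The first two points above, together with the "abnormal for that user?" question from Tip 3, come down to one mechanism: compare each user's activity with that user's own history, score the deviation, and add the scores up per user. The following added example (not Dtex code and not part of the deck) puts a static rule and a behavioral rule side by side on the same constructed data: ten days of daily counts per user and activity, plus one day under review. The users, activity names, counts, the 100-file threshold and the z-score settings are all constructed.

```python
"""Per-user behavioral baselines with score stacking.

Added example, not Dtex code. The users, activity types and daily counts
are constructed so that the two alerting styles from the slides can be
compared on the same data: a static rule ("more than 100 file copies a
day") and a behavioral rule ("abnormal for that user").
"""
import math
from collections import defaultdict

# Constructed history: ten days of daily counts per (user, activity).
HISTORY = {
    ("alice", "file_copy"):          [4, 5, 6, 5, 4, 5, 6, 5, 4, 6],   # light user
    ("alice", "upload_off_network"): [0] * 10,
    ("bob", "file_copy"):            [190, 210, 200, 195, 205, 200, 210, 190, 205, 195],  # build engineer
    ("bob", "upload_off_network"):   [0] * 10,
    ("carol", "file_copy"):          [5] * 10,
    ("carol", "upload_off_network"): [0] * 10,
    ("dave", "file_copy"):           [8, 7, 9, 8, 8, 7, 9, 8, 8, 8],
}

# Constructed counts for the day under review.
TODAY = {
    ("alice", "file_copy"):            60,   # 12x her normal, still under a 100-file rule
    ("alice", "upload_off_network"):   3,
    ("bob", "file_copy"):              205,  # normal for bob, trips the static rule anyway
    ("bob", "upload_off_network"):     0,
    ("carol", "file_copy"):            5,
    ("carol", "upload_off_network"):   1,    # first ever off-network upload
    ("dave", "file_copy"):             8,
    ("dave", "security_tool_tamper"):  1,    # activity never seen before for dave
}


def baseline(history):
    """{(user, activity): (mean, population stdev)} from the daily counts."""
    base = {}
    for key, counts in history.items():
        mean = sum(counts) / len(counts)
        var = sum((c - mean) ** 2 for c in counts) / len(counts)
        base[key] = (mean, math.sqrt(var))
    return base


def static_rule_alerts(today, thresholds=None):
    """Blanket rule: alert when a count exceeds a fixed threshold, whoever the user is."""
    thresholds = thresholds or {"file_copy": 100}
    return [(u, a, n) for (u, a), n in today.items()
            if a in thresholds and n > thresholds[a]]


def behavior_anomalies(today, base, z_threshold=3.0, cap=10.0):
    """Behavioral rule: score each count against that user's own baseline.

    Two edge cases matter for insider detection and are handled explicitly:
      - a (user, activity) pair with no history at all is novel for that user
        and gets the maximum score instead of being skipped;
      - a baseline with zero variance (e.g. always 0) would divide by zero, so
        any departure from it also gets the maximum score.
    """
    anomalies = []
    for (user, activity), n in today.items():
        if (user, activity) not in base:
            z = cap
        else:
            mean, sd = base[(user, activity)]
            if sd == 0:
                z = 0.0 if n == mean else cap
            else:
                z = (n - mean) / sd
        if z >= z_threshold:
            anomalies.append((user, activity, round(min(z, cap), 2)))
    return anomalies


def stack_scores(anomalies):
    """Sum each user's anomaly scores so the most urgent users rise to the top."""
    totals = defaultdict(float)
    for user, _, score in anomalies:
        totals[user] += score
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("static :", static_rule_alerts(TODAY))
    ranked = stack_scores(behavior_anomalies(TODAY, baseline(HISTORY)))
    print("stacked:", ranked)
```

On this data the static rule fires only on bob, whose 205 copies are routine for him, and misses alice entirely; the behavioral rule ignores bob, flags alice twice, and the stacked total puts her at the top of the queue, ahead of carol and dave, who each have a single first-time event worth a look.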
Tip 10: Balance visibility & performance

We all agree that tools that are too cumbersome aren’t useful. But giving up visibility isn’t the answer, either.

Now, you might be thinking: “Performance is a non-issue, because I strictly limit endpoint agents!”

You’re not alone. Lots of people combat performance issues by turning to agentless solutions instead. But unfortunately, it’s not so simple… Remember that list of user activities from earlier in this presentation? You need that kind of visibility (and more!) to detect insider threats. And here’s the complicated part: you can only get it from the endpoint…

But don’t fear! There are endpoint visibility-based tools that respect performance.

- Try setting an overall endpoint performance goal instead of strictly limiting the number of agents on machines. This gives you much more flexibility. For example, your team could limit the CPU usage of combined agents to 8%, max.
- Test, test, test! Before committing to a product, test it extensively within your environment and benchmark its performance for yourself.
- Pay attention to scalability. Even agentless solutions often run into major deployment problems.
- Avoid solutions that collect and store heavy data like videos and images.

Still lost? We can help! Dtex is purpose-made to detect insider threats. Contact us at Info@DtexSystems.com
