Identify and Stop Insider Threats

Traits exhibited by your best, smartest, and hardest working employee can be the same as those of the malicious (or sometimes even unwitting) insider.

Learn how to:
* Spot an insider threat
* Identify their network activity
* Incorporate best practices to protect your organization from the insider threat

Published in: Technology, Business

  1. Insider Threat. Matthew McKinley, Technical Product Marketing, (770) 225-6500
  3. Overview
     * Why am I interested in Insider Threat?
       - Motives
       - Types
     * Who commits insider computer crimes and why do they do it?
     * An observation
     * Using StealthWatch to combat different insider threats
       - The Kill Chain
       - How can we see Insider Threats?
       - Use Cases
     * Lancope Pro Tip
     © 2012 Lancope, Inc. All rights reserved.
  4. Why am I interested in Insider Threats?
     [Chart: AlgoSec survey of 182 IT security professionals]
  5. Why Insider Threats? The Verizon Breach Report
     * Verizon 2012 Data Breach Investigations Report
     * 2012
       - 98% stemmed from external agents
       - 4% implicated internal employees
     * 2011
       - 92% stemmed from external agents
       - 17% implicated insiders
     * 2010
       - 70% stemmed from external agents
       - 48% were caused by insiders
     * Hacking in 2012
       - 3% involved SQL injection
       - 55% involved default credentials
       - 40% involved stolen credentials
       - 29% involved brute force or dictionary attacks
  6. What are the motives?
     [Chart]
  7. Insider Threats
     * 12 years of history
     * Over 700 insider threat cases
     * IT Sabotage
       - Average: $1.7 million
       - Mean: $50,000
     * IP Theft
       - Average: $13.5 million
       - Mean: $337,000
  8. An Observation
     * Much of the practice of computer security has to do with making sure the doors are locked. We spend little effort trying to find out whether the bad guys are already in.
       - We tend to assume that if the bad guys are in, it's game over: systems will stop working or money will be instantly stolen. (This isn't always true.)
       - It is useful to disrupt ongoing attacks even if you can't prevent them.
     * StealthWatch can help
  9. Visibility throughout the Kill Chain
     * A sophisticated attack on a network involves a series of steps
     * Traditional thinking views any system compromise as a successful breach
     * Any successful action taken to stop an infection prior to data exfiltration can be considered a win
     * This is the Kill Chain concept introduced by Mike Cloppert at Lockheed
     * StealthWatch provides visibility at each stage of the chain
     [Diagram stages: Recon; Exploitation (Social Engineering?); Initial Infection; Internal Pivot; Data Preparation & Exfiltration; Command and Control]
  10. Seeing the Insider Threat
     * Seeing user activity
       - Who, what, when, where
     * Detecting data exfiltration
       - Filtering suspicious events from normal network "noise"
     * Detecting bad actors on the network
     * Detecting other behavioral anomalies
       - When activity on the network deviates from established norms, this can be a sign of attack
       - When hosts on the network behave in ways that they normally wouldn't or shouldn't
     [Image caption: "What's in the bag, Mr.?"]
  11. Monitoring User Activity
     * Knowing...
       - Who it was: what do you know about this user?
       - What they were using: was it an approved device?
       - When they logged on: was it late at night?
       - Where they logged on from: locally? VPN?
     * ...is critical to combating the insider threat
     * Cisco ISE integration and the StealthWatch IDentity solution provide this visibility
     [Diagram: Who? What? When? Where?]
  12. Monitoring User Activity
     * Who, what, when, and where is nice, but...
       - What were they doing?
       - NetFlow provides transactional information related to network events
     * StealthWatch correlates user information with flow records to add deeper context such as
       - Who they were communicating with
       - What apps they were using
     [Screenshot callouts: Data from NetFlow; Application data]
  13. Detecting Data Exfiltration
     * Activity at strange times and strange durations can be suspect
     * Alarms and thresholds automate the discovery process
     [Screenshot callout: 5-hour SSH connection??]
     * Who was it?
     * How have they behaved in the past?
     * StealthWatch answers these questions
  14. Detecting Data Exfiltration
     * Pivot from charts to detail: the benefits of users + flow
     * You're not alone: pre-configured and configurable alarms
     [Screenshot callouts: Who? How long? To whom? How much?]
  15. Bad Actors on the Network
     * NetFlow allows you to see all transactions on the network, without having to decide what's to be ignored
     * Automated tools such as the worm tracker identify the source and path of spreading malware
     * The Concern Index highlights hosts that are behaving "oddly"
  16. Bad Actors on the Network
     * Alarms and informative graphics combine to provide visibility into problems without the hassle of digging them out of mountains of data
     [Screenshot callouts: Alarm info; Source and spread of a worm]
  17. Use Case: Detecting IT Sabotage
     * StealthWatch can help you:
       - Perform targeted monitoring of employees who are "on the HR radar"
       - Unusual access times (could be any account)
       - Access after termination (!) (accounts or open sessions)
       - Monitor access to specific parts of the network
         * Host Groups
       - Monitor behaviors that show malicious activity
         * SYN floods
         * Scanning
     [Screenshot callouts: See access from here; To here]
  18. Use Case: Detecting Fraud
     * StealthWatch can help you:
       - Monitor access to sensitive areas of the network with
         * Host Groups
       - Logins coming from another user's machine (different user logins to different systems from the same address)
       - Long flows from sensitive servers to outside hosts
         * Used in data loss detection
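The user-activity checks on slides 17 and 18 (access after termination, unusual access times, several accounts logging in from one address) reduce to simple rules once login events are joined with an HR feed. The following is an added example, not Lancope's or StealthWatch's own code: it assumes a login record of (user, source address, target host, timestamp), an HR feed that supplies terminated account names, and business hours of 08:00-18:00 on weekdays; the records, the feed and the thresholds are all constructed.

```python
"""Added example (not Lancope's or StealthWatch's own code): the three
user-activity checks from slides 17 and 18, run over constructed login
records.

Assumptions: each login record carries (user, source address, target host,
timestamp); an HR feed supplies the set of terminated account names;
business hours are 08:00-18:00 on weekdays.  The records, the HR feed and
the thresholds are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Set


class Login(NamedTuple):
    user: str
    src_ip: str
    host: str
    when: datetime


# Constructed sample: two working days (4-5 June 2012, Mon-Tue), one
# late-night login, one login by an account HR already terminated, and one
# workstation address used by three different accounts.
LOGINS: List[Login] = [
    Login("alice", "10.1.5.20", "fileserver01", datetime(2012, 6, 4, 9, 12)),
    Login("bob",   "10.1.5.21", "fileserver01", datetime(2012, 6, 4, 10, 3)),
    Login("alice", "10.1.5.20", "hr-db",        datetime(2012, 6, 4, 23, 41)),
    Login("carol", "10.1.7.9",  "fileserver01", datetime(2012, 6, 5, 8, 30)),
    Login("dave",  "10.1.5.21", "finance-app",  datetime(2012, 6, 5, 11, 15)),
    Login("erin",  "10.1.5.21", "finance-app",  datetime(2012, 6, 5, 11, 20)),
]

TERMINATED: Set[str] = {"carol"}        # constructed HR feed
BUSINESS_START, BUSINESS_END = 8, 18    # assumed working hours (start inclusive, end exclusive)


def access_after_termination(logins: List[Login], terminated: Set[str]) -> List[Login]:
    """Slide 17: any login by an account HR has already terminated."""
    return [l for l in logins if l.user in terminated]


def unusual_access_times(logins: List[Login]) -> List[Login]:
    """Slide 17: logins outside business hours or on a weekend."""
    def off_hours(t: datetime) -> bool:
        return t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END)
    return [l for l in logins if off_hours(l.when)]


def shared_source_addresses(logins: List[Login], min_users: int = 2) -> Dict[str, List[str]]:
    """Slide 18: one source address from which several distinct accounts logged in."""
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for l in logins:
        users_by_ip[l.src_ip].add(l.user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


if __name__ == "__main__":
    for l in access_after_termination(LOGINS, TERMINATED):
        print("terminated account still logging in:", l)
    for l in unusual_access_times(LOGINS):
        print("off-hours login:", l)
    for ip, users in shared_source_addresses(LOGINS).items():
        print(f"{ip} used by several accounts: {users}")
```

In a real deployment the termination set comes from the HR system and the business-hours window from per-team schedules; the shared-address rule needs an allow-list for jump hosts and shared kiosks, otherwise it fires constantly.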
  19. Use Case: Detect Theft of Intellectual Property
     * Key window: 30 days before and after resignation/termination
     * 54% of CERT's exfiltration cases occurred over the network (most by email)
     * StealthWatch can help you spot:
       - Email with large attachments to third-party destinations
       - Large amounts of traffic to the printer
       - Useful for data infiltration and exfiltration
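Slides 13, 14 and 19 describe exfiltration indicators that come straight out of flow records: a long-lived connection from a sensitive server to an outside host (the "5-hour SSH connection"), oversized mail to third-party servers, and unusual volume to printers. The block below is an added example, not Lancope's or StealthWatch's own code: it assumes a NetFlow-style record of (source, destination, destination port, start time, duration, bytes sent), uses address prefixes as a stand-in for StealthWatch Host Groups, and picks thresholds that are assumed values; all records are constructed.

```python
"""Added example (not Lancope's or StealthWatch's own code): flow-record
checks for the exfiltration patterns on slides 13, 14 and 19, run over
constructed NetFlow-style records.

Assumptions: a flow record carries source, destination, destination port,
start time, duration in seconds and bytes sent; host groups are address
prefixes (a stand-in for StealthWatch Host Groups); the thresholds are
assumed values a real deployment would tune.  All records are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    start: datetime
    seconds: int
    bytes_out: int


# Constructed host groups
INSIDE = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE_SERVERS = [ipaddress.ip_network("10.1.50.0/24")]
PRINTERS = [ipaddress.ip_network("10.1.60.0/24")]

LONG_FLOW_SECONDS = 3600     # assumed: an hour-long session from a sensitive server is worth a look
LARGE_BYTES = 50_000_000     # assumed: 50 MB per mail flow, or per host to the printer group


def in_group(addr: str, group) -> bool:
    """True if the address falls inside any prefix of the host group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in group)


# Constructed sample: a 5-hour SSH session from a sensitive server to the
# Internet, a normal SMB transfer, one oversized outbound mail, and a burst
# of print jobs from a single workstation.
FLOWS: List[Flow] = [
    Flow("10.1.50.10", "203.0.113.7",  22,   datetime(2012, 6, 4, 2, 5),   18000, 900_000_000),
    Flow("10.1.50.10", "10.1.5.20",    445,  datetime(2012, 6, 4, 9, 0),   40,    2_000_000),
    Flow("10.1.5.20",  "198.51.100.4", 25,   datetime(2012, 6, 4, 17, 50), 12,    65_000_000),
    Flow("10.1.5.20",  "10.1.60.3",    9100, datetime(2012, 6, 4, 18, 10), 30,    30_000_000),
    Flow("10.1.5.20",  "10.1.60.3",    9100, datetime(2012, 6, 4, 18, 20), 45,    40_000_000),
    Flow("10.1.7.9",   "10.1.60.3",    9100, datetime(2012, 6, 4, 12, 0),  5,     800_000),
]


def long_flows_from_sensitive(flows: List[Flow], min_seconds: int = LONG_FLOW_SECONDS) -> List[Flow]:
    """Slides 13/18: long-lived flows from sensitive servers to hosts outside the network."""
    return [f for f in flows
            if in_group(f.src, SENSITIVE_SERVERS)
            and not in_group(f.dst, INSIDE)
            and f.seconds >= min_seconds]


def large_outbound_mail(flows: List[Flow], min_bytes: int = LARGE_BYTES) -> List[Flow]:
    """Slide 19: mail flows (SMTP 25 / submission 587) to third-party servers carrying a lot of data."""
    return [f for f in flows
            if f.dport in (25, 587)
            and not in_group(f.dst, INSIDE)
            and f.bytes_out >= min_bytes]


def heavy_printer_users(flows: List[Flow], min_bytes: int = LARGE_BYTES) -> Dict[str, int]:
    """Slide 19: hosts whose total bytes sent to the printer group exceed a threshold."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if in_group(f.dst, PRINTERS):
            totals[f.src] += f.bytes_out
    return {src: b for src, b in totals.items() if b >= min_bytes}


if __name__ == "__main__":
    for f in long_flows_from_sensitive(FLOWS):
        print(f"long flow: {f.src} -> {f.dst}:{f.dport}, {f.seconds // 3600}h, {f.bytes_out} bytes")
    for f in large_outbound_mail(FLOWS):
        print(f"large outbound mail: {f.src} -> {f.dst}, {f.bytes_out} bytes")
    for src, total in heavy_printer_users(FLOWS).items():
        print(f"heavy printer use: {src} sent {total} bytes to printers")
```

The fixed byte thresholds are the weakest part: slide 14's "how have they behaved in the past?" is the better question, so a production rule would compare each host's volume with its own baseline rather than with one number for the whole network.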
  20. Lancope Pro Tip: Combating Insider Threat is a multidisciplinary challenge
     * IT cannot address insider threat by itself
       - People have a tendency to think that IT is solely responsible for all computer security issues.
     * Legal: Are policies in place? Are they realistic? Does legal support IT practices?
     * HR: Who is coming and going? Who has workplace issues? Are there soft solutions?
     * IT: Is the privacy of end users adequately protected?
     * What impact on workplace harmony are policies, monitoring, and enforcement having?
     * Are you applying policies consistently?
     [Diagram: IT / Legal / HR]
  21. Thank You. Matthew McKinley, Technical Product Marketing, +1 (770) 225-6500