2. 2
SpectorSoft
• Insider threat, targeted attack, financial fraud detection
• Focused on patterns of human behavior
• Understanding normal & flagging anomalies that indicate threat
User Behavior Analytics
User Activity Monitoring
• Collection and inspection of activity data (logs)
• High-risk users, response, investigations, post-mortems
• Rich contextual data source
3. 3
User Behavior Analytics
• All about making you more secure
• Threats are not only external
• Average time to detect an insider threat?
• 32 days
• Average time to respond?
• 17 days
• Budgets are not aligned with reality
• 52% perceive negligent employees as the cause of significant damage
• 44% are spending 10% or less on solutions that focus on insider threats
• Over 40% don’t even know what they spend
Statistics taken from Insider Threats and the Need for Fast and Directed Response - A SANS Survey.
4. 4
Not in my backyard
3.8 attacks per organization on average | 50% of those able to estimate remediation cost put it at $100k - $2M+
* Crowd-based research in cooperation with the 260,000+ member Information Security Community on LinkedIn
16. 16
Closing Thoughts
– Estimates suggest that 70% of the value of the average business is held within information systems
– Less than 3% of all info tech & security $ are spent protecting or safeguarding electronic or hard copy proprietary information*
– The vast majority of these $ are spent in an effort to keep outsiders out*
– Little is done to protect proprietary information from the untrained or disgruntled employee.*
*Dan Smartwood, former Director of Information Safeguarding at Walt Disney Corp, testifying before Congress
17. 17
What next?
• Review your history of security problems
– What % were caused by external vs. insider actors?
• Look at your budget
– What % are you spending on insider security?
• Review your incident response plan
– Does it have special provisions for an insider incident?
• http://webinar.spectorsoft.com/insider-threats-find-early-fix-fast
• Focus on detection
18. 18
Benefit from UBA
Download:
www.spector360recon.com/trial/
Increasing Security & Productivity through Insider Intelligence:
http://bit.ly/1MPoIgF
“By 2018, organizations that monitor and analyze a broad spectrum of employee activities will experience 50% fewer insider data breaches than organizations that monitor internal communications only.”
Market Guide for Employee-Monitoring Products and Services
Andrew Walls, Research Vice President, Gartner Research, 25 February 2015
Editor's Notes
Founded in 1998
User Activity Monitoring and User Behavior Analytics
Thousands of corporate, government, and non-profit customers; millions of endpoints
If you are not looking, you simply do not know. Don’t be lulled into a false sense of security because you have not detected an insider threat UNLESS you have focused efforts on insider threat detection.
Known knowns, known unknowns, unknown unknowns.
The survey also showed that, of the respondents who answered either “yes, we have had an attack” or “no, we have not,” 56% said yes, we have.
Average of 3.8 attacks per org.
50% of those who could put a number on remediation estimated between $100k and over $2M.
Disgruntled: Ricky Joe Mitchell, sentenced to 4 years in federal prison. Admitted that he intentionally reset all network servers to factory settings when he heard he was to be fired. EverVest was unable to fully communicate or conduct business for 30 days, and spent hundreds of thousands of dollars trying to recover historical data. He was also ordered to pay $428k in restitution.
Entitled: So common amongst sales and “creators” (for example: marketing, coders, strategic direction setters). Surveys show that 1 out of 2 employees think it’s OK to take corporate data with them when they leave, and a full 40% of those that say it’s OK further think it’s OK to use it at their next position. Sources: our own survey and Symantec’s.
Ringleader: Lyft. Late last year. The COO allegedly took strategic product plans, financials, forecasts – and went to Uber! No word at last look on how he physically got there … which service he used. No specific insight into this one, but it presents as a classic case of an insider who felt entitled to information he had a hand in creating (signed off on) and that would be of use to him down the road.
Imposter: Anthem. Jan 2015. The source of the breach seemed to be a compromised login credential. Attacker(s) ran a database query using sysadmin credentials, then uploaded the data to a cloud storage service. How many document file-sharing services are used in your company? Official and shadow? Do you know how they are used?
Mole: CME Group software engineer – last name Yang – worked at company 11 years. Sometime late in the 10th year / early in the 11th year – working in concert with 2 unnamed business partners (not employees) he planned to start a rival company. Downloaded more than 10,000 files containing source code to his work computer, transferred them to USB, and walked them out. Think he would have been flagged as behaving anomalously?
What risk do your insiders pose? (click)
Think about the positions in your company – each one comes with some level of risk . Think of one or two now and assign them a risk value.
To help you assess your risk, remember:
1) Everyone has risk - it can be the low-level clerk in accounting with access to credit card data, all the way up to the VP of sales with access to all your customer records – and everything in between. (next slide)
That your organization currently has an insider threat of some sort is a near certainty. Therefore, you have to approach security with the assumption that an insider threat has already compromised you and focus your energy on detection.
Preventing insider attacks is important and a key part of security; however, organizations often fool themselves into believing that they can stop all such attacks.
Repeat the following sentence three times: “Your organization is and will be compromised by insiders.”
Insiders—whether malicious or merely negligent—are a continuous and constant problem for IT security; thinking otherwise is naïve.
Dr. Eric Cole, SANS Faculty Fellow. Recognized security expert. 20 patents. Former CTO of McAfee and Chief Scientist for Lockheed Martin.
Lower risk – UBA
Higher risk – UBA and UAM
Our approach to User Behavior Analytics, or UBA, focuses on detecting data exfiltration potential, so you can prevent it.
We’ve worked hard to make UBA usable … no big professional services bills, no steep learning curves, and no difficulty tuning the solution to fit your needs.
As you can see, getting started is as simple as selecting the users or groups you want to analyze behavior for, highlighting the specific behaviors you are most interested in, and tuning the alert sensitivity to align to your requirements. Here the red dots represent the number of alerts you would receive based on each sensitivity setting. (next slide)
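The deck describes UBA as "understanding normal and flagging anomalies" and the setup as choosing users, choosing behaviors, and tuning sensitivity until the alert count (the red dots) is acceptable. The following is an added illustration of that loop, not SpectorSoft's or Spector 360 Recon's code. It assumes one behavior (files copied to removable media per user per day, a stand-in for the "mole" walking out source code on USB), a fixed 14-day learning window, and z-score thresholds for the low/medium/high settings; all four users and their activity records are constructed for the example.

```python
"""Toy user behavior analytics (UBA): learn each user's normal, flag upward deviations.

Added illustration, not vendor code. Every activity record below is constructed.
"""
import statistics
from collections import defaultdict

# Sensitivity setting -> z-score an observation must exceed to raise an alert.
# Higher sensitivity means a lower bar and therefore more alerts (the slide's red dots).
# These thresholds are assumptions chosen for the example, not product defaults.
SENSITIVITY_THRESHOLDS = {"high": 3.0, "medium": 6.0, "low": 12.0}

BASELINE_DAYS = 14   # days used to learn each user's "normal"
STD_FLOOR = 1.0      # stops a near-constant baseline from turning every +1 into an alert


def _records(user, daily_counts):
    """Expand a per-user list of daily counts into (user, day, count) records, day 1.."""
    return [(user, day, n) for day, n in enumerate(daily_counts, start=1)]


# Constructed data: files copied to removable media per day, days 1..16 (14 baseline + 2 scored).
SAMPLE_ACTIVITY = (
    # quiet engineer who walks 10,000 files out on day 16 (cf. the "mole" case)
    _records("yang",  [0, 1, 2, 1, 0, 3, 1, 2, 1, 0, 2, 1, 1, 2, 3, 10000])
    # sales rep whose job involves steady, noisy copying; days 15-16 are within her normal
    + _records("alice", [5, 9, 15, 6, 12, 8, 14, 7, 10, 13, 9, 6, 11, 8, 12, 14])
    # moderate spike on day 16: visible at high or medium sensitivity, not at low
    + _records("bob",   [2, 3, 4, 2, 3, 4, 3, 2, 3, 4, 3, 2, 4, 3, 3, 10])
    # small spike on day 16: visible only at high sensitivity
    + _records("carol", [1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 1, 2, 2, 6])
)


def build_baselines(records, baseline_days=BASELINE_DAYS):
    """Learn (mean, std) of the daily count per user from the first baseline_days days.

    A production tool would use a rolling window and many behaviors (processes, destinations,
    time of day); one feature and a fixed window keep the mechanics visible here.
    """
    history = defaultdict(list)
    for user, day, count in records:
        if day <= baseline_days:
            history[user].append(count)
    return {
        user: (statistics.mean(vals), max(statistics.pstdev(vals), STD_FLOOR))
        for user, vals in history.items()
    }


def score(records, baselines, baseline_days=BASELINE_DAYS):
    """Yield (user, day, count, z) for every post-baseline observation of a known user."""
    for user, day, count in records:
        if day <= baseline_days or user not in baselines:
            continue
        mean, std = baselines[user]
        yield user, day, count, (count - mean) / std


def alerts(records, sensitivity, users=None):
    """Return [(user, day, count, z)] whose upward deviation exceeds the sensitivity threshold.

    `users` mirrors the "select the users or groups to analyze" step; None means everyone.
    Only positive z counts: copying far *less* than usual is not an exfiltration signal.
    """
    threshold = SENSITIVITY_THRESHOLDS[sensitivity]
    if users is not None:
        records = [r for r in records if r[0] in users]
    baselines = build_baselines(records)
    return [obs for obs in score(records, baselines) if obs[3] > threshold]


def alert_counts_by_sensitivity(records, users=None):
    """The red dots: how many alerts each sensitivity setting would produce on this data."""
    return {s: len(alerts(records, s, users)) for s in SENSITIVITY_THRESHOLDS}


if __name__ == "__main__":
    for user, day, count, z in alerts(SAMPLE_ACTIVITY, "high"):
        print(f"ALERT {user} day {day}: {count} files to removable media (z={z:.1f})")
    print(alert_counts_by_sensitivity(SAMPLE_ACTIVITY))
```

Two things the numbers show that the slide only states: a user whose job is noisy (alice) is never flagged even on her busiest day because her own baseline is wide, and the standard-deviation floor is what keeps a very quiet user (yang, carol) from alerting on a trivial +1. Tuning sensitivity on this data moves the count from 1 (low) to 3 (high) without ever losing the 10,000-file event, which is the property you want before turning a setting loose on a real population.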