Insider Threats: Lessons from Snowden (ISF UK Chapter)
Piers Wilson
Tier-3 Huntsman® - Head of Product Management
About Tier-3 / Huntsman
• Tier-3
– Australian/UK based security software company
– Established 1999
– Pioneer of Behavioural Anomaly Detection (BAD) technology within SIEM products
• Huntsman
– Intelligent SIEM solution
– Full event correlation and behavioural profiling, anomaly detection and alerting
– Automatic response capability
– Targeted at security-critical large enterprises and government
– In-built compliance monitoring support for PCI-DSS, ISO27001, GPG13, FISMA
– Multi-tenancy support
© 2013 Tier-3 Pty Limited. All rights reserved.
Protective security has a role
• A barrier between those who have access and those who don’t:
– Encryption means those that need access will get it, and those that don’t do not
– Access controls limit what data users can access and what they can do with it
– Firewalls constrain the types of network traffic systems can exchange
• Often controls are several layers deep:
– Network
– Server
– Application
– End point
The insider threat picture is complex
“You're dealing with authorized users doing authorized things for malicious purposes.”
Patrick Reidy, CISO for the FBI
[Diagram: mind map centred on “Insider Threats”; labels as extracted: Physical, Electronic, Ethical, Deliberate, Accidental, Whistle blowing; Insider community; Motivation; Genuine losses, Media, Fame, Breaching data, Negligence, Revenge; Network, USB/Disk, Paper, Granting access/tail gating, Verbal; Normal users, System admins, External parties; Relationship; Customers, Contractors, Staff, Journalists; Trojans/APTs, Social media, Waterholes]
Insider threats are
• Multi-dimensional
• Can circumvent protective controls
• Wider than just “Insiders”
– Contractors, Journalists, Whistle-blowers
– Advanced Persistent Threats / Trojans - the “weaponising” of insiders
– Social media risks, “over share”, leaked secrets, exposed plans / locations / staff / details
• Insiders can cause, or be culpable in causing, breaches
Insider threats are a common theme in security surveys
[Chart: threat actor categories across 47,000+ security incidents]
Sources: PwC/BIS UK information security breaches survey 2013, Verizon data breach report 2013, CompTIA Information Security Trends 2012
What are the components of the solution?
• Endpoint & content-aware controls
• System activity, network traffic and behavioural analysis
• Robust activity monitoring & correlation
• Privileged & admin accounts
• Awareness, education and “publicity”
• Context and threat intelligence
Control privileged & admin accounts
Solutions do exist to control privileged accounts and the process of granting/revoking access for changes and incidents:
• Some systems are not under your “direct” control, such as cloud applications, managed networks or 3rd parties
• It is difficult to control what people do with the privileged access they have
What works for the NSA might not be as workable in the commercial sector
• Dual control can be expensive, with high overheads
Administrators have wide-ranging power, access and knowledge, so oversight is still needed
End-point and content-aware controls
These controls address data being extracted, exported or stolen
• There are several ways you can lose control of your data
– Beyond the access permissions, encryption, ISMS in your environment
– When exchanged on CD, USB, network, Dropbox, social media, email, home PCs, mobile devices, cloud or in unstructured storage
• Businesses need to enable people to transmit/exchange data flexibly
Limitations
• End-point/DLP/Proxy solutions may not fully address the risk
– encryption can mask data flows / remote systems won’t be protected
• Encryption of laptops/USB media only protects from unauthorised access
• Controls need to be part of the wider security and reporting environment
• The business view of what is, and isn’t, acceptable or risky is not
Robust monitoring, correlation and analysis
It is vital to:
• Generate logs
AND
• Include systems, networks, applications
• Incorporate central oversight of other security controls
AND
• Collect them centrally, away from the source
AND
• Analyse and correlate the contents
AND
• Protect access to logs and audit trails
AND
• Separate duties between users, admins, auditors
If any of these fail, the detective/investigative options erode rapidly.
Network traffic & behavioural analysis
It is important to be able to monitor activity based not on rules but on deviation from a normal profile:
• Monitor how people operate – what they do, where, how often
• Understand how systems work “contextually”
• Track variable (multiple) baselines of the different data dimensions
• Recognise anomalies (statistics, thresholds, deviations)
Early/proactive detection allows an analyst to investigate and diagnose incidents.
Predictive behaviour analysis (i.e. trying to predict when someone is going to misuse systems or steal data) is no better than randomly predicting insider misuse.
“... the FBI moved toward a behavioural detection methodology that has proved far more effective” (source: FBI research)
“Even if all you can measure is the telemetry to look at prints from a print server, you can look at things like what's the volume, how many and how big are the files, and how often do they do print”
Patrick Reidy, FBI
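The print-server telemetry Reidy describes (volume, how many files, how big, how often), worked through as an added Python example; this is not code from the deck or from the Huntsman product. It builds each user's own daily baseline from constructed log lines and flags a day that deviates from that baseline rather than matching a fixed rule; the log format, the robust z-score, the minimum history of five days and the threshold of 6 are all assumptions.

```python
import re
import statistics
from collections import defaultdict

# Assumed log line format (constructed for this example, not a real print
# server format): "<date>T<time> user=<name> job=<id> pages=<n> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) job=\S+ "
    r"pages=(?P<pages>\d+) bytes=(?P<bytes>\d+)$"
)


def constructed_log():
    """Constructed sample telemetry: ten days where alice prints three small
    jobs a day and bob two, then an eleventh day where alice prints 40 large
    jobs while bob's habit is unchanged."""
    lines = []
    for day in range(1, 12):
        date = f"2013-09-{day:02d}"
        for j in range(2):
            lines.append(f"{date}T10:{j:02d}:00 user=bob job=b{day}-{j} "
                         f"pages={10 + j} bytes={250000 + j * 1000}")
        if day <= 10:
            for j in range(3):
                lines.append(f"{date}T09:{j:02d}:00 user=alice job=a{day}-{j} "
                             f"pages={4 + j} bytes={90000 + j * 5000}")
        else:
            for j in range(40):
                lines.append(f"{date}T18:{j:02d}:00 user=alice job=x{j} "
                             f"pages=40 bytes=2000000")
    return lines


def daily_profile(lines):
    """Aggregate per user and per day: job count, total pages, total bytes.
    These are the dimensions a baseline is kept for."""
    prof = defaultdict(
        lambda: defaultdict(lambda: {"jobs": 0, "pages": 0, "bytes": 0}))
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these too
        day = prof[m["user"]][m["date"]]
        day["jobs"] += 1
        day["pages"] += int(m["pages"])
        day["bytes"] += int(m["bytes"])
    return prof


def robust_z(value, history):
    """Distance of `value` from the median of `history`, in units of the
    median absolute deviation, so one extreme past day cannot inflate the
    baseline. A perfectly flat history gets an assumed 10% tolerance."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    scale = 1.4826 * mad if mad > 0 else max(abs(med) * 0.1, 1.0)
    return (value - med) / scale


def detect_anomalies(prof, day, min_history=5, threshold=6.0):
    """Compare each user's activity on `day` with that user's own earlier
    days and return {user: {metric: z}} for metrics above the threshold."""
    findings = {}
    for user, days in prof.items():
        history = sorted(d for d in days if d < day)  # ISO dates sort as text
        if day not in days or len(history) < min_history:
            continue  # no baseline yet: profile-based detection needs history
        hits = {}
        for metric in ("jobs", "pages", "bytes"):
            z = robust_z(days[day][metric], [days[d][metric] for d in history])
            if z > threshold:
                hits[metric] = round(z, 1)
        if hits:
            findings[user] = hits
    return findings


def run_example():
    """Profile the constructed log and check the eleventh day."""
    return detect_anomalies(daily_profile(constructed_log()), "2013-09-11")


if __name__ == "__main__":
    for user, hits in run_example().items():
        print(f"{user}: deviates from own baseline on {hits}")
```

Only alice is reported, on all three dimensions, because the comparison is against each user's own history rather than a site-wide rule; bob's identical day is unremarkable for bob.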
Awareness: What is the point?
Simple awareness alone won’t defend against:
• Deliberate attacks
• Targeted social-engineering or a spear-phishing attack that has been made convincing enough
• The effects of normal human psychology and behaviours:
– Whether people care about it
– Or remember three months on
– Or understand why it is important
– Or are tied to a habit or a group behaviour that is different
• Misuse by people who have knowledge of control weaknesses
Visible and publicised oversight mechanisms will:
• Be more memorable than point-in-time eLearning training messages
• Deter malicious thefts or attacks where control and oversight are obvious
• Support deterrence, detection and resolution
• Force behaviours and actions which are more evident
• Enable “accidents” to be used for future education initiatives
• You can target awareness activities better
• You can create security “rumble strips”
Threat intelligence: the insider context
Intelligent monitoring is important
1. You need to monitor security controls and their operation anyway; compliance with security standards demands it, auditors will ask for it and good practice dictates it
• PCI-DSS, ISO27001, BIS “10 steps”, GPG13, FISMA agree
2. The presence of “visible” or “publicised” monitoring controls and an established track record of detection is a big deterrent to the malicious insider
• Detecting and preventing, or otherwise taking action against, a culprit
3. The monitoring of activity and logs provides the evidence businesses need to take action (civil, criminal, HR) even if the process of detection comes from another source
4. An accidental breach could have several causes, but will often be an unusual or significant series of events which may be able to be codified in advance, or following an incident
• Monitoring technology may help to diagnose and prevent future occurrences
5. Robust monitoring shows what is going on within an organisation, which means oversight processes can be based on the audit records, rather than having to expose the original data within investigative activity
Solution coverage
[Diagram: the six solution components: endpoint & content-aware controls; system activity, network traffic and behavioural analysis; robust activity monitoring & correlation; privileged & admin accounts; awareness, education and “publicity”; context and threat intelligence]
Questions
Contact us at:
info@tier-3.com
+44 (0) 208 433 6790 / +61 (0) 2 9419 3200
More information at:
Download our insider threat whitepaper
www.tier-3.com @tier3huntsman
More Related Content

What's hot

10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ EnterprisesNigel Hanson
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Resilient Systems
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatAndrew Case
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1misecho
 
Computer Security Policy
Computer Security PolicyComputer Security Policy
Computer Security Policyeverestsky66
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure OrganizationsHelpSystems
 
information security technology
information security technologyinformation security technology
information security technologygarimasagar
 
Insider threats and countermeasures
Insider threats and countermeasuresInsider threats and countermeasures
Insider threats and countermeasuresKAMRAN KHALID
 
Computing safety
Computing safetyComputing safety
Computing safetytitoferrus
 
How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes ObserveIT
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecurityLock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecuritySmartCompliance
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and TrainingPriyank Hada
 

What's hot (20)

SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
The Accidental Insider Threat
The Accidental Insider ThreatThe Accidental Insider Threat
The Accidental Insider Threat
 
10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises10 Security issues facing NZ Enterprises
10 Security issues facing NZ Enterprises
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)Craft Your Cyber Incident Response Plan (Before It's Too Late)
Craft Your Cyber Incident Response Plan (Before It's Too Late)
 
Proactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider ThreatProactive Measures to Defeat Insider Threat
Proactive Measures to Defeat Insider Threat
 
Chapter 10, part 1
Chapter 10, part 1Chapter 10, part 1
Chapter 10, part 1
 
Mis
MisMis
Mis
 
Computer Security Policy
Computer Security PolicyComputer Security Policy
Computer Security Policy
 
What every executive needs to know about information technology security
What every executive needs to know about information technology securityWhat every executive needs to know about information technology security
What every executive needs to know about information technology security
 
7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations7 Habits of Highly Secure Organizations
7 Habits of Highly Secure Organizations
 
information security technology
information security technologyinformation security technology
information security technology
 
Mis
MisMis
Mis
 
Insider threats and countermeasures
Insider threats and countermeasuresInsider threats and countermeasures
Insider threats and countermeasures
 
Computing safety
Computing safetyComputing safety
Computing safety
 
How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes How to Build an Insider Threat Program in 30 Minutes
How to Build an Insider Threat Program in 30 Minutes
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data SecurityLock it or Lose It: Why Every Company Should be Concerned About Data Security
Lock it or Lose It: Why Every Company Should be Concerned About Data Security
 
22 need-for-security
22  need-for-security22  need-for-security
22 need-for-security
 
Insider Threat Experiences
Insider Threat ExperiencesInsider Threat Experiences
Insider Threat Experiences
 
Security Awareness and Training
Security Awareness and TrainingSecurity Awareness and Training
Security Awareness and Training
 

Similar to Insider threats - Lessons from Snowden (ISF UK Chapter)

Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)Huntsman Security
 
01-introductiontosecurity-111122004432-phpapp02.pdf
01-introductiontosecurity-111122004432-phpapp02.pdf01-introductiontosecurity-111122004432-phpapp02.pdf
01-introductiontosecurity-111122004432-phpapp02.pdfRiyaSonawane
 
17 info sec_ma_imt_27_2_2012
17 info sec_ma_imt_27_2_201217 info sec_ma_imt_27_2_2012
17 info sec_ma_imt_27_2_2012RECIPA
 
Intelligence-based computer network defence: Understanding the cyber kill cha...
Intelligence-based computer network defence: Understanding the cyber kill cha...Intelligence-based computer network defence: Understanding the cyber kill cha...
Intelligence-based computer network defence: Understanding the cyber kill cha...Huntsman Security
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)Zara Nawaz
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxdotco
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxTechnocracy2
 
Internet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of thingsInternet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of thingsHuntsman Security
 
Hidden security and privacy consequences around mobility (Infosec 2013)
Hidden security and privacy consequences around mobility (Infosec 2013)Hidden security and privacy consequences around mobility (Infosec 2013)
Hidden security and privacy consequences around mobility (Infosec 2013)Huntsman Security
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber securityAnimesh Roy
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...cyberprosocial
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight BackMTG IT Professionals
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security BackgroundNicholas Davis
 

Similar to Insider threats - Lessons from Snowden (ISF UK Chapter) (20)

Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)Monitoring security in the externalised organisation (Auscert 2013)
Monitoring security in the externalised organisation (Auscert 2013)
 
IDS Research
IDS ResearchIDS Research
IDS Research
 
01-introductiontosecurity-111122004432-phpapp02.pdf
01-introductiontosecurity-111122004432-phpapp02.pdf01-introductiontosecurity-111122004432-phpapp02.pdf
01-introductiontosecurity-111122004432-phpapp02.pdf
 
17 info sec_ma_imt_27_2_2012
17 info sec_ma_imt_27_2_201217 info sec_ma_imt_27_2_2012
17 info sec_ma_imt_27_2_2012
 
Intelligence-based computer network defence: Understanding the cyber kill cha...
Intelligence-based computer network defence: Understanding the cyber kill cha...Intelligence-based computer network defence: Understanding the cyber kill cha...
Intelligence-based computer network defence: Understanding the cyber kill cha...
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
Window of Compromise
Window of CompromiseWindow of Compromise
Window of Compromise
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Security & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptxSecurity & Risk Mgmt_WK1.pptx
Security & Risk Mgmt_WK1.pptx
 
Internet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of thingsInternet of Things: Dealing with the enterprise network of things
Internet of Things: Dealing with the enterprise network of things
 
Hidden security and privacy consequences around mobility (Infosec 2013)
Hidden security and privacy consequences around mobility (Infosec 2013)Hidden security and privacy consequences around mobility (Infosec 2013)
Hidden security and privacy consequences around mobility (Infosec 2013)
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
internet security and cyber lawUnit1
internet security and  cyber lawUnit1internet security and  cyber lawUnit1
internet security and cyber lawUnit1
 
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
Safeguarding Your Business: Understanding, Preventing, and Responding to Data...
 
Information security
Information securityInformation security
Information security
 
Information Leakage - A knowledge Based Approach
Information Leakage - A knowledge Based ApproachInformation Leakage - A knowledge Based Approach
Information Leakage - A knowledge Based Approach
 
6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back6 Biggest Cyber Security Risks and How You Can Fight Back
6 Biggest Cyber Security Risks and How You Can Fight Back
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 

More from Huntsman Security

Infosecurity Europe 2016 - Low-friction Security
Infosecurity Europe 2016 - Low-friction SecurityInfosecurity Europe 2016 - Low-friction Security
Infosecurity Europe 2016 - Low-friction SecurityHuntsman Security
 
Infosec 2015 - Using threat intelligence to improve security response
Infosec 2015 - Using threat intelligence to improve security responseInfosec 2015 - Using threat intelligence to improve security response
Infosec 2015 - Using threat intelligence to improve security responseHuntsman Security
 
Huntsman - Threat intelligence (for IAP2015)
Huntsman - Threat intelligence (for IAP2015)Huntsman - Threat intelligence (for IAP2015)
Huntsman - Threat intelligence (for IAP2015)Huntsman Security
 
Huntsman - Internet of things (for IAP2015)
Huntsman - Internet of things (for IAP2015)Huntsman - Internet of things (for IAP2015)
Huntsman - Internet of things (for IAP2015)Huntsman Security
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPHuntsman Security
 
Using automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operationsUsing automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operationsHuntsman Security
 

More from Huntsman Security (6)

Infosecurity Europe 2016 - Low-friction Security
Infosecurity Europe 2016 - Low-friction SecurityInfosecurity Europe 2016 - Low-friction Security
Infosecurity Europe 2016 - Low-friction Security
 
Infosec 2015 - Using threat intelligence to improve security response
Infosec 2015 - Using threat intelligence to improve security responseInfosec 2015 - Using threat intelligence to improve security response
Infosec 2015 - Using threat intelligence to improve security response
 
Huntsman - Threat intelligence (for IAP2015)
Huntsman - Threat intelligence (for IAP2015)Huntsman - Threat intelligence (for IAP2015)
Huntsman - Threat intelligence (for IAP2015)
 
Huntsman - Internet of things (for IAP2015)
Huntsman - Internet of things (for IAP2015)Huntsman - Internet of things (for IAP2015)
Huntsman - Internet of things (for IAP2015)
 
Infosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSPInfosec 2014 - Considerations when choosing an MSSP
Infosec 2014 - Considerations when choosing an MSSP
 
Using automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operationsUsing automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operations
 

Recently uploaded

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 

Insider threats - Lessons from Snowden (ISF UK Chapter)

  • 5. Insider threats are
    • Multi-dimensional
    • Can circumvent protective controls
    • Wider than just “Insiders”
      – Contractors, Journalists, Whistle-blowers
      – Advanced Persistent Threats / Trojans - the “weaponising” of insiders
      – Social media risks, “over share”, leaked secrets, exposed plans / locations / staff / details
    • Insiders can cause, or be culpable in causing, breaches
  • 6. Insider threats are a common theme in security surveys
    Threat actor categories across 47,000+ security incidents
    Sources: PwC/BIS UK information security breaches survey 2013, Verizon data breach report 2013, Comptia Information Security Trends 2012
  • 7. What are the components of the solution?
    • Endpoint & content-aware controls
    • System activity, network traffic and behavioural analysis
    • Robust activity monitoring & correlation
    • Privileged & admin accounts
    • Awareness, education and “publicity”
    • Context and threat intelligence
  • 8. Control privileged & admin accounts
    Solutions do exist to control privileged accounts and the process of granting/revoking access for changes and incidents:
    • Some systems are not under your “direct” control, such as cloud applications, managed networks or 3rd parties
    • It is difficult to control what people do with the privileged access they have
    • What works for the NSA might not be as workable in the commercial sector
      – Dual control can be expensive, with high overheads
    • Administrators have wide-ranging power, access and knowledge, so oversight is still needed
  • 9. End-point and content-aware controls
    These control data being extracted, exported or stolen
    • There are several ways you can lose control of your data
      – Beyond the access permissions, encryption, ISMS in your environment
      – When exchanged on CD, USB, network, Dropbox, social media, email, home PCs, mobile devices, cloud or in unstructured storage
    • Businesses need to enable people to transmit/exchange data flexibly
    Limitations
    • End-point/DLP/Proxy solutions may not fully address the risk – encryption can mask data flows / remote systems won’t be protected
    • Encryption of laptops/USB media only protects from unauthorised access
    • Controls need to be part of the wider security and reporting environment
    • The business view of what is, and isn’t, acceptable or risky is not
  • 10. Robust monitoring, correlation and analysis
    It is vital to:
    • Generate logs AND
    • Include systems, networks, applications
    • Incorporate central oversight of other security controls AND
    • Collect them centrally, away from the source AND
    • Analyse and correlate the contents AND
    • Protect access to logs and audit trails AND
    • Separate duties between users, admins, auditors
    If any of these fail, the detective/investigative options erode rapidly
  • 11. Network traffic & behavioural analysis
    It is important to be able to monitor activity based, not on rules, but on deviance from a normal profile:
    • Monitor how people operate – what they do, where, how often
    • Understand how systems work “contextually”
    • Track variable (multiple) baselines of the different data dimensions
    • Recognise anomalies (statistics, thresholds, deviations)
    Early/proactive detection allows an analyst to investigate and diagnose incidents
    Predictive behaviour analysis (i.e. trying to predict when someone is going to misuse systems or steal data) is no better than randomly predicting insider misuse
    “... the FBI moved toward a behavioural detection methodology that has proved far more effective” (source: FBI research)
    “Even if all you can measure is the telemetry to look at prints from a print server, you can look at things like what's the volume, how many and how big are the files, and how often do they do print” – Patrick Reidy, FBI
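    As an added illustration of profiling against a user's own baseline rather than fixed rules (example code written for this page, not the slides' or the Huntsman product's, over constructed print-server telemetry): it learns per-user medians of daily page volume and job count from a baseline week and flags later days whose robust z-score crosses a threshold, covering the volume / count / frequency dimensions in the Reidy quote above.

```python
"""Per-user behavioural baselines over print-server telemetry (added example
with constructed data, not the slides' or Huntsman's code). Daily page volume
and job count are profiled per user from days up to a cutoff; later days are
scored as robust z-scores so each user is compared with their own normal."""
from collections import defaultdict
from statistics import median

# Constructed jobs (user, day, pages): a baseline week, then two days to score.
SAMPLE_JOBS = [
    ("alice", "2013-06-03", 12), ("alice", "2013-06-03", 8), ("alice", "2013-06-04", 10),
    ("alice", "2013-06-05", 15), ("alice", "2013-06-06", 9), ("alice", "2013-06-07", 11),
    ("alice", "2013-06-10", 14), ("alice", "2013-06-11", 640), ("alice", "2013-06-11", 580),
    ("bob", "2013-06-03", 40), ("bob", "2013-06-04", 55), ("bob", "2013-06-05", 38),
    ("bob", "2013-06-06", 60), ("bob", "2013-06-07", 45), ("bob", "2013-06-10", 52),
] + [("bob", "2013-06-11", 6)] * 8  # bob: usual page volume, unusual job count


def daily_totals(jobs):
    """user -> day -> {'pages': total pages printed, 'jobs': number of jobs}."""
    totals = defaultdict(lambda: defaultdict(lambda: {"pages": 0, "jobs": 0}))
    for user, day, pages in jobs:
        totals[user][day]["pages"] += pages
        totals[user][day]["jobs"] += 1
    return totals


def robust_z(value, history, floor=1.0):
    """Deviation of value from history in MAD units (1.4826 scales MAD to a
    standard deviation). A constant history has MAD 0, so the scale is floored."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return (value - med) / max(1.4826 * mad, floor)


def detect_anomalies(jobs, baseline_until, threshold=3.5):
    """(user, day, metric, value, score) for post-cutoff days whose page volume
    or job count deviates from that user's own baseline by >= threshold."""
    findings = []
    for user, days in daily_totals(jobs).items():
        baseline = [d for d in days if d <= baseline_until]  # ISO dates sort as text
        if len(baseline) < 3:  # too little history to profile this user
            continue
        for day in sorted(d for d in days if d > baseline_until):
            for metric in ("pages", "jobs"):
                history = [days[d][metric] for d in baseline]
                score = robust_z(days[day][metric], history)
                if abs(score) >= threshold:
                    findings.append((user, day, metric, days[day][metric], round(score, 1)))
    return findings
```

    Running detect_anomalies(SAMPLE_JOBS, "2013-06-07") flags alice's 1,220-page day on volume and bob's eight-job day on frequency, while bob's 52-page day passes even though it exceeds anything alice prints, because it is normal for bob.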
  • 12. Awareness: What is the point?
    Simple awareness alone won’t defend against:
    • Deliberate attacks
    • Targeted social-engineering or a spear-phishing attack that has been made convincing enough
    • The effects of normal human psychology and behaviours:
      – Whether people care about it
      – Or remember three months on
      – Or understand why it is important
      – Or are tied to a habit or a group behaviour that is different
    • Misuse by people who have knowledge of control weaknesses
    Visible and publicised oversight mechanisms will:
    • Be more memorable than point-in-time eLearning training messages
    • Deter malicious thefts or attacks where control and oversight is obvious
    • Support deterrence, detection and resolution
      – Forcing behaviours and actions which are more evident
    • Enable “accidents” to be used for future education initiatives
      – You can target awareness activities better
      – You can create security “rumble strips”
  • 13. Threat intelligence: the insider context
  • 14. Intelligent monitoring is important
    1. You need to monitor security controls and their operation anyway; compliance with security standards demands it, auditors will ask for it and good practice dictates it
       • PCI-DSS, ISO27001, BIS “10 steps”, GPG13, FISMA agree
    2. The presence of “visible” or “publicised” monitoring controls, and an established track record of detection, is a big deterrent to the malicious insider
       • Detecting and preventing, or otherwise taking action against, a culprit
    3. The monitoring of activity and logs provides the evidence businesses need to take action (civil, criminal, HR) even if the process of detection comes from another source
    4. An accidental breach could have several causes, but will often be an unusual or significant series of events which may be able to be codified in advance, or following an incident
       • Monitoring technology may help to diagnose and prevent future occurrences
    5. Robust monitoring shows what is going on within an organisation, which means oversight processes can be based on the audit records rather than having to expose the original data within investigative activity
  • 15. Solution coverage
    • Endpoint & content-aware controls
    • System activity, network traffic and behavioural analysis
    • Robust activity monitoring & correlation
    • Privileged & admin accounts
    • Awareness, education and “publicity”
    • Context and threat intelligence
  • 16. Questions
    Contact us at: info@tier-3.com, +44 (0) 208 433 6790, +61 (0) 2 9419 3200
    More information at: www.tier-3.com, @tier3huntsman – download our insider threat whitepaper

Editor's Notes

  1. Insider threats can be insidious... and there are several derivatives:
     – Accidental breaches/data losses
     – Deliberate extraction/theft/corruption of data
     – Victims of spear phishing
     – Waterhole attacks
     – Trojans running with user/administrator privilege
     – Paper information etc...