Insider Threats Dashboard is focused on “lateral movement” within the network: server to server within the datacenter, and host to host within a VLAN or segment.
Hover your mouse over the Insider Threats Total Bytes (1.07T) to show that lateral movement is accounted for down to every packet within the network.
Hover your mouse over the application traffic, highlight the SQL traffic spike just before 17:00, and point out the visibility into all applications.
Hover your mouse over the Host Audit table in the bottom left and talk about accounting for all traffic any host has received from other internal servers, and how that supports spotting data exfiltration.
Hover your mouse over the Insider Threat Events in the top right corner and talk about the events triggered when there is Data Hoarding or Data Exfiltration.
Hover your mouse over the pie chart in the bottom right, calling out the Top Insider Threat.
Click on the Insider Threat Details to flip to the next slide and start talking through the details of the insider threat story.
Hover your mouse over the Alarm column to talk about what each alarm means.
Hover your mouse over the Source column and discuss the source of the attack.
Hover your mouse over the Details and discuss the behavioral model. This shows the expected value, or the policy maximum, against the observed value. The policy maximum caps what the model can learn, so it does not over-learn and miss threats.
Hover your mouse over the Mitigation column to talk about how a block can be initiated on an inline device such as an ASA firewall or a null0 route on a router, and that we’ve added the ability to quarantine with ISE.
Click on any entry with the source IP 10.201.0.23 to proceed.
Hover your mouse over the Identity, DHCP, & Host Notes and discuss the context provided: username, MAC address, device type, switch port, and security group tag.
Click your mouse on the “Alarms” tab for details.
Hover your mouse over the top flow and discuss it along with the supporting quick view. Call out the direction of traffic and that the application is a P2P file transfer over 53/udp (the common DNS port).
Hover your mouse over the second flow and discuss the large SQL transfer between the terminal server and the database server.
Click back on the “Insider Threats” dashboard tab to demonstrate drilling into SQL traffic from the dashboard.
In summary, this slide illustrates the stages of the attack. The visual at the bottom helps illustrate the flows above with timelines, applications, and the amount of data transferred.
2:15 PM Edward logs into terminal server
3:40 PM Edward pulls down 38 GB of data
5:12 PM Edward begins pushing the data out of the network using a P2P file transfer over the DNS port (53/udp).
With early warning, the attack could have been stopped at multiple stages.
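The two detections this story rests on, Data Hoarding (the behavioral model in the Details column, with its expected value capped by a policy maximum) and Data Exfiltration (a large P2P transfer riding on 53/udp), can be shown as simple logic over flow records. The block below is an added example written for this page; it is not Stealthwatch code and does not reproduce the product's actual model. The flow records are constructed, the database server 10.10.5.40 and the external peers 203.0.113.9 and 203.0.113.53 are assumed placeholders, and the threshold formula (learned expected value plus a tolerance, capped by the policy maximum) is a simplification chosen for illustration. Only the source IP 10.201.0.23, the 38 GB pull, and the 53/udp detail come from the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space treated as "internal" for lateral-movement accounting (assumed).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass
class Flow:
    ts: str       # time of day, as it would appear in the flow table
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    nbytes: int   # bytes carried by the flow


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample flows (not real data). 10.201.0.23 is the terminal server
# named on the page; the other hosts are placeholders.
FLOWS = [
    Flow("15:40", "10.10.5.40", "10.201.0.23", "tcp", 1433, 38_000_000_000),  # 38 GB SQL pull
    Flow("15:41", "10.10.5.40", "10.201.0.44", "tcp", 1433, 120_000_000),     # normal SQL client
    Flow("17:12", "10.201.0.23", "203.0.113.9", "udp", 53, 9_500_000_000),    # P2P over 53/udp
    Flow("17:13", "10.201.0.44", "203.0.113.53", "udp", 53, 40_000),          # ordinary DNS
]

# Learned "expected" inbound bytes per host from internal servers (constructed),
# and the policy maximum that caps how high the learned threshold may rise.
EXPECTED_INBOUND = {"10.201.0.23": 2_000_000_000, "10.201.0.44": 100_000_000}
POLICY_MAX = 5_000_000_000


def hoarding_threshold(expected: int, policy_max: int, tolerance: float = 0.5) -> float:
    """Alarm threshold = expected value plus tolerance, never above the policy maximum.

    The cap is what keeps a slowly growing transfer pattern from training the
    model to accept itself (the "over-learning" the Details column guards against).
    """
    return min(expected * (1 + tolerance), policy_max)


def detect_data_hoarding(flows, expected=EXPECTED_INBOUND, policy_max=POLICY_MAX):
    """Sum bytes each internal host received from other internal hosts; alarm above threshold."""
    received = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            received[f.dst] += f.nbytes
    alarms = []
    for host, observed in received.items():
        threshold = hoarding_threshold(expected.get(host, 0), policy_max)
        if observed > threshold:
            alarms.append({"alarm": "Data Hoarding", "source": host,
                           "observed": observed, "threshold": threshold})
    return alarms


def detect_dns_port_exfil(flows, max_bytes_per_flow: int = 10_000_000):
    """Flag large udp/53 flows from an internal host to an external one.

    Real DNS exchanges are small; a multi-gigabyte flow on 53/udp is an
    application (here, P2P file transfer) using the port, not DNS.
    """
    alarms = []
    for f in flows:
        if (f.proto == "udp" and f.dport == 53
                and is_internal(f.src) and not is_internal(f.dst)
                and f.nbytes > max_bytes_per_flow):
            alarms.append({"alarm": "Data Exfiltration", "source": f.src,
                           "dest": f.dst, "observed": f.nbytes})
    return alarms


if __name__ == "__main__":
    for alarm in detect_data_hoarding(FLOWS) + detect_dns_port_exfil(FLOWS):
        print(alarm)
```

Run as a script, it prints one Data Hoarding alarm for 10.201.0.23 (observed 38 GB against a 3 GB threshold) and one Data Exfiltration alarm for the same host's 53/udp flow, while the normal SQL client and the ordinary DNS lookup stay quiet. The cap matters on the hoarding side: if the learned expected value had drifted up to 40 GB, the uncapped threshold would be 60 GB and the pull would be missed, but the policy maximum holds the threshold at 5 GB.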