The problem of insider security threats is not a new one, but with the recent whistle-blowing cases in the US it has been into sharp relief for organisations who have sensitive data and wish to protect it from exposure or compromise.

1. Insider Threats:
Lessons from Snowden
Piers Wilson
Tier-3 Huntsman® - Head of Product Management

2. About Tier-3 / Huntsman
2
• Tier-3
– Australian/UK based
security software
company
– Established 1999
– Pioneer of Behavioural
Anomaly Detection
(BAD) technology within
SIEM products
• Huntsman
– Intelligent SIEM solution
– Full event correlation and behavioural
profiling, anomaly detection and alerting
– Automatic response capability
– Targeted at security-critical large
enterprises and government
– In-built compliance monitoring support
for PCI-DSS, ISO27001, GPG13, FISMA
– Multi-tenancy support
© 2013 Tier-3 Pty Limited. All rights reserved.

3. Protective security has a role
3
• A barrier between those who
have access and those who
don’t:
– Encryption means those that need access will
get it, and those that don’t do not
– Access controls limit what data users can access
and what they can do with it
– Firewalls constrain the types of network traffic
systems can exchange
• Often controls are several layers
deep:
– Network
– Server
– Application
– End point
© 2013 Tier-3 Pty Limited. All rights reserved.

4. The insider threat picture is complex
4© 2013 Tier-3 Pty Limited. All rights reserved.
"You're dealing
with authorized
users doing
authorized things
for malicious
purposes.”
Patrick Reidy, CISO
for the FBI
Insider
Threats
Physical
Electronic
Ethical
Deliberate
Accidental
Whistle
blowing
Insider
community
Motivation
Genuine
losses
Media
Fame
Breaching
data
Negligence
Revenge
Network
USB/Disk
Paper
Granting
access/tail gating
Verbal
Normal
users
System
admins
External parties
Relationship
Customers Contractors Staff
Journalists
Trojans/
APTs
Social media
Waterholes

5. Insider threats are
5© 2013 Tier-3 Pty Limited. All rights reserved.
• Multi-dimensional
• Can circumvent protective controls
• Wider than just “Insiders”
– Contractors, Journalists, Whistle-blowers
– Advanced Persistent Threats / Trojans - the “weaponising” of
insiders
– Social media risks, “over share”, leaked secrets, exposed plans /
locations / staff / details
• Insiders can cause, or be culpable in causing,
breaches

6. Insider threats are a common theme in
security surveys
6© 2013 Tier-3 Pty Limited. All rights reserved.
Threat actor
categories
across
47,000+
security
incidents
Sources:
PwC/BIS UK information security breaches survey 2013, Verizon data breach report 2013, Comptia Information
Security Trends 2012

7. What are the components of the solution
7© 2013 Tier-3 Pty Limited. All rights reserved.
Endpoint &
content-aware
controlsSystem activity,
network traffic
and
behavioural
analysis
Robust activity
monitoring &
correlation
Privileged &
admin accounts
Awareness,
education and
“publicity”
Context and
threat
intelligence

8. Control privileged & admin accounts
8© 2013 Tier-3 Pty Limited. All rights reserved.
Solutions do exist to control privileged accounts and the
process of granting/revoking access for changes and
incidents:
• Some systems are not under your “direct” control such as cloud
applications, managed networks or 3rd parties
• It is difficult to control what people do with the privileged access
they have
What works for the NSA might not be as workable in the
commercial sector
• Dual control can be expensive, with high overheads
Administrators have wide ranging power, access and
knowledge so oversight is still needed

9. End-point and content-aware controls
9© 2013 Tier-3 Pty Limited. All rights reserved.
These control data being extracted, exported or stolen
• There are several ways you can lose control of your data
– Beyond the access permissions, encryption, ISMS in your environment
– When exchanged on CD, USB, network, Dropbox, social media, email,
home PC’s, mobile devices, cloud or in unstructured storage
• Businesses need to enable people to transmit/exchange data
flexibly
Limitations
• End-point/DLP/Proxy solutions may not fully address the risk
– encryption can mask data flows / remote systems won’t be protected
• Encryption of laptops/USB media only protects from unauthorised
access
• Controls need to be part of the wider security and reporting
environment
• The business view of what is, and isn’t, acceptable or risky is not

10. Robust monitoring, correlation and analysis
10© 2013 Tier-3 Pty Limited. All rights reserved.
It is vital to:
• Generate logs
AND
• Include systems, networks, applications
• Incorporate central oversight of other security
controls
AND
• Collect them centrally, away from the source
AND
• Analyse and correlate the contents
AND
• Protect access to logs and audit trails
AND
• Separate duties between users, admins,
auditors
If any of these fail the detective/investigative options erode rapidly

11. Network traffic & behavioural analysis
11© 2013 Tier-3 Pty Limited. All rights reserved.
It is important to be able to monitor activity based, not on rules,
but on deviance from a normal profile:
• Monitor how people operate – what they do, where, how often
• Understand how systems work “contextually”
• Track variable (multiple) baselines of the different data dimensions
• Recognise anomalies (statistics, thresholds, deviations)
Early/proactive detection allows an analyst to investigate
and diagnose incidents
Predictive behaviour analysis (i.e. trying to predict when someone is going to misuse
systems or steal data) is no better than randomly predicting insider misuse
“ ... the FBI moved toward a behavioural detection methodology that has proved far more
effective” (source: FBI research)
“Even if all you can measure is the
telemetry to look at prints from a
print server, you can look at things
like what's the volume, how many
and how big are the files, and how
often do they do print”
Patrick Reidy, FBI

12. Awareness: What is the point?
12© 2013 Tier-3 Pty Limited. All rights reserved.
Simple Awareness alone won’t defend against:
• Deliberate attacks
• Targeted social-engineering or a spear-phishing
attack that has been made convincing enough
• The effects of normal human psychology and
behaviours:
• Whether people care about it
• Or remember three months on
• Or understand why it is important
• Or are tied to a habit or a group behaviour that is
different
• Misuse by people who have knowledge of control
weaknesses
Visible and publicised oversight mechanisms
will:
• Be more memorable than point-in-time eLearning
training messages
• Deter malicious thefts or attacks where control
and oversight is obvious
• Support deterrence, detection and resolution
• Forcing behaviours and actions which are more
evident
• Enable “accidents” to be used for future education
initiatives
• You can target awareness activities better
• You can create security “rumble strips”

13. Threat intelligence: the insider context
13© 2013 Tier-3 Pty Limited. All rights reserved.

14. Intelligent monitoring is important
14© 2013 Tier-3 Pty Limited. All rights reserved.
1
You need to monitor security controls and their operation
anyway, compliance with security standards demands it,
auditors will ask for it and good practice dictates it
• PCI-DSS, ISO27001, BIS “10 steps”, GPG13, FISMA
agree
4
An accidental breach could have several causes;
but will often be an unusual or significant series of
events which may be able to be codified in
advance, or following an incident
• Monitoring technology may help to diagnose and
prevent future occurrences
3The monitoring of activity and logs provides the evidence
businesses need to take action (civil, criminal, HR) even
if the process of detection comes from another source
2
The presence of “visible” or “publicised” monitoring
controls and an established track record of
detection, is a big deterrent to the malicious
insider
• Detecting and preventing or to otherwise taking
action against a culprit
5
Robust monitoring shows what is going on within an
organisation which means oversight processes can be
based on the audit records, rather than having to expose
the original data within investigative activity

15. Endpoint &
content-aware
controlsSystem activity,
network traffic
and
behavioural
analysis
Robust activity
monitoring &
correlation
Privileged &
admin accounts
Awareness,
education and
“publicity”
Context and
threat
intelligence
Solution coverage
15© 2013 Tier-3 Pty Limited. All rights reserved.

16. Copyright © Tier-3 Pty Ltd, 2013. All rights
16
Questions
Contact us at:
info@tier-3.com
+44 (0) 208 433 6790 +61 (0) 2 9419 3200
More information at:
Download our insider threat whitepaper
www.tier-3.com @tier3huntsman