You've caught an Insider Threat, now what?
The Human Side of Insider Threat Investigations
Doug Sampson, Founder & CEO at Soteritech
Copyright 2016 Soteritech LLC
Context
● Assume: Robust Program Installed
● Our Scenario… A Threat is Detected

Dashboard
A Threat Detected
Examples
● Repeated access attempts
● Secret discussions at lunch
● Confidential emails sent home
● Cell phone in the SCIF
● Documents to competitors
● Why do people turn?
● So what’s next?
The Hub
● Notification comes in
● Triage within 10 minutes
● Initial level assigned
  ● Green (low risk potential, no further investigation needed)
  ● Yellow (unsure risk potential, needs immediate initial investigation)
  ● Red (sure risk, needs immediate investigation and action)
Green
● Person’s behavior is deemed normal for his or her job function and responsibility level
● Examples

Yellow
● Questionable behavior that deserves further investigation
● Widest reporting of incidents
● Could be broken down further
● Broad range of
  ● Communication
  ● Collection
  ● Consequence
● Examples

Red
● Behavior unacceptable and against company policy
● Significant information gathering (proof)
● Severe consequences
● Examples
Hub Communication
Communicate with certain groups based on severity scale
● Green – maintain internal log
● Yellow – involve HR, IT, Security Office, Legal and Exec (possibly Govt - COTR) depending on level
● Red – involve HR, IT, Legal, Security Office, Exec, COTR (if applicable) and Authorities

Employee Communication
● Green – none
● Yellow – mild to moderate/intense
● Red – intense/severe
ITPM Responsibility: Know Where You Stand
Know your organization’s policies and stance
● Employee Agreement
● Rules of Behavior
● Handling of Trade Secrets
● Employee Training
● Manager/Exec Training
● Consequences

ITPM Activity
● Do Your Homework… Investigate quickly
● Collect data – start case
● Engage with HR, Legal, Finance, IT, Exec-Level
● Possibly… talk to manager/supervisor depending on situation
● Engage the right people, and
● Prepare to have a frank conversation with the employee
Conversations
● Logistics
● Who to have involved?
● How to prepare?
● What if they go sour?
● What to do?

Yellow Stage 1
Scenario: Attempting to access unauthorized shared drive folders
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring
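As an added example (not from the Soteritech deck or from ObserveIT), here is how the Yellow Stage 1 scenario can feed the hub's triage step. The code walks constructed file-share audit events, counts repeated denied accesses per user inside a sliding window, assigns the deck's Green or Yellow initial level, and returns the groups the Hub Communication slide says to involve together with the ten-minute triage deadline. The event format, the window length, the YELLOW_AT threshold and every function name are assumptions made here.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-share audit events: (user, ISO timestamp, folder, result).
# The shape is an assumption made for this example; a real feed would be the
# file server's or DLP tool's access audit log.
SAMPLE_EVENTS = [
    ("alice", "2016-03-01T09:00:00", r"\\fs01\eng\shared",      "ALLOWED"),
    ("bob",   "2016-03-01T09:02:10", r"\\fs01\finance\payroll", "DENIED"),
    ("bob",   "2016-03-01T09:02:45", r"\\fs01\finance\payroll", "DENIED"),
    ("bob",   "2016-03-01T09:03:30", r"\\fs01\finance\board",   "DENIED"),
    ("bob",   "2016-03-01T09:04:05", r"\\fs01\finance\board",   "DENIED"),
    ("carol", "2016-03-01T10:15:00", r"\\fs01\hr\reviews",      "DENIED"),
    ("carol", "2016-03-01T14:40:00", r"\\fs01\hr\reviews",      "DENIED"),
]

# Groups to involve per level, as listed on the deck's Hub Communication slide.
HUB_GROUPS = {
    "Green":  ["internal log"],
    "Yellow": ["HR", "IT", "Security Office", "Legal", "Exec"],
    "Red":    ["HR", "IT", "Legal", "Security Office", "Exec", "Authorities"],
}

# Assumed tuning for this example: how many denied attempts inside one window
# make the pattern "questionable" rather than a one-off typo or stale shortcut.
WINDOW = timedelta(minutes=10)
YELLOW_AT = 3
TRIAGE_SLA = timedelta(minutes=10)   # "Triage within 10 minutes" (The Hub slide)


def denied_bursts(events, window=WINDOW):
    """For each user with at least one DENIED event, return
    (largest number of DENIED events inside any window-long interval,
     sorted list of distinct folders denied).
    A sliding window over sorted timestamps keeps a user whose occasional
    denials are hours apart at a burst size of 1."""
    stamps = defaultdict(list)
    folders = defaultdict(set)
    for user, ts, folder, result in events:
        if result == "DENIED":
            stamps[user].append(datetime.fromisoformat(ts))
            folders[user].add(folder)
    bursts = {}
    for user, times in stamps.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        bursts[user] = (best, sorted(folders[user]))
    return bursts


def initial_level(burst):
    """Map a burst size to the deck's initial level. Red is never assigned
    here on purpose: the deck reserves Red for "sure risk" backed by proof,
    which a count of denied requests cannot establish; raising Yellow to Red
    is the analyst's call after the initial investigation."""
    return "Yellow" if burst >= YELLOW_AT else "Green"


def triage(events, notified_at):
    """Open one case record per flagged user: the initial level, who the hub
    must involve, the evidence collected so far, and the triage deadline."""
    triage_by = (datetime.fromisoformat(notified_at) + TRIAGE_SLA).isoformat()
    cases = {}
    for user, (burst, folders) in denied_bursts(events).items():
        level = initial_level(burst)
        cases[user] = {
            "level": level,
            "notify": HUB_GROUPS[level],
            "evidence": {"denied_in_window": burst, "folders": folders},
            "triage_by": triage_by,
        }
    return cases


if __name__ == "__main__":
    for user, case in triage(SAMPLE_EVENTS, "2016-03-01T09:05:00").items():
        print(f"{user}: {case['level']} -> notify {case['notify']}; "
              f"{case['evidence']}; triage by {case['triage_by']}")
```

On the constructed sample, bob's four denials against two finance folders inside two minutes open a Yellow case for HR, IT, Security Office, Legal and Exec, while carol's two denials hours apart stay Green and only go to the internal log. The case record carries the evidence (burst size and folder list) so the "collect data – start case" step of ITPM Activity has something concrete to hand to the conversation.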
Yellow Stage 2
Scenario: Employee overheard talking about the new rocket guidance kit to a fellow employee at a local restaurant
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 3
Scenario: Sending confidential work emails home
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 4
Scenario: Getting caught in a SCIF with an unauthorized PED
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 5
Scenario: Being witnessed giving classified documents/hardware/thumb drives to competitors/foreign nationals
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Red
Scenario: Leaving the premises with prototype radar sensors
● HUB communications
● Pre-discussion preparations
● Situational awareness
● Discussion Parts 1&2
● Successful outcomes
● Unsuccessful outcomes
Conversation Plan
Conversation Decision Tree (flowchart; each node branches on the employee's Yes / No answer)
● Accusation – Are you aware? Yes / No
● Provide Proof – Do you understand consequences? Yes / No
● Explain improvement plan – Do you accept? Yes / No
● Explain unacceptable behavior – Do you accept? Yes / No
● Explain consequences – Do you understand? Yes / No
● Explain improvement plan – Do you accept? Yes / No
● Explain consequences – Do you understand? Yes / No
How to Get Better at the Conversation
● Simulation/Role Play
● Repetition

Questions
Doug Sampson
Soteritech, LLC (@soteritech)
doug.Sampson@soteritech.com
571-393-3801

David Mai
ObserveIT (observeIT.com)
david.mai@observeit.com
617-946-0243

  • 15. ● Pre-discussion preparations ● Situational awareness ● Discussion Part 1: Accusation ● Discussion Part 2: Consequences ● Successful outcomes ● Un-successful outcomes ● Monitoring Yellow Stage 2 Scenario: Employee overhead talking about the new rocket guidance kit to a fellow employee at a local restaurant
  • 16. ● Pre-discussion preparations ● Situational awareness ● Discussion Part 1: Accusation ● Discussion Part 2: Consequences ● Successful outcomes ● Un-successful outcomes ● Monitoring Yellow Stage 3 Scenario: Sending confidentical work emails home
  • 17. Yellow Stage 4 Scenario: Getting caught in a SCIF with an unauthorized PED ● Pre-discussion preparations ● Situational awareness ● Discussion Part 1: Accusation ● Discussion Part 2: Consequences ● Successful outcomes ● Un-successful outcomes ● Monitoring
  • 18. Yellow Stage 5 Scenario: Being witnessed giving classified documents/hardware/thumb drives to competitors/foreign nationals ● Pre-discussion preparations ● Situational awareness ● Discussion Part 1: Accusation ● Discussion Part 2: Consequences ● Successful outcomes ● Un-successful outcomes ● Monitoring
  • 19. ● HUB communications ● Pre-discussion preparations ● Situational awareness ● Discussion Parts 1&2 ● Successful outcomes ● Un-successful outcomes Red Scenario: Leaving the premises with prototype radar sensors
  • 20. Conversation Decision Tree Accusation - Are you aware? YesNo Provide Proof – Do you understand consequences? YesNo Explain improvement plan – Do you accept? YesNo Explain unacceptable behavior – Do you accept? YesNo Explain consequences – Do you understand? YesNo Explain improvement plan – Do you accept? YesNo Explain consequences – Do you understand? YesNo
  • 22. ● Simulation/Role Play ● Repetition How to Get Better at the Conversation
  • 23. Doug Sampson Soteritech, LLC (@soteritech) doug.Sampson@soteritech.com 571-393-3801 Questions David Mai ObserveIT(observeIT.com) david.mai@observeit.com 617-946-0243
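The deck assumes a robust program is already in place and that the hub receives a notification with an initial Green/Yellow/Red level. As an added example that is not part of the original deck, the following Python script shows one way such a notification could be produced for the "Repeated access attempts" example and the Yellow Stage 1 scenario (attempting to access unauthorized shared drive folders): it parses constructed file-share audit records, compares each access against the user's authorized shares, and maps the result onto the deck's scale. The event format, the user-to-share authorization table, the 30-minute window, the threshold of three denied attempts, and the rule that a successful out-of-scope access is rated Red (the access control failed and data was actually reachable, which is the kind of "proof" the Red slide calls for) are all assumptions for illustration, not anything the deck or any product defines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not from the original deck). Assumed format:
#   <ISO timestamp> <user> <UNC share path> <allowed|denied>
SAMPLE_EVENTS = r"""
2016-03-01T09:00:05 jdoe \\fs01\engineering\guidance denied
2016-03-01T09:00:41 jdoe \\fs01\engineering\guidance denied
2016-03-01T09:01:12 jdoe \\fs01\finance\payroll denied
2016-03-01T09:02:30 jdoe \\fs01\engineering\guidance denied
2016-03-01T09:15:00 jdoe \\fs01\marketing\campaigns allowed
2016-03-01T10:00:00 asmith \\fs01\engineering\guidance allowed
2016-03-01T10:05:00 asmith \\fs01\engineering\guidance allowed
2016-03-01T11:00:00 bwong \\fs01\finance\payroll allowed
2016-03-01T11:30:00 bwong \\fs01\engineering\guidance allowed
"""

# Assumed authorization table: share prefixes each user needs for their job function.
# In practice this would come from the access-review / entitlement system.
AUTHORIZED_SHARES = {
    "jdoe":   {r"\\fs01\marketing"},
    "asmith": {r"\\fs01\engineering"},
    "bwong":  {r"\\fs01\finance"},
}


def parse_events(text):
    """Parse the constructed audit format into (timestamp, user, share, outcome) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, share, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, share, outcome))
    return events


def in_scope(user, share, authorized):
    """True if the share is under one of the user's authorized prefixes (case-insensitive)."""
    s = share.lower()
    for prefix in authorized.get(user, ()):
        p = prefix.lower().rstrip("\\")
        if s == p or s.startswith(p + "\\"):
            return True
    return False


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any sliding window of the given length."""
    timestamps = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(timestamps):
        while t - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, authorized, window=timedelta(minutes=30), yellow_at=3):
    """Assign an initial level per user using the deck's Green/Yellow/Red scale.

    Assumed mapping: Green = only in-scope activity or isolated denials;
    Yellow = repeated denied out-of-scope attempts (questionable, investigate);
    Red = an out-of-scope share was actually reached (policy violation with proof).
    """
    denied = defaultdict(list)   # user -> timestamps of denied out-of-scope attempts
    reached = defaultdict(set)   # user -> out-of-scope shares successfully opened
    for ts, user, share, outcome in events:
        if in_scope(user, share, authorized):
            continue
        if outcome == "denied":
            denied[user].append(ts)
        elif outcome == "allowed":
            reached[user].add(share)

    result = {}
    for user in sorted(set(authorized) | {e[1] for e in events}):
        burst = max_in_window(denied[user], window) if denied[user] else 0
        if reached[user]:
            level, reason = "Red", f"reached out-of-scope share(s): {sorted(reached[user])}"
        elif burst >= yellow_at:
            level, reason = "Yellow", f"{burst} denied out-of-scope attempts within {window}"
        else:
            level, reason = "Green", "no out-of-scope activity above threshold"
        result[user] = (level, reason)
    return result


if __name__ == "__main__":
    for user, (level, reason) in triage(parse_events(SAMPLE_EVENTS), AUTHORIZED_SHARES).items():
        print(f"{user:8} {level:7} {reason}")
```

On the constructed input, jdoe's four denials inside a few minutes come out Yellow (the Stage 1 scenario: investigate, then have the conversation), asmith stays Green because engineering access is normal for that job function, and bwong is Red because a finance user actually opened the engineering share, which is both a policy question for the hub and an access-control gap for IT to close before the conversation takes place.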