Unintentional Insider Threat featuring Dr. Eric Cole
1. UNINTENTIONAL INSIDER THREAT:
Top Employee Security Mistakes That
Put Your Data at Risk
by Dr. Eric Cole
ecole@secureanchor.com
www.secureanchor.com
Secure Anchor is All Cyber Defense, All of the Time.
PREVENT – DETECT - RESPOND
2. Insiders Are Responsible for 90% of Security Incidents *
Malicious
∙ Fraud/Data Theft
∙ Inappropriate access
∙ Disgruntled employee
Unintentional
∙ Misuse of systems
∙ Log-in/log-out failures
∙ Cloud storage
(Chart: the incidents split 71% / 29% between the two categories.)
* Verizon 2015 Data Breach Investigations Report
* Kaspersky Lab 2016 Security Risks Special Report
Are You Focused on the Correct Area?
3. Nature of Insider Threat
Two main forms of insider threat
● Deliberate/malicious insider
● Accidental/Unintentional insider
Why do insiders become targets?
As external targets become more difficult,
attackers find insiders are an easier avenue to
compromise.
4. The real threat and biggest risk to confidential data is the
negligent employee, more commonly categorized as the
unintentional insider threat.
5. All it Takes is One Click
From an endpoint security perspective, the two most dangerous
applications on the planet are: email and web browsers
6. Insider Threat Current State
● Insider threats are on IT’s radar
● Spending on insider threats will increase
● The financial impact is significant
● Organizations fail to focus on solutions
● Insider threat is often the cause of damage
● Prevention is more a state of mind than a reality
7. Assessing Vulnerability to Insiders
● What information would an adversary target?
● What systems contain the information that attackers would target?
● Who has access to critical information?
● What would be the easiest way to compromise an insider?
● What measures or solutions can IT use to prevent/detect these attacks?
● Does our current budget appropriately address insider threats?
● What would a security roadmap that includes insider threats look like for our
organization?
8. How well is your organization
doing with insider threats?
Write your organization’s report card and
focus on the lowest scoring areas.
*** Findings from a recent survey on Insider Threat
9. How to Effectively Manage Insider Threats
Having Clear Visibility into Employee Actions is Critical.
Lifecycle (from proactive to reactive):
● Educate: Notify employees of company policy
● Deter: Warn that out-of-policy actions will be recorded and reviewed
● Detect: Get a “Stack Ranked” view of the riskiest users
● Investigate: Rapidly discern malicious from benign actions
10. Having Clear Visibility into Employee Actions is Critical
Log Files are Not the Answer
● Too much data to interpret
● Time and manpower to understand
● Can only infer conclusions
User Activity Recording is Key
● Instantly understandable by anyone
● Irrefutable evidence of user actions
11. Educate
Notify employees of company policy violations in real time and in context
● Inform employees of potential policy violations as they occur
● A proven approach to cutting the number of security incidents in half
12. Deter
Show warnings that out-of-policy behavior will be recorded and reviewed
● Warn users against proceeding with dangerous or out-of-policy activities
● Warn that policy violations will be recorded and reviewed
● Malicious users are 80% less likely to continue
13. Detect
● Easy and intuitive user-centric view
● Discover the riskiest users, and gain deep visibility into their present and past activity
● Streamlined incident response: investigate a handful of risky users instead of thousands of tedious false alerts/discrete events
(Chart labels: Data exfiltration; Tipping point; Capture and hide data.)
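The “stack ranked” view of the riskiest users described on this slide comes down to one technique: aggregate many discrete activity events into a per-user risk score and sort, so an analyst reviews a few users rather than thousands of alerts. The script below is an added example, not code from the slides or from ObserveIT’s product. The pipe-delimited log format, the action weights, the 06:00–20:00 working-hours window and the bonus for data being staged (read, copied or mounted) and then uploaded off the network are all assumptions of mine, chosen to reflect the “capture and hide data” followed by “data exfiltration” pattern labelled on the slide’s chart. The sample log is constructed.

```python
"""
Added example: per-user risk scoring and stack ranking over an activity log.
Not from the slides or ObserveIT; format, weights and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (not real data): timestamp|user|action|detail
SAMPLE_LOG = "\n".join([
    "2024-03-01T08:02:11|alice|login|workstation-12",
    "2024-03-01T08:15:40|alice|file_read|smb://fs01/finance/q1.xlsx",
    "2024-03-01T09:01:03|bob|login|workstation-07",
    "2024-03-01T09:05:22|bob|usb_mount|removable drive E:",
    "2024-03-01T09:06:10|bob|file_copy|smb://fs01/finance/q1.xlsx -> E:/q1.xlsx",
    "2024-03-01T09:07:45|bob|cloud_upload|dropbox.com",
    "2024-03-01T10:12:00|carol|login|workstation-03",
    "2024-03-01T10:20:30|carol|policy_warning_dismissed|installed unapproved tool",
    "2024-03-01T22:45:09|dave|login|workstation-21",
    "2024-03-01T22:47:50|dave|file_read|smb://fs01/hr/salaries.csv",
    "2024-03-01T22:48:30|dave|cloud_upload|personal webmail",
])

# Illustrative weights per action type (assumed, not from the page).
ACTION_WEIGHTS = {
    "login": 0,
    "file_read": 1,
    "file_copy": 3,
    "usb_mount": 4,
    "cloud_upload": 6,
    "policy_warning_dismissed": 5,
}
STAGING_ACTIONS = {"file_read", "file_copy", "usb_mount"}  # "capture and hide data"
EXFIL_ACTIONS = {"cloud_upload"}                           # "data exfiltration"
CHAIN_BONUS = 10      # staged data followed by an upload off the network
OFF_HOURS_BONUS = 2   # per non-login action outside 06:00-20:00 (assumed window)


def parse_events(log_text):
    """Parse pipe-delimited lines into (timestamp, user, action, detail) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, action, detail))
    return events


def score_user(events):
    """Score one user's time-ordered events. Returns (score, list of reasons)."""
    score = 0
    reasons = []
    staged = False  # has this user touched/staged data since the last upload?
    for ts, _user, action, detail in events:
        weight = ACTION_WEIGHTS.get(action, 1)  # unknown action types still count a little
        if weight:
            score += weight
            reasons.append(f"{action} ({detail}) +{weight}")
        if action != "login" and not 6 <= ts.hour < 20:
            score += OFF_HOURS_BONUS
            reasons.append(f"off-hours {action} at {ts:%H:%M} +{OFF_HOURS_BONUS}")
        if action in STAGING_ACTIONS:
            staged = True
        elif action in EXFIL_ACTIONS and staged:
            # The sequence matters more than either event alone.
            score += CHAIN_BONUS
            reasons.append(f"staged data followed by {action} +{CHAIN_BONUS}")
            staged = False
    return score, reasons


def rank_users(log_text):
    """Return [(user, score, reasons), ...] sorted riskiest first."""
    by_user = defaultdict(list)
    for event in sorted(parse_events(log_text)):
        by_user[event[1]].append(event)
    ranked = [(user, *score_user(evs)) for user, evs in by_user.items()]
    ranked.sort(key=lambda row: (-row[1], row[0]))
    return ranked


if __name__ == "__main__":
    for user, score, reasons in rank_users(SAMPLE_LOG):
        print(f"{user:<8} {score:>3}")
        for reason in reasons:
            print(f"    {reason}")
```

The point of the chain bonus is that a single `cloud_upload` or `file_read` is routine, whereas the ordered pair is what the slide calls the tipping point; scoring the sequence rather than each event in isolation is what lets the ranked list surface the two users worth a session review while leaving the routine ones at the bottom. Real deployments would tune the weights per role and data classification and feed the reasons list to the investigator alongside the recording.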
14. Investigate
● Video session replay provides context to rapidly discern malicious from benign actions
● Accelerate investigations from weeks/months to minutes/hours
15. Typical Deployment
● Doesn’t impact stability of the machine
● Scalable beyond thousands of devices
● The agent runs in user mode (ObserveIT is not kernel-based)
● Offline mode enabled
(Diagram: endpoint Agents send HTTP traffic through a switch to the ObserveIT Application Server, which exchanges SQL traffic with the Database Server; the ObserveIT Admin works through the ObserveIT Web Console.)
16. The Benefits of Addressing the Insider Threat
Quicker resolution and enforcement of company policies, which creates a more secure and
compliant environment around your protected information
● A steep decline in the number of inappropriate accesses
● A reduction in the amount of time spent detecting and investigating incidents
● A heightened awareness of security throughout the organization
● A dramatic shift in the culture of security and compliance
● More efficient compliance with regulatory requirements
● Achievement of security goals with no additional staff resources
17. ObserveIT Delivers Instant ROI – Reducing Security Incidents
(Chart: number of incidents, y-axis 0 to 1000, plotted across the four lifecycle stages Educate, Deter, Detect and Investigate.)
● Educate: Notify employees of company policy
● Deter: Warn that policy violations and their actions will be recorded and reviewed
● Detect: Get a “Stack Ranked” view of the riskiest users
● Investigate: Rapidly discern malicious from benign actions
18. Fact: Your Authorized Users Represent Your Greatest Risk!
Insider threats are far more difficult to detect and prevent than external attacks. (Insider Threat Report)
75% of insider threats go unnoticed. (CERT Insider Threat Center)
Insider threats are twice as costly and damaging as external threats. (CERT Insider Threat Center)
(Chart: Attack Detection time in months; insider attacks 32 months vs. external attacks 6 months.)
19. Conclusion
● Perform damage assessment of threats
● Map past and current investment against threats
● Determine exposure to insider threats
● Create attack models to identify exposures
● Identify root-cause vulnerabilities
● Block and remove the vector of the attack
● Control flow of inbound delivery methods
● Filter on executable, mail and web links
● Monitor and look for anomalies in outbound activity