CA Tech Forum 16 presentation - Cybersecurity - How Do I Know When I'm Doing Enough by Heath Nieddu


Upload: government-technology

Post on 12-Apr-2017


TRANSCRIPT

Page 1: CA Tech Forum 16 presentation -Cybersecurity - How Do I Know When Im Doing Enough by Heath Nieddu

Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.

Just enough cybersecurity: an insider threat perspective

August 11th, 2016, Ca Tech Forum

• Optiv, oCISO, Solutions Research & Development

Page 2

Agenda (15 minutes or so)

• Insider Threat: No easy button
– Who are insider threats
– A functional model to describe how much
– Elevating our thinking on security investment

Heath Nieddu, CISSP, MBA
Senior Information Security Analyst
Optiv
[email protected]
@HeathNieddu (twitter)

Page 3

Who are insider threats and what’s the impact?

• Percent of cases related to each motive (CMCERT)
– Fraudsters: 37%
– System Saboteurs: 21%
– Espionage: 19%
– IP Thieves: 14%
– Misc: 8%
• VDBIR: around 20%
• Kroll: 75% of companies suffer fraud, 80% from insiders
• CMCERT: 16% of insider activity occurs in government organizations (Cole, 2005)
• CMCERT: 2012, avg. $1.7 million; over half under $50k (CG, CH2)

Page 4

How much is enough for insider threats?

Common responses

A) Nothing in particular
B) Broad but concerted, and
C) Behavior anomaly detection

Page 5

Is “How much?” the right question?

One dimensional thinking

• Transactional
• Security as insurance: a cost of doing business
• Alternatives within this approach:
– Benchmark spending (2.5-6% of IT, but growing)
– Follow regulation
– Certifications
– External audits
– Buy insurance

Page 6

“What kinds of cybersecurity?”

Two dimensional thinking

• Efficiency with a mix of investments.
• Where and what are crown jewels?

[Chart: investment mix] Tech 34%, People 33%, Process 33%

Page 7

“Put your money where your business drivers are”

Source: “SANS Security Spending Trends 2016”

Page 8

“What risk posture?”

Three dimensional thinking

• Picking options to achieve risk posture

Page 9

HOW TO ESTABLISH APPROPRIATE POSTURE IN INSIDER THREAT?

Page 10

Program Maturity Model: What level? What posture?

Aware

Insider threat is viewed as an incident response issue. An incident probably raised the level of awareness by the CISO and SOC staff.

Reactive

Insider threat is viewed as a problem that needs extra attention. Historical incidents are known and guide the program state.

Adaptive

Insider threat is approached with a secondary, iterative wave of remediation and plans are implemented.

Purposeful

Insider threat management is a pillar of security strategy.

Strategic

Insider threat management is an enabler of business strategy.

Page 11

Functional Maturity Model

Page 12

Expressing Risk Posture in Terms of Maturity

Maturity levels (1 to 5): Aware, React, Adapt, Purposeful, Strategic

Functional area          Posture (level)
Program Governance       5 (Strategic)
Identity Management      3 (Adapt)
Data Access Governance   4 (Purposeful)
Detection and Response   2 (React)

Page 13

“It depends”: Decision points that allow you to shape your risk posture

• Gravity of potential damage caused by the compromise of critical assets, and vulnerability of those assets
• Organizationally broad or focused
• Cultural themes
• Level of effort by security team
• Risk appetite of culture

Page 14

Measuring success

• Percent of identified critical data actively managed (data owner, classification, controls applied and monitored, and fresh access program implemented and audited)
• Impact reduction (with main assumptions highlighted for periodic review)
• Dormant identity rate
• Rate of insider initiated incidents
• Privileged user monitoring rate
• Employee reporting false positive rate
• Anomaly detection alerting false positive rate
• Business alignment ratio (number of mutual objectives)
• Insider threat incident review rate
• Sensitive Access Roles Rotation
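An added example, not part of the deck, of how four of the metrics above can be computed from a small identity inventory, critical-data register and alert triage log; the record layout, the sample data and the 90-day dormancy threshold are assumptions.

```python
# Added example (not from the slide deck): four "Measuring success" metrics
# computed from constructed data; layout and 90-day threshold are assumptions.
from datetime import date, timedelta

TODAY = date(2016, 8, 11)            # reference date for dormancy checks
DORMANT_AFTER = timedelta(days=90)   # assumed dormancy threshold

# Constructed identity inventory: (user, privileged, monitored, last_login)
IDENTITIES = [
    ("alice", True, True, date(2016, 8, 10)),
    ("bob", True, False, date(2016, 8, 1)),
    ("carol", False, False, date(2016, 3, 2)),  # idle for more than 90 days
    ("dave", False, False, None),               # never logged in
    ("erin", True, True, date(2016, 7, 30)),
]

# Constructed critical-data register; a dataset counts as "actively managed"
# only when all four attributes the slide lists are in place.
CRITICAL_DATA = [
    {"name": "payroll", "owner": "hr", "classification": "restricted",
     "controls_monitored": True, "access_reviewed": True},
    {"name": "citizen-records", "owner": "registrar", "classification": "restricted",
     "controls_monitored": True, "access_reviewed": False},
    {"name": "gis-archive", "owner": None, "classification": None,
     "controls_monitored": False, "access_reviewed": False},
]

# Constructed anomaly-alert triage outcomes: True = confirmed, False = benign.
ALERT_OUTCOMES = [False, False, True, False, False, False, False, True, False, False]

def dormant_identity_rate(identities, today=TODAY):
    """Share of identities with no login within DORMANT_AFTER days."""
    dormant = sum(1 for _, _, _, last in identities
                  if last is None or today - last > DORMANT_AFTER)
    return dormant / len(identities)

def privileged_user_monitoring_rate(identities):
    """Share of privileged identities whose activity is monitored."""
    monitored = [mon for _, priv, mon, _ in identities if priv]
    return sum(monitored) / len(monitored)

def critical_data_managed_pct(register):
    """Percent of datasets with owner, classification, monitored controls, access review."""
    managed = sum(1 for d in register if d["owner"] and d["classification"]
                  and d["controls_monitored"] and d["access_reviewed"])
    return 100.0 * managed / len(register)

def alert_false_positive_rate(outcomes):
    """Share of triaged anomaly alerts that turned out to be benign."""
    return outcomes.count(False) / len(outcomes)
```

Reporting these as trends over time (rather than a single snapshot) is what makes them usable as the performance benchmarks the next slide argues for.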

Page 15

Benchmarking Performance Instead of Spend

Public Corruption of State Officials (Dep of Justice)

2003
Status           Raw   Incident/Pop
Charged           94   .32
Convicted         87   .3
Awaiting Trial    38   .13

2013
Status           Raw   Incident/Pop
Charged          133   .42
Convicted        119   .38
Awaiting Trial    68   .22

Page 16

Contact

Heath Nieddu
Senior Research Analyst, Optiv
[email protected]
@HeathNieddu (twitter)

Page 17

Thank you.

Page 18

Developing a Framework

Goal: Create a strategy that incorporates all aspects of insider threat models into a single maturity model and security program framework.

Page 19

Resources for this work

• Four focus groups with over 20 security directors, CISOs and engineers
• Plus, internal Optiv and external experts on peer review
• The CERT Guide to Insider Threats, 2012
• Kroll Global Fraud Report
• Verizon DBIR, trend of deliberate, malicious insiders as the initial vector of attack
• Insider Threats, Eric Cole, 2006

Page 20

Recent titles over the last 12 months

• All at Optiv.com > Resources > Library > [right-hand drop-down] Solutions Research & Development

• “Insider Threat Brief”
• “Internet of Things Brief”
• “Insider Threat Solution Primer”
• “Insider Threat Solution Blueprint” – Not publicly released
• “Ensuring M&A Success with IAM”
• “Practicing Security is Like Early Medicine”
• “Identity Defined Security Primer”