CA Tech Forum 16 Presentation: Cybersecurity - How Do I Know When I'm Doing Enough? by Heath Nieddu
TRANSCRIPT
Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.
Just enough cybersecurity: an insider threat perspective
August 11th, 2016, CA Tech Forum
• Optiv, oCISO, Solutions Research & Development
Agenda (15 minutes or so)
• Insider Threat: No easy button
– Who are insider threats
– A functional model to describe how much
– Elevating our thinking on security investment
Heath Nieddu, CISSP, MBA
Senior Information Security Analyst, Optiv
[email protected]
@HeathNieddu (twitter)
Who are insider threats and what’s the impact?
• Percent of cases related to each motive (CMCERT)
– Fraudsters: 37%
– System Saboteurs: 21%
– Espionage: 19%
– IP Thieves: 14%
– Misc: 8%
• VDBIR: around 20%
• Kroll: 75% of companies suffer fraud, 80% from insiders
• CMCERT: 16% of insider activity occurs in government organizations (Cole, 2005)
• CMCERT: 2012, avg. $1.7 million; over half under $50k (CG, CH2)
How much is enough for insider threats?
Common responses:
A) Nothing in particular
B) Broad but concerted, and
C) Behavior anomaly detection
Is “How much?” the right question?
One dimensional thinking
• Transactional
• Security as insurance, a cost of doing business
• Alternatives within this approach:
– Benchmark spending: 2.5-6% of IT, but growing
– Follow regulation
– Certifications
– External audits
– Buy insurance
“What kinds of cybersecurity?”
Two dimensional thinking
• Efficiency with a mix of investments.
• Where and what are crown jewels?
[Chart: investment mix] Tech 34%, People 33%, Process 33%
“Put your money where your business drivers are”
Source: “SANS Security Spending Trends 2016”
“What risk posture?”
Three dimensional thinking
• Picking options to achieve risk posture
How to establish appropriate posture in insider threat?
Program Maturity Model: What level? What posture?
Aware
Insider threat is viewed as an incident response issue. An incident probably raised the level of awareness by the CISO and SOC staff.
Reactive
Insider threat is viewed as a problem that needs extra attention. Historical incidents are known and guide the program state.
Adaptive
Insider threat is approached with a secondary, iterative wave of remediation and plans are implemented.
Purposeful
Insider threat management is a pillar of security strategy.
Strategic
Insider threat management is an enabler of business strategy.
Functional Maturity Model
Expressing Risk Posture in Terms of Maturity
Maturity levels: 1 = Aware, 2 = React, 3 = Adapt, 4 = Purposeful, 5 = Strategic
Function                  Target maturity level
Program Governance        5
Identity Management       3
Data Access Governance    4
Detection and Response    2
“It depends”: Decision points that allow you to shape your risk posture
• Gravity of potential damage caused by the compromise of critical assets, and vulnerability of those assets
• Organizationally broad or focused
• Cultural themes
• Level of effort by security team
• Risk appetite of culture
Measuring success
• Percent of identified critical data actively managed (data owner, classification, controls applied and monitored, and fresh access program implemented and audited)
• Impact reduction (with main assumptions highlighted for periodic review)
• Dormant identity rate
• Rate of insider initiated incidents
• Privileged user monitoring rate
• Employee reporting false positive rate
• Anomaly detection alerting false positive rate
• Business alignment ratio (number of mutual objectives)
• Insider threat incident review rate
• Sensitive access roles rotation
Benchmarking Performance Instead of Spend
Public Corruption of State Officials (Dept. of Justice)

2003
Status          Raw   Incident/Pop
Charged          94   .32
Convicted        87   .3
Awaiting Trial   38   .13

2013
Status          Raw   Incident/Pop
Charged         133   .42
Convicted       119   .38
Awaiting Trial   68   .22
Contact
Heath Nieddu
Senior Research Analyst, Optiv
[email protected]
@HeathNieddu (twitter)
Thank you.
Developing a Framework
Goal: Create a strategy that incorporates all aspects of insider threat models into a single maturity model and security program framework.
Resources for this work
• Four focus groups with over 20 security directors, CISOs and engineers
• Plus, internal Optiv and external experts on peer review
• The CERT Guide to Insider Threats, 2012
• Kroll Global Fraud Report
• Verizon DBIR, trend of deliberate, malicious insiders as the initial vector of attack
• Insider Threats, Eric Cole, 2006
Recent titles over the last 12 months
• All at Optiv.com > Resources > Library > [right-hand drop-down] Solutions Research & Development
• “Insider Threat Brief”
• “Internet of Things Brief”
• “Insider Threat Solution Primer”
• “Insider Threat Solution Blueprint” – Not publicly released
• “Ensuring M&A Success with IAM”
• “Practicing Security is Like Early Medicine”
• “Identity Defined Security Primer”