Live Demo: Insider Threats
About AlienVault
AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
Introductions
Garrett Gross, Sr. Technical Product Marketing Mgr
Mark Allen, Technical Sales Engineer
Agenda
• Insider Threats & Risk Factors
• Data exfiltration methods
• Tips to mitigate these threats
• Demo: using USM to detect insider threats
Insider Threat Types
• Naive insiders may be “tricked” by external parties into providing data or passwords they shouldn’t
• Careless insiders may make inappropriate use of company network resources
• Malicious insiders are the least frequent, but have the potential to cause significant damage.
85% of insider privilege misuse attacks used the corporate LAN…
Source: Verizon Data Breach Report, 2014
Insider Risk Factors
• Ineffective management of privileged users
• Inappropriate role and entitlement assignment
• Users unaware of vulnerabilities
• Poor information classification and policy enforcement
• Inadequate auditing and analytics
• Audit log complexity
• Reactive response
• No comprehensive written acceptable use policies
• General misuse of corporate network
Exfiltration
• Simple encrypted transmission
• HTTP/HTTPS
• Posting to WordPress or other sites
• FTP/SFTP/SCP
• Slow & low
• Hide & Seek
• Images
• Video
• Audio (via VoIP)
• New Methods created every day
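The channels listed above all leave a trace in outbound flow data, which is the cheapest place to start looking for them. The following is an added example, not code from the deck or from the USM product: it runs simple checks over constructed NetFlow-style records and flags a single large outbound transfer, a “slow & low” drip of many small flows to one external host spread over hours, and FTP/SFTP/SCP ports used towards external hosts. The address plan, hosts, records and thresholds are all assumptions chosen for illustration.

```python
"""Flow-based checks for the exfiltration patterns listed on the slide.

Added example; not code from the AlienVault deck or from USM. Records are
(timestamp, src_ip, dst_ip, dst_port, bytes_out), constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address plan. The sample 'external' hosts below use the
# RFC 5737 documentation ranges, so the check is an explicit list rather than
# ipaddress.is_private (which also treats those documentation ranges as private).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_flows():
    """Constructed sample flows; not real traffic."""
    flows = [
        # one large HTTPS upload from a workstation to an external host
        ("2015-03-10T09:00:00", "10.0.0.5", "203.0.113.10", 443, 120_000_000),
        # ordinary browsing
        ("2015-03-10T09:01:00", "10.0.0.7", "198.51.100.20", 443, 15_000),
        # big copy to the internal file server: internal destination, not flagged
        ("2015-03-10T09:05:00", "10.0.0.7", "10.0.0.200", 445, 300_000_000),
        # FTP session to an external host
        ("2015-03-10T11:30:00", "10.0.0.12", "198.51.100.77", 21, 2_000_000),
    ]
    # 'slow & low': 40 flows of 50 KB, one every 12 minutes, to the same external host
    base = datetime(2015, 3, 10, 8, 0, 0)
    for i in range(40):
        ts = (base + timedelta(minutes=12 * i)).isoformat()
        flows.append((ts, "10.0.0.9", "192.0.2.44", 443, 50_000))
    return flows


def outbound(flows):
    """Only internal -> external flows matter for these checks."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def large_transfers(flows, threshold=50_000_000):
    """Single outbound flows of at least `threshold` bytes -> (src, dst, bytes)."""
    return [(src, dst, b) for _, src, dst, _, b in outbound(flows) if b >= threshold]


def slow_and_low(flows, min_flows=20, min_hours=6.0, max_flow_bytes=1_000_000, min_total=1_000_000):
    """Many small flows from one host to one external host spread over hours.

    Returns (src, dst, flow_count, total_bytes, span_hours) per flagged pair.
    Flows above max_flow_bytes are left to large_transfers().
    """
    groups = defaultdict(list)
    for ts, src, dst, _, b in outbound(flows):
        if b <= max_flow_bytes:
            groups[(src, dst)].append((datetime.fromisoformat(ts), b))
    hits = []
    for (src, dst), recs in groups.items():
        recs.sort()
        span_h = (recs[-1][0] - recs[0][0]).total_seconds() / 3600
        total = sum(b for _, b in recs)
        if len(recs) >= min_flows and span_h >= min_hours and total >= min_total:
            hits.append((src, dst, len(recs), total, span_h))
    return hits


def file_transfers_external(flows, ports=frozenset({21, 22})):
    """FTP (21) and SFTP/SCP (22) towards external hosts -> (src, dst, port)."""
    return [(src, dst, port) for _, src, dst, port, _ in outbound(flows) if port in ports]


if __name__ == "__main__":
    sample = build_flows()
    print("large transfers:", large_transfers(sample))
    print("slow & low:", slow_and_low(sample))
    print("file transfer to external host:", file_transfers_external(sample))
```

The port-based check is a policy check, not proof of exfiltration: port 22 is also routine administration, so in practice it is filtered against an allow-list of known destinations before it becomes an alert. The “slow & low” thresholds are the interesting knob; the whole point of that technique is that each flow alone looks like ordinary HTTPS traffic, so detection has to aggregate per source/destination pair over a long window rather than look at single flows.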
Dealing with possible insider threats
• Identity Management
• Not just black/white – user/admin access
• Data Controls
• Auditing
• Restrict access to those on a “need-to-know” basis
• Advanced Authentication
• Network groups
• Policies
Firewalls/Antivirus are not enough
• Firewalls are usually not the target – too difficult to effectively penetrate
• Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.
• With 160,000 new malware samples seen every day, antivirus apps will not find every threat
• Needs to be bolstered by regular and comprehensive monitoring
Prevent, Detect & Respond
The basics are in place for most companies…but this alone is a ‘proven’ failed strategy.
New capabilities to develop
Get (Very) good at detection & response
@AlienVault
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
• Remediation Verification
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response
AlienVault Labs Threat Intelligence
• Weekly updates to correlation directives to detect emerging threats
• Recent updates to Data exfiltration-related threat intelligence:
• AV Malware, Ajax Security Team Data Exfiltration
• AV Malware, Operation Machete FTP exfiltration
• AV attack, malware sending exfiltrating command output
• AV Policy violation, BitTorrent P2P usage
• AV Misc, suspicious successful login from Tor anonymity network
• AV Policy violation, Tor anonymity network usage
• *malware – 1,161 (03/2015)
Scenarios
• Vulnerable/Naive user
• Malware infection on end-user machine
• Vulnerable systems due to missed software updates
• Misuse
• BitTorrent
• Tor
• Malicious intent
• Users accessing info they shouldn’t be
• Data exfiltration
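The “users accessing info they shouldn’t be” scenario is where the need-to-know and auditing points from the mitigation slide come together: if roles are mapped to the data labels they are entitled to, the audit log can be checked against that map. The following is an added example, not code from the deck or from USM. It parses constructed file-access audit lines, reports every access whose label falls outside the user’s role entitlement (unknown users fail closed), and separately reports a burst of reads across many distinct sensitive files, which is what staging for exfiltration tends to look like even when every single read is within entitlement. The roles, labels, paths and log lines are all constructed.

```python
"""Entitlement checks over constructed file-access audit lines.

Added example; not code from the AlienVault deck or from USM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role -> entitled classification labels (need-to-know).
ENTITLEMENTS = {
    "finance": {"public", "internal", "confidential-finance"},
    "engineering": {"public", "internal", "confidential-eng"},
    "hr": {"public", "internal", "confidential-hr"},
}

# Assumed identity directory: user -> role. 'eve' is deliberately absent.
ROLES = {"alice": "engineering", "bob": "finance", "carol": "engineering", "dave": "hr"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"path=(?P<path>\S+) label=(?P<label>\S+)$"
)

# Constructed audit lines in an assumed key=value format.
SAMPLE_LOG = """\
2015-03-10T09:12:03 user=alice action=read path=/eng/design.doc label=confidential-eng
2015-03-10T09:15:40 user=alice action=read path=/finance/payroll_2015.xlsx label=confidential-finance
2015-03-10T09:16:02 user=bob action=read path=/finance/payroll_2015.xlsx label=confidential-finance
2015-03-10T09:20:00 user=eve action=read path=/eng/design.doc label=internal
2015-03-10T10:00:00 user=dave action=read path=/hr/reviews.doc label=confidential-hr
2015-03-10T13:00:01 user=carol action=read path=/eng/src/a.c label=confidential-eng
2015-03-10T13:00:05 user=carol action=read path=/eng/src/b.c label=confidential-eng
2015-03-10T13:00:09 user=carol action=read path=/eng/src/c.c label=confidential-eng
2015-03-10T13:01:12 user=carol action=read path=/eng/src/d.c label=confidential-eng
2015-03-10T13:02:30 user=carol action=read path=/eng/src/e.c label=confidential-eng
2015-03-10T13:03:44 user=carol action=read path=/eng/src/f.c label=confidential-eng
"""


def parse(log_text):
    """Parse audit lines into dicts; malformed lines are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def out_of_entitlement(events):
    """Accesses whose label is outside the user's role entitlement.

    An unknown user has no role and therefore no entitlements, so every
    access by such a user is reported (fail closed).
    """
    hits = []
    for ev in events:
        allowed = ENTITLEMENTS.get(ROLES.get(ev["user"]), set())
        if ev["label"] not in allowed:
            hits.append((ev["user"], ev["path"], ev["label"]))
    return hits


def mass_access(events, min_distinct=5, window=timedelta(minutes=10), prefix="confidential"):
    """Users reading at least min_distinct distinct sensitive files inside one window.

    Returns (user, distinct_paths) using the busiest window found per user.
    """
    per_user = defaultdict(list)
    for ev in events:
        if ev["label"].startswith(prefix):
            per_user[ev["user"]].append((ev["ts"], ev["path"]))
    hits = []
    for user, recs in per_user.items():
        recs.sort()
        best = 0
        for i in range(len(recs)):
            paths = {p for t, p in recs[i:] if t - recs[i][0] <= window}
            best = max(best, len(paths))
        if best >= min_distinct:
            hits.append((user, best))
    return hits


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("outside entitlement:", out_of_entitlement(evs))
    print("mass access:", mass_access(evs))
```

Both checks depend on two inputs the risk-factor slide says are often missing: a current role assignment per user and a classification label per file. Without those, the entitlement check degrades to “everyone gets flagged” or “nobody does”, which is the practical reason the deck puts information classification and entitlement management ahead of analytics.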
Now for some Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Questions? [email protected]