IBM X-Force Threat Intelligence: Why Insider Threats Challenge Critical Business Processes
TRANSCRIPT
IBM X-Force: Insights from the 2Q 2015 X-Force Threat Intelligence Quarterly
© 2015 IBM Corporation
IBM Security
IBM X-Force® Research and Development
Research areas: Vulnerability Protection, IP Reputation, Anti-Spam, Malware Analysis, Web Application Control, URL / Web Filtering, Zero-day Research.
The IBM X-Force Mission
• Monitor and evaluate the rapidly changing threat landscape
• Research new attack techniques and develop protection for tomorrow’s security challenges
• Educate our customers and the general public
• Integrate and distribute Threat Protection and Intelligence to make IBM solutions smarter
Expert analysis and data sharing on the global threat landscape
IBM X-Force monitors and analyzes the changing threat landscape
• 20,000+ devices under contract
• 15B+ events managed per day
• 133 monitored countries (MSS)
• 3,000+ security related patents
• 270M+ endpoints reporting malware
• 25B+ analyzed web pages and images
• 12M+ spam and phishing attacks daily
• 89K+ documented vulnerabilities
• 860K+ malicious IP addresses
• Millions of unique malware samples
Source: IBM X-Force Threat Intelligence Quarterly – 1Q 2015 and 2014 IBM Chief Information Security Officer Assessment
83% of CISOs say that the challenge posed by external threats has increased in the last three years
Near Daily Leaks of Sensitive Data
40% increase in reported data breaches and incidents
Relentless Use of Multiple Methods
800,000,000+ records were leaked, while the future shows no sign of change
“Insane” Amounts of Records Breached
42% of CISOs claim the risk from external threats increased dramatically from prior years.
According to Ponemon Institute, the cost of these breaches is on the rise
Source: Ponemon Institute Cost of Data Breach Study
Chart: Cost per record* – $136, $145 and $154 across the three years shown; net change over 1 year = 6%, net change over 2 years = 12%. Global average $154 per record, a 12% increase over two years.
Chart: Cost per incident* – global average $3.8M, a 23% increase over two years.
Recent data from IBM Security Services shows 55% of all attacks were found to be carried out by malicious insiders or inadvertent actors
Source: IBM 2015 Cyber Security Intelligence Index, Figure 4
New classifications of Insider Threats: disgruntled employees, malicious insiders, inadvertent insiders, quasi-insiders
Traditionally, “insider threats” meant disgruntled or negligent employees were inflicting harm to the company’s assets; today many different classifications have come forward.
Modern trends in enterprise computing increase the attack surface of people with trusted access
• Trusted users with privileged access to systems housing critical business, PII and monetary assets
• The digital connectivity of IoT opens up new entry points into physical systems.
• Third party contractors or suppliers can widen the attack surface
• Inadvertent insiders can merely click a malicious link
Diagram: trends (Social Media, Big data, Mobility, Cloud) mapped to attack vectors
Spam origination efforts have become so distributed that not one country exceeds 8% of the total volume for very long.
Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015
Any insider, even those with the best of intentions, can inadvertently aid in an attack by clicking on a malicious link sent in a phishing email.
Source: IBM X-Force Threat Intelligence Quarterly, 2Q 2015
Network administrators can take a few basic steps to fend off malicious spam attachments
• Keep your spam and virus filters up to date.
• Block executable attachments. In regular business environments it is unusual to send executable attachments. Most spam filters can be configured to block executable files even when they are within zip attachments.
• Use mail client software that allows disabling automatic rendering of attachments and graphics, and preloading of links—and then disable them.
• Educate users on potential danger of spam, and actions to take.
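As an added example (not from the deck and not IBM product code), here is how a mail gateway policy hook could implement the "block executables even inside zip attachments" advice: it walks a zip attachment, recurses into nested zips, and reports executable, unknown-type and encrypted members. The extension lists, depth limit and the sample attachment are constructed assumptions.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Executables and screensavers are blocked outright; anything not on a small
# allowlist is reported as an unknown type, as the slide suggests. (Assumed lists.)
BLOCKED_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "msi", "jar"}
ALLOWED_EXT = {"pdf", "docx", "xlsx", "pptx", "txt", "csv", "png", "jpg"}
MAX_DEPTH = 3  # zips nested deeper than this are rejected instead of unpacked


def classify(name: str) -> Optional[str]:
    """Block reason for a file name, or None if the type is acceptable."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in BLOCKED_EXT:
        return "executable"
    return None if ext in ALLOWED_EXT else "unknown type"


def inspect_zip(data: bytes, prefix: str = "", depth: int = 0) -> List[Tuple[str, str]]:
    """List (path, reason) for every member of a zip attachment that should be blocked."""
    if depth > MAX_DEPTH:
        return [(prefix or "<root>", "nesting too deep")]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = prefix + info.filename
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: cannot be inspected, so block it
                findings.append((path, "encrypted member"))
            elif info.filename.lower().endswith(".zip"):  # zip inside zip: recurse
                findings.extend(inspect_zip(zf.read(info), path + "/", depth + 1))
            else:
                reason = classify(info.filename)
                if reason:
                    findings.append((path, reason))
    return findings


def build_sample() -> bytes:
    """Constructed attachment: a harmless PDF, an odd extension, and a nested zip hiding an .exe."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ")  # double extension, a classic lure
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("statement.pdf", b"%PDF-1.4")
        z.writestr("scan.zip", inner.getvalue())
        z.writestr("notes.xyz", b"?")
    return outer.getvalue()
```

Running inspect_zip(build_sample()) flags the nested executable and the unknown-type file while letting the PDF through; a real gateway would quarantine on any non-empty result.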
User education on spam should focus on skepticism and common sense
Before opening emails, clicking on links or opening the attachment, users should ask some simple questions:
• Do I know the sender?
• Did I expect this email and this attachment?
• Does it make sense that the attachment is zipped, and is the format appropriate for this type of message and attachment type?
• Which file type is in the zip file? Executable, screensavers, and unknown file types are more likely to host malicious code.
Spammers use social engineering to mask malicious links, making emails mimic standard messages from:
• eCommerce sites
• Banks or Financial Institutions
• Corporate internal systems such as fax and copy machines
People can be the weakest link in securing valuable data
Privileged IDs are growing, so control the associated risk
Several trends are escalating the numbers of privileged IDs within organizations:
1. Administrative tasks are assigned to a large pool of staff or contractors with frequent changes.
2. Some employees such as developers need occasional or one-time privileged access to specific resources to perform maintenance tasks.
Creating shared IDs circumvents the need to continually add and delete accounts as users come and go, but is a bad practice:
1. Destroys user accountability
2. Can interfere with regulatory compliance
Grant user entitlements appropriately and keep them updated
User entitlements should be updated to adapt to changes, especially when workers change roles or leave the organization.
1. Authorize users based on the least access privilege they require
2. Conduct regular audits of user entitlements
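Added example, not from the deck: a minimal entitlement audit covering the points on this slide and the previous one. It flags grants whose owner has left, grants outside a role's least-privilege baseline (such as leftovers after a role change), expired one-time maintenance grants, and shared IDs with no accountable owner. The roster, role baselines and entitlement rows are constructed sample data.

```python
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data (not from the deck): an HR roster, a least-privilege
# baseline per role, and an entitlement export where temporary grants carry an expiry.
ROSTER: Dict[str, Tuple[str, str]] = {          # owner -> (role, status)
    "alice": ("developer", "active"),
    "bob": ("dba", "active"),                   # recently moved from developer to dba
    "carol": ("developer", "terminated"),
}
ROLE_BASELINE: Dict[str, Set[str]] = {
    "developer": {"git-push", "ci-view"},
    "dba": {"db-admin", "ci-view"},
}
# (account, entitlement, owner, expires); owner None means a shared ID
ENTITLEMENTS: List[Tuple[str, str, Optional[str], Optional[date]]] = [
    ("alice", "git-push", "alice", None),
    ("alice", "prod-ssh", "alice", date(2015, 6, 30)),  # one-time maintenance grant
    ("bob", "git-push", "bob", None),                   # leftover from bob's old role
    ("bob", "db-admin", "bob", None),
    ("carol", "git-push", "carol", None),               # carol has left the organization
    ("svc-backup", "db-admin", None, None),             # shared ID, nobody accountable
]


def audit(roster, baseline, entitlements, as_of: date) -> List[Tuple[str, str, str]]:
    """Return (account, entitlement, reason) for every grant that needs review on as_of."""
    findings = []
    for account, ent, owner, expires in entitlements:
        if owner is None:
            findings.append((account, ent, "shared ID, no accountable owner"))
            continue
        person = roster.get(owner)
        if person is None or person[1] != "active":
            findings.append((account, ent, "owner is not an active worker"))
        elif expires is not None:
            # A time-boxed grant is acceptable while it is live, even outside the baseline
            if expires < as_of:
                findings.append((account, ent, "temporary grant has expired"))
        elif ent not in baseline.get(person[0], set()):
            findings.append((account, ent, "outside least-privilege baseline for " + person[0]))
    return findings
```

Run the audit on a schedule with the current date as as_of; every finding maps to a remediation (revoke, re-approve with an expiry, or assign an owner).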
Manage and monitor users for both security and compliance
• Monitor and audit IDs to highlight anomalies or misuse of account privileges
• Application monitoring with application-layer network visibility
• Use strong authentication that relies on sound policy for identity assurance.
Physical security is just as important as digital monitoring
Maintaining a rigorous security posture that considers not just digital but also physical security is key to protect against insider threats.
Applying a broad range of security practices can help minimize insider threats
• Address gaps in physical security
• Set mail and spam settings to minimize damage from malicious spam and attachments
• Educate users on potential danger of spam, and actions to take
• Use identity governance solutions to help classify users by roles and access requirements
• Grant user entitlements appropriately and keep them updated
• Manage and monitor users for both security and compliance.
Connect with IBM X-Force Research & Development
Find more on SecurityIntelligence.com
IBM X-Force Threat Intelligence Quarterly and other research reports: http://www.ibm.com/security/xforce/
Twitter: @ibmsecurity and @ibmxforce
IBM X-Force Security Insights Blog: www.SecurityIntelligence.com/topics/x-force
Watch SecurityIntelligence.com/Events for the registration for a July 23 webinar with X-Force researcher Robert Freeman!
www.ibm.com/security
© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.