insider threat problem insider threat management€¦ · capture and hide the data data...
TRANSCRIPT
![Page 1: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/1.jpg)
Insider Threat Management
People-centric Approach
ObserveIT Solution
Insider Threat Problem
Agenda
Presented by:
Elad Tzur
![Page 2: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/2.jpg)
Who is ObserveIT?
Over 1,200 Customers Worldwide
ObserveIT is the Global leader inInsider Threat Management
Boston, MA
Founded 2006
Bain Capital
![Page 3: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/3.jpg)
CHALLENGE WITH ADDRESSING INSIDER THREATS
“It’s Hard to Distinguish Abuse from Legitimate Use”
3 out of 4 InfoSec professionals say
260,000+ members
![Page 4: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/4.jpg)
People are the core of your business…
Business users IT users Contractors
![Page 5: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/5.jpg)
…they are also responsible for 90% of security incidents*
MALICIOUS NEGLIGENT
Bad actors Careless users
Good employee turning bad
Joined with no malicious intent
Authorized users doing unauthorized things
Imposing risk carelessly
Unaware of security policy
Create lots of noise and alert fatigue
*Verizon 2015 Data Breach Investigations Report
![Page 6: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/6.jpg)
There is no patch for people
• Abusing admin privileges• Bypassing security controls• Unnecessary access
• Using unauthorized cloud apps• Responding to phishing attempts • Accidental data leakage
Detect early indicators ofunauthorized behavior
Inform negligent users ofsecurity policy
To reduce the likelihood of incidents, you must:
Bad actors Unwitting users
![Page 7: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/7.jpg)
Bad actor
Unwitting user
Insider attack chain
Tipping Point – Going from good to bad
Searching for Data
Capture and Hide the data
Data Exfiltration
Send zip file over Wetransfer – off hours transfers
• Encrypt and rename file extensions• password protected zip file
• Uploading Files to an external cloud• message to competitor • Playing video games with lack of regard
• Password harvesting • Database Queries • unauthorized access to co-workers computers
Human Error
![Page 8: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/8.jpg)
Bad actor
Unwitting user
Detect negligent behavior
Inform user of security policy
Enforce behavior change
Human Error
Insider attack chain
![Page 9: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/9.jpg)
Stop wasting resources
Only notice 25% of Insider Threats*
Infinite amount of events to interpret
Based on log files (must infer conclusions)
Individual discrete incidents
Classified by severity
Before…Event-centric
*CERT Insider Threat Center
Thousands of hours
…AfterPeople-centric
Limited to the number of employees
Based on people’s actions (self-evident)
All incidents roll up to users
Prioritized by risk scoring
100% visibility of Insider Threats
Less than one FTE
Much more efficient
![Page 10: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/10.jpg)
People-centric approachPeople: 100,000
Act
Detect
Deter
People: 10,000
People: 1000
People: 50
Less than 1% will be high-risk and need investigation
On average, 10% of users will be risky
Deterrence will eliminate 90% of risky users
![Page 11: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/11.jpg)
GARTNER MARKET REVIEW:USER & ENTITY BEHAVIOR ANALYTICS
“most enterprises spend a majority of their security budget on preventionmeasures, such as firewalls, strong user authentication, intrusion prevention, antivirus systems and the like. Successful hackers have figured out how to beat these prevention systems. In addition, the attackers are often not detected once they intrude on a network, since many monitoring systems generate so many false alarms that intrusion alerts often remain unnoticed.
Most recent breaches involved hackers taking over existing user accounts, activities that UEBA systems are designed to detect.” (Gartner, 2015)
![Page 12: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/12.jpg)
REGULATIONS ARE COMING
• General Data Protection Regulation (GDPR) – Aims to become effective in 2016
• European Central Bank (ECB) & Eorpean Bank Authority (EBA) – New security regulations on Insider threat
• European Union Agency for Network and Information Security (ENISA) – New Guidelines for Security & Privacy
• European Commission (EC) – Regulation for Internet Payments (Logging all inside activities)
![Page 13: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/13.jpg)
USER RISK DASHBOARD
KNOW WHICH USERS ARE
PUTTING YOUR BUSINESS AT RISK AND WHY
![Page 14: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/14.jpg)
ObserveIT Solution
• Inform and enforce security policy
• Eliminate alert fatigue and noise
• Notify users that they are being recorded
• Simple, easy to view playback and metadata
• See who is doing what with visual forensics
• Assess malicious intent with irrefutable evidence
• No baselining required (to define “normal”)
• Canned alerts and packaged analytics for known risks
• Immediate detection of insider threats
• Immediate “Circuit Breaker” to unauthorized sessions
• Block and control risky activity
• Instant messaging to live sessions
DETER
INVESTIGATE
DETECT
PREVENT
![Page 15: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/15.jpg)
Session activity alerts
Session alert summary
![Page 16: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/16.jpg)
Investigate Who did What
![Page 17: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/17.jpg)
FILED-LEVEL APPLICATION MONITORING
MARKING TOOL:
DISTINGUISH ABUSIVE BEHAVIOR
FROM NORMAL USER ACTIVITY
![Page 18: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/18.jpg)
ObserveIT Deployment
Highly scalable beyond 100,000 devices
Only collects 100 MB per user per week
Only 0.1% impact on network
Less than 1% CPU overhead, only at the point of capture
![Page 19: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/19.jpg)
ADD USER CONTEXT TO YOUR ECOSYSTEM
User Context
SIEM IAMITSM
![Page 20: Insider Threat Problem Insider Threat Management€¦ · Capture and Hide the data Data Exfiltration Send zip file over Wetransfer –off hours transfers ... since many monitoring](https://reader033.vdocuments.mx/reader033/viewer/2022050114/5f4b2a53f5ac93347a694e21/html5/thumbnails/20.jpg)
THANK YOU