Insider Threats: Lessons from Snowden (ISF UK Chapter)

Piers Wilson, Tier-3 Huntsman® - Head of Product Management

Posted 18-Nov-2014

DESCRIPTION

The problem of insider security threats is not a new one, but the recent whistle-blowing cases in the US have brought it into sharp relief for organisations that hold sensitive data and wish to protect it from exposure or compromise.

TRANSCRIPT

Page 1: Insider threats - Lessons from Snowden (ISF UK Chapter)

Insider Threats: Lessons from Snowden

Piers Wilson, Tier-3 Huntsman® - Head of Product Management

Page 2

© 2013 Tier-3 Pty Limited. All rights reserved.

About Tier-3 / Huntsman

• Tier-3
  – Australian/UK based security software company
  – Established 1999
  – Pioneer of Behavioural Anomaly Detection (BAD) technology within SIEM products
• Huntsman
  – Intelligent SIEM solution
  – Full event correlation and behavioural profiling, anomaly detection and alerting
  – Automatic response capability
  – Targeted at security-critical large enterprises and government
  – In-built compliance monitoring support for PCI-DSS, ISO27001, GPG13, FISMA
  – Multi-tenancy support

Page 3

Protective security has a role

• A barrier between those who have access and those who don't:
  – Encryption means those that need access will get it, and those that don't do not
  – Access controls limit what data users can access and what they can do with it
  – Firewalls constrain the types of network traffic systems can exchange
• Often controls are several layers deep:
  – Network
  – Server
  – Application
  – End point

Page 4

The insider threat picture is complex

"You're dealing with authorized users doing authorized things for malicious purposes."
Patrick Reidy, CISO for the FBI

[Slide diagram: mind map centred on "Insider Threats". Labels recovered from the slide: Physical; Electronic; Ethical; Deliberate; Accidental; Whistle blowing; Insider community; Motivation; Genuine losses; Media; Fame; Breaching data; Negligence; Revenge; Network; USB/Disk; Paper; Granting access/tailgating; Verbal; Normal users; System admins; External parties; Relationship; Customers; Contractors; Staff; Journalists; Trojans/APTs; Social media; Waterholes]

Page 5

Insider threats are

• Multi-dimensional
• Can circumvent protective controls
• Wider than just "Insiders"
  – Contractors, Journalists, Whistle-blowers
  – Advanced Persistent Threats / Trojans - the "weaponising" of insiders
  – Social media risks, "over share", leaked secrets, exposed plans / locations / staff / details
• Insiders can cause, or be culpable in causing, breaches

Page 6

Insider threats are a common theme in security surveys

[Slide chart: Threat actor categories across 47,000+ security incidents]

Sources: PwC/BIS UK information security breaches survey 2013, Verizon data breach report 2013, CompTIA Information Security Trends 2012

Page 7

What are the components of the solution?

[Slide diagram: six solution components]
• Endpoint & content-aware controls
• System activity, network traffic and behavioural analysis
• Robust activity monitoring & correlation
• Privileged & admin accounts
• Awareness, education and "publicity"
• Context and threat intelligence

Page 8

Control privileged & admin accounts

Solutions do exist to control privileged accounts and the process of granting/revoking access for changes and incidents, but:
• Some systems are not under your "direct" control, such as cloud applications, managed networks or 3rd parties
• It is difficult to control what people do with the privileged access they have

What works for the NSA might not be as workable in the commercial sector:
• Dual control can be expensive, with high overheads

Administrators have wide-ranging power, access and knowledge, so oversight is still needed.

Page 9

End-point and content-aware controls

These control data being extracted, exported or stolen.
• There are several ways you can lose control of your data
  – Beyond the access permissions, encryption and ISMS in your environment
  – When exchanged on CD, USB, network, Dropbox, social media, email, home PCs, mobile devices, cloud or in unstructured storage
• Businesses need to enable people to transmit/exchange data flexibly

Limitations
• End-point/DLP/Proxy solutions may not fully address the risk
  – encryption can mask data flows; remote systems won't be protected
• Encryption of laptops/USB media only protects from unauthorised access; an authorised insider can still decrypt and copy the data
• Controls need to be part of the wider security and reporting environment
• The business view of what is, and isn't, acceptable or risky is not always obvious

Page 10

Robust monitoring, correlation and analysis

It is vital to:
• Generate logs, AND
• Include systems, networks, applications, AND
• Incorporate central oversight of other security controls, AND
• Collect them centrally, away from the source, AND
• Analyse and correlate the contents, AND
• Protect access to logs and audit trails, AND
• Separate duties between users, admins, auditors

If any of these fail, the detective/investigative options erode rapidly.
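The two points above that most often fail in practice are "collect centrally, away from the source" and "protect access to logs and audit trails": an administrator who can edit the records can also erase the evidence of what they did. The following is an added example, not code from the slides or from the Huntsman product, of one way a collector can make its copy of the log tamper-evident: a hash chain sealed with an HMAC key that exists only on the collector, so a source-host admin cannot re-seal an edited record. The events, host, user and path names are constructed for the example; the key and the helper names are assumptions.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample events as they would arrive at a central collector from a
# file-server host. Host, user and path names are invented for this example.
SAMPLE_EVENTS = [
    {"ts": "2013-06-01T09:12:03Z", "host": "fs01", "user": "jdoe", "action": "login"},
    {"ts": "2013-06-01T09:14:41Z", "host": "fs01", "user": "jdoe", "action": "read",
     "path": "/share/hr/salaries.xlsx"},
    {"ts": "2013-06-01T09:15:02Z", "host": "fs01", "user": "jdoe", "action": "copy",
     "path": "/share/hr/salaries.xlsx", "dst": "usb0"},
    {"ts": "2013-06-01T09:20:17Z", "host": "fs01", "user": "jdoe", "action": "logout"},
]

GENESIS = "0" * 64  # link value for the first record


def _canonical(event: dict) -> bytes:
    """Stable serialisation so the same event always seals to the same value."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class CentralAuditLog:
    """Append-only, hash-chained log held by the collector.

    Each record seals (seq, previous hash, event) with an HMAC under a key that
    exists only on the collector (assumed, not a real product key). A source-host
    administrator can edit their local copy but cannot re-seal a central record.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _seal(self, seq: int, prev_hash: str, event: dict) -> str:
        msg = f"{seq}|{prev_hash}|".encode() + _canonical(event)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> str:
        seq = len(self.records)
        prev = self.head()
        rec = {"seq": seq, "prev": prev, "event": event,
               "hash": self._seal(seq, prev, event)}
        self.records.append(rec)
        return rec["hash"]

    def head(self) -> str:
        """Latest hash; publishing it to the auditors makes truncation detectable."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, records=None, expected_head=None):
        """Walk the chain and return (ok, reason).

        Detects edited records (bad seal) and deleted or reordered records
        (broken link). Silent truncation of the tail is only caught when the
        auditor supplies a previously published head hash.
        """
        records = self.records if records is None else records
        prev = GENESIS
        for i, rec in enumerate(records):
            if rec["seq"] != i or rec["prev"] != prev:
                return False, f"chain broken at seq {i}"
            if not hmac.compare_digest(rec["hash"], self._seal(i, prev, rec["event"])):
                return False, f"bad seal at seq {i}"
            prev = rec["hash"]
        if expected_head is not None and prev != expected_head:
            return False, "log truncated: head does not match published head"
        return True, "ok"


def build_sample_log(key: bytes = b"collector-only-key") -> CentralAuditLog:
    log = CentralAuditLog(key)
    for ev in SAMPLE_EVENTS:
        log.append(ev)
    return log


# Three things a privileged insider with write access to the records might try.
def tamper_edit(log: CentralAuditLog) -> list:
    """Rewrite the 'copy' event so the USB destination disappears."""
    recs = copy.deepcopy(log.records)
    recs[2]["event"]["dst"] = "printer"
    return recs


def tamper_delete(log: CentralAuditLog) -> list:
    """Drop the 'copy' event entirely and renumber the remainder."""
    recs = copy.deepcopy(log.records)
    del recs[2]
    for i, rec in enumerate(recs):
        rec["seq"] = i
    return recs


def tamper_truncate(log: CentralAuditLog) -> list:
    """Cut off the newest record."""
    return log.records[:-1]


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:   ", log.verify())
    print("edited:   ", log.verify(tamper_edit(log)))
    print("deleted:  ", log.verify(tamper_delete(log)))
    print("truncated:", log.verify(tamper_truncate(log)))
    print("truncated, head known:", log.verify(tamper_truncate(log), log.head()))
```

The separation of duties on the slide is what makes this work: the collector holds the sealing key, the auditor holds the published head hash, and the source-host administrator holds neither. Note the caveat shown by the last two lines of the demonstration: dropping the newest records passes verification unless the auditor has an independently recorded head, which is why the head should be published (or anchored elsewhere) on a schedule.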

Page 11

Network traffic & behavioural analysis

It is important to be able to monitor activity based not on rules, but on deviance from a normal profile:
• Monitor how people operate – what they do, where, how often
• Understand how systems work "contextually"
• Track variable (multiple) baselines of the different data dimensions
• Recognise anomalies (statistics, thresholds, deviations)

Early/proactive detection allows an analyst to investigate and diagnose incidents.

Predictive behaviour analysis (i.e. trying to predict when someone is going to misuse systems or steal data) is no better than randomly predicting insider misuse.

"... the FBI moved toward a behavioural detection methodology that has proved far more effective" (source: FBI research)

"Even if all you can measure is the telemetry to look at prints from a print server, you can look at things like what's the volume, how many and how big are the files, and how often do they do print"
Patrick Reidy, FBI
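Reidy's print-server example is a good one to make concrete, because it needs no rules about what is "bad", only a profile of what is normal. The following is an added example, written for this page and not code from the slides or from Huntsman, of deviance-from-baseline detection over the three dimensions he names (job count, pages, bytes). It keeps two baselines per user as the slide suggests ("multiple baselines"): the user's own history, and a peer-group baseline for their department, which covers the case where someone is too new to have a personal history. All users, departments, days and figures are constructed; the threshold, minimum-sample count and floor on the standard deviation are assumptions for the example.

```python
import statistics
from collections import defaultdict

DIMENSIONS = ("jobs", "pages", "bytes")
MIN_SAMPLES = 5     # a baseline with fewer observations than this is not trusted (assumed)
Z_THRESHOLD = 3.0   # standard deviations from the baseline that count as anomalous (assumed)


def constructed_training():
    """Deterministic, invented print-server telemetry for ten working days.

    Rows are (date, user, dept, jobs, pages, bytes). alice and bob are regular
    printers in finance; carol in IT hardly prints; dave joined finance yesterday.
    """
    rows = []
    for d in range(10):
        day = f"2013-06-{3 + d:02d}"
        rows.append((day, "alice", "finance", 3 + d % 3, 15 + 5 * (d % 3), 900_000 + 100_000 * (d % 4)))
        rows.append((day, "bob", "finance", 2 + d % 2, 10 + 4 * (d % 2), 600_000 + 50_000 * (d % 3)))
        rows.append((day, "carol", "it", d % 2, 2 * (d % 2), 40_000 * (d % 2)))
    rows.append(("2013-06-12", "dave", "finance", 3, 15, 800_000))  # one day of history only
    return rows


class Baseline:
    """Per-dimension sample history for one user or one peer group."""

    def __init__(self):
        self.samples = defaultdict(list)

    def add(self, row):
        for dim, val in zip(DIMENSIONS, row[3:]):
            self.samples[dim].append(val)

    def n(self):
        return len(self.samples["jobs"])

    def z(self, dim, value):
        """How many standard deviations `value` sits above the baseline mean.

        The floor stops a perfectly flat history (sd = 0) from turning any
        change into an infinite score.
        """
        vals = self.samples[dim]
        mean = statistics.fmean(vals)
        sd = max(statistics.pstdev(vals), 0.05 * abs(mean), 1.0)
        return (value - mean) / sd


def build_profiles(rows):
    per_user, per_dept = {}, {}
    for row in rows:
        _, user, dept = row[:3]
        per_user.setdefault(user, Baseline()).add(row)
        per_dept.setdefault(dept, Baseline()).add(row)
    return per_user, per_dept


def score(row, per_user, per_dept):
    """Return (baseline, dimension, z) findings above the threshold for one day's row.

    The personal baseline is used only once it has enough history; the peer
    baseline is always consulted, so a new starter is still covered.
    """
    _, user, dept = row[:3]
    candidates = []
    personal = per_user.get(user)
    if personal is not None and personal.n() >= MIN_SAMPLES:
        candidates.append(("self", personal))
    peer = per_dept.get(dept)
    if peer is not None and peer.n() >= MIN_SAMPLES:
        candidates.append(("peer:" + dept, peer))
    findings = []
    for label, base in candidates:
        for dim, val in zip(DIMENSIONS, row[3:]):
            z = base.z(dim, val)
            if z > Z_THRESHOLD:
                findings.append((label, dim, round(z, 1)))
    return findings


# Constructed observations for the day being analysed.
TEST_DAY = [
    ("2013-06-13", "alice", "finance", 5, 25, 1_100_000),     # busy but within her pattern
    ("2013-06-13", "carol", "it", 40, 900, 500_000_000),      # an admin who never prints, bulk-printing
    ("2013-06-13", "dave", "finance", 30, 400, 60_000_000),   # too new for a self baseline; peers catch it
]


def run_day(test_rows, training=None):
    """Map each user in `test_rows` to their list of findings."""
    per_user, per_dept = build_profiles(training or constructed_training())
    return {row[1]: score(row, per_user, per_dept) for row in test_rows}


if __name__ == "__main__":
    for user, findings in run_day(TEST_DAY).items():
        print(user, findings or "normal")
```

Nothing here predicts who will misuse the print server, in line with the slide's caution about predictive analysis; it only surfaces days that do not look like that person's or their peers' past, for an analyst to investigate. Two practical points the code makes visible: a flat history (carol) needs a floor on the deviation or every change becomes infinitely anomalous, and a personal baseline should not be trusted until it has enough samples, which is where the peer-group baseline earns its place.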

Page 12

Awareness: What is the point?

Simple awareness alone won't defend against:
• Deliberate attacks
• Targeted social engineering or a spear-phishing attack that has been made convincing enough
• The effects of normal human psychology and behaviours:
  – Whether people care about it
  – Or remember three months on
  – Or understand why it is important
  – Or are tied to a habit or a group behaviour that is different
• Misuse by people who have knowledge of control weaknesses

Visible and publicised oversight mechanisms will:
• Be more memorable than point-in-time eLearning training messages
• Deter malicious thefts or attacks where control and oversight is obvious
• Support deterrence, detection and resolution
  – Forcing behaviours and actions which are more evident
• Enable "accidents" to be used for future education initiatives
  – You can target awareness activities better
  – You can create security "rumble strips"

Page 13

Threat intelligence: the insider context

Page 14

Intelligent monitoring is important

1. You need to monitor security controls and their operation anyway: compliance with security standards demands it, auditors will ask for it and good practice dictates it
   • PCI-DSS, ISO27001, BIS "10 steps", GPG13, FISMA agree
2. The presence of "visible" or "publicised" monitoring controls, and an established track record of detection, is a big deterrent to the malicious insider
   • Detecting and preventing, or otherwise taking action against, a culprit
3. The monitoring of activity and logs provides the evidence businesses need to take action (civil, criminal, HR) even if the process of detection comes from another source
4. An accidental breach could have several causes, but will often be an unusual or significant series of events which may be able to be codified in advance, or following an incident
   • Monitoring technology may help to diagnose and prevent future occurrences
5. Robust monitoring shows what is going on within an organisation, which means oversight processes can be based on the audit records rather than having to expose the original data within investigative activity

Page 15

Solution coverage

[Slide diagram: the six solution components from Page 7]
• Endpoint & content-aware controls
• System activity, network traffic and behavioural analysis
• Robust activity monitoring & correlation
• Privileged & admin accounts
• Awareness, education and "publicity"
• Context and threat intelligence

Page 16

Questions

Contact us at:
[email protected]
+44 (0) 208 433 6790
+61 (0) 2 9419 3200

More information at:
Download our insider threat whitepaper
www.tier-3.com
@tier3huntsman