The 7 Deadly Sins of Insiders: Why They Become Threats October 9, 2019


Today’s web conference is generously sponsored by:

ObserveIT https://www.observeit.com/


Moderator

Ken Dunham brings more than 28 years of business, technical and leadership experience in cyber security, incident response and cyber threat intelligence to his position as senior director of technical cyber threat intelligence for Optiv.

In this role, he is responsible for the strategy and technical leadership to mature Optiv’s data integration and innovation of intelligence-based security solutions. He also runs his own advanced intelligence response company, 4D5A Security LLC, and a non-profit for incident responders around the world called Rampart Research.

Mr. Dunham has a long history of innovation for nascent technologies and solutions such as creation of training programs for U2, Warthog, and Predator systems for the USAF, responsible disclosure (iDEFENSE), and cyber threat intelligence (iSIGHT Partners). He is a widely published author with thousands of security articles and multiple books on topics ranging from Darknet disclosures to mobile threats and mitigation of malware.

Ken Dunham, Senior Director, Technical Cyber Threat Intelligence, Optiv


Speaker

Chris is a dedicated and passionate security professional with more than 20 years of IT security industry experience. Chris is responsible for ObserveIT’s information and operational security strategy. His prior experience includes serving as VP of Security Service at Cybereason, where he built and operated a Managed Detection and Response service. In his prior roles, Chris spent 13 years at Novartis Pharmaceuticals, where he served as Head of Security and was responsible for information security, risk, and security operations. During his tenure at Novartis, he spent several years managing internal investigations within the Ethics & Compliance division, held a position as Director of a global Detection & Response team, and worked within the Legal department as an Associate Director of e-Discovery. Chris has also held senior technology positions at Ricoh Corporation.

Chris Bush, Head of Security, ObserveIT


Backdrop for this webinar

• So, what’s under the hood:

• ITR discusses the state of the Insider Threat referencing 5 years of breach investigation data;

• Identifies varied internal threat actors, outlining their motivations and methods;

• Takes a deep dive into the risks and potential abuses associated with privileged access;

• Offers practical advice on implementing policies and controls to mitigate insider threats.


Break it down…

➢ Our focus:

❑The top seven most common insider threat focus areas;

❑Insider Threat motivators;

❑The risks associated with each type of insider threat;

❑Real-world examples of these threats in action;

❑Countermeasures to defend against each specific type of threat.


What makes the insider threat different?

• They operate from a position of trust;

• They have intimate knowledge of organizational policies, processes, and procedures;

• Our defenses traditionally point outward;

• Little to no technical expertise required;

• Hard to detect when you’re not looking.


IF ANY COMPANY THINKS THEY DON’T HAVE AN INSIDER THREAT PROBLEM, THEY AREN’T LOOKING.

- Cyber Security Leader at Fortune 500 Company


Accidental Leak

➢ Definition:

• Unintentional leakage of sensitive data

➢ Motives:

• Recklessness/convenience
• Untrained/distracted
• Disgruntled/revenge
• But also… Trying to do the best job possible

➢ Risks:

• IP compromise/exposure
• Reputational Damage
• Financial loss
• PII compromise/exposure
• Loss of competitive advantage


Misuse

➢ Definition:

• Any use of enterprise resources in ways that bypass or ignore security protocols; violate policy; are unrelated to the employee’s job; are illegal

➢ Motives:

• Recklessness/convenience
• Untrained/distracted
• Disgruntled/revenge

➢ Risks:

• IP compromise/exposure
• Reputational Damage
• Financial loss
• PII compromise/exposure
• Loss of competitive advantage


Fraud

➢ Definition:

• Using insider access to divert/modify/steal company financial resources for personal gain

➢ Motives:

• Personal profit
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative

➢ Risks:

• Financial loss
• Reputational damage
• Loss of competitive advantage


Data Theft

➢ Definition:

• Stealing information or intellectual property. The insider steals either protected or unprotected data (structured or unstructured) for personal gain, convenience, or out of anger.

➢ Motives:

• Personal profit
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative

➢ Risks:

• Financial loss
• Reputational damage
• Loss of competitive advantage


Sabotage

➢ Definition:

• Intentional destruction of company resources, including information assets, so they cannot be recovered and used.

➢ Motives:

• Acting with an illogical purpose or behavior
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative

➢ Risks:

• Financial loss
• Reputational damage
• Data loss
• Loss of competitive advantage


Product Alteration

➢ Definition:

• Accidental or deliberate introduction of malware or vulnerability into a product (hardware or software).

➢ Motives:

• Disrupt the integrity & availability of a system
• Unauthorized access to a system once authorized access has been revoked
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative

➢ Risks:

• System corruption or damage
• Financial loss
• Reputational damage
• Identity fraud
• Data loss


Espionage

➢ Definition:

• Systemic and targeted extraction of corporate information by a trusted insider that gives the attacker a strategic economic, military, or public relations advantage.

➢ Motives:

• Personal profit
• Disgruntled/revenge
• Inspired by a cause
• Coercion
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative

➢ Risks:

• Data loss
• Financial loss
• Reputational damage
• Loss of competitive advantage
• Regulatory scrutiny


Countermeasures


Implement & Maintain Policies & Procedures

➢ Human Resource Management

➢ Financial & Accounting Management

➢ Security Awareness Program

➢ Software Development Life Cycle (SDLC)

➢ DRP & BCP

➢ Risk Management Framework


Implement Personnel Security Measures

➢ Human Resource Controls

➢ Security Access Principles

➢ Security Awareness Program


Implement Technical Security Capabilities

➢ Endpoint Security

➢ Threat Hunting

➢ Identity & Access Management

➢ Vulnerability Management

➢ Pentesting

➢ Incident Response
  ❑ Digital Forensics


Implement Data Security Measures

➢ Data Ownership

➢ Data Classification

➢ Data Protection

➢ Data Retention

➢ Data Disposal


BUILD AN INSIDER THREAT PROGRAM

01 ELECT A CHAMPION

02 BUILD AN INSIDER THREAT TEAM

03 DEVELOP A BUSINESS PLAN AND PROCESS

04 ESTABLISH A PLAYBOOK

05 CREATE AN INTEGRATED INSIDER THREAT HUB

PEOPLE · PROCESS · TECHNOLOGY


ORGANIZE THE RIGHT TEAM

CEO

LEGAL

INTERNAL AUDIT

CHIEF RISK OFFICER

CHIEF PRIVACY OFFICER

CIO

CHIEF COMPLIANCE OFFICER

CHIEF INFORMATION SECURITY OFFICER

HUMAN RESOURCES

SUPPORT PROGRAM

STEERING COMMITTEE MEMBERS
