The 7 Deadly Sins of Insiders: Why They Become Threats
October 9, 2019
TRANSCRIPT
Today’s web conference is generously sponsored by:
ObserveIT (https://www.observeit.com/)
Moderator
Ken Dunham brings more than 28 years of business, technical and leadership experience in cyber security, incident response and cyber threat intelligence to his position as senior director of technical cyber threat intelligence for Optiv.
In this role, he is responsible for the strategy and technical leadership to mature Optiv’s data integration and innovation of intelligence-based security solutions. He also runs his own advanced intelligence response company, 4D5A Security LLC, and a non-profit for incident responders around the world called Rampart Research.
Mr. Dunham has a long history of innovation for nascent technologies and solutions such as the creation of training programs for U2, Warthog, and Predator systems for the USAF, responsible disclosure (iDEFENSE), and cyber threat intelligence (iSIGHT Partners). He is a widely published author with thousands of security articles and multiple books on topics ranging from Darknet disclosures to mobile threats and mitigation of malware.
Ken Dunham, Senior Director, Technical Cyber Threat Intelligence, Optiv
Speaker
Chris is a dedicated and passionate security professional with more than 20 years of IT security industry experience. Chris is responsible for ObserveIT’s information and operational security strategy. His prior experience includes serving as VP of Security Service at Cybereason, where he built and operated a Managed Detection and Response service. In prior roles, Chris spent 13 years at Novartis Pharmaceuticals, where he served as Head of Security and was responsible for information security, risk, and security operations. During his tenure at Novartis, he spent several years managing internal investigations within the Ethics & Compliance division, held the position of Director of a global Detection & Response team, and worked within the Legal department as an Associate Director of e-Discovery. Chris has also held senior technology positions at Ricoh Corporation.
Chris Bush, Head of Security, ObserveIT
Backdrop for this webinar
• So, what’s under the hood:
• ITR discusses the state of the Insider Threat referencing 5 years of breach investigation data;
• Identifies varied internal threat actors, outlining their motivations and methods;
• Takes a deep dive into the risks and potential abuses associated with privileged access;
• Offers practical advice on implementing policies and controls to mitigate insider threats.
Break it down…
➢ Our focus:
❑The top seven most common insider threat focus areas;
❑Insider Threat motivators;
❑The risks associated with each type of insider threat;
❑Real-world examples of these threats in action;
❑Countermeasures to defend against each specific type of threat.
What makes the insider threat different?
• They operate from a position of trust;
• They have intimate knowledge of organizational policies, processes, and procedures;
• Our defenses traditionally point outward;
• Little to no technical expertise required;
• Hard to detect when you’re not looking.
“IF ANY COMPANY THINKS THEY DON’T HAVE AN INSIDER THREAT PROBLEM, THEY AREN’T LOOKING.”
- Cyber Security Leader at Fortune 500 Company
Accidental Leak
➢ Definition:
• Unintentional leakage of sensitive data
➢ Motives:
• Recklessness/convenience
• Untrained/distracted
• Disgruntled/revenge
• But also… trying to do the best job possible
➢ Risks:
• IP compromise/exposure
• Reputational damage
• Financial loss
• PII compromise/exposure
• Loss of competitive advantage
Misuse
➢ Definition:
• Any use of enterprise resources in ways that bypass or ignore security protocols, violate policy, are unrelated to the employee’s job, or are illegal
➢ Motives:
• Recklessness/convenience
• Untrained/distracted
• Disgruntled/revenge
➢ Risks:
• IP compromise/exposure
• Reputational damage
• Financial loss
• PII compromise/exposure
• Loss of competitive advantage
Fraud
➢ Definition:
• Using insider access to divert, modify, or steal company financial resources for personal gain
➢ Motives:
• Personal profit
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative
➢ Risks:
• Financial loss
• Reputational damage
• Loss of competitive advantage
Data Theft
➢ Definition:
• Stealing information or intellectual property. The insider steals either protected or unprotected data (structured or unstructured) for personal gain, convenience, or out of anger.
➢ Motives:
• Personal profit
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative
➢ Risks:
• Financial loss
• Reputational damage
• Loss of competitive advantage
Sabotage
➢ Definition:
• Intentional destruction of company resources, including information assets, so they cannot be recovered and used.
➢ Motives:
• Acting with an illogical purpose or behavior
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative
➢ Risks:
• Financial loss
• Reputational damage
• Data loss
• Loss of competitive advantage
Product Alteration
➢ Definition:
• Accidental or deliberate introduction of malware or a vulnerability into a product (hardware or software).
➢ Motives:
• Disrupt the integrity & availability of a system
• Unauthorized access to a system once authorized access has been revoked
• Disgruntled/revenge
• Inspired by a cause
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative
➢ Risks:
• System corruption or damage
• Financial loss
• Reputational damage
• Identity fraud
• Data loss
Espionage
➢ Definition:
• Systematic and targeted extraction of corporate information by a trusted insider that gives the attacker a strategic economic, military, or public relations advantage.
➢ Motives:
• Personal profit
• Disgruntled/revenge
• Inspired by a cause
• Coercion
• Competitive advantage (e.g., revenue, market share)
• Disruption of a global business in support of a state-sponsored initiative
➢ Risks:
• Data loss
• Financial loss
• Reputational damage
• Loss of competitive advantage
• Regulatory scrutiny
Countermeasures
Implement & Maintain Policies & Procedures
➢ Human Resource Management
➢ Financial & Accounting Management
➢ Security Awareness Program
➢ Software Development Life Cycle (SDLC)
➢ DRP & BCP
➢ Risk Management Framework
Implement Personnel Security Measures
➢ Human Resource Controls
➢ Security Access Principles
➢ Security Awareness Program
Implement Technical Security Capabilities
➢ Endpoint Security
➢ Threat Hunting
➢ Identity & Access Management
➢ Vulnerability Management
➢ Pentesting
➢ Incident Response
❑ Digital Forensics
Implement Data Security Measures
➢ Data Ownership
➢ Data Classification
➢ Data Protection
➢ Data Retention
➢ Data Disposal
Build an Insider Threat Program (People, Process, Technology)
01 Elect a champion
02 Build an insider threat team
03 Develop a business plan and process
04 Establish a playbook
05 Create an integrated insider threat hub
Organize the Right Team
Support program steering committee members:
• CEO
• Legal
• Internal Audit
• Chief Risk Officer
• Chief Privacy Officer
• CIO
• Chief Compliance Officer
• Chief Information Security Officer
• Human Resources