Insider Threat and its impact on GDPR
Amir Yampel (Necsia IT Consulting)

MEETING GDPR REQUIREMENTS WITH OBSERVEIT

• Prevent unauthorized processing of PII (Article 5)
• In case of a breach, notify the supervising authority within 72 hours (Article 33)
• Adopt technology and processes to regularly assess your GDPR compliance (Article 32)
• Adopt technology and processes to demonstrate GDPR compliance (Articles 24, 39)
• Implement technology to ensure that personal data is only processed for specified purposes. Processing includes availability of and accessibility to PII. [e.g. prevent data exfiltration] (Articles 4, 25)
• Increase awareness/training for staff involved in processing operations and related audits (Article 39 - DPO)

WHO ARE YOU MOST CONCERNED ABOUT???

Hackers? Or Trusted Users?

[Images: CONTRACTOR with FEDERAL RECORDS; DEVELOPER with DESIGN DOCUMENTS; PRIVILEGED USER with CUSTOMER DATA; CONTRACTOR with PATIENT RECORDS]

YOUR BIGGEST ASSET IS ALSO YOUR BIGGEST RISK

YOUR BIGGEST ASSET IS YOUR BIGGEST RISK (DATA BREACHES)

Data source: Breach Level Index & Crowd Research Partners, 2017

• 74% of organizations feel vulnerable to insiders
• Growing number of employees and contractors with more access and freedom
• 3M records are stolen every day
• PII, credentials, and IP are top targets (GDPR is about PII)

[Chart: Q: “What types of data were potentially compromised or breached in the past 12 months?” Values shown: 26%, 26%, 29%, 30%, 30%, 31%. Categories: Website defacement; Payment/credit card data; Corporate financial data; Intellectual property; Authentication credentials (user IDs and passwords, other forms of credentials); Personally identifiable information (name, address, phone, Social Security number). Three categories are flagged as PII, PII and PII (partial).]

IN YOUR OPINION, MOST SECURITY INCIDENTS ARE:

Malicious? Or Unintentional?

TYPICAL MOTIVATIONS AND INTENTIONS

Malicious:
• Financial gain, financial distress
• Disgruntled employees, work conflict
• Revenge
• Rogue System Administrator
• Corporate Spy
• Fear (layoffs)

Unintentional Policy Breaches:
• Under-resourced, just trying to do their job
• Negligence
• Undertrained Staff
• Accidental

GARTNER VIEW OF DLP AS STANDALONE TECHNOLOGY (09/2017)

[Diagram: DLP shown alongside PAM, SIEM, UAM and UEBA]

GDPR CHALLENGES: DO YOU HAVE VISIBILITY OVER PII?

[Diagram: Your Customers provide (Collect PII) Sensitive Customer Data to Your Organization; Users accessing your data; the Data Protection Officer must Report, Audit and Communicate]

Introducing Insider Threat Monitoring & Prevention

• Flexible PREVENTION: Educate and enforce policies to prevent Insider Threats
• Rapid TIME TO VALUE: A lightweight agent made for the enterprise that is easy to deploy
• Real Time DETECTION: Hundreds of preconfigured indicators built by industry experts, leveraging rich analytics
• Comprehensive VISIBILITY: Full context around user activity across endpoints, applications & files

The Only Solution to Unify User Monitoring + Data Activity + Rich Analytics With A Single Lightweight Endpoint Agent


Visibility: RICH METADATA PROVIDES USER CONTEXT

• Gain context for user actions and detect insider threat risk with easy-to-search and understand metadata
• ObserveIT tells you what the user is doing vs telling you what the computer is doing


...WITH HUNDREDS OF PRE-CONFIGURED INSIDER THREAT USE CASES

• UNAUTHORIZED ACCESS: Remote access, Sharing accounts & passwords, privilege escalation
• ACCIDENTAL ACTIONS: Unapproved application use, Configuration mistakes, Unauthorized web browsing
• UNAUTHORIZED ACTIVITY: Bypassing security controls, Backdoor creation, Running malicious software
• DATA EXFILTRATION: Print, USB, Cloud Applications, Email


CHOOSE HOW YOU WANT TO RESPOND TO RISK

Different levels of response, from notifications to session termination, according to:
• Risk level
• User profile / role / permissions / location, etc.
• Application


USE CASE: DATA EXFILTRATION

Target: Proprietary Data

• Accessing cloud storage local folder (Dropbox) to transfer sensitive information out
• Email attachments to personal email accounts
• Printing sensitive documents
• Copying sensitive files & folders to a private storage device

DATA EXFILTRATION: COMPREHENSIVE VISIBILITY

[Diagram of monitored categories]

APPLICATIONS: MS-Office, CRM, Fin Apps, Dev Apps, DBA Tools, Explorer, CLI, Outlook, Gmail, FB, Skype

USER ACTIVITY: Titles & URLs, Print, Installing new software, Running malicious tools, Browsing illegal websites, Irregular machine access, Tampering with system/security tools, Cut/Copy/Paste, Keylogging, DBA activity, Print screen

FILE TRACKING: Copy/Move, Create/Rename/Delete, Zip/Encrypt, Download from web/application, Copy from network shares

EXFILTRATION POINTS: Copy to cloud, Email attachment, Copy to USB, Upload to social website

OTHER SUSPICIOUS USER BEHAVIOR

EXAMPLE: MONITOR DATA EXFILTRATION OF SENSITIVE IP

User: Dana Ron, Proprietary Trader, North America

1. Exporting Vendor List Report from the Financial Portal
2. Hiding tracks by renaming the report to a naïve file name
3. Installing Dropbox client on personal laptop
4. Upload the Vendor List report to Dropbox by copying to local sync folder

Indicators shown: Fin Apps; Download from web/application; Create/Rename/Delete; Installing new software; Copy to cloud

RISK SCORE: 75
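As an added example (not ObserveIT's code), the four-step scenario above replayed as constructed file-tracking events: the exported report is followed across its rename so the copy into a sync folder is still attributed to it, the fired indicators are summed into a score, and the score plus the user's role selects a response tier in the spirit of the earlier "choose how you want to respond to risk" slide. The weights, thresholds, role list, sync-folder names and file paths are assumptions.

```python
# Added example, not ObserveIT code: replay constructed endpoint events for one user,
# follow the exported report across its rename, and score the exfiltration chain.
PRIVILEGED_ROLES = {"admin", "dba", "contractor"}   # assumed roles that escalate the response
CLOUD_SYNC_DIRS = {"Dropbox", "OneDrive"}          # assumed sync-folder names to watch
# Indicator weights are assumptions for this example, not the vendor's scoring.
WEIGHTS = {
    "download_from_app": 15,   # report exported from a monitored application
    "rename_sensitive": 15,    # tracked file renamed (hiding tracks)
    "install_software": 15,    # new software (e.g. a sync client) installed
    "copy_to_cloud": 30,       # tracked file copied into a cloud sync folder
}

def is_cloud_sync_path(path):
    """True if any directory component of path is a known cloud sync folder."""
    return any(part in CLOUD_SYNC_DIRS for part in path.replace("\\", "/").split("/"))

def score_events(events):
    """Return (score, indicators) for one user's (action, src, dst) events in order.
    Exported files are tracked by path across renames, so a later copy of the
    renamed file into a sync folder is still attributed to the sensitive report."""
    tracked, fired = set(), []
    for action, src, dst in events:
        if action == "download":
            tracked.add(src)
            fired.append("download_from_app")
        elif action == "rename" and src in tracked:
            tracked.remove(src)
            tracked.add(dst)
            fired.append("rename_sensitive")
        elif action == "install":
            fired.append("install_software")
        elif action == "copy" and src in tracked and is_cloud_sync_path(dst):
            fired.append("copy_to_cloud")
    return min(100, sum(WEIGHTS[f] for f in fired)), fired

def response_for(score, role):
    """Pick a response tier from the score; privileged roles are escalated (thresholds assumed)."""
    effective = score + (15 if role in PRIVILEGED_ROLES else 0)
    for threshold, action in ((80, "terminate_session"), (60, "block_and_warn"), (40, "notify_user")):
        if effective >= threshold:
            return action
    return "log_only"

# Constructed events for the slide's four-step scenario (trader "Dana Ron").
DANA_EVENTS = [
    ("download", r"C:\Users\dana\Downloads\VendorListReport.xlsx", "FinancialPortal"),
    ("rename", r"C:\Users\dana\Downloads\VendorListReport.xlsx", r"C:\Users\dana\Downloads\notes.xlsx"),
    ("install", "Dropbox client", None),
    ("copy", r"C:\Users\dana\Downloads\notes.xlsx", r"C:\Users\dana\Dropbox\notes.xlsx"),
]
```

Running `score_events(DANA_EVENTS)` yields 75 with all four indicators fired; the same copy of an untracked file into the sync folder fires nothing, which is the point of following the rename.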

Solution Overview


EMPLOYEE PRIVACY

Obtain an “umbrella agreement” or ensure you use:

• Anonymization

• Metadata only (record upon breach)

• “4-eyes” concept

• Selective monitoring (who?/ what?)

• Audit the auditors

• Encrypted data

• Inform users

OBSERVEIT ARCHITECTURE

[Diagram: Agents send metadata to the App-Server and Database]

No reboot, 1% CPU, 1 hour stand up, silent install

100’S OF OUT-OF-THE-BOX RULES (GDPR)

• Data exfiltration

• Bypassing security controls

• Careless behavior

• Creating backdoor

• Application data theft

• Copyright infringement

• Data infiltration (bringing in troubles)

• Hiding information and covering tracks

• Install/uninstall questionable software

• Performing unauthorized admin tasks

• Running malicious software

• Using unauthorized communication tools

• Time fraud

• Unacceptable use

• Unauthorized activity on servers

• Unauthorized data access

• Unauthorized machine access

• Searching for information

• Identity theft

• IT sabotage

• Performing privilege elevation

• Preparation for attack

• Shell attack

• Unauthorized shell opening

• System tampering

7 AWARDS IN 2017 AND COUNTING...

• Best Insider Threat Solution
• Best Cybersecurity Company
• Best Forensics Solution
• Best Risk Management Solution
• Category: Endpoint Security
• Best Extrusion Prevention Solution
• Most Innovative Insider Threat Solution


USE CASE: UNAUTHORIZED ACCESS & EXFILTRATION

• Connecting to critical systems (Customers DB)
• Connecting during irregular hours (Customers DB)
• Connecting from unauthorized client (Customers DB)
• Extracts sensitive information from DB (PII & Financials)
• Connecting to system as an unauthorized user (Customers DB)


Visibility: VIDEO CAPTURE FOR HIGH RISK SITUATIONS

• Gain a unique “over-the-shoulder” view of all employee, vendor and consultant activity
• Reduce investigation times from days to minutes

Detection: DECREASE RISK IMMEDIATELY WITH 200 PRECONFIGURED USE CASES WITH ALERTS

• Leverage over 200 out-of-the-box Insider Threat use cases (alerts)
• Benefit from CERT-generated indicators
• 25 Categories customizable by user group:
  ‒ Data Exfiltration
  ‒ Bypassing Security Controls
  ‒ Creating Backdoors
  ‒ Identity Theft
  ‒ Privilege Elevation
  ‒ Unauthorized Admin Activity
  ‒ Malicious Software
  ‒ Shell Attacks
  ‒ System Tampering
• Complete view of user logins, accounts, endpoints and applications
• Uncover and investigate risky user activity through identification of anomalous behavior

Detection: QUICKLY IDENTIFY ANOMALOUS BEHAVIOR

• Dynamic filters
• User activity and working hours over time
• Most used applications and websites

Prevention: REDUCE RISK WITH REAL-TIME EMPLOYEE NOTIFICATIONS

• Warn users against proceeding with out-of-policy activities
• Reduce non-compliant actions by implementing real-time warnings

Prevention: PREVENT USERS FROM VIOLATING POLICIES

• Direct enforcement of company policies
• Optimize Security and IT processes by collecting user feedback before the application is closed or the user is logged off

A proactive and holistic approach to GDPR compliance

• Total visibility, detection, and prediction of user-based risks

• Reduce risk by up to 50% through real-time education that increases awareness about personal data protection

• Bi-directional feedback and communication to raise internal awareness and increase compliance adoption

• Deterrence and Prevention of malicious insider threats including risks from 3rd-party vendors

• Rapid investigation of breaches within minutes, via irrefutable video evidence

Compliance: SATISFY COMPLIANCE REQUIREMENTS

• PCI-DSS
• SOX Section 404
• HIPAA
• FFIEC
• GDPR

Integrations: INTEGRATE WITH ECOSYSTEM FOR GREATER INSIGHTS (SIEM) & SECURITY AUTOMATION


Thank You

LOCATIONS
• Boston: 200 Clarendon Street, 21st Floor, Boston, MA 02116
• London
• Tel Aviv: Kiryat Atidim, Building #7, 4th Floor, Tel Aviv 61580
www.observeit.com

CONTACT
Amir Yampel
[email protected]