Insider threats - Lessons from Snowden (ISF UK Chapter)
Transcript of Insider threats - Lessons from Snowden (ISF UK Chapter)
Insider Threats: Lessons from Snowden
Piers Wilson, Tier-3 Huntsman® - Head of Product Management
© 2013 Tier-3 Pty Limited. All rights reserved.
About Tier-3 / Huntsman
• Tier-3 – Australian/UK based security software company
– Established 1999
– Pioneer of Behavioural Anomaly Detection (BAD) technology within SIEM products
• Huntsman – Intelligent SIEM solution
– Full event correlation and behavioural profiling, anomaly detection and alerting
– Automatic response capability
– Targeted at security-critical large enterprises and government
– In-built compliance monitoring support for PCI-DSS, ISO27001, GPG13, FISMA
– Multi-tenancy support
Protective security has a role
• A barrier between those who have access and those who don’t:
– Encryption means those that need access will get it, and those that don’t do not
– Access controls limit what data users can access and what they can do with it
– Firewalls constrain the types of network traffic systems can exchange
• Often controls are several layers deep:
– Network
– Server
– Application
– End point
The insider threat picture is complex
“You're dealing with authorized users doing authorized things for malicious purposes.”
Patrick Reidy, CISO for the FBI
[Diagram: “Insider Threats” mind map. Nodes: Physical; Electronic; Ethical; Deliberate; Accidental; Whistle blowing; Insider community; Motivation (genuine losses, media, fame, breaching data, negligence, revenge); Network; USB/Disk; Paper; Granting access/tailgating; Verbal; Normal users; System admins; External parties; Relationship (customers, contractors, staff, journalists); Trojans/APTs; Social media; Waterholes.]
Insider threats are
• Multi-dimensional
• Can circumvent protective controls
• Wider than just “Insiders”
– Contractors, Journalists, Whistle-blowers
– Advanced Persistent Threats / Trojans - the “weaponising” of insiders
– Social media risks, “over share”, leaked secrets, exposed plans / locations / staff / details
• Insiders can cause, or be culpable in causing, breaches
Insider threats are a common theme in security surveys
[Chart: Threat actor categories across 47,000+ security incidents]
Sources: PwC/BIS UK information security breaches survey 2013, Verizon data breach report 2013, CompTIA Information Security Trends 2012
What are the components of the solution?
• Endpoint & content-aware controls
• System activity, network traffic and behavioural analysis
• Robust activity monitoring & correlation
• Privileged & admin accounts
• Awareness, education and “publicity”
• Context and threat intelligence
Control privileged & admin accounts
Solutions do exist to control privileged accounts and the process of granting/revoking access for changes and incidents:
• Some systems are not under your “direct” control, such as cloud applications, managed networks or 3rd parties
• It is difficult to control what people do with the privileged access they have
What works for the NSA might not be as workable in the commercial sector:
• Dual control can be expensive, with high overheads
Administrators have wide-ranging power, access and knowledge, so oversight is still needed
End-point and content-aware controls
These control data being extracted, exported or stolen
• There are several ways you can lose control of your data
– Beyond the access permissions, encryption, ISMS in your environment
– When exchanged on CD, USB, network, Dropbox, social media, email, home PCs, mobile devices, cloud or in unstructured storage
• Businesses need to enable people to transmit/exchange data flexibly
Limitations
• End-point/DLP/Proxy solutions may not fully address the risk
– Encryption can mask data flows / remote systems won’t be protected
• Encryption of laptops/USB media only protects from unauthorised access
• Controls need to be part of the wider security and reporting environment
• The business view of what is, and isn’t, acceptable or risky is not always obvious
Robust monitoring, correlation and analysis
It is vital to:
• Generate logs AND
• Include systems, networks, applications AND
• Incorporate central oversight of other security controls AND
• Collect them centrally, away from the source AND
• Analyse and correlate the contents AND
• Protect access to logs and audit trails AND
• Separate duties between users, admins, auditors
If any of these fail, the detective/investigative options erode rapidly
Network traffic & behavioural analysis
It is important to be able to monitor activity based not on rules, but on deviance from a normal profile:
• Monitor how people operate – what they do, where, how often
• Understand how systems work “contextually”
• Track variable (multiple) baselines of the different data dimensions
• Recognise anomalies (statistics, thresholds, deviations)
Early/proactive detection allows an analyst to investigate and diagnose incidents
Predictive behaviour analysis (i.e. trying to predict when someone is going to misuse systems or steal data) is no better than randomly predicting insider misuse
“... the FBI moved toward a behavioural detection methodology that has proved far more effective” (source: FBI research)
“Even if all you can measure is the telemetry to look at prints from a print server, you can look at things like what's the volume, how many and how big are the files, and how often do they do print”
Patrick Reidy, FBI
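The print-server telemetry Reidy describes is a good fit for the “multiple baselines” approach on this slide. The following is an added example (not code from the presentation or from the Huntsman product) that scores each user's daily print volume, job count and page count against that user's own earlier history, one baseline per dimension; the log format and the sample lines are constructed assumptions.

```python
# Added example, not code from the presentation or the Huntsman product: score each
# user's daily print telemetry against that user's own history, one baseline per
# dimension. Assumed log format: <date> <user> jobs=<n> bytes=<n> pages=<n>
import re
import statistics
from collections import defaultdict

LINE_RE = re.compile(r"(\S+) (\S+) jobs=(\d+) bytes=(\d+) pages=(\d+)")
DIMENSIONS = ("jobs", "bytes", "pages")

# Constructed sample (one line per user per day): alice's last day is a bulk print-out, bob is steady.
SAMPLE_LOG = """\
2013-09-02 alice jobs=4 bytes=810000 pages=12
2013-09-03 alice jobs=5 bytes=950000 pages=15
2013-09-04 alice jobs=3 bytes=700000 pages=9
2013-09-05 alice jobs=6 bytes=1000000 pages=17
2013-09-09 alice jobs=38 bytes=61000000 pages=420
2013-09-02 bob jobs=10 bytes=2000000 pages=30
2013-09-03 bob jobs=12 bytes=2400000 pages=36
2013-09-04 bob jobs=9 bytes=1800000 pages=27
2013-09-05 bob jobs=11 bytes=2200000 pages=33
2013-09-09 bob jobs=13 bytes=2600000 pages=39
"""

def parse(log):
    """Group the daily summaries per user, preserving file (date) order."""
    days = defaultdict(list)
    for date, user, jobs, nbytes, pages in LINE_RE.findall(log):
        days[user].append({"date": date, "jobs": int(jobs),
                           "bytes": int(nbytes), "pages": int(pages)})
    return days

def detect(log, z_threshold=3.0, min_history=3):
    """Return (user, date, dimension, z) for days deviating from the user's own
    history; the baseline uses only earlier days, so a spike cannot inflate it."""
    alerts = []
    for user, rows in parse(log).items():
        for i in range(min_history, len(rows)):
            for dim in DIMENSIONS:
                hist = [r[dim] for r in rows[:i]]
                mean, sd = statistics.mean(hist), statistics.pstdev(hist)
                sd = max(sd, 0.05 * mean, 1.0)  # floor so a flat history does not alert on any change
                z = (rows[i][dim] - mean) / sd
                if z > z_threshold:
                    alerts.append((user, rows[i]["date"], dim, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ANOMALY user=%s date=%s %s z=%.1f" % alert)
```

Only alice's final day trips the threshold, on all three dimensions; bob's gradual growth stays under it, which is the point of scoring against the user's own profile rather than a fixed rule.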
Awareness: What is the point?
Simple awareness alone won’t defend against:
• Deliberate attacks
• Targeted social-engineering or a spear-phishing attack that has been made convincing enough
• The effects of normal human psychology and behaviours:
– Whether people care about it
– Or remember three months on
– Or understand why it is important
– Or are tied to a habit or a group behaviour that is different
• Misuse by people who have knowledge of control weaknesses
Visible and publicised oversight mechanisms will:
• Be more memorable than point-in-time eLearning training messages
• Deter malicious thefts or attacks where control and oversight is obvious
• Support deterrence, detection and resolution
– Forcing behaviours and actions which are more evident
• Enable “accidents” to be used for future education initiatives
– You can target awareness activities better
– You can create security “rumble strips”
Threat intelligence: the insider context
Intelligent monitoring is important
1. You need to monitor security controls and their operation anyway; compliance with security standards demands it, auditors will ask for it and good practice dictates it
• PCI-DSS, ISO27001, BIS “10 steps”, GPG13, FISMA agree
2. The presence of “visible” or “publicised” monitoring controls and an established track record of detection is a big deterrent to the malicious insider
• Detecting and preventing, or otherwise taking action against, a culprit
3. The monitoring of activity and logs provides the evidence businesses need to take action (civil, criminal, HR) even if the process of detection comes from another source
4. An accidental breach could have several causes, but will often be an unusual or significant series of events which may be able to be codified in advance, or following an incident
• Monitoring technology may help to diagnose and prevent future occurrences
5. Robust monitoring shows what is going on within an organisation, which means oversight processes can be based on the audit records rather than having to expose the original data within investigative activity
Solution coverage
[Diagram: the six solution components (endpoint & content-aware controls; system activity, network traffic and behavioural analysis; robust activity monitoring & correlation; privileged & admin accounts; awareness, education and “publicity”; context and threat intelligence) shown as the coverage map]
Questions
Contact us at: [email protected], +44 (0) 208 433 6790, +61 (0) 2 9419 3200
More information at: download our insider threat whitepaper
www.tier-3.com @tier3huntsman