ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
Transcript of ObserveIT - Unintentional Insider Threat featuring Dr. Eric Cole
UNINTENTIONAL INSIDER THREAT: Top Employee Security Mistakes That Put Your Data at Risk
by Dr. Eric Cole
Anchor is All Cyber Defense, All of the Time. Prevent - Detect - Respond
Insiders Are Responsible for 90% of Security Incidents*
- Malicious: fraud/data theft, inappropriate access, disgruntled employee
- Unintentional: misuse of systems, log-in/log-out failures, cloud storage
(Chart split between the two categories: 71% / 29%.)
* Sources: Verizon 2015 Data Breach Investigations Report; Kaspersky Lab 2016 Security Risks Special Report
Are You Focused on the Correct Area?
Nature of Insider Threat
Two main forms of insider threat:
- Deliberate/malicious insider
- Accidental/unintentional insider
Why do insiders become targets? As external targets become more difficult, attackers find insiders are an easier avenue to compromise.
The real threat and biggest risk to confidential data is the negligent employee, more commonly categorized as the unintentional insider threat.
All It Takes Is One Click
From an endpoint security perspective, the two most dangerous applications on the planet are email and web browsers.
Insider Threat Current State
- Insider threats are on IT's radar
- Spending on insider threats will increase
- The financial impact is significant
- Organizations fail to focus on solutions
- Insider threat is often the cause of damage
- Prevention is more a state of mind than a reality
Assessing Vulnerability to Insiders
- What information would an adversary target?
- What systems contain the information that attackers would target?
- Who has access to critical information?
- What would be the easiest way to compromise an insider?
- What measures or solutions can IT use to prevent/detect these attacks?
- Does our current budget appropriately address insider threats?
- What would a security roadmap that includes insider threats look like for our organization?
How well is your organization doing with insider threats? Write your organization's report card and focus on the lowest-scoring areas.
*** Findings from a recent survey on Insider Threat
How to Effectively Manage Insider Threats
Having clear visibility into employee actions is critical.
Lifecycle
- Proactive
  - Educate: notify employees of company policy
  - Deter: warn that out-of-policy actions will be recorded and reviewed
- Reactive
  - Detect: get a stack-ranked view of riskiest users
  - Investigate: rapidly discern malicious from benign actions
Having Clear Visibility into Employee Actions is Critical
Log files are not the answer:
- Too much data to interpret
- Time and manpower to understand
- Can only infer conclusions
User activity recording is key:
- Instantly understandable by anyone
- Irrefutable evidence of user actions
Notify employees of company policy violations in real time and in context: inform employees of potential policy violations as they occur.
A proven approach to cutting the number of security incidents in half.
Educate
- Warn users against proceeding with dangerous or out-of-policy activities
- Warn that policy violations will be recorded and reviewed
- Malicious users are 80% less likely to continue
Deter
- Show warnings that out-of-policy behavior will be recorded and reviewed
Detect
- Easy and intuitive: a user-centric view
- Discover the riskiest users, and gain deep visibility into their present and past
- Streamlined incident response: investigate a handful of risky users instead of thousands of tedious false alerts/discrete events
- Data exfiltration tipping point: capture and hide data
Investigate
- Video session replay provides context to rapidly discern malicious from benign actions
- Accelerate investigations from weeks/months to minutes/hours
Typical Deployment
- Doesn't impact the stability of the machine (ObserveIT is not kernel-based; it runs at user-mode level)
- Scalable beyond thousands of devices
- Offline mode enabled on the agents
(Diagram: Agents on the monitored endpoints send HTTP traffic through a switch to the ObserveIT Application Server, which sends SQL traffic to the Database Server; the ObserveIT Admin uses the ObserveIT Web Console.)
The Benefits of Addressing the Insider Threat
Quicker resolution and enforcement of company policies, which creates a more secure and compliant environment around your protected information:
- A steep decline in the number of inappropriate accesses
- A reduction in the amount of time spent detecting and investigating incidents
- A heightened awareness of security throughout the organization
- A dramatic shift in the culture of security and compliance
- More efficient compliance with regulatory requirements
- Achievement of security goals with no additional staff resources
ObserveIT Delivers Instant ROI: Reducing Security Incidents
(Chart: incidents, on a scale of 0 to 1000, across the four lifecycle stages: Educate (notify employees of company policy), Deter (warn that policy violations will be recorded and reviewed), Detect (get a stack-ranked view of riskiest users), Investigate (rapidly discern malicious from benign actions).)
Fact: Your Authorized Users Represent Your Greatest Risk!
- Insider threats are far more difficult to detect and prevent than external attacks. (Insider Threat Report)
- 75% of insider threats go unnoticed. (CERT Insider Threat Center)
- Insider threats are twice as costly and damaging as external threats. (CERT Insider Threat Center)
(Chart: attack detection time in months, scale 0 to 35: Insider Attacks, 32 months; External Attacks, 6 months.)
Conclusion
- Perform damage assessment of threats
- Map past and current investment against threats
- Determine exposure to insider threats
- Create attack models to identify exposures
- Identify root-cause vulnerabilities
- Block and remove the vector of the attack
- Control flow of inbound delivery methods
- Filter on executable, mail and web links
- Monitor and look for anomalies in outbound activity
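The Detect stage above ("a stack-ranked view of riskiest users") and the conclusion's last steps ("filter on executable ... links", "look for anomalies in outbound activity") can be illustrated with a small scoring script. The following Python is an added example and is not ObserveIT code or anything from the deck: the event format, the policy categories and their weights, and the anomaly threshold are all constructed assumptions, and the sample events are made up for the demonstration.

```python
"""Stack-rank users by out-of-policy actions and flag outbound anomalies.

Added example; the event format and weights are assumptions, not ObserveIT's.
"""
from collections import defaultdict
from statistics import median

# Constructed sample user-activity events: timestamp user action target bytes
SAMPLE_EVENTS = """\
2016-03-01T09:02:11 alice open_attachment report.pdf 0
2016-03-01T09:05:40 alice web_visit intranet.example.local 0
2016-03-01T09:10:02 bob open_attachment invoice.exe 0
2016-03-01T09:12:55 bob cloud_upload dropbox.example 524288000
2016-03-01T09:15:30 carol cloud_upload drive.example 2048000
2016-03-01T09:20:00 carol web_visit news.example 0
2016-03-01T09:25:12 bob usb_copy E:\\ 734003200
2016-03-01T09:30:00 dave login_failed - 0
2016-03-01T09:30:20 dave login_failed - 0
2016-03-01T09:30:45 dave login_failed - 0
2016-03-01T10:00:00 alice cloud_upload drive.example 1048576
"""

# Extensions treated as executable content arriving by mail or web (assumed list).
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".ps1")

# Out-of-policy categories and illustrative weights (assumed, not from the deck).
POLICY_WEIGHTS = {
    "executable_attachment": 5,
    "usb_copy": 4,
    "cloud_upload": 3,
    "login_failed": 1,
}

# Actions counted as outbound data movement for the anomaly check.
OUTBOUND_ACTIONS = ("cloud_upload", "usb_copy")


def parse_events(text):
    """Parse whitespace-separated event lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target, nbytes = line.split(maxsplit=4)
        events.append({"ts": ts, "user": user, "action": action,
                       "target": target, "bytes": int(nbytes)})
    return events


def classify(event):
    """Return the policy category an event falls into, or None if benign."""
    if (event["action"] == "open_attachment"
            and event["target"].lower().endswith(EXECUTABLE_EXTENSIONS)):
        return "executable_attachment"
    if event["action"] in POLICY_WEIGHTS:
        return event["action"]
    return None


def rank_users(events):
    """Stack-ranked view: (user, score, categories) sorted by descending score."""
    scores = defaultdict(int)
    categories = defaultdict(set)
    for event in events:
        category = classify(event)
        if category is not None:
            scores[event["user"]] += POLICY_WEIGHTS[category]
            categories[event["user"]].add(category)
    ranked = [(user, score, sorted(categories[user])) for user, score in scores.items()]
    return sorted(ranked, key=lambda row: (-row[1], row[0]))


def outbound_anomalies(events, factor=10):
    """Users whose outbound byte total exceeds factor x the median user total."""
    totals = defaultdict(int)
    for event in events:
        if event["action"] in OUTBOUND_ACTIONS:
            totals[event["user"]] += event["bytes"]
    if not totals:
        return []
    baseline = median(totals.values())
    return sorted(user for user, total in totals.items()
                  if baseline > 0 and total > factor * baseline)


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for user, score, cats in rank_users(parsed):
        print(f"{user:8} score={score:3} {', '.join(cats)}")
    print("outbound anomalies:", outbound_anomalies(parsed))
```

On the constructed sample, bob ranks first (executable attachment, cloud upload and USB copy) and is also the only outbound anomaly, which is the handful-of-users view the Detect slide describes; the three-failed-logins user scores low and the benign web visits score nothing. The weights and the median-based threshold are starting points to tune against an organization's own baseline, not values the deck supplies.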