#RSAC
SESSION ID: HUM-W03

Proactive Measures to Mitigate Insider Threat

Andrew Case
Director of Research
Volexity
@attrc
Slide 2: Insider Threats – Statistics

- PWC 2015:
  - Roughly 70% of incidents at financial institutions involved current and former employees
  - 60% at industrial manufacturing organizations
- Verizon DBIR 2015: 20.6% of breaches are characterized as "insider misuse"
Slide 3: Insider Threat Defenses – Passive/Default

- Examples
  - Production systems without extra logging or security measures
  - No automated alerts or remote logs generated
- Pros
  - Simplest to implement
  - Provides the evidence needed for post-mortem forensics
- Cons
  - Only useful after damage is caused
  - Can be fully disrupted by anti-forensics
  - Often very expensive and non-repeatable
Slide 4: Insider Threat Defenses - Detection

- Examples
  - Log file accesses, software installation, and USB device usage
  - Generate alerts on access to file storage services (e.g., Dropbox)
- Pros
  - If implemented correctly, finds activity before it causes harm
  - Less inhibiting than full prevention
- Cons
  - If implemented incorrectly, finds activity after irreparable harm
  - Requires active effort by the security team
  
Slide 5: Insider Threat Defenses - Prevention

- Examples
  - Prevent all removable media from being used
  - Block access to personal email and file storage services
  - Block end-users from installing software
- Pros
  - Stops a technique before it can be used
  - Cheapest once implemented
- Cons
  - Often clashes with a company's office culture
  - Can inhibit department-specific productivity
Slide 6: Application to Real World Cases

- We will now look at several real-world insider-threat cases that I investigated
- Combined, the insiders took over 100 million dollars of IP/customers from their previous employers (my clients)
- As I describe these cases, think about how your company would currently fare against such malicious activity and what, if any, mechanism(s) you have in place to detect the activity before irreparable harm is done
Slide 7: The Bank Heist - Background

- Employee of a financial institution sees greener pastures at a competitor
- Contacts competitor about bringing him and his team to the competitor
  - Along with their very wealthy clients
- Proceeds to take nearly every document related to the clients, his team's records, and client management forms
Slide 8: The Bank Heist – Forensic Analysis

- File servers and internal web apps were scraped for sensitive information
- Moved data out of organization control through USB, personal email, and printing
- Files were locally deleted after being exfiltrated
- The forensic timeline showed over 100 files taken and the precise times that the actions occurred
Slide 9: Proactive Measures – File Search

- Secure Network Architecture
- Monitoring File Share Accesses
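Added example, not from the original deck: monitoring file share accesses by volume. The bank-heist analysis found file servers scraped for over 100 files, so this Python builds a constructed file-server audit log with one ordinary analyst and one user who, after three ordinary days, opens 120 client files in a single evening hour, and then flags any hour in which a user's distinct-file count exceeds an absolute limit or five times that user's own median hourly count. The share paths, usernames and both thresholds are assumptions.

```python
"""Volume-based monitoring of file share accesses (added example, not from the slides).

Models the "file servers scraped" pattern: a user who, within one hour,
opens far more distinct files (and far more distinct share directories)
than their own recent baseline. Event format, paths and thresholds are
constructed assumptions.
"""
from collections import defaultdict
from statistics import median

ABSOLUTE_LIMIT = 50      # distinct files per hour that is suspicious for anyone (assumption)
BASELINE_FACTOR = 5.0    # or 5x the user's own median hourly count (assumption)


def build_sample_events():
    """Constructed file-server audit records: (timestamp, user, path)."""
    events = []
    # Ordinary analyst: 4-6 distinct files per hour, all in one team share.
    for day in range(2, 6):
        for hour in range(9, 17):
            for i in range(4 + (hour % 3)):
                events.append((f"2015-03-0{day}T{hour:02d}:{10 + i:02d}:00", "akhan",
                               f"\\\\fs01\\trading\\reports\\q1_{hour}_{i}.xlsx"))
    # Departing employee: the same pattern for three days, then a scrape of
    # 120 files across every client directory on the evening of the fourth day.
    for day in range(2, 5):
        for hour in range(9, 17):
            for i in range(5):
                events.append((f"2015-03-0{day}T{hour:02d}:{20 + i:02d}:00", "jsmith",
                               f"\\\\fs01\\wealth\\teamA\\client_notes_{hour}_{i}.docx"))
    for i in range(120):
        events.append((f"2015-03-05T18:{i % 60:02d}:{i // 60:02d}", "jsmith",
                       f"\\\\fs01\\wealth\\clients\\acct_{i:04d}\\statement.pdf"))
    return events


def hourly_counts(events):
    """{user: {hour_bucket: (distinct files, distinct directories)}}"""
    files = defaultdict(lambda: defaultdict(set))
    dirs = defaultdict(lambda: defaultdict(set))
    for ts, user, path in events:
        bucket = ts[:13]              # YYYY-MM-DDTHH
        files[user][bucket].add(path)
        dirs[user][bucket].add(path.rsplit("\\", 1)[0])
    return {u: {b: (len(files[u][b]), len(dirs[u][b])) for b in files[u]} for u in files}


def find_bursts(events):
    """Flag hours whose distinct-file count is abnormal for that user."""
    alerts = []
    for user, buckets in hourly_counts(events).items():
        base = median(sorted(n for n, _ in buckets.values()))
        for bucket, (n_files, n_dirs) in sorted(buckets.items()):
            if n_files >= ABSOLUTE_LIMIT or n_files >= BASELINE_FACTOR * base:
                alerts.append({"user": user, "hour": bucket, "files": n_files,
                               "dirs": n_dirs, "baseline": base})
    return alerts


if __name__ == "__main__":
    for a in find_bursts(build_sample_events()):
        print(a)
```

The directory count is carried alongside the file count because a user who legitimately works on one large deliverable touches many files in one directory, whereas scraping client records touches one file in each of many directories; reviewing both numbers keeps the alert actionable.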
  
	
  
Slide 10: Proactive Measures – File Exfiltration

- USB
- Printing/Scanning
- Personal Email
- Cloud Storage*

* This case is several years old and cloud services were not very popular then, but they are used extensively in modern, similar scenarios
Slide 11: Abuse of Power - Background

- Plant manager at a manufacturing company was using "down time" of the company's machines to run a side business
- He purchased some materials on his own; some were ordered through the company's accounts
- Was only caught through a machine malfunction
Slide 12: Abuse of Power – Forensic Analysis

- The rogue manager had logged into control systems during non-client billable hours
- The manager scheduled manufacturing jobs outside of any legitimate work order
- The manager deleted associated files in a failed attempt to cover his tracks
Slide 13: Proactive Measures – Accounts & Systems

- Technical measures
  - Monitor user logins
  - Monitor system usage
- Business measures
  - No critical business processes should be controlled by one person
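Added example (not from the deck): the two technical measures on this slide, applied to the plant-manager case. The Python below checks a constructed control-system login log for logins outside business hours, checks a constructed job schedule for jobs that reference no open work order, and then correlates the two so that an unsanctioned job submitted shortly after an off-hours login by the same user is reported with the host it came from. Record formats, business hours, identifiers and the one-hour correlation window are all assumptions.

```python
"""Login and system-usage monitoring for the plant-manager case.

Added example, not from the slides. All records, hours and identifiers are
constructed assumptions.
"""
from datetime import datetime

BUSINESS_START, BUSINESS_END = 7, 19        # 07:00-19:00 local, Mon-Fri (assumption)
CORRELATION_WINDOW_S = 3600                 # job within an hour of the login (assumption)

# Constructed control-system audit log: (timestamp, user, host)
LOGINS = [
    ("2015-01-12T08:03:00", "rmanager", "cnc-ctrl-01"),
    ("2015-01-12T21:40:00", "rmanager", "cnc-ctrl-01"),   # Monday evening
    ("2015-01-17T10:15:00", "rmanager", "cnc-ctrl-02"),   # Saturday
    ("2015-01-13T09:30:00", "operator7", "cnc-ctrl-01"),
]

# Constructed job schedule: (job id, submitted at, user, work order referenced)
JOBS = [
    ("J-1001", "2015-01-12T08:10:00", "rmanager", "WO-5531"),
    ("J-1002", "2015-01-12T21:45:00", "rmanager", "WO-9999"),   # no such order
    ("J-1003", "2015-01-17T10:20:00", "rmanager", ""),          # no order at all
    ("J-1004", "2015-01-13T09:35:00", "operator7", "WO-5532"),
]

# Open work orders as exported from the ERP (constructed)
OPEN_WORK_ORDERS = {"WO-5531", "WO-5532", "WO-5540"}


def outside_business_hours(ts):
    """True for weekends and for any hour outside the business window."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (BUSINESS_START <= t.hour < BUSINESS_END)


def off_hours_logins(logins):
    return [(ts, user, host) for ts, user, host in logins if outside_business_hours(ts)]


def unsanctioned_jobs(jobs, open_orders):
    """Jobs whose work-order reference is missing or not an open order."""
    return [job for job in jobs if job[3] not in open_orders]


def correlate(logins, jobs, open_orders):
    """Unsanctioned jobs submitted by a user within the window after that user's off-hours login."""
    flagged = []
    offhours = off_hours_logins(logins)
    for job_id, submitted, user, _order in unsanctioned_jobs(jobs, open_orders):
        jts = datetime.fromisoformat(submitted)
        for ts, login_user, host in offhours:
            delta = (jts - datetime.fromisoformat(ts)).total_seconds()
            if login_user == user and 0 <= delta <= CORRELATION_WINDOW_S:
                flagged.append((job_id, user, host, ts))
                break
    return flagged


if __name__ == "__main__":
    for f in correlate(LOGINS, JOBS, OPEN_WORK_ORDERS):
        print(f)
```

Either check on its own produces noise (maintenance staff log in at night; clerks mistype order numbers); it is the combination, repeated for one account, that matches the pattern the forensic analysis on the previous slide reconstructed after the fact.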
  
	
  
Slide 14: Offline Exfiltration - Background

- Victim organization had very tight data exfiltration controls
- Laptops utilized full disk encryption (FDE)
  - ... but desktops did not!
- Path to exfiltration:
  1. Copy sensitive files to desktop during business hours
  2. Remove hard drive before leaving and take home
  3. Offline mount hard drive and copy files
Slide 15: Offline Exfiltration – Forensic Analysis

- If done properly, this leaves no traces for (reasonable) forensics to find
- The employee in this instance could create, modify, and delete files from the disk at will
- Was only caught after making other "mistakes" and confessing to the disk removal
Slide 16: Proactive Measures - Full Disk Encryption

- Utilize FDE for everything!
- Be wary of offline decrypt capabilities
  - The user knows his/her own password…
Slide 17: Anti-Forensics - Background

- Two key employees leave the victim company simultaneously
- Soon after, important clients end contracts
- Previous employees' equipment investigated for signs of improper client interactions
Slide 18: Anti-Forensics – Forensics Analysis

- Employees utilized heavy anti-forensics
  - Both factory reset their company provided Android phones
  - Employee 1 ran CCleaner before returning his computer
  - Employee 2 replaced the hard drive with one bought from Amazon
Slide 19: Anti-Forensics – Proactive Measures

- Tracking application downloads and installs
- Application whitelisting
Slide 20: Proactive Measures – Employee Termination

- Companies work against themselves by not properly assessing and preserving employee equipment (laptops, desktops, phones, tablets) post termination
- These policies, or lack thereof, can inhibit forensic investigation, legal proceedings, and recovery and understanding of stolen data
Slide 21: Bad Policy Examples

- Re-install/re-purpose systems immediately upon employee termination
- No check of all system components against IT inventory
- No check of historical removable media usage
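Added example (not from the deck): the three bad policies on this slide turned into a pre-reimage check for a departing employee's equipment. The Python compares the hardware state collected when a device is returned against the IT inventory record (which would have caught the Amazon-bought replacement drive in the anti-forensics case), looks for removable media use in a lookback window before the termination date, and only clears the device for reimaging when neither check fires. Inventory records, collected state, USB history, asset tags and the 90-day lookback are constructed assumptions.

```python
"""Pre-reimage review of a departing employee's equipment.

Added example, not from the slides. All records and the lookback window are
constructed assumptions.
"""
from datetime import date, timedelta

LOOKBACK_DAYS = 90     # removable media use this close to termination is reviewed (assumption)
CHECKED_FIELDS = ("disk_serial", "disk_model")

# IT inventory as recorded when the devices were issued (constructed)
INVENTORY = {
    "LT-0042": {"user": "jdoe", "disk_serial": "WD-WX11A2345678", "disk_model": "WD5000LPCX"},
    "DT-0117": {"user": "msmith", "disk_serial": "S1DBNSAF123456", "disk_model": "ST500DM002"},
}

# Hardware state collected when each device was returned (constructed)
RETURNED = {
    "LT-0042": {"disk_serial": "AMZ-NEW-9988776", "disk_model": "CT500MX200SSD1"},
    "DT-0117": {"disk_serial": "S1DBNSAF123456", "disk_model": "ST500DM002"},
}

# Removable media history per asset, as recovered from the OS (constructed): (date, device)
USB_HISTORY = {
    "LT-0042": [(date(2015, 2, 3), "SanDisk Cruzer 32GB")],
    "DT-0117": [(date(2014, 6, 1), "Kingston DataTraveler"), (date(2014, 12, 15), "Seagate Expansion 2TB")],
}


def component_mismatches(asset):
    """Checked fields whose returned value differs from the inventory record."""
    inv, ret = INVENTORY[asset], RETURNED[asset]
    return [(f, inv[f], ret[f]) for f in CHECKED_FIELDS if inv[f] != ret[f]]


def recent_media_use(asset, termination_date, lookback_days=LOOKBACK_DAYS):
    """Removable media events on or after termination_date minus the lookback."""
    cutoff = termination_date - timedelta(days=lookback_days)
    return [(d, dev) for d, dev in USB_HISTORY.get(asset, []) if d >= cutoff]


def termination_review(asset, termination_iso):
    """Decide whether the device must be preserved (imaged) before it is reimaged."""
    termination_date = date.fromisoformat(termination_iso)
    findings = {
        "asset": asset,
        "component_mismatches": component_mismatches(asset),
        "recent_removable_media": recent_media_use(asset, termination_date),
    }
    findings["preserve_before_reimage"] = bool(
        findings["component_mismatches"] or findings["recent_removable_media"]
    )
    return findings


if __name__ == "__main__":
    for asset in INVENTORY:
        print(termination_review(asset, "2015-03-31"))
```

The decision is deliberately computed from recorded facts rather than from the departing employee's role, because the anti-forensics case above involved equipment that looked unremarkable until the drive serial was compared with what IT had issued.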
  
Slide 22: Get Proactive Against Insider Threat

- Within a month you should be able to identify:
  - Deficiencies that could allow for exfiltration
  - Deficiencies in key employee oversight
  - Policy deficiencies related to employee termination
- Within three months be able to:
  - Remediate critical deficiencies
  - Have a working plan to remediate all deficiencies
Slide 23: Wrapping Up & Q/A

- If you aren't being proactive then you are just waiting to become a victim
- While insider threats are the most prevalent, they are also the most preventable through proactive policy and technical controls
- Contact info:
  - acase@volexity.com (3DE6E0C8)
  - @attrc

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 

Proactive Measures to Defeat Insider Threat

  • 1. #RSAC Session ID: HUM-W03 – Proactive Measures to Mitigate Insider Threat
    Andrew Case, Director of Research, Volexity, @attrc

  • 2. Insider Threats – Statistics
    - PWC 2015:
      - Roughly 70% of incidents at financial institutions involved current and former employees
      - 60% at industrial manufacturing organizations
    - Verizon DBIR 2015: 20.6% of breaches are characterized as “insider misuse”

  • 3. Insider Threat Defenses – Passive/Default
    - Examples
      - Production systems without extra logging or security measures
      - No automated alerts or remote logs generated
    - Pros
      - Simplest to implement
      - Provides the evidence needed for post-mortem forensics
    - Cons
      - Only useful after damage is caused
      - Can be fully disrupted by anti-forensics
      - Often very expensive and non-repeatable

  • 4. Insider Threat Defenses – Detection
    - Examples
      - Log file accesses, software installation, and USB device usage
      - Generate alerts on access to file storage services (e.g., Dropbox)
    - Pros
      - If implemented correctly, finds activity before it causes harm
      - Less inhibiting than full prevention
    - Cons
      - If implemented incorrectly, finds activity after irreparable harm
      - Requires active effort by the security team

  • 5. Insider Threat Defenses – Prevention
    - Examples
      - Prevent all removable media from being used
      - Block access to personal email and file storage services
      - Block end-users from installing software
    - Pros
      - Stops a technique before it can be used
      - Cheapest once implemented
    - Cons
      - Often clashes with a company’s office culture
      - Can inhibit department-specific productivity

  • 6. Application to Real World Cases
    - We will now look at several real-world insider-threat cases that I investigated
    - Combined, the insiders took over 100 million dollars of IP/customers from their previous employers (my clients)
    - As I describe these cases, think about how your company would currently fare against such malicious activity and what, if any, mechanism(s) you have in place to detect the activity before irreparable harm is done

  • 7. The Bank Heist – Background
    - Employee of a financial institution sees greener pastures at a competitor
    - Contacts competitor about bringing him and his team to the competitor
      - Along with their very wealthy clients
    - Proceeds to take nearly every document related to the clients, his team’s records, and client management forms

  • 8. The Bank Heist – Forensic Analysis
    - File servers and internal web apps were scraped for sensitive information
    - Moved data out of organization control through USB, personal email, and printing
    - Files were locally deleted after being exfiltrated
    - The forensic timeline showed over 100 files taken and the precise times that the actions occurred

  • 9. Proactive Measures – File Search
    - Secure Network Architecture
    - Monitoring File Share Accesses

  • 10. Proactive Measures – File Exfiltration
    - USB
    - Printing/Scanning
    - Personal Email
    - Cloud Storage*
    * This case is several years old and cloud services were not very popular then but are used extensively in modern, similar scenarios

  • 11. Abuse of Power – Background
    - Plant manager at a manufacturing company was using “down time” of the company’s machines to run a side business
    - He purchased some materials on his own, some were ordered through the company’s accounts
    - Was only caught through a machine malfunction

  • 12. Abuse of Power – Forensic Analysis
    - The rogue manager had logged into control systems during non-client billable hours
    - The manager scheduled manufacturing jobs outside of any legitimate work order
    - The manager deleted associated files in a failed attempt to cover his tracks

  • 13. Proactive Measures – Accounts & Systems
    - Technical measures
      - Monitor user logins
      - Monitor system usage
    - Business measures
      - No critical business processes should be controlled by one person
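As an added example (not from the slides or from Volexity), here is what the detection measures on slides 4, 9 and 13 look like as concrete rules run over constructed file-share, authentication and USB log lines: a bulk read of share files in one hour (the bank heist pattern), logins to a control host outside business hours (the plant manager pattern), and a USB mount by a user who already tripped the bulk-read rule. The log format, user names, host name and thresholds are all assumptions for the demonstration.

```python
"""Detection rules for the proactive measures on slides 4, 9 and 13.
Added example with constructed data; the log format is assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
#   "<ISO timestamp> <source> user=<u> action=<a> <key>=<value> ..."
# 2015-03-02 is a Monday, so only the clock time puts a login off-hours.
SAMPLE_LOGS = [
    f"2015-03-02T09:{12 + i:02d}:00 fileshare user=jsmith action=read "
    f"path=/clients/acct_{1000 + i}.pdf"
    for i in range(12)          # twelve distinct client files in one hour
] + [
    "2015-03-02T09:30:15 usb user=jsmith action=mount device=removable_disk_1",
    "2015-03-02T10:00:00 auth user=pmanager action=login host=plc-ctrl-01",
    "2015-03-02T11:05:00 fileshare user=alee action=read path=/clients/acct_2001.pdf",
    "2015-03-02T23:41:07 auth user=pmanager action=login host=plc-ctrl-01",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")


def parse(line):
    """Turn one log line into a dict with a parsed timestamp and source."""
    ts, source, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    fields["source"] = source
    return fields


def bulk_file_reads(events, threshold=10):
    """Rule 1 (slide 9): a user reading more than `threshold` distinct
    share files within a single clock hour. Returns the flagged users."""
    seen = defaultdict(set)
    for e in events:
        if e["source"] == "fileshare" and e["action"] == "read":
            seen[(e["user"], e["ts"].strftime("%Y-%m-%dT%H"))].add(e["path"])
    return sorted({user for (user, _), paths in seen.items() if len(paths) > threshold})


def off_hours_logins(events, start=8, end=18):
    """Rule 2 (slide 13): logins outside business hours or at the weekend."""
    hits = []
    for e in events:
        if e["source"] == "auth" and e["action"] == "login":
            if e["ts"].weekday() >= 5 or not (start <= e["ts"].hour < end):
                hits.append((e["user"], e["host"], e["ts"].isoformat()))
    return hits


def usb_after_bulk_read(events, threshold=10):
    """Rule 3 (slides 4 and 10): a USB mount by a user who tripped rule 1."""
    flagged = set(bulk_file_reads(events, threshold))
    return sorted({e["user"] for e in events
                   if e["source"] == "usb" and e["action"] == "mount"
                   and e["user"] in flagged})


def run_all(lines):
    """Parse the lines, sort by time, and apply all three rules."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    return {"bulk_reads": bulk_file_reads(events),
            "off_hours": off_hours_logins(events),
            "usb_after_bulk": usb_after_bulk_read(events)}


if __name__ == "__main__":
    for rule, result in run_all(SAMPLE_LOGS).items():
        print(f"{rule}: {result}")
```

The thresholds are the tunable part: a bulk-read limit that is too high finds the activity only after the files are gone, which is the "implemented incorrectly" failure mode slide 4 warns about.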
  • 14. Offline Exfiltration – Background
    - Victim organization had very tight data exfiltration controls
    - Laptops utilized full disk encryption (FDE)
      - ... but desktops did not!
    - Path to exfiltration:
      1. Copy sensitive files to desktop during business hours
      2. Remove hard drive before leaving and take home
      3. Offline mount hard drive and copy files

  • 15. Offline Exfiltration – Forensic Analysis
    - If done properly, this leaves no traces for (reasonable) forensics to find
    - The employee in this instance could create, modify, and delete files from the disk at will
    - Was only caught after making other “mistakes” and confessing to the disk removal

  • 16. Proactive Measures – Full Disk Encryption
    - Utilize FDE for everything!
    - Be wary of offline decrypt capabilities
      - The user knows his/her own password…

  • 17. Anti-Forensics – Background
    - Two key employees leave the victim company simultaneously
    - Soon after, important clients end contracts
    - Previous employees’ equipment investigated for signs of improper client interactions

  • 18. Anti-Forensics – Forensics Analysis
    - Employees utilized heavy anti-forensics
      - Both factory reset their company provided Android phones
      - Employee 1 ran CCleaner before returning his computer
      - Employee 2 replaced the hard drive with one bought from Amazon

  • 19. Anti-Forensics – Proactive Measures
    - Tracking application downloads and installs
    - Application whitelisting

  • 20. Proactive Measures – Employee Termination
    - Companies work against themselves by not properly assessing and preserving employee equipment (laptops, desktops, phones, tablets) post termination
    - These policies, or lack thereof, can inhibit forensic investigation, legal proceedings, and recovery and understanding of stolen data

  • 21. Bad Policy Examples
    - Re-install/re-purpose systems immediately upon employee termination
    - No check of all system components against IT inventory
    - No check of historical removable media usage

  • 22. Get Proactive Against Insider Threat
    - Within a month you should be able to identify:
      - Deficiencies that could allow for exfiltration
      - Deficiencies in key employee oversight
      - Policy deficiencies related to employee termination
    - Within three months be able to:
      - Remediate critical deficiencies
      - Have a working plan to remediate all deficiencies

  • 23. Wrapping Up & Q/A
    - If you aren’t being proactive then you are just waiting to become a victim
    - While insider threats are the most prevalent, they are also the most preventable through proactive policy and technical controls
    - Contact info:
      - acase@volexity.com (3DE6E0C8)
      - @attrc