Se ha denunciado esta presentación.
Se está descargando tu SlideShare. ×

Why Insider Threat is a C-Level Priority

Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Anuncio
Cargando en…3
×

Eche un vistazo a continuación

1 de 19 Anuncio

Why Insider Threat is a C-Level Priority

Descargar para leer sin conexión

I’m probably the last person on earth you’d expect to encourage making insider threat a C-level priority after devoting a decade of my career to external threat and endpoint security, as the for CTO of McAfee and Chief Scientist for Lockheed Martin. But sometimes the best advice comes from the least expected places.

I’m probably the last person on earth you’d expect to encourage making insider threat a C-level priority after devoting a decade of my career to external threat and endpoint security, as the for CTO of McAfee and Chief Scientist for Lockheed Martin. But sometimes the best advice comes from the least expected places.

Anuncio
Anuncio

Más Contenido Relacionado

Presentaciones para usted (18)

Similares a Why Insider Threat is a C-Level Priority (20)

Anuncio

Más reciente (20)

Why Insider Threat is a C-Level Priority

  1. 1. Why Insider Threat is a C-Level Priority by Dr. Eric Cole © 2016 Secure Anchor Consulting. All rights reserved.
  2. 2. Are You Focused on the Correct Area?
  3. 3. External vs Internal ● Deliberate/Malicious Insider ● Accidental Insider ● Source of the damage — External ● Cause of the damage — Internal
  4. 4. Paradigm Shift 53% of organizations have experienced an insider incident 33% of organizations have no formal response plan 54% of IT professionals believe an insider threat is harder to detect today
  5. 5. Nature of Insider Threats ● Two main forms of insider threat: — Deliberate/malicious insider — Accidental insider ● Why do insiders become targets? — As external targets become more difficult, attackers find insiders are an easier avenue to compromise
  6. 6. If You Have Employees/Contractors, You Have an Insider Threat Problem Bottom Line
  7. 7. Insider Threat Current State Insider threats are on IT’s radar Spending on insider threats will increase The financial impact is significant Organizations fail to focus on solutions Insider threat often the cause of damage Prevention is more a state of mind than a reality
  8. 8. Assessing Vulnerability to Insiders ● What information would an adversary target? ● What systems contain the information that attackers would target? ● Who has access to critical information? ● What would be the easiest way to compromise an insider? ● What measures or solutions can IT use to prevent/detect these attacks? ● Does our current budget appropriately address insider threats? ● What would a security roadmap that includes insider threats look like for our organization?
  9. 9. Insider Attack Chain – Bad Attacker Tipping Point - Going From Good to Bad Communicating via LinkedIn / Gmail message to competitor. Playing video games with lack of regard. 1 Searching for Data Password harvesting or unauthorized access to co- workers computers. 2 Capture and Hide the Data Encrypt and rename file extensions - password protected ZIP file. 3 Data Exfiltration Send ZIP file over Wetransfer - off hours transfers. 4
  10. 10. Insider Attack Chain – Negligent User Detect Negligent Behavior 1 Inform Users of Security Policy 2 Enforce Behavior Change 3
  11. 11. Solutions for Insider Threat
  12. 12. How well is your organization doing with insider threats? ● Policy ● Procedures ● Awareness ● Training ● Technology ● Administrative ● Executive Support We calculating your “insider threat GPA”, you can see what the biggest exposure you have to insider threats is likely to be. Write your organization’s report card and focus on the lowest scoring areas.
  13. 13. Preventing Insider Threat ● Deliberate Insider – Difficult — More focus on authorization and access ● Accidental Insider - Possible — Differentiate between required functionality and optional functionality — Typical avenues of attack ● Exe attachments ● Macros embedded in Office documents ● Active scripting ● HTML embedded content
  14. 14. Detecting Insider Threat Activity patterns focused on data: — Amount of data accessed — Failed access attempts — Data copied or sent to external sources There are differences in activity between a normal user and an insider threat.
  15. 15. Detecting Accidental Insider ● Accidental insider is being targeted by external entity ● Almost all external attackers setup C2 ● Focus on outbound traffic — Number of connections — Length of the connections — Amount of data — Percent that is encrypted — Destination IP address Focus on Command & Control Channel
  16. 16. Building an Insider Threat Program ● Determine access ● Profile user behavior ● Control administrator access ● Raise awareness ● Monitor activity Conventional wisdom does not work when it comes to security. Giving someone unneeded access just makes it easier for the adversary and increases the amount of damage that can be caused by a successful attack.
  17. 17. Make Sure You Are Solving the Correct Problem ● Always force a user to log in as a normal user. All operating systems can be configured to allow only normal user accounts to login and never allow someone with admin privileges to log directly into the system. ● Configure any application that needs to run with administrator privileges to either “Run as Administrator” or sudo to the appropriate access that is needed. ● Log and carefully review all privileged access. ● If an employee needs a system where they have to log in directly as administrator, give them a separate system for any access he or she may need to the Internet.
  18. 18. Summary ● Perform damage assessment of threats ● Map past and current investment against threats ● Determine exposure to insider threats ● Create attack models to identify exposures ● Identify root-cause vulnerabilities ● Block and remove the vector of the attack ● Control flow of inbound delivery methods ● Filter on executable, mail and web links ● Monitor and look for anomalies in outbound traffic Insider Threat Checklist
  19. 19. Thank You for Your Time! DR. Eric Cole Twitter: drericcole ecole@secureanchor.com eric@sans.org www.securityhaven.com

×