This webinar is a continuation to Part 1: Identifying Insider Threats with Fidelis EDR Technology. Fidelis Engineers, Lucas Chumley and Louis Smith will provide a demonstration of how Fidelis Technology can help organizations respond to and prevent an insider threat from moving data externally. You’ll learn how our Elevate technology can be leveraged to successfully identify what data has left your network, and how to prevent data leaving in future by looking for similar information on all other assets.
Fidelis Collector Presentation – Public Information.
We covered the theory last time; this time we are talking about practical application.
Were any of these the result of an insider threat? Yes – Equifax (negligent) and Marriott (they acquired the breach – negligent).
Edward Snowden. Air gap – data was physically moved from one medium to another - mention the length of the breach
Marriott – The attackers remained in the system after Marriott acquired Stargroup.
Source: https://www.csoonline.com/article/2130877/data-breach/the-biggest-data-breaches-of-the-21st-century.html
https://attack.mitre.org/techniques/T1041/
Baselining can cover any number of things, not just how much data is moving or where the data is coming from. It also covers things like people logging into their workstations at odd hours of the day. If a user normally logs in between 9am and 5pm and then, all of a sudden, that same user is logging in at 1am, there is a problem. In Network, we can apply an analytic rule such as "incoming connection on this port", and the rule can be restricted to certain hours to catch anomalies.
This helps you build a baseline separating what's normal from what's not. Really, it is about being able to identify the difference: what's normal and what's not.
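A minimal version of the two baselining checks described above, written as an added example for this page (it is not Fidelis product code and does not reproduce the product's rule syntax): it learns each user's login-hour window from constructed sample log lines, widens that window by an hour of slack, and flags logins outside it or from users with no baseline at all; a second function applies a port-plus-allowed-hours analytic rule of the kind mentioned. The log format, user names, ports and timestamps are all made up for the example.

```python
"""Added example, not Fidelis code: per-user login-hour baselining and a
time-windowed port rule, run over constructed sample log lines."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log format (hypothetical): "<ISO timestamp> <event> user=<name> port=<n>"
BASELINE_LOG = """\
2019-03-04T09:02:00 login user=alice port=3389
2019-03-04T17:10:00 login user=alice port=3389
2019-03-05T08:55:00 login user=alice port=3389
2019-03-05T13:30:00 login user=alice port=3389
2019-03-04T10:00:00 login user=bob port=22
2019-03-05T11:45:00 login user=bob port=22
"""

# Constructed lines to evaluate against the learned baseline.
NEW_LOG = """\
2019-03-06T09:05:00 login user=alice port=3389
2019-03-06T01:12:00 login user=alice port=3389
2019-03-06T10:20:00 login user=bob port=22
2019-03-06T02:40:00 login user=mallory port=22
"""


def parse_line(line):
    """Split one log line into a record with a datetime, event, user and port."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"time": datetime.fromisoformat(ts), "event": event,
            "user": kv["user"], "port": int(kv["port"])}


def build_baseline(lines, slack_hours=1):
    """Learn, per user, the [earliest, latest] login hour seen, widened by slack.

    Returns a dict: user -> (first_allowed_hour, last_allowed_hour)."""
    seen = defaultdict(list)
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec["event"] == "login":
            seen[rec["user"]].append(rec["time"].hour)
    return {user: (max(0, min(hours) - slack_hours), min(23, max(hours) + slack_hours))
            for user, hours in seen.items()}


def find_anomalies(lines, baseline):
    """Report logins outside the user's baseline window, and logins by users
    that have no baseline (never seen during the learning period)."""
    anomalies = []
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec["event"] != "login":
            continue
        window = baseline.get(rec["user"])
        hour = rec["time"].hour
        if window is None:
            anomalies.append((rec["user"], rec["time"].isoformat(), "no baseline for user"))
        elif not (window[0] <= hour <= window[1]):
            anomalies.append((rec["user"], rec["time"].isoformat(),
                              "outside %02d:00-%02d:59" % window))
    return anomalies


def port_rule(lines, port, allowed_hours):
    """Analytic rule: any connection on `port` whose hour is not in
    `allowed_hours` (e.g. range(9, 18) for 09:00-17:59) is reported."""
    hits = []
    for line in lines.splitlines():
        rec = parse_line(line)
        if rec["port"] == port and rec["time"].hour not in allowed_hours:
            hits.append((rec["user"], rec["time"].isoformat()))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    print("baseline:", baseline)
    for item in find_anomalies(NEW_LOG, baseline):
        print("login anomaly:", item)
    for item in port_rule(NEW_LOG, 22, range(9, 18)):
        print("port 22 outside business hours:", item)
```

With the constructed input, alice's 01:12 login and the never-seen user mallory are reported by the baseline check, and mallory's 02:40 connection on port 22 is the only hit for the hours-restricted port rule. The slack parameter is the knob that trades false positives (too tight a window) against missed detections (too loose), which is the tension the next slides return to.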
These are automated rules that can be set up, and there is also Data Science as a Service, which we can apply to the baseline.
Fidelis Offers Data Science as a Service - which helps customers create models to help establish baselines.
Machine Learning plus targeted Human Learning and model creation is the most comprehensive way to establish baselines and identify anomalous behavior.
The ways in which Fidelis could solve this issue…
Generally, current solutions attempt to identify divergence from what is considered “normal” behavior for a given employee. When the software spots an anomaly, a small team investigates.
While this method can be helpful, it usually falls short, for four reasons:
By the time negative behaviors are detected, the breach has often already occurred. The organization is already at a disadvantage, and it cannot deploy an active defense.
Monitoring for “divergence from normal behavior” creates a huge number of false positives, wasting much of the investigation team’s time.
Serial bad actors may not be caught; malicious activity may be built into the baseline of “normal” activity.
Collecting massive amounts of employee data creates privacy concerns and significant potential for abuse, and it leaves end users with a strong perception of privacy intrusion.
We address these concerns in very innovative ways.
Monitor and apply automatic analysis to all behavior, all the time.
Integrate prevention, detection, investigation and remediation tools to allow for simultaneous operations.
Automated detection, identification and classification of key assets and their alerts to minimize both dwell time and investigation resources.
A program to combat any form of insider threat has to focus on detection through the techniques we’ve discussed. Since those cannot be replaced, they had to be improved.