Insider threats are a growing problem as data becomes more digitized and accessible. Effective insider threat programs require increased visibility into user behavior and data access, as well as nimble security tools to quickly identify, investigate, and mitigate issues. Companies should make developing an insider threat program a priority by gaining leadership support, identifying critical assets, screening employees, and continually updating processes as the organization evolves.
3. Roadmap
o Insider Threat Landscape
□ What has changed the landscape?
□ Trends
□ Security priorities in a changing landscape
o Identifying “At Risk” assets
o Even the savviest companies have “Insider” problems
□ Google / Waymo -> unable to attribute actions to an individual
□ Palantir -> limiting scope of an investigation
o Pain points in an Insider Threat Investigation
o Mitigating an Insider Threat
o Conclusions / Recommendations
5. Quick Overview - Insider Threats
o Due to the increased importance of technology (aka digitalization), employees have greater ability to rapidly cause more damage
o 74% of companies feel they are vulnerable to insider threats, with 7% reporting extreme vulnerability
o Insider threats can go undetected for years
o It is hard to distinguish harmful actions from regular work
o Data is increasingly easy to monetize on the dark web
o Access to data is required for people to do their job
These trends will result in insider threats becoming increasingly dangerous
6. Trends
Not just growth but other qualitative trends…
o Some employees are interested in personal or financial gain
o According to Verizon’s DBIR, 77 percent of internal breaches were deemed to be by employees, 11 percent by external actors only, 3 percent were from partners and 8 percent involved internal-external collusion
o Of that 77 percent, 31.5 percent of breaches stem from malicious insiders, with another 23.5 percent resulting from actions by inadvertent actors
o 90 percent of organizations reported suffering from at least one data breach in the last two years, with 45 percent reporting five or more breaches (Ponemon Institute)
7. Security Priorities - Increase Visibility and Context
Visibility
o Who has access to sensitive data?
o Which computers and applications access sensitive data?
o Are data governance policies being followed?
Context
o What events lead up to a data breach?
o What has an employee been doing in the days leading up to leaving the company?
o Are your DLP rules providing adequate protection?
How do you enable your employees to be productive in an increasingly fast-paced, data-driven world while maintaining the security of your organization’s data?
8. Profiles of Insider Threats
https://www.intel.com/content/dam/www/public/us/en/documents/best-practices/a-field-guide-to-insider-threat-paper.pdf
9. Identifying at Risk Assets
o Easy to Monetize
o Easy to Remove
o Difficult to Attribute
o High Impact
12. Pain Points in an Investigation
o Detecting: How do you discriminate between normal activity and activity leading to an insider-driven breach?
o Investigating: Difficult to identify which computer / person was involved in the breach. In large organizations, often 1000+ devices / people could be involved.
o Attributing: Hard to prove that a specific person performed certain actions.
13. Insider Threat Kill Chain
Recruitment / Tipping Point -> Search and Reconnaissance -> Exploitation -> Acquisition -> Exfiltration
14. Developing an Insider Threat Program
Gain senior leadership endorsement
Develop a repeatable process to monitor and mitigate insider threats
Identify and understand critical assets
Use analytics to strengthen the program backbone
Coordinate with legal counsel to address privacy, data protection and data transfer
Screen employees and vendors regularly
Implement processes following uniform standards involving the right stakeholders
Create curriculum to generate awareness about insider threats and their risks
15. Insider Threat Solution Ecosystem
Network based tools
Behavior based tools
Employee screening tools
Endpoint tools
16. Summary
o Insider threats are a major problem and will become even worse in the future
o Organizations need increased visibility into user-information interaction
o Evaluate new nimble / easy-to-use security tools that can help you quickly identify, investigate and mitigate insider threats
o Developing an insider threat program needs to be a priority and needs to be continuously updated as the organization evolves
Editor's notes
Intro slide: talk briefly about our background, enough to give some credibility and make them interested in what we have to say.
Roadmap of the presentation
More employees are required to access data to do their jobs
More data exists, and is required by businesses
Data more critical to business functions
Online dependencies are increasing faster than our ability to protect data
Principles like least privilege are becoming increasingly difficult to enforce
Increasing demand for information is driving more of it to be made public
Increased incentives to steal data -> IP, celebrity status, incredible wealth
Easy to move money digitally, more connected
http://www.advisenltd.com/2014/10/03/insider-threat-employees-can-greatest-asset-greatest-risk/
A study shows that 1 in 5 employees will sell their work password for money, and 44% of them would do it for less than $1,000 https://www.observeit.com/insider-threat
which makes them hard to categorize. Annual DBIR reports since 2010 show that in purely numerical terms, internal attackers account for around 1 in 5 successful breaches they have reviewed.
https://www.healthitoutcomes.com/doc/the-types-of-insider-threats-and-how-to-stop-them-0001
Privileged users – These are usually the most trusted users in a company but they also have the most opportunities to misuse your data, both intentionally and unintentionally.
Third parties – Remote employees, subcontractors, third-party vendors and partners all usually have access to your system. Since you know nothing about the security of their systems and often even about the very people accessing your data, you should treat them as a security risk.
Terminated employees – Similar to the case mentioned at the beginning of this article, employees can take data with them when terminated. Even more importantly, sometimes they can access your data even after termination, either via malware or backdoors or by retaining their access because nobody bothered to disable it.
The Malicious Insider
This type of insider threat is likely the most difficult to face, and the threat they pose is not easily mitigated by more stringent protocols or advanced information security training. Whether a criminal agent who poses as a legitimate candidate and secures work with a healthcare business, or a disgruntled employee looking to retaliate against an employer, this type of insider has secured a set of legitimate credentials and uses it to breach the network. This also applies to an external hacker logging into the network using stolen credentials; once in, they have free rein to roam around unfettered. Whether it is collecting personal information of coworkers and patients, or planting malicious software into the system, the malicious actor works with legitimate credentials for his own criminal agency.
The Negligent/Unknowledgeable Employee
Negligent and unknowledgeable employees can inadvertently compromise the security and safety of a healthcare network. In March of 2016, the Feinstein Institute for Medical Research paid $3.9 million in a HIPAA settlement for a data breach that compromised the data of 13,000 patients. The cause? A laptop stolen from an employee’s car. Part of the problem stems from the fact that digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records yet implemented them rapidly once it saw the benefits they provided. However, such rapid deployment of technology often resulted in inadequate training on information security procedures. Often, protocols aren’t strict enough to protect against sophisticated modern cybersecurity attacks, and even if they are, there is no guarantee employees will always follow protocol. In the modern IT landscape, employees can log onto secure networks with their personal phones, laptops, pagers, and other less secure devices. They may use the same or similar credentials for many accounts — including the ones they use to access secure hospital networks. They may even log into work email or electronic patient files while out and about, connected to an unsecured public network. All of these provide ample opportunity for malicious actors to steal credentials and log into networks for criminal purposes.
The Third Party Contractor
Similar to the negligent or unknowledgeable employee, third party contractors provide another opportunity for malicious hackers to compromise a hospital or healthcare provider’s network security. Whether it’s as simple as the maintenance company contracted by a hospital, or the lab a practice outsources testing to, all of these third party contractors must be given some degree of access to a healthcare organization’s network to function. And depending on the strength of the cybersecurity protocols employed by these third party contractors, their networks might provide an easy gateway to compromising the entire network of the healthcare organization. Strong internal security protocols cannot ensure that these contractors, or their employees, will not suffer a breach that then leads to a compromise of the network of the organization they contract with.
Data
https://redowl.com/2017/05/insider-threats-even-google-issues/
Even the most sophisticated companies have trouble implementing insider threat programs
Tell the story while drilling key points
Build up of data -> constant assessment / awareness of sensitive data in an organization
Slowness of investigation, no real time alerting direct business impact
$600 M -> quantifiable impact
Employees have access to take things with them to competitor
Motivation
Intellectual property
Recruitment/Tipping Point Engineer A hands in his resignation. Unknown to the ZoneFox team at the time, he was due to leave for a competitor.
Search and Reconnaissance Over a period of time, Engineer A went to a number of network shares which held files and data for different divisions within the organisation. The Engineer explored a number of different areas by browsing directories and opening files.
Exploitation In this case there was no sophisticated exploit other than the fact that the organisation did not have critical and sensitive areas of their network controlled with the correct levels of permission. Where organisations require open and free access to data, or have not implemented basic access control, this is a common example.
Acquisition Once Engineer A had identified the information he wanted to steal, he downloaded a piece of software designed to create backups. He installed this on his machine and configured it to retrieve the necessary files from network locations to consolidate them in a single file. Once it had performed its initial backup, he was clever enough to configure it to perform an incremental backup, which means that if the files in the locations change, or new ones are added, the backup software would only add the new or modified content.
Exfiltration Once Engineer A was ready, he unplugged his endpoint from the network, and loaded the backup file onto a USB thumb drive.
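A defender-side illustration of the stages in this case, added here as an example that is not part of the original deck or of the ZoneFox write-up it summarises: constructed file-share and endpoint telemetry for a hypothetical user engA is scored against that user's own earlier days for reconnaissance (a spike in distinct shares read), acquisition (a software install) and exfiltration (a USB mount immediately after a network disconnect). The log format, field names, user names and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the deck): file-share reads plus endpoint
# events, loosely mirroring the Engineer A story. Format: "<date> <time> k=v k=v ...".
SAMPLE_LOG = """\
2023-03-01 09:12 user=engA action=share_read share=fs01/eng
2023-03-02 09:05 user=engA action=share_read share=fs01/eng
2023-03-03 09:30 user=engA action=share_read share=fs01/eng
2023-03-03 11:02 user=engA action=share_read share=fs01/finance
2023-03-03 11:20 user=engA action=share_read share=fs02/sales
2023-03-03 13:45 user=engA action=share_read share=fs02/legal
2023-03-03 15:00 user=engA action=software_install name=backup-util
2023-03-04 08:55 user=engA action=net_disconnect
2023-03-04 08:57 user=engA action=usb_mount device=thumbdrive
2023-03-01 09:00 user=analystB action=share_read share=fs01/finance
2023-03-03 09:10 user=analystB action=share_read share=fs01/finance
"""

def parse_log(text):
    """Parse key=value lines into dicts, sorted by timestamp (ISO strings sort lexically)."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        date, time, rest = line.split(" ", 2)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["date"], fields["ts"] = date, f"{date} {time}"
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])

def assess_user(events, user, spike_factor=2.0, min_shares=3):
    """Kill-chain indicators for one user, judged against that user's own earlier days.
    The thresholds are illustrative assumptions, not tuned values."""
    mine = [e for e in events if e["user"] == user]
    per_day = defaultdict(set)
    for e in mine:
        if e["action"] == "share_read":
            per_day[e["date"]].add(e["share"])
    indicators, prior_max = [], 0
    for day in sorted(per_day):  # reconnaissance: sudden breadth of distinct shares
        n = len(per_day[day])
        if prior_max and n >= min_shares and n > spike_factor * prior_max:
            indicators.append(f"reconnaissance: {n} distinct shares on {day} (prior max {prior_max})")
        prior_max = max(prior_max, n)
    if any(e["action"] == "software_install" for e in mine):  # acquisition: new tooling
        indicators.append("acquisition: software install on endpoint")
    for e, nxt in zip(mine, mine[1:]):  # exfiltration: go offline, then plug in USB
        if e["action"] == "net_disconnect" and nxt["action"] == "usb_mount":
            indicators.append("exfiltration: USB mount right after network disconnect")
    return indicators
```

Because the baseline is per user rather than a fixed count, an analyst who reads one finance share every day is not flagged, while the engineer who suddenly browses several divisions' shares is; in practice the same per-user comparison would feed the "days leading up to leaving the company" question from the visibility slide.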