Stopping Insider Threats Before They Start: Using Leading Techniques and Predictive Analysis to Presage Your Environment

Transcription

1 Stopping Insider Threats Before They Start: Using Leading Techniques and Predictive Analysis to Presage Your Environment 1 Attachmate Corporation. All rights reserved.

2 Results show that it can take more than 87 days to discover insider fraud. Source: Ponemon Institute, February Attachmate Corporation. All rights reserved.

3 of businesses polled report loss of confidential information or violation of confidentiality policy as a consequence of insecure mobile devices. 3 Attachmate Corporation. All rights reserved.

4 4 Attachmate Corporation. All rights reserved.

5 Agenda Understanding the insider threat The pitfalls of traditional fraud detection methods The mobile device challenge The benefits of continuous monitoring and riskbased alerting New approaches to stop insiders 5 Attachmate Corporation. All rights reserved.

6 Who are the insiders? How do they hide in plain sight?

7 7 Attachmate Corporation. All rights reserved. Trust, but How do you know?

8 Insider Facts Insider threats are not hackers Insider threat is not a technical or cyber security issue alone A good insider threat program should focus on deterrence, not detection Detection of insider threats has to use behavioral based techniques The science of insider threat detection and deterrence is in its infancy Source: FBI 8 Attachmate Corporation. All rights reserved.

9 The Attachmate Group, Inc. All rights reserved.

10 What Can You Do? To Protect Data? Systems? Trust? 10 Attachmate Corporation. All rights reserved.

11 Bringing New Rules and Methods to Your Efforts

12 Determine who will investigate a reported incident and how - Use case management and technology tools - Emphasize cross-group collaboration - Put Best fraud Practices prevention at the forefront of a successful business strategy - Institute a hotline - Develop a code of conduct and confirmation process - Institute continuous fraud awareness training designed to deter unethical conduct and influence an employee s responsibility to report fraud - Create a positive workplace environment and a culture of honesty. Set a moral and ethical tone at the top - Establish realistic performance goals and reward systems - Hire and promote appropriate employees. Perform background checks and credit histories on new recruits or promotions to positions of trust - Exhibit fair and balanced discipline for fraudulent behavior Traditional Fraud Prevention 12 Attachmate Corp. Corporation. All rights All reserved. rights reserved.

13 Barriers Barriers to Taking to Taking a Proactive a Proactive Approach to Approach Fraud to Fraud Traditional Systems are Based on Existing Audit Trails Originally designed for capturing logs for security infrastructure & administration; there is no log standard each app log is unique Assumptions that audit trails already exists Difficult to tie function performed in app with end user across multiple platforms / apps Account profiling isn t captured Investigations are Resource Intensive & Costly 13 Attachmate Corporation. All rights reserved.

14 Traditional Fraud Prevention Business Best Practices Benefits of Addressing Insider Threats and Identify Organizational and measure fraud risks Risk Implement and monitor internal controls Maintain a strong and independent audit committee Hire effective internal auditors Develop a code of conduct and confirmation process Institute continuous fraud awareness training designed to deter unethical conduct and influence an employee s responsibility to report fraud Contract independent external auditors Evaluate antifraud processes and controls, and develop an appropriate oversight process Determine who will investigate a reported incident and how Use case management and technology tools Emphasize cross-group collaboration Put fraud prevention at the forefront of a successful business strategy Create a positive workplace environment and a culture of honesty. Set a moral and ethical tone at the top Establish realistic performance goals and reward systems Hire and promote appropriate employees. Perform background checks and credit histories on new recruits or promotions to positions of trust Exhibit fair and balanced discipline for fraudulent behavior Institute a hotline Source: Association of Certified Fraud Examiners 14 Attachmate Corporation. All rights reserved.

15 Understanding the Power of Fraud Detection Rules

16 Implement Leading Fraud Detection Rules: What to Look For Abnormal after working hours activity Several User-IDs logged-in consecutively from the same IP Same User-IDs logged-in from different IPs consecutively User logged in without scanning physical badge earlier Real rules capturing anomalous behavior. Alerting in real-time. 16 Attachmate Corporation. Corp. All rights All reserved. rights reserved.

17 Rules Based Detection Examples: Suspicious Address Related Activity The following rules are designed to look for suspicious employee activity related to address changes in customer accounts Title Scheme Description Account Address Change from/to a Banking Facility Account Address Change to an Employee Self Address or to PO Box Redirect Account mail to any other employee address. To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondences to their own mailing address, the address of a collusive employee or address of a bank facility. To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondences to their own mailing address or the address of a collusive employee. To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondences to their own mailing address or the address of a collusive employee. An Incident is generated when an employee changes the account address from one of bank s facilities addresses. An Incident is generated when an employee changes the account address to the same as an employee or to PO Box. An Incident is generated when an employee changes the account address to the same as any other employee address. Account mail address is suppressed Change Customer Address Back to the Original Address To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondences to their own mailing address, the address of a collusive employee or address of a bank facility. To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondences to their own mailing address, the address of a collusive employee or address of a bank facility. An Incident is generated when an employee suppresses an account mail address. An Incident is generated when an employee changes the customer address back to the original address The Attachmate Group, Inc. All rights reserved.

18 Rules Based Detection Examples: Suspicious Account Balance Activity The following rules are designed to look for suspicious employee activity related to account balances in customer accounts. Title Scheme Description Excessive Adjustments to Cash Figures in the Settlement Field Cash settlement system shows increase of foreign currency without foreign currency transaction. Unusual Fields Change in Teller Balancing Screen During this fraud, a Teller is skimming from the till, does a recount of the drawer to see how much extra cash has been taken in, make the difference disappears and cash in the money. Looking for excessive number of recounts may indicate the teller is trying hide skimming activity. Internal fraudsters may steal from foreign currency since it's infrequently used and less monitored than other cash. Atypical changes in a teller balancing screen may indicate that a teller is improperly adjusting the till to hide suspicious cash activity. This behavior can be base lined against the activity of other tellers to spotlight unusual or abnormal activity. An incident is generated when employee performs excessive adjustments to cash figures in the settlement field on the same day. An incident is generated when an employee report on balance of foreign currency but no foreign currency transaction exist on the same day. An incident is generated when employee performs adjustments in one of unusual field in teller balancing screen on the same day. An incident or report can also be generated is teller activity is significantly different from peers The Attachmate Group, Inc. All rights reserved.

19 Rules Based Detection Examples: Suspicious Dormant Account Activity The following rules are designed to look for suspicious employee activity in dormant accounts. Title Scheme Description Closing multiple dormant accounts Dormant account withdrawal Inactive account withdrawal To avoid detection, internal fraudsters will close accounts that they have been using to commit fraud. These mule accounts can be recently created accounts, other dormant accounts, fake accounts created by a party in collusion, etc. Internal fraudsters know that dormant accounts are infrequently monitored. They take advantage of that limited visibility to remove funds. Internal fraudsters know that inactive accounts are infrequently monitored. "Inactive" may be determined by either a flag on the system or lack of activity for a period of months. An Incident is generated when an employee closes multiple dormant accounts in a given time period. An Incident is generated when an employee withdraws money from dormant account or accounts over a given time period. An Incident is generated when an employee withdraws money from accounts with no recent activity in a given time period The Attachmate Group, Inc. All rights reserved.

20 Discover Hidden Linkages Link Analysis Reveals Connections The Attachmate Group, Inc. All rights reserved.

21 Rules Based Detection Examples: Privacy Violations Name Description Report of reports viewed Shows a list of reports that an admin has viewed in the last period. It will show user name, date, and the report(s) run. Inappropriate access of ephi Shows a list of instances of users accessing ephi inappropriately (as defined by the rules). Unauthorized permission sharing Shows a list of users that inappropriately shared their permissions with other users (as defined by the rules). Invalid login attempts Shows login attempts that did not work or otherwise were flagged as possible issues (as defined by the rules). Rules triggered Shows a list of rule violations in a given period. Application metrics Provides a list of monitored applications used by a particular employee during a given period. Improper user rights Shows a list of violations of the assignment of user rights (in a given period). assignments Suspicious login/password Provides a complete listing of login activity rules violations in a given period. activity Security incidents reviewed Shows a list of security incidents that were reviewed in a given period. Workstation use violations Shows a list of incidents generated because of improper use of workstations. Data integrity control Shows a list of incidents generated because of the violation of data integrity controls. violations ephi access/use violations Shows a list of incidents generated because of the violation of ephi access or use. Login metrics Displays information about user login behavior such as average logins per day/week/month, per person/group/overall. Patient records search metrics Displays information about user search behavior on patient records. High-risk user activity Displays information about showing what system resources high-risk users (as defined by the company) have accessed during a given period The Attachmate Group, Inc. All rights reserved.

22 Implementing Fraud Detection Systems: How They Work

23 General Architecture Luminet Users Auditors Visual replay Google-like search Compliance Officers Reports Google-like search Fraud Investigators Alerts Cases Profiles Monitored Environment Network Switch Database Server Client Server External Users ebusiness Customers Internal Users Business user Privileged IT user Mainframe AS 400 Web Server Existing Data Sources Log files Databases Reference tables The Attachmate Group, Inc. All rights reserved.

24 Luminet Architecture Queues Channel Analyzers User Event Detected Business Events Screen Client/ Server MQ Luminet Sensor HTTP VT Central Repository Analytic Engine SOA API API The Attachmate Group, Inc. All rights reserved.

25 Distributed Deployment Enterprise Operational Environment App Server App Server App Server Message Queue Internal Web Server Network Switch Mainframe Network Switch API Data HTTP Traffic Client/Server Traffic Terminal Emulation Traffic MQ Traffic Sensor Sensor Sensor Sensor Luminet Distributed Environment The Attachmate Group, Inc. All rights reserved.

26 Rules Engine Process User Events User Fact Attributes XML Data Channels Alerts Data Base Measures Rule Web Service Data File Business Entities The Attachmate Group, Inc. All rights reserved.

27 Concluding Thoughts

28 94% Breached org s found out thru a 3 rd party Source: 2012 Verizon Breach Report 28 Attachmate Corporation. All rights reserved.

29 82% Breached org s had evidence in their logs Source: 2012 Verizon Breach Report 29 Attachmate Corporation. All rights reserved.

30 Q: Why, given the variety of security technologies typically in place, do information assets remain at significant risk? A: Traditional methods fail to capture and alert on a complete trail of information. With fraud detection software, you can solve this problem. 30 Attachmate Corporation. All rights reserved.

31 Current Trends in Insider Threat: What to Look of Now The policy violator The low and slow fraudster The imposter 31 Attachmate Corporation. All rights reserved.

32 5 THINGS TO THINK ABOUT 1. When funds are gone, it s too late 2. Logs never tell the complete story 3. Focus on analysis, not just alerts. 4. Outdated methods waste time and money. 5. If you could find a way to see fraud before it starts, wouldn t you want to? 32 Attachmate Corp. All rights reserved.

33 About Attachmate

34 It s a Complex Landscape Out There You have to chart the course to business success 34 Attachmate Corporation. Corp. All rights All reserved. rights reserved.

35 It is a Tough Challenge How do you balance productivity, security, and IT investments? Attachmate Corp. All rights reserved. Attachmate Corporation. All rights reserved.

36 Why Attachmate Works for You Delivers solutions for your core challenges Works with your existing IT assets Provides global leadership you can rely on 36 Attachmate Corporation. Corp. All rights All reserved. rights reserved.

37 Questions?

38 Resources: Insider Threat Resources: Additional Luminet Customer Examples: Business Benefits of Luminet: For a free copy of our latest research, contact: Dan.Dunford@Attachmate.com 38 Attachmate Corporation. All rights reserved.

39 Dan Dunford Thank You! 39 Novell, Attachmate Inc. Corporation. Corp. All rights All reserved. rights All reserved. rights reserved.