Countering the Insider Threat: Behavioral Analytics Security Intelligence Cell (BASIC)


Jesse Hughes, CSG LLP
Tammy Torbert, Solution Architect, HP ESP

In the next 35 minutes we'll cover the following:
- The human aspect of the insider threat
  - Recognize the scope of the problem
  - Address the disease, not the symptoms
- ArcSight enables the all-seeing eye
  - Use the tool sets you already have, but in a new way
  - Recognize what's in front of you
- Bringing it all together: the BASICs
  - How it all fits together
  - The output

The human aspect

Scenario 1: the new employee. New employees may have old intentions.
Person A:
- Cleared government contractor working on-site
- Worked for multiple contractors
- US citizen
Activities:
- Expressed uneasiness with intelligence program
- Interviewed with a separate company for a position with increased access
- Stole hundreds (or more) of classified documents
- Published some secrets, held the rest
Person B:
- Research scientist
- Worked on proprietary programs for 2 US chemical companies
- Foreign national (permanent US resident)
Activities:
- Stole research and proprietary information from the first company
- Worked for a second company (a US competitor of the first)
- Provided IP and research material to a foreign government

Scenario 2: recruited in place. If you don't social engineer your people, someone else will.
Person C:
- Cleared government employee
- Worked for multiple contractors
- History of mental instability and performance issues
Activities:
- Sought external advice on theft of documents; encouraged to do more
- Downloaded classified documents (in violation of protocols and policies)
- Leaked documents, ostensibly as a whistleblower
Person D:
- Product developer for a US company
- Access to sensitive programs
- US citizen
Activities:
- Stole gift card codes for online purchases worth > $50,000
- Quit the company
- Waited 2 years and then publicly released ~ $20,000 of gift card codes
- Claimed to be giving to the public ("Robin Hood" type)

The attackers range from simple to professional. Different attackers have different characteristics; all may involve insiders.
Economic espionage (G2B):
- Extensive training
- Long time horizon
- Unlimited resources
- Generally research, technology, IP, and trade secret focused
Industrial espionage (B2B):
- Limited training, if any
- Medium time horizon
- Sufficient resources for dedicated efforts
- Market motivations
Criminal:
- Limited training, but experienced
- Medium time horizon
- Sufficient resources for the effort
- Economies of effort across targets
- Financial motivation
Lone wolf:
- No formal training
- Short time horizon
- Limited resources
- Wide range of motivation

Traditional insider threat monitoring leaves exploitable gaps.
Tripwire:
- Simple approach; good for organizations with limited assets
- Potential for a high Type I (false positive) error rate, which conditions humans to ignore all alerts
Signature:
- Based on well-known and documented attack vectors
- Complexity takes more time to fully understand
- Limited to forensically available attack vector data
Scorecard:
- Good for forcing a review of critical assets within the enterprise
- Does not adapt to changes in the network; requires constant review
- Beholden to an external scoring approach

First seek self-awareness. What must be protected?
- Everything is not equally valuable; focus on the essentials
- The essentials will vary by industry and by company
- Generally protect: plans, intentions, capabilities, proprietary info (e.g. IP, trade secrets, research), protected info (e.g. PII, PCI, HIPAA)
Three questions to answer: What must be protected? What/who has access? How can these be exploited?

Cyberspace is one component of insider detection. ArcSight enables needle searches within stacks of needles.
- Most organizations separate technical and non-technical monitoring
  - Non-technical monitoring and response is done as a physical security function
  - Technical monitoring is done through a SOC-like function
- Day-to-day operational priorities and the sensitivity of the information separate these functions, causing a critical breakdown in the ability to deal effectively with the insider threat
- The ArcSight tool enables the methodology to discover anomalous behavior in a sea of data

Enabling the all-seeing eye

Behavioral-based threat monitoring focuses on users.
Behavioral-based approach:
- Moves the focus from objects on the network to the user
- Adapts instantly to new critical objects introduced to the network and requires no signature updates
- Requires 4-6 weeks of data to have a strong enough baseline
The insider threat demands an approach that can adapt and scale:
- Individual behavior varies, and broad-based rules do not all apply to each person
- Different organizations have different missions, and therefore different risk factors and vulnerabilities

Behavioral Analytics detects anomalous behavior. The BASIC approach defines Behavioral Analytics as the monitoring of observable and quantifiable aspects of human and machine behavior as they interact with objects on a network. It:
- Establishes a baseline of normal user activity, then looks for statistically significant deviations from normal to identify anomalous behavior
- Uses already existing log data from network logs to establish baseline activity across all objects
- Uses identification of anomalous activity to establish an indicator that can be used for further analysis or investigation

Behavioral baselines: all entities must be observed. Machines, users, and processes all have baseline behaviors.
User-oriented examples:
- Order and preference for use of applications
- Average number of daily interactions with objects on a network
- Average remote session length, concurrency of sessions
- Any activity on off or non-standard business hours
- Rate of password check-out for secure file share access
- Account monitoring for new users as well as those who have given notice, etc.
Machine-oriented examples:
- Processes per server role (white list and black list): host, role, process name, user name, etc.
- Anomaly detection by server role
- Non-human services reaching in for access or keys
- Frequency of connections to other machines, time of day
- File changes (if user data is included in those logs)
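The two preceding slides describe the core loop (baseline normal per-user activity from existing logs, then flag statistically significant deviations) and name two of the user-oriented observables: average daily interactions with network objects and any off-hours activity. The following is an added example, not code from the slide deck or from HP ArcSight, that implements that loop over constructed events; the event layout, the business-hours window and the z-score threshold are assumptions, and a production baseline would use the 4-6 weeks the slides call for rather than ten days.

```python
# Added example (not the slide deck's or ArcSight's code): a per-user behavioral baseline
# plus deviation scoring. The event layout, business hours and z threshold are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
BUSINESS_HOURS = range(8, 19)  # assumption: 08:00-18:59 counts as normal working hours

def constructed_events():
    # Constructed sample, not real logs: bob touches 5 objects/day for 11 days; alice varies
    # 9-13/day for 10 days, then on day 11 touches 40 objects, six of them at 02:00.
    start, ev = datetime(2024, 5, 6, 9, 0), []
    for d in range(11):
        ev += [("bob", start + timedelta(days=d, minutes=45 * i), "share://hr/list.csv") for i in range(5)]
        if d < 10:
            ev += [("alice", start + timedelta(days=d, minutes=30 * i), f"share://fin/d{i}.xlsx") for i in range(9 + d % 5)]
    spike = start + timedelta(days=10)
    ev += [("alice", spike + timedelta(minutes=10 * i), f"share://rnd/plan{i}.docx") for i in range(34)]
    ev += [("alice", spike.replace(hour=2) + timedelta(minutes=i), f"share://rnd/r{i}.pdf") for i in range(6)]
    return ev

def daily_counts(events):
    out = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # user -> date -> [touches, off-hours touches]
    for user, ts, _obj in events:
        out[user][ts.date()][0] += 1
        out[user][ts.date()][1] += ts.hour not in BUSINESS_HOURS  # bool adds 0 or 1
    return out

def build_baseline(events, end_date):
    base = {}  # user -> mean/stdev of daily touches and off-hours total, from days before end_date
    for user, days in daily_counts(events).items():
        hist = [v for d, v in days.items() if d < end_date]
        if len(hist) >= 2:  # the slides want 4-6 weeks in production; 2 days is the bare minimum here
            totals = [c[0] for c in hist]
            base[user] = {"mean": mean(totals), "sd": pstdev(totals), "offhours": sum(c[1] for c in hist)}
    return base

def score_day(events, baseline, day, z_threshold=3.0):
    flagged = {}  # user -> reasons, for users whose activity on `day` deviates from their own baseline
    for user, days in daily_counts(events).items():
        if user not in baseline or day not in days:
            continue
        (total, off), b = days[day], baseline[user]
        # z-score against the user's own history; a flat history (sd == 0) flags any change at all
        z = (total - b["mean"]) / b["sd"] if b["sd"] else (float("inf") if total != b["mean"] else 0.0)
        reasons = [f"volume z={z:.1f}"] if z > z_threshold else []
        if off and not b["offhours"]:
            reasons.append(f"{off} off-hours events, none in baseline")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Each user is scored only against their own history, which is the point the slides make against broad-based rules: bob's unchanging five touches a day produce no alert, while alice's spike and 02:00 activity produce two separate reasons that an analyst can take into the non-technical side of the review.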

Use your current tool set and data better: ArcSight detects anomalous behavior across a range of data, with alerting priority levels.

Get back to the BASICs

BASIC: technical and non-technical integration.
Non-technical observables:
- Poor performance reviews
- Security violations
- Not accepting feedback
- Anger issues/disgruntled
- Financial issues
Technical observables:
- Anomalous printing activity
- Erratic working hours
- Anomalous network behavior
- Network service usage
- Privileged access (role)
The two sides are firewalled off from each other for protection of investigative and personal information.

Bringing the technical and non-technical together.
Non-technical monitoring:
- Applied intel collection and analytic techniques
- Investigative techniques based on CI/HUMINT expertise
- Multi-intel approach
- Standards and procedures built on best practices
Technical monitoring:
- Proven HP technology
- Identification of anomalous behavior through advanced analytics
- Incorporates current data
- Integration with current monitoring applications
- Builds on Identity View and Trending capabilities
Both feed the Behavioral Analytic Security Intelligence Cell (2 people), giving an integrated enterprise-wide insider threat monitoring program (ICS & ICD compliant).

BASIC: outputs from operations. BASIC delivers an actionable, implementable program using what you already have.
- Assessment of organizational environment
- Recommendation list (e.g. high value sections, privileged roles)
- Mapping of organizational characteristics to baselines
- List of organization-specific observables (technical and non-technical)
- Identification of all potential information sources
- Regular intelligence summaries
- Graduated response plan, tailored to organizational traits and patterns
- Program dashboard and reports
- Process, roles, and responsibilities documentation:
  - Facilitates transition of personnel
  - Standardizes monitoring progress
  - Enables coordination across the organization

What does it take to get there? A scalable and repeatable solution to help you recognize what's in front of you.
Professional services engagement:
- Initial evaluation of environment:
  - Review organizational structure, community, staffing, response plans, etc.
  - Review objects on the network for level of processing
  - Review types of network logs generated, etc.
- Content tailored to the organization's environment
- Integration of best practices from human intelligence and information security professionals
- Configuration of required software
- Recommendations on required or potential sources of critical data on the network
Simplification of process with Identity View:
- Disambiguation of identities across the network
- Creates one user profile per actor on the network
- Enhances analytic capability
- Builds off information in Active Directory

For more information:
- Attend this session: BS1195, 5G/SOC: The World's Most Advanced SOC
- Visit these demos: B.A.S.I.C., ESP Global Services, Mock SOC
- After the event: contact your sales rep; visit HP ESP at www.hp.com/go/espservices; follow the ESP blog at www.hp.com/go/securityproductsblog
Your feedback is important to us. Please take a few minutes to complete the session survey.

Thank you
Jesse Hughes, 720.310.8227, jhughes@csg-llp.com
Tammy Torbert, 571.217.1169, tammy.torbert@hp.com
Dave Beabout, 202.450.7551, dbeabout@hp.com

Security for the new reality