Countering the Insider Threat: Behavioral Analytics Security Intelligence Cell (BASIC)
Jesse Hughes, CSG LLP
Tammy Torbert, Solution Architect, HP ESP
In the next 35 minutes we'll cover the following:
- The human aspect of the insider threat
  - Recognize the scope of the problem
  - Address the disease, not the symptoms
- ArcSight enables the all-seeing eye
  - Use the tool sets you already have, but in a new way
  - Recognize what's in front of you
- Bringing it all together: the BASICs
  - How it all fits together
  - The output
The human aspect
Scenario 1: the new employee
New employees may have old intentions

Person A
- Cleared government contractor working on-site
- Worked for multiple contractors
- US citizen
Activities
- Expressed uneasiness with an intelligence program
- Interviewed with a separate company for a position with increased access
- Stole hundreds (or more) of classified documents
- Published some secrets, held the rest

Person B
- Research scientist
- Worked on proprietary programs for 2 US chemical companies
- Foreign national (permanent US resident)
Activities
- Stole research and proprietary information from the first company
- Worked for a second company (a US competitor of the first)
- Provided IP and research material to a foreign government
Scenario 2: recruited in place
If you don't social engineer your people, someone else will

Person C
- Cleared government employee
- Worked for multiple contractors
- History of mental instability and performance issues
Activities
- Sought external advice on theft of documents; was encouraged to do more
- Downloaded classified documents (in violation of protocols and policies)
- Leaked documents, ostensibly as a whistleblower

Person D
- Product developer for a US company
- Access to sensitive programs
- US citizen
Activities
- Stole gift card codes for online purchases worth more than $50,000
- Quit the company
- Waited 2 years and then publicly released about $20,000 of gift card codes
- Claimed to be giving to the public ("Robin Hood" type)
The attackers range from simple to professional
Different attackers have different characteristics; all may involve insiders

Economic espionage (G2B)
- Extensive training
- Long time horizon
- Unlimited resources
- Generally focused on research, technology, IP, and trade secrets

Industrial espionage (B2B)
- Limited training, if any
- Medium time horizon
- Sufficient resources for dedicated efforts
- Market motivations

Criminal
- Limited training, but experienced
- Medium time horizon
- Sufficient resources for the effort
- Economies of effort across targets
- Financial motivation

Lone wolf
- No formal training
- Short time horizon
- Limited resources
- Wide range of motivation
Traditional insider threat monitoring leaves exploitable gaps

Tripwire
- Simple approach; good for organizations with limited assets
- Potential for a high Type I (false positive) error rate, which conditions humans to ignore all alerts

Signature
- Based on well-known and documented attack vectors
- Complexity takes more time to fully understand
- Limited to forensically available attack vector data

Scorecard
- Good for forcing a review of critical assets within the enterprise
- Does not adapt to changes in the network; requires constant review
- Beholden to an external scoring approach
First seek self-awareness. What must be protected?
Everything is not equally valuable; focus on the essentials
- The essentials will vary by industry and by company
- Generally protect:
  - Plans
  - Intentions
  - Capabilities
  - Proprietary info (e.g. IP, trade secrets, research)
  - Protected info (e.g. PII, PCI, HIPAA)
- What must be protected? What/who has access? How can these be exploited?
Cyberspace is one component of insider detection
ArcSight enables needle searches within stacks of needles
- Most organizations separate technical and non-technical monitoring
  - Non-technical monitoring and response are done as a physical security function
  - Technical monitoring is done through a SOC-like function
- Day-to-day operational priorities and the sensitivity of the information separate these functions, causing a critical breakdown in the ability to deal effectively with the insider threat
- The ArcSight tool enables the methodology to discover anomalous behavior in a sea of data
Enabling the all-seeing eye
Behavioral-based threat monitoring focuses on users
Behavioral-based approach:
- Moves focus from objects on the network to the user
- Adapts instantly to new critical objects introduced to the network and requires no signature updates
- Requires 4-6 weeks of data to have a strong enough baseline
The insider threat demands an approach that can adapt and scale
- Individual behavior varies, and broad-based rules do not all apply to each person
- Different organizations have different missions, and therefore different risk factors and vulnerabilities
Behavioral Analytics detects anomalous behavior
The BASIC approach defines Behavioral Analytics as: the monitoring of observable and quantifiable aspects of human and machine behavior as they interact with objects on a network
- Establishes a baseline of normal user activity, then looks for statistically significant deviations from normal to identify anomalous behavior
- Uses already existing log data from network logs to establish baseline activity across all objects
- Uses identification of anomalous activity to establish an indicator that can be used for further analysis or investigation
Behavioral baselines: all entities must be observed
Machines, users, and processes all have baseline behaviors

User-oriented examples:
- Order and preference for use of applications
- Average number of daily interactions with objects on a network
- Average remote session length, concurrence of sessions
- Any activity on off or non-standard business hours
- Rate of password check-out for secure file share access
- Account monitoring for new users as well as those who have given notice, etc.

Machine-oriented examples:
- Processes per server role (white list and black list); host, role, process name, user name, etc.
- Anomaly detection by server role
- Non-human services reaching in for access or keys
- Frequency of connections to other machines, time of day
- File changes (if user data is included in those logs)
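As an added illustration of the baseline-and-deviation idea on the two preceding slides (this is not code from the original presentation or from ArcSight), the following Python builds a per-user baseline of daily object interactions from constructed log events, then flags statistically significant volume deviations and off-hours activity on the day under review. The user names, the business-hours window and the z-score threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (user, ISO timestamp, object); not real log data.
# Baseline window: 10 days, alice touches 5 objects/day, bob touches 2/day.
BASELINE_EVENTS = (
    [("alice", f"2024-03-{d:02d}T10:15:00", f"share/doc{i}") for d in range(1, 11) for i in range(5)]
    + [("bob", f"2024-03-{d:02d}T14:00:00", f"share/doc{i}") for d in range(1, 11) for i in range(2)]
)
# Day under review (constructed): alice is normal; bob touches 40 objects at 02:00.
TODAY_EVENTS = (
    [("alice", f"2024-03-11T10:{m:02d}:00", f"share/doc{m}") for m in range(5)]
    + [("bob", f"2024-03-11T02:{m:02d}:00", f"share/doc{m}") for m in range(40)]
)
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59; tune per organization

def daily_counts(events):
    """{user: {date: number of object interactions on that date}}"""
    per_day = defaultdict(lambda: defaultdict(int))
    for user, ts, _obj in events:
        per_day[user][ts[:10]] += 1
    return per_day

def build_baseline(events):
    """Per-user (mean, population std-dev) of daily interaction counts."""
    return {u: (mean(list(d.values())), pstdev(list(d.values())))
            for u, d in daily_counts(events).items()}

def score_day(baseline, events, z_threshold=3.0):
    """Return (user, indicator, detail) tuples: daily volume more than z_threshold
    std-devs from the user's baseline (std-dev floored at 1.0 so a perfectly regular
    user still has a scale), plus one off-hours indicator per user seen off-hours."""
    indicators = []
    for user, days in daily_counts(events).items():
        count = sum(days.values())
        mu, sigma = baseline.get(user, (0.0, 0.0))  # unknown user: baseline of zero
        z = (count - mu) / max(sigma, 1.0)
        if abs(z) > z_threshold:
            indicators.append((user, "volume_anomaly", round(z, 1)))
    off_hours_seen = set()
    for user, ts, _obj in events:
        hour = datetime.fromisoformat(ts).hour
        if hour not in BUSINESS_HOURS and user not in off_hours_seen:
            off_hours_seen.add(user)
            indicators.append((user, "off_hours", hour))
    return indicators

if __name__ == "__main__":
    for indicator in score_day(build_baseline(BASELINE_EVENTS), TODAY_EVENTS):
        print(indicator)
```

The indicators are meant as leads for the analytic cell described later in the deck, not as alerts by themselves; in practice the std-dev floor and threshold would be set from the organization's own 4-6 weeks of baseline data.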
Use your current tool set and data better
ArcSight detects anomalous behavior across a range of data
(Slide figure: alerting priority levels)
Get back to the BASICs
BASIC: technical and non-technical integration
(Slide diagram: technical indicators and non-technical indicators shown side by side)

Non-technical observables:
- Poor performance reviews
- Security violations
- Not accepting feedback
- Anger issues/disgruntled
- Financial issues

Technical observables:
- Anomalous printing activity
- Erratic working hours
- Anomalous network behavior
- Network service usage
- Privileged access (role)

The two sides are firewalled off from each other for protection of investigative and personal information
Bringing the technical and non-technical together

Non-technical monitoring
- Applied intelligence collection and analytic techniques
- Investigative techniques based on CI/HUMINT expertise
- Multi-intelligence approach
- Standards and procedures built on best practices

Behavioral Analytic Security Intelligence Cell (2 people)

Technical monitoring
- Proven HP technology
- Identification of anomalous behavior through advanced analytics
- Incorporates current data
- Integration with current monitoring applications
- Builds on Identity View and trending capabilities

Result: an integrated, enterprise-wide insider threat monitoring program (ICS & ICD compliant)
BASIC: outputs from operations
BASIC delivers an actionable, implementable program using what you already have
- Assessment of the organizational environment
- Recommendation list (e.g. high-value sections, privileged roles)
- Mapping of organizational characteristics and baselines
- List of organization-specific observables (technical and non-technical)
- Identification of all potential information sources
- Regular intelligence summaries
- Graduated response plan, tailored to organizational traits and patterns
- Program dashboard and reports
- Process, roles, and responsibilities documentation
  - Facilitates transition of personnel
  - Standardizes monitoring progress
  - Enables coordination across the organization
What does it take to get there?
A scalable and repeatable solution to help you recognize what's in front of you

Professional services engagement
- Initial evaluation of the environment:
  - Review organizational structure, community, staffing, response plans, etc.
  - Review objects on the network for level of processing
  - Review types of network logs generated, etc.
- Content tailored to the organization's environment
- Integration of best practices from human intelligence and information security professionals
- Configuration of required software
- Recommendations on required or potential sources of critical data on the network

Simplification of process with Identity View
- Disambiguation of identities across the network
- Creates one user profile per actor on the network
- Enhances analytic capability
- Builds off information in Active Directory
For more information
- Attend this session: BS1195, 5G/SOC: The World's Most Advanced SOC
- Visit these demos: B.A.S.I.C.; ESP Global Services; Mock SOC
- After the event:
  - Contact your sales rep
  - Visit HP ESP at: www.hp.com/go/espservices
  - Follow the ESP blog at: www.hp.com/go/securityproductsblog
Your feedback is important to us. Please take a few minutes to complete the session survey.
Thank you
Jesse Hughes, 720.310.8227, jhughes@csg-llp.com
Tammy Torbert, 571.217.1169, tammy.torbert@hp.com
Dave Beabout, 202.450.7551, dbeabout@hp.com
Security for the new reality