3 tips for managing risky user activity in 2015

David Monahan, Research Director, Risk & Security Management, EMA; Dimitri Vlachos, VP of Marketing, ObserveIT. 3 Tips for Managing Risky User Activity in 2015, November 19, 2014

Upload: observeit

Post on 02-Jul-2015


DESCRIPTION

The single biggest security risk in 2015 will be your users. Whether it’s malicious or negligent activity, 69 percent of reported security incidents involve a trusted insider. What’s more, 84 percent of insider security incidents involve everyday business users - those with no admin rights. You have not one but hundreds—perhaps thousands—of these users who need access to critical applications and data every day. Check out these slides from a webinar with David Monahan, Research Director at Enterprise Management Associates (EMA), to learn helpful tips on how to make your organization more secure from the fastest growing security threat: user-based risks. David is a senior information security executive with nearly 20 years of experience. He has diverse experience with security, audit and compliance, and user risk in a wide range of industries.

TRANSCRIPT

Page 1: 3 Tips for Managing Risky User Activity in 2015

David Monahan, Research Director, Risk & Security Management, EMA

Dimitri Vlachos, VP of Marketing, ObserveIT

3 Tips for Managing Risky User Activity in 2015

November 19, 2014

Page 2: 3 Tips for Managing Risky User Activity in 2015

Today’s EMA Presenter

David Monahan, Research Director, Risk & Security Management

David has over 20 years of IT security experience and has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies.

He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions.

Slide 2

Page 3: 3 Tips for Managing Risky User Activity in 2015

Agenda

The Threat Landscape is Expanding

Users are the beachhead for attacks

3 Tips for Managing User Risks in 2015

1. Identify different types of user risks

2. Adopt a user-centric security strategy

3. Simplify compliance, focus on the user

Slide 3 © 2014 Enterprise Management Associates, Inc.

Page 4: 3 Tips for Managing Risky User Activity in 2015

Slide 4 © 2014 Enterprise Management Associates, Inc.

Relative Risk From Users

Page 5: 3 Tips for Managing Risky User Activity in 2015

User Risks

3 Types of Users:

Business User (no admin rights) – 84% of insider-based breaches

Contractor/Partner/Vendor – 1% of breaches, but significantly higher data loss per incident

Privileged User (IT Admin) – 16% of breaches

Slide 5 © 2014 Enterprise Management Associates, Inc.

Page 6: 3 Tips for Managing Risky User Activity in 2015

Key Findings

Outsiders want to become Insiders

69% of breaches involved an insider identity in 2013

100% of breaches involved an insider identity in 2014

Identities captured in hours but detection an average of 8 months

Monitoring is traditionally infrastructure (system) and admin based

62% of admin breaches involved human error

Compromise of an administrator often raised the red flag for a breach

Use of trusted 3rd-party identities to access data is growing (e.g. Target, Home Depot)

Security Needs Better/More Context

10% of threat actors were unidentifiable using Infrastructure Monitoring

Much successful malware impersonates real users

Better Context Protects Users

Slide 6 © 2014 Enterprise Management Associates, Inc.

Page 7: 3 Tips for Managing Risky User Activity in 2015

Tip #1: Identify different types of user risks

Ensure that you’re covered for each of these user risk scenarios:

5 Types of User Risk

• Scenario 1: Malicious Insider

• Scenario 2: Insider Accident

• Scenario 3: Duped User

• Scenario 4: Malware

• Scenario 5: Direct Hacker Attack

Ask yourself: Even if detected, how does security identify and compare these different types of user risks with infrastructure logging?

Slide 7 © 2014 Enterprise Management Associates, Inc.

Page 8: 3 Tips for Managing Risky User Activity in 2015

Infrastructure vs. User-based Monitoring

Traditional logging is system/application based

Most system and application logging has gaps

Only 29% of data breaches resulted from system glitches

These gaps carry through to centralized logging

To determine fault and scope, large-scale investigations are mounted

With infrastructure logging, determining intent is difficult, maybe impossible

A user-focused monitoring system can reduce work

IAM solutions apply identity to a user throughout the environment but still require forensic work post-incident

Putting all of the user’s activity together provides the big picture

Slide 8 © 2014 Enterprise Management Associates, Inc.
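The slide argues that per-system logs only become useful for intent and impersonation questions once they are stitched together under one user identity. The script below is an added example written for this page, not code from the webinar, EMA or ObserveIT: the log lines, the identity directory (the kind of mapping an IAM system would supply) and the two detection rules are all constructed assumptions, chosen to show what becomes visible only after the per-user timeline exists.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines from four hypothetical log sources (vpn, file, db,
# host). Each names the same person differently, which is the gap that
# system-centric logging leaves: nothing ties the records together.
SAMPLE_LOGS = [
    "2015-01-12T08:02:11Z vpn  user=CORP\\jdoe src=203.0.113.10 action=connect",
    "2015-01-12T08:05:40Z file user=jdoe@corp.example src=10.0.0.5 action=read path=/finance/q4.xlsx",
    "2015-01-12T08:06:02Z file user=jdoe@corp.example src=10.0.0.5 action=copy path=/finance/q4.xlsx",
    "2015-01-12T08:07:15Z db   user=jdoe src=198.51.100.7 action=select table=cardholder",
    "2015-01-12T08:09:30Z host user=CORP\\jdoe src=10.0.0.5 action=sudo cmd=/bin/bash",
    "2015-01-12T09:00:00Z vpn  user=CORP\\asmith src=203.0.113.22 action=connect",
    "2015-01-12T09:03:12Z host user=asmith src=10.0.0.9 action=sudo cmd=/usr/bin/apt-get",
    "this line is not parseable and is skipped",
]

# Hypothetical identity directory (in practice fed from IAM/AD): maps every raw
# account spelling to one canonical identity and says whether it has admin rights.
IDENTITY_DIRECTORY = {
    "CORP\\jdoe": ("jdoe", False),
    "jdoe@corp.example": ("jdoe", False),
    "jdoe": ("jdoe", False),
    "CORP\\asmith": ("asmith", True),
    "asmith": ("asmith", True),
}

PRIVILEGED_ACTIONS = {"sudo", "runas"}
LINE_RE = re.compile(r"^(?P<ts>\S+Z)\s+(?P<source>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one raw line into an event keyed by canonical identity, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    user, is_admin = IDENTITY_DIRECTORY.get(fields.get("user"), (None, False))
    if user is None:
        return None  # unmapped account: a real pipeline would surface these separately
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "source": m.group("source"),
        "user": user,
        "is_admin": is_admin,
        "src": fields.get("src"),
        "action": fields.get("action"),
        "raw": line,
    }


def build_timelines(lines):
    """Group parsed events per canonical user, ordered in time."""
    timelines = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            timelines[ev["user"]].append(ev)
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])
    return dict(timelines)


def find_user_risks(timelines, window=timedelta(minutes=10)):
    """Two checks that only make sense once activity is stitched per user:
    1. a privileged action by an identity that holds no admin rights;
    2. one identity active from two different endpoints inside `window`
       (VPN gateway records excluded), a hint that the identity is being reused.
    Returns (user, finding_kind, timestamp) tuples sorted by user and time."""
    findings = []
    for user, events in timelines.items():
        for ev in events:
            if ev["action"] in PRIVILEGED_ACTIONS and not ev["is_admin"]:
                findings.append((user, "privileged_action_without_admin_rights", ev["ts"]))
        endpoint_events = [e for e in events if e["source"] != "vpn"]
        for i, a in enumerate(endpoint_events):
            later = (b for b in endpoint_events[i + 1:] if b["ts"] - a["ts"] <= window)
            if any(b["src"] != a["src"] for b in later):
                findings.append((user, "concurrent_activity_from_multiple_endpoints", a["ts"]))
                break  # one finding per user is enough for triage
    return sorted(findings, key=lambda f: (f[0], f[2]))


if __name__ == "__main__":
    for user, kind, ts in find_user_risks(build_timelines(SAMPLE_LOGS)):
        print(f"{ts.isoformat()} {user}: {kind}")
```

Run as-is, the script reports two findings for jdoe (a business user running sudo, and activity from two endpoints within two minutes) and none for asmith, whose sudo use is consistent with admin rights. Neither finding is derivable from any single source log; the host log alone cannot know jdoe is not an admin, and the database log alone cannot know jdoe was simultaneously on a file server from another address.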

Page 9: 3 Tips for Managing Risky User Activity in 2015

Tip #2: Adopt a user-centric strategy for 2015

Adding a visual record of activities provides new user context

A picture is worth a thousand words

Quality comparison: telegraph vs. Skype

Shows intent

Protects users from malicious activity carried out under their identity

Move context from reactive to proactive

Combined with alerting, it becomes highly context-based and proactive

Reduces time and cost of breach investigation

Helps protect Employees and Company

Slide 9 © 2014 Enterprise Management Associates, Inc.

Page 10: 3 Tips for Managing Risky User Activity in 2015

Today’s Burden and Pressures of Compliance

PCI 3.0

Requirement 10 – Track and monitor all access to resources and cardholder data

HIPAA/HITECH

Section §164.308(a)(1)(ii)(D) mandates covered entities to implement procedures and regularly review records of information system activity, such as audit logs, access reports and security incidents

FFIEC

Assigning privileges to a unique user ID apart from the one used for normal business use…

Logging and auditing the use of privileged access…

Many others…

Every compliance statute or directive requires some form of user monitoring

Slide 10 © 2014 Enterprise Management Associates, Inc.

Page 11: 3 Tips for Managing Risky User Activity in 2015

Tip #3: Simplify compliance, focus on the user

Provide your auditor not only the list of users who have access to systems but also ALL activities on systems and applications – both visual replay and one-click textual reports

Slide 11 © 2014 Enterprise Management Associates, Inc.

Page 12: 3 Tips for Managing Risky User Activity in 2015

Summary

Attackers want to impersonate business users first

Traditional Administrator Monitoring won’t see this

Traditional Logging Is Table Stakes Only

Benefits of User Focused Monitoring

Help differentiate between the real user and impersonators

Protect the Business and Users

Provide Richer Context for Incident Response and Forensics

Identify Intent

Improve Security and Compliance

Slide 12 © 2014 Enterprise Management Associates, Inc.

Pages 13–25: 3 Tips for Managing Risky User Activity in 2015 (image-only slides)

Recoverable labels: Page 14 – Systems, Apps, Information, Users; Page 19 – Identify and Manage User-based Risk; Page 22 – User Context (SIEM, IAM, ITSM)