Combating Insider Threats – Protecting Your Agency from the Inside Out

Post on 07-Jan-2017

Charles Herring, Cyber Security Specialist, @charlesherring

Introduction

© 2014 Lancope, Inc. All rights reserved.

Crown Jewels

• Card holder data (PCI)
• Patient records (HIPAA)
• Trade secrets
• Competitive information (M&A)
• Employee data (PII)
• State Secrets
• Customer Data

Data that is valuable to attackers

Why do attackers care?

Attacker          Jewel                  Motivation
Criminals         PCI Data               $4-$12/card
Criminals         Patient Records        $30-$50/record
Activists         Anything               Shaming
State Sponsored   Trade Secrets          Geopolitical
State Sponsored   Patient Records        ?!?!!!!
Insiders          IP and Customer Data   Professional Advantage

[Network diagram: a reference enterprise topology with WAN, datacenter, access and core tiers across Atlanta, New York and San Jose. Devices shown: 3560-X, 3850 Stack(s), Cat4k, Cat6k, ASA (Internet edge), 3925 ISR, ASR-1000, Nexus 7000, UCS with Nexus 1000v, VPC Servers.]

Where to Look?

North, South, East and West = every communication

How to Look

Signature = object against blacklist
• IPS, Antivirus, Content Filter

Behavior = inspect victim behavior against blacklist
• Malware Sandbox, NBAD, HIPS, SIEM

Anomaly = inspect victim behavior against whitelist
• NBAD, Quantity/Metric based—not Signature based

                   Signature   Behavior   Anomaly
Known Exploits     BEST        Good       Limited
0-day Exploits     Limited     BEST       Good
Credential Abuse   Limited     Limited    BEST

By Data Grouping – Data Inventory

Find your data

• “Pull the thread” with Top Peers / Flow Tables
• Host Group Policies with lower tolerance

Find your jewels

Data Anomaly Alarms

• Suspect Data Hoarding
• Target Data Hoarding
• Total Traffic
• Suspect Data Loss

Counting Access
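The anomaly approach above (quantity/metric against a whitelist, no signature), the data-inventory step (Top Peers to pull the thread, host group policies with a lower tolerance for the crown jewels) and the data anomaly alarms on this slide fit together as one small flow-analysis routine. The Python below is an added example written for this page; it is not Lancope/StealthWatch code and not the presenter's. The inside address space, host groups, baselines, tolerances, IP addresses and flow records are all constructed, and the meaning given to each alarm (suspect hoarding = bytes an inside host pulls from inside peers, target hoarding = bytes an inside host serves to inside peers, suspect loss = bytes an inside host sends to outside addresses, total traffic = all bytes both ways) is my reading of the slide titles, not the product's exact alarm logic.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Everything below is constructed for illustration: the inside address space,
# the host groups with their baselines, and the flow records.

INSIDE_NETWORKS = [ip_network("10.0.0.0/8")]

# Host group policies. Baselines are bytes per reporting period; "tolerance" is the
# multiplier above baseline at which an alarm fires. The crown-jewel group gets a
# lower tolerance than the catch-all group, as the deck recommends.
HOST_GROUPS = {
    "Finance Servers": {"network": ip_network("10.1.0.0/16"), "tolerance": 1.5,
                        "baseline": {"suspect_data_hoarding": 20_000_000, "target_data_hoarding": 100_000_000,
                                     "suspect_data_loss": 5_000_000, "total_traffic": 150_000_000}},
    "Inside Hosts": {"network": ip_network("10.0.0.0/8"), "tolerance": 3.0,
                     "baseline": {"suspect_data_hoarding": 20_000_000, "target_data_hoarding": 20_000_000,
                                  "suspect_data_loss": 10_000_000, "total_traffic": 100_000_000}},
}

@dataclass(frozen=True)
class Flow:
    """One bidirectional flow record (NetFlow-style summary)."""
    src: str        # initiator
    dst: str        # responder
    src_bytes: int  # bytes sent by src
    dst_bytes: int  # bytes sent by dst

# Constructed flows: one workstation pulls large files from two finance servers,
# then pushes a similar volume to an Internet address; a second workstation is normal.
FLOWS = [
    Flow("10.2.0.15", "10.1.0.5", 2_000, 80_000_000),
    Flow("10.2.0.15", "10.1.0.6", 1_500, 60_000_000),
    Flow("10.2.0.15", "203.0.113.9", 90_000_000, 5_000),
    Flow("10.2.0.22", "10.1.0.5", 1_000, 3_000_000),
    Flow("10.2.0.22", "198.51.100.4", 200_000, 900_000),
]

def is_inside(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INSIDE_NETWORKS)

def host_group(ip: str):
    """Most specific (longest-prefix) host group containing ip, or (None, None)."""
    addr = ip_address(ip)
    matches = [(name, g) for name, g in HOST_GROUPS.items() if addr in g["network"]]
    if not matches:
        return None, None
    return max(matches, key=lambda item: item[1]["network"].prefixlen)

def host_metrics(flows):
    """Per inside host: bytes received from inside peers (suspect hoarding), bytes sent
    to inside peers (target hoarding), bytes sent outside (suspect loss), total bytes."""
    metrics = defaultdict(lambda: defaultdict(int))
    for f in flows:
        # Count the flow from each endpoint's point of view.
        for host, peer, sent, received in ((f.src, f.dst, f.src_bytes, f.dst_bytes),
                                           (f.dst, f.src, f.dst_bytes, f.src_bytes)):
            if not is_inside(host):
                continue
            m = metrics[host]
            m["total_traffic"] += sent + received
            if is_inside(peer):
                m["suspect_data_hoarding"] += received
                m["target_data_hoarding"] += sent
            else:
                m["suspect_data_loss"] += sent
    return metrics

def evaluate_alarms(flows):
    """Whitelist-style anomaly check: each metric is compared with the host group's
    baseline * tolerance. No signature or blacklist is involved."""
    alarms = []
    for host, m in sorted(host_metrics(flows).items()):
        name, policy = host_group(host)
        if policy is None:
            continue
        for metric, observed in m.items():
            threshold = int(policy["baseline"][metric] * policy["tolerance"])
            if observed > threshold:
                alarms.append((host, name, metric, observed, threshold))
    return alarms

def top_peers(flows, host: str, n: int = 3):
    """'Pull the thread': the peers a host exchanged the most bytes with."""
    totals = defaultdict(int)
    for f in flows:
        if f.src == host:
            totals[f.dst] += f.src_bytes + f.dst_bytes
        elif f.dst == host:
            totals[f.src] += f.src_bytes + f.dst_bytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    for alarm in evaluate_alarms(FLOWS):
        print("ALARM", *alarm)
    print("Top peers of 10.2.0.15:", top_peers(FLOWS, "10.2.0.15"))
```

Run as a script it raises two alarms for 10.2.0.15 (suspect data hoarding, then suspect data loss) and no alarm for the finance servers, because serving 80 MB to inside clients is within their baseline. The Top Peers view for the alarming host then shows exactly the path to follow: the two finance servers it pulled from and the outside address it pushed to. Note that longest-prefix matching is what lets a finance server fall under the stricter policy even though it also sits inside the catch-all group.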

Data Hoarding

Data Loss

Map the Segmentation

Logical vs. Physical

Map Segmentation

Watch the logical roadways

Custom Events

• Evolution of HLV
• Alert when segmentation fails
• Allows for NOR logic

Alert on Zero Tolerance

Segmentation Violations
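The last three slides describe one procedure: map the logical segments (not the physical wiring), write a custom event that alarms when traffic crosses a segment boundary it should not, and run it at zero tolerance so a single flow is enough to alert. The "NOR logic" is what lets a rule say "alarm on anything into this segment that is NOT from the jump hosts on an admin port AND NOT from the segment itself". The Python below is an added example written for this page, not Lancope/StealthWatch code and not the presenter's; the segment names, address ranges, allowed clauses and flow records are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed logical segments. Physically these may all hang off the same core
# switch; the policy is written against the logical map, not the wiring.
SEGMENTS = {
    "Cardholder Data": ip_network("10.10.0.0/24"),
    "Jump Hosts": ip_network("10.20.0.0/28"),
    "User Workstations": ip_network("10.30.0.0/16"),
    "Guest Wi-Fi": ip_network("172.16.0.0/16"),
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str

@dataclass(frozen=True)
class CustomEvent:
    """Zero-tolerance segmentation rule. Any flow into `target` that matches none of
    the `allowed` (source segment, dst_port) clauses is a violation; a port of None
    means any port. That is the NOR: alarm when the flow is NOT clause 1 AND NOT
    clause 2 AND ... There is no baseline and no threshold."""
    name: str
    target: str
    allowed: tuple

EVENTS = (
    CustomEvent("Segmentation violation: cardholder data", "Cardholder Data",
                allowed=(("Jump Hosts", 22), ("Jump Hosts", 3389), ("Cardholder Data", None))),
)

def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "Outside"

def violates(event: CustomEvent, flow: Flow) -> bool:
    if segment_of(flow.dst) != event.target:
        return False          # not traffic into the protected segment
    src_seg = segment_of(flow.src)
    permitted = any(src_seg == seg and (port is None or flow.dst_port == port)
                    for seg, port in event.allowed)
    return not permitted      # NOR over the allowed clauses

def segmentation_violations(flows, events=EVENTS):
    """Every violating flow is reported individually (zero tolerance)."""
    return [(e.name, f.src, segment_of(f.src), f.dst, f.dst_port)
            for f in flows for e in events if violates(e, f)]

# Constructed flow records exercising the rule.
FLOWS = [
    Flow("10.20.0.3", "10.10.0.7", 22, "tcp"),      # jump host over SSH: allowed
    Flow("10.10.0.7", "10.10.0.8", 1433, "tcp"),    # inside the segment: allowed
    Flow("10.30.4.12", "10.10.0.7", 445, "tcp"),    # workstation straight into the segment
    Flow("10.20.0.3", "10.10.0.7", 445, "tcp"),     # jump host, but not on an allowed port
    Flow("172.16.9.9", "10.10.0.7", 443, "tcp"),    # guest network into the segment
    Flow("10.30.4.12", "10.30.5.5", 445, "tcp"),    # different destination segment: ignored
]

if __name__ == "__main__":
    for v in segmentation_violations(FLOWS):
        print("VIOLATION", *v)
```

Three of the six flows are reported: the workstation, the jump host on a port the clause does not cover, and the guest address. The rule never needs to know what the traffic was or whether it carried anything malicious; the fact that the logical roadway exists at all is the finding, which is why it works for credential abuse that signatures miss.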
