insider threats: how to spot trouble quickly with alienvault usm

Post on 16-Jul-2015


Live Demo: Insider Threats

About AlienVault

AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats.

Introductions

Garrett Gross, Sr. Technical Product Marketing Mgr

Mark Allen, Technical Sales Engineer

Agenda

• Insider Threats & Risk Factors

• Data exfiltration methods

• Tips to mitigate these threats

• Demo: using USM to detect insider threats

Insider Threat Types

• Naive insiders may be “tricked” by external parties into providing data or passwords they shouldn’t

• Careless insiders may make inappropriate use of company network resources

• Malicious insiders are the least frequent, but have the potential to cause significant damage.

85% of insider privilege misuse attacks used the corporate LAN…

Source: Verizon Data Breach Report, 2014

Insider Risk Factors

• Ineffective management of privileged users

• Inappropriate role and entitlement assignment

• Users unaware of vulnerabilities

• Poor information classification and policy enforcement

• Inadequate auditing and analytics

• Audit log complexity

• Reactive response

• No comprehensive written acceptable use policies

• General misuse of corporate network

Exfiltration

• Simple encrypted transmission

  • HTTP/HTTPS

  • Posting to WordPress or other sites

  • FTP/SFTP/SCP

• Slow & low

• Hide & Seek

  • Images

  • Video

  • Audio (via VoIP)

• New methods created every day

Dealing with possible insider threats

• Identity Management

  • Not just black/white – user/admin access

• Data Controls

• Auditing

• Restrict access to those on a “need-to-know” basis

• Advanced Authentication

• Network groups

• Policies

Firewalls/Antivirus are not enough

• Firewalls are usually not the target – too difficult to effectively penetrate

• Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.

• With 160,000 new malware samples seen every day, antivirus apps will not find every threat

• Needs to be bolstered by regular and comprehensive monitoring

Prevent, Detect & Respond

The basics are in place for most companies…but this alone is a ‘proven’ failed strategy.

New capabilities to develop

Get (Very) good at detection & response

@AlienVault

Asset Discovery

• Active Network Scanning

• Passive Network Scanning

• Asset Inventory

• Host-based Software Inventory

Vulnerability Assessment

• Network Vulnerability Testing

• Remediation Verification

Threat Detection

• Network IDS

• Host IDS

• Wireless IDS

• File Integrity Monitoring

Behavioral Monitoring

• Log Collection

• Netflow Analysis

• Service Availability Monitoring

Security Intelligence

• SIEM Event Correlation

• Incident Response

AlienVault Labs Threat Intelligence

• Weekly updates to correlation directives to detect emerging threats

• Recent updates to data exfiltration-related threat intelligence:

  • AV Malware, Ajax Security Team Data Exfiltration

  • AV Malware, Operation Machete FTP exfiltration

  • AV Attack, malware sending exfiltrating command output

  • AV Policy violation, BitTorrent P2P usage

  • AV Misc, suspicious successful login from Tor anonymity network

  • AV Policy violation, Tor anonymity network usage

*malware – 1,161 (03/2015)

Scenarios

• Vulnerable/Naive user

  • Malware infection on end-user machine

  • Vulnerable systems due to missed software updates

• Misuse

  • BitTorrent

  • Tor

• Malicious intent

  • Users accessing info they shouldn’t be

  • Data exfiltration

Now for some Q&A…

Test Drive AlienVault USM

Download a Free 30-Day Trial

http://www.alienvault.com/free-trial

Try our Interactive Demo Site

http://www.alienvault.com/live-demo-site

Questions? hello@alienvault.com
