combating insider threats – protecting your agency from the inside out

Charles HerringCyber Security Specialist@charlesherring

Introduction

© 2014 Lancope, Inc. All rights reserved.

Crown Jewels

Card holder data (PCI)Patient records (HIPAA)Trade secretsCompetitive information (M&A)Employee data (PII)State SecretsCustomer Data

Data that is valuable to attackers

2


Why do attackers care?Attacker Jewel MotivationCriminals PCI Data $4-$12/cardCriminals Patient Records $30-$50/recordActivists Anything ShamingState Sponsored Trade Secrets GeopoliticalState Sponsored Patient Records ?!?!!!!Insiders IP and Customer Data Professional Advantage


WAN DATACENTER

ACCESS

CORE3560-X

Atlanta

New York

San Jose

3850 Stack(s)

Cat4k

ASA Internet

Cat6k

VPC Servers

3925 ISR

ASR-1000

Nexus 7000 UCS with Nexus 1000v


Where to Look?North, South, EAST AND WEST = Every Communication

Signature

Anomaly Behavior

How to LookSignature = Object against blacklist

• IPS, Antivirus, Content Filter

Behavior = Inspect Victim behavior against blacklist

• Malware Sandbox, NBAD, HIPS, SEIM

Anomaly = Inspect Victim behavior against whitelist

• NBAD, Quantity/Metric based—not Signature based

Signature Behavior Anomaly Known Exploits BEST Good Limited0-day Exploits LimIted BEST GoodCredential Abuse Limited Limited BEST


By Data Grouping – Data Inventory

Find your data“Pull the thread” with Top Peers/Flow TablesHost Group Policies with lower tolerance

Find your jewels

6


Data Anomaly Alarms

Suspect Data HoardingTarget Data HoardingTotal TrafficSuspect Data Loss

Counting Access

7


Data Hoarding


Data Loss


Map the Segmentation

Logical vs. PhysicalMap Segmentation

Watch the logical roadways

10


Custom Events

Evolution of HLVAlert when Segmentation failsAllows for NOR logic

Alert on Zero Tolerance

11


Logical vs. Physical Map Segmentation

Watch the logical roadways

12

Segmentation Violations

combating insider threats – protecting your agency from the inside out

Technology