#TDPARTNERS16 GEORGIA WORLD CONGRESS CENTER Insider Threat Detection: Behavioral Pattern Analysis to Identify Risks Dave Gebala & Hannah Chen Aster Solutions, Center of Innovation


Page 1:

Insider Threat Detection: Behavioral Pattern Analysis to Identify Risks
Dave Gebala & Hannah Chen
Aster Solutions, Center of Innovation

Page 2:

At Teradata, we believe…

Analytics and data unleash the potential of great companies

Page 3:

Agenda

• What is an insider threat?
• How big is the problem?
• Teradata Aster Insider Threat Solution
  • Threat dashboards
  • Integrations
  • Descriptive use cases

Page 4:

The Source of The Threat is Evolving

It's coming from inside the organization.

[Figure: confidential data reached from phone, laptop, BYOD, social, cloud, tablet and multi-user collaboration]

Sensitive data is increasingly accessible and distributed throughout an organization.

Outsiders (hackers) get the headlines, but insiders are the bigger risk.

[Chart: Data Breaches: Outsiders 42%, Insiders 58% (employees, contractors/partners, former employees)]

Page 5:

Insider Threats are Hard To Detect

Insiders are authorized to access confidential information as part of their jobs:
• Sales records
• Customer data
• Financial records
• Operating plans
• Release schedules

Insider actions (malicious or not) leave you exposed:
• Use of USB or other storage devices
• Inadvertent human error (sharing credentials)
• Sending messages/files via personal email over public networks

Page 6:

Any Insider Can Evolve into a Threat

How do you know when this metamorphosis is occurring?

Former employees, departing employees, contractors, partners: anyone losing network access…

…may engage in damaging behavior: lateral data movement, data exfiltration, privilege escalation, internal reconnaissance.

Page 7:

Digital Information Loss is a Top Priority

72%: struggling with the changing landscape; unsure what to do
43%: U.S. firms with a data breach in the past year

We hear about big breaches by hackers who hit the DoD, Target, The Home Depot, the DNC…

…but most companies are caught flat-footed and resort to damage control after a breach has been discovered.

Page 8:

Point Solutions have Limited Scope

An example of "benign" activity…

Baseline Facts                      Limited Security Checks
Sales Exec                          Trusted actor who relies on data access to perform job
Accesses CRM System                 Authentication via user name and password
Explores Account List               Varying levels of role-based access
Performs Custom Searches            Standard activity
Downloads Opportunity Pipeline      Standard activity
Syncs CRM Contact database          Standard activity
Logs into shared storage            Authenticated via SSO
Sends emails with attachments       Attachment types checked; documents are under size limit

Page 9:

See All Activity and Its Context.

Sales Exec                          who missed quota for 2 quarters; who is not on track to meet quota; who has recently received notice
Accesses CRM System                 from a new location outside of historical access norms, on a new device
Explores Account List               outside of assigned geography; outside of assigned industry vertical; does not update or save any data
Performs Custom Searches            attempts to access account details with multiple probing attempts for high dollar value prospects
Downloads Opportunity Pipeline      requests all interaction records for entire date range for all geographies
Syncs CRM Contact database          to local address book on Outlook; syncs Outlook to Google contacts; syncs to a personal iPhone
Logs into shared storage            bulk uploads/downloads documents; attaches a USB drive to laptop; performs bulk upload to Dropbox
Sends emails with attachments       from corporate server to a webmail address which is outside of expected community; destination address has high match as predicted personal webmail

Page 10:

Teradata Aster Insider Threat Solution

[Screenshot: interactive dashboard feeding Splunk console]

Page 11:

Teradata Aster Insider Threat Solution

[Screenshot: network traffic log analysis to highlight threats]

Page 12:

Insider Threat Analytics Demo

Page 13:

Built on the Aster Analytic Platform

• Path Analytics
  • Sessionizes across multiple log inputs
  • Constructs a comprehensive record of activity in context
• Behavioral Analytics against structured and unstructured data to intelligently score an Insider Threat event
  • Splunk logs
  • HR personnel profiles
  • Badge access
  • VPN access logs
• Graph Analytics to reveal the context of information flow and detect anomalous patterns of behavior
• Machine Learning to automate detection of risky patterns of activity
• Text Analytics to screen and flag messages at scale
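The two ideas on pages 9 and 13, sessionizing a user's activity across several log sources and then scoring each session against that user's historical norms and HR context, fit together in one small pipeline. The following is an added example, not code from the deck or from the Teradata Aster product: the CRM, file-share and mail events, the baseline profiles, the 60-minute session gap and the signal weights are all constructed for illustration, and the field names are assumptions.

```python
"""Sessionize events from several log sources per user and score each
session against a per-user baseline (added example, not Aster code)."""

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three sources (CRM audit log, file-share log,
# mail gateway log), already normalised to a common schema.
EVENTS = [
    {"ts": "2016-09-12T08:55:00", "user": "jdoe", "source": "crm",
     "action": "login", "geo": "BR", "device": "dev-9f2"},
    {"ts": "2016-09-12T09:02:00", "user": "jdoe", "source": "crm",
     "action": "account_search", "region": "EMEA", "hits": 14},
    {"ts": "2016-09-12T09:20:00", "user": "jdoe", "source": "crm",
     "action": "export", "records": 12000},
    {"ts": "2016-09-12T09:48:00", "user": "jdoe", "source": "fileshare",
     "action": "bulk_download", "files": 310},
    {"ts": "2016-09-12T10:05:00", "user": "jdoe", "source": "mail",
     "action": "send", "to_domain": "gmail.com", "attachments": 3},
    {"ts": "2016-09-12T14:30:00", "user": "jdoe", "source": "crm",
     "action": "login", "geo": "US", "device": "lt-4411"},
    {"ts": "2016-09-12T09:00:00", "user": "asmith", "source": "crm",
     "action": "login", "geo": "US", "device": "lt-0007"},
    {"ts": "2016-09-12T09:10:00", "user": "asmith", "source": "crm",
     "action": "account_search", "region": "AMER", "hits": 3},
]

# Constructed baseline per user: historical norms plus HR context.
BASELINE = {
    "jdoe":   {"geos": {"US"}, "devices": {"lt-4411"}, "region": "AMER",
               "typical_export": 500, "on_notice": True},
    "asmith": {"geos": {"US"}, "devices": {"lt-0007"}, "region": "AMER",
               "typical_export": 500, "on_notice": False},
}

SESSION_GAP = timedelta(minutes=60)  # assumption: 60 min of silence ends a session


def sessionize(events, gap=SESSION_GAP):
    """Group events per user into time-ordered sessions, merging all sources.
    Returns {user: [[event, ...], ...]}."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user[e["user"]].append(e)
    sessions = {}
    for user, evs in by_user.items():
        runs, last_ts = [], None
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if last_ts is None or ts - last_ts > gap:
                runs.append([])
            runs[-1].append(e)
            last_ts = ts
        sessions[user] = runs
    return sessions


# Constructed weights for the context signals the slides list.
WEIGHTS = {"new_geo": 3, "new_device": 2, "outside_region": 2,
           "bulk_export": 3, "bulk_download": 2, "external_webmail": 3,
           "on_notice": 2}
WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com"}


def score_session(session, profile):
    """Return (score, sorted signal names) for one session against the baseline.
    HR context ("on_notice") only amplifies sessions that already show a signal."""
    signals = set()
    for e in session:
        if e["action"] == "login":
            if e["geo"] not in profile["geos"]:
                signals.add("new_geo")
            if e["device"] not in profile["devices"]:
                signals.add("new_device")
        elif e["action"] == "account_search" and e["region"] != profile["region"]:
            signals.add("outside_region")
        elif e["action"] == "export" and e["records"] > 5 * profile["typical_export"]:
            signals.add("bulk_export")
        elif e["action"] == "bulk_download":
            signals.add("bulk_download")
        elif e["action"] == "send" and e["to_domain"] in WEBMAIL:
            signals.add("external_webmail")
    if signals and profile["on_notice"]:
        signals.add("on_notice")
    return sum(WEIGHTS[s] for s in signals), sorted(signals)


def rank_sessions(events=EVENTS, baseline=BASELINE):
    """Score every session and return (score, user, start, signals), riskiest first."""
    ranked = []
    for user, runs in sessionize(events).items():
        for s in runs:
            score, sig = score_session(s, baseline[user])
            ranked.append((score, user, s[0]["ts"], sig))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, user, start, sig in rank_sessions():
        print(f"{score:2d} {user:8s} {start} {sig}")
```

Each individual event here passes the point checks of page 8 (valid login, permitted search, allowed attachment); the score only emerges once the events are stitched into one session and read against the user's own baseline, which is the point of the contextual view on page 9.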

Page 14:

Descriptive Use Case: Compare an individual's DLP violations to detect drift over time

[Chart: employee's average number of violations increasing over time]

Page 15:

Descriptive Use Case: Compare an individual's behavior (network activity) to that of peers

[Chart: department average violation count]

Page 16:

Descriptive Use Case: Combine personnel records/profiles with data loss prevention alerts

[Chart: USB removable media is the leading violation for terminated employees/expiring contractors]
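The three descriptive use cases on pages 14 to 16 (drift of an employee's violation count over time, comparison against the department average, and joining personnel records to DLP alerts) are each a few lines of analysis over the same alert table. The following is an added example, not code from the deck or from Teradata Aster; the DLP alerts, the personnel records, the as-of date and the thresholds are all constructed for illustration.

```python
"""Three descriptive checks over DLP alerts (added example, not Aster code):
per-employee drift over time, peer comparison within a department, and
removable-media violations by departing staff."""

from collections import Counter, defaultdict
from datetime import date
from statistics import mean, pstdev

# Constructed DLP alerts: (employee, department, month, violation type).
DLP_ALERTS = [
    ("e1", "sales", "2016-05", "email"), ("e1", "sales", "2016-06", "email"),
    ("e1", "sales", "2016-06", "usb"),   ("e1", "sales", "2016-07", "usb"),
    ("e1", "sales", "2016-07", "usb"),   ("e1", "sales", "2016-07", "email"),
    ("e1", "sales", "2016-08", "usb"),   ("e1", "sales", "2016-08", "usb"),
    ("e1", "sales", "2016-08", "usb"),   ("e1", "sales", "2016-08", "cloud"),
    ("e2", "sales", "2016-05", "email"), ("e2", "sales", "2016-07", "email"),
    ("e3", "sales", "2016-06", "email"), ("e3", "sales", "2016-08", "email"),
    ("e4", "eng",   "2016-05", "usb"),   ("e4", "eng",   "2016-08", "usb"),
]
MONTHS = ["2016-05", "2016-06", "2016-07", "2016-08"]

# Constructed personnel records: department and employment end date, if set.
PERSONNEL = {
    "e1": {"dept": "sales", "end_date": date(2016, 9, 15)},   # gave notice
    "e2": {"dept": "sales", "end_date": None},
    "e3": {"dept": "sales", "end_date": None},
    "e4": {"dept": "eng",   "end_date": date(2016, 8, 31)},   # contract expiring
}
AS_OF = date(2016, 8, 20)  # constructed "today" for the departing-staff check


def monthly_counts(alerts, months=MONTHS):
    """{employee: [violations per month, in the order of `months`]}."""
    c = Counter((emp, m) for emp, _, m, _ in alerts)
    return {emp: [c[(emp, m)] for m in months]
            for emp in sorted({a[0] for a in alerts})}


def drift(series):
    """Slope of a least-squares line through the monthly counts
    (violations per month, per month). Positive means rising."""
    n = len(series)
    xbar, ybar = (n - 1) / 2, mean(series)
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(series))
    den = sum((x - xbar) ** 2 for x in range(n))
    return num / den


def drifting_employees(alerts, min_slope=0.5):
    """Employees whose violation count is rising faster than `min_slope`."""
    slopes = {emp: drift(s) for emp, s in monthly_counts(alerts).items()}
    return {emp: round(v, 2) for emp, v in slopes.items() if v > min_slope}


def peer_outliers(alerts, personnel, z_threshold=1.0):
    """Compare each employee's total violations to the department average;
    return those more than `z_threshold` standard deviations above it."""
    totals = Counter(emp for emp, *_ in alerts)
    by_dept = defaultdict(list)
    for emp, rec in personnel.items():
        by_dept[rec["dept"]].append(totals[emp])
    out = {}
    for emp, rec in personnel.items():
        peers = by_dept[rec["dept"]]
        sd = pstdev(peers)
        if sd == 0:
            continue  # everyone in the department has the same count
        z = (totals[emp] - mean(peers)) / sd
        if z > z_threshold:
            out[emp] = round(z, 2)
    return out


def departing_media_violations(alerts, personnel, today=AS_OF, horizon_days=60):
    """USB (removable media) violations by staff whose end date falls within
    `horizon_days` of `today`: the deck's leading violation class for
    terminated employees and expiring contractors."""
    out = Counter()
    for emp, _, _, vtype in alerts:
        end = personnel[emp]["end_date"]
        if vtype == "usb" and end and 0 <= (end - today).days <= horizon_days:
            out[emp] += 1
    return dict(out)


if __name__ == "__main__":
    print("drifting:", drifting_employees(DLP_ALERTS))
    print("peer outliers:", peer_outliers(DLP_ALERTS, PERSONNEL))
    print("departing staff with USB violations:",
          departing_media_violations(DLP_ALERTS, PERSONNEL))
```

On the constructed data the same employee surfaces in all three views, which is the behaviour the deck is after: a single DLP alert is noise, but a rising trend, a departure from peers and an imminent end date together are a pattern worth an analyst's time.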

Page 17:

Descriptive Use Case: Modularity reveals communities of violators with similar behavior

[Graph: clusters of employees with similar, multi-violation behavior]

Page 18:

Descriptive Use Case: Identify anomalies that policies and point solutions are not catching

Simultaneous badge-in/network access at HQ while connected from a remote geo via VPN

Page 19:

At Teradata…

We empower companies to achieve high-impact business outcomes through analytics at scale on an agile data foundation.

Page 20:

Thank You

Questions/Comments: Email [email protected] or [email protected]
Follow Me: Twitter @
Rate This Session # with the PARTNERS Mobile App
Remember To Share Your Virtual Passes
748

Page 21:

APPENDIX and REFERENCE

Page 22:

APPENDIX

Page 23:

Splunk Screenshots

Login Threats
• SSH attack detection
• Data source: authentication logs (e.g. SSH, VPN, RSA)

Teradata Confidential

Page 24:

Splunk Screenshots

Network Traffic
• Traffic threat detection
• Data source: network log (e.g. IP tables, Snort)

Page 25:

Splunk Screenshots

Insider Threat
• Behavioral anomaly detection
• Data source: corporate network log

Page 26:

[Chart: Data Source: Corporate Network Log; 90%]

Page 27:

AppCenter + Tableau Screenshots

Web Logs
• Web attack detection
• Data source: Apache web log

Page 28:

Tableau Screenshots

Insider Threat
• Behavioral anomaly detection
• Data source: corporate network log

Page 29:

Teradata Aster + Splunk

Enhance & Enrich
• Enhance Splunk's feature set with Aster advanced analytics. Enrich Splunk's data set with multi-channel and profile data stored in Aster.
• Connect Splunk to Aster using SQL-MR or Splunk's DB Connect App.
• Push (or pull) Splunk data into Aster to take advantage of advanced Path & Pattern Analytics, Text Analytics, Predictive Analytics and more.

Page 30:

Teradata Aster + Splunk: Integration Types

Type 1: For the Splunk User
• Enhance Splunk search and reporting with Aster's advanced analytics capabilities.
• Move data from Splunk into Aster. Execute analytics either on schedule or on demand. View result sets and visualizations produced by Aster inside of Splunk.

Type 2: For the Aster User
• Extract greater analytics value from the data that you are currently investigating inside of Splunk.
• Make Splunk data available for more iterative analysis using Aster out-of-the-box techniques including Path & Pattern Analytics, Text Analytics, Predictive Analytics, etc.

Page 31:

Teradata Aster + Splunk: Conceptual Workflow (Splunk DB Connect)

1. Data is streamed into Splunk from one or more sources.
2. Splunk data is pushed (or pulled) into Aster using DB Connect or SQL-MR.
3. Aster Analytics are executed on either a scheduled or ad hoc basis. Results from these analyses are now available to query in Splunk via DB Connect.
4. Aster AppCenter Apps are built to run further analytics and produce visualizations.
5. A Splunk App is built to view results and visualizations produced by AppCenter in Splunk via the AppCenter REST API.

[Diagram components: Data; Aster SQL-MR Splunk Connector; Aster AppCenter; Aster Apps; AppCenter REST API; Splunk Aster App(s)]
