Insider Threat Protection – Dr Jamie Graves, VP Security Analytics

Posted on 07-Aug-2020


Page 1: Insider Threat Protection - ETSI€¦ · Engineered to detect insider threats. FortiInsight. Wherever a machine is located and whatever network the machine is connected to, FortiInsight

Insider Threat Protection
Dr Jamie Graves, VP Security Analytics

Page 2: Robert Hanssen

© Fortinet Inc. All Rights Reserved.

Page 3: Psychology & Motivation

• Psychology
  • Entitled Independent Model
  • Ambitious Leader Model
• Motivation
  • Ego
  • Monetary problems
  • Alienation
  • Groomed
  • Anger/revenge
  • Ideology/identification
  • Adventure/thrill
  • Vulnerability to blackmail
  • Compulsive/addictive behaviour
  • Family problems

Page 4: Behaviour – Some Examples

• Behaviour
  • Technical
    • Attempts to circumvent auditing and logging functions
    • Copying, deleting, moving and printing sensitive files
    • Network interface or system hardware manipulation
  • Non-technical
    • Without need or authorisation, takes proprietary material or other materials home
    • Interest in matters outside the scope of their duties
    • Unnecessarily copies material

Page 5: How Data Is Stolen

• Email: 25%
• Removable media: 25%
• Network access: 23%
• Laptops: 16%
• Printed documents: 6%
• File transfer: 5%

Page 6: Insider Lessons

• The insider threat is not related to ‘hackers’
• The insider threat is not just a technical or cyber security issue
• A good insider threat program should focus on deterrence, not detection
• Detection of insider threats should involve behaviour-based techniques

Page 7: A Blind Spot in Security Analytics – Insider Risk

• Malware analytics is taken care of through the following:
  • A ‘hard shell’ and network monitoring provide some perimeter visibility
  • EPP solutions mostly focus on malware
• A blind spot exists within the perimeter
• 30% of breaches were due to those within the organization acting negligently or maliciously

(Diagram label: Network Security)

Page 8: Achieving UEBA – Market Landscape

Network-based
• Unable to monitor off-network
• Unable to decrypt if no key is present

Log-based
• Incomplete picture
• Log files are not designed to give the necessary user insights

Endpoint-based
• Visibility of user and data behaviour on and off the network
• Provides the best granularity of telemetry to detect insiders

Page 9: System Architecture – Agent/Server

Windows Endpoint Agent
• Lightweight, zero-configuration agent
• Encrypted connection (TLS 1.2)
• Push deployment

AWS Hosted – Storage, Presentation and Analytics
• Rule matching
• Machine learning
• Threat hunting

Page 10: Unique 5-Factor Telemetry Model – Engineered to detect insider threats

FortiInsight: wherever a machine is located and whatever network the machine is connected to, FortiInsight captures the key information from five anchors to deliver insights built upon the key metadata and behaviour analysis around:

• Users
• Processes
• Devices
• Behaviours
• Resources

(Diagram label: Data Analysis)

Page 11: Policies – Detecting Predictable Threats

• Real-time inspection of incoming events against defined criteria
• Encode compliance
• Generate alerts on violation
• Create new policy
  • Search based
  • Raw EPL
• Policy attributes
  • Enable/Disable
  • Severity
  • Frameworks
  • Labels
  • Email notifications

Page 12: FortiInsight UEBA ML – AI Scoring

• Using Naïve Bayes
• Severity score = risk as anomaly
• Goal: determine risky activity
• Deviation from normal behaviour
• Risk = static score (low 0-29, medium 30-59, high 60-100)
• E.g. cloud backup program = medium risk
• Two weeks to learn normal behaviour, then switch on alert mode
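As an added illustration (not FortiInsight's code or its actual model), the following shows the scoring idea on this slide in working form: a per-user baseline over the process, device, resource and behaviour anchors is learned for two weeks, after which each event's naive Bayes surprise is scaled to 0-100 and banded with the static thresholds above. The event schema, the add-one smoothing, and scaling against a fully unseen event are my assumptions, and the telemetry is constructed.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ANCHORS = ("process", "device", "resource", "behaviour")  # the user keys the profile
LEARN_WINDOW = timedelta(days=14)  # two weeks of learning, then alert mode
class UserBaseline:
    """Per-anchor value counts for one user; anchors are treated as independent."""
    def __init__(self):
        self.counts = {a: Counter() for a in ANCHORS}
        self.n = 0
    def learn(self, event):
        for a in ANCHORS:
            self.counts[a][event[a]] += 1
        self.n += 1
    def score(self, event):
        # Naive Bayes, add-one smoothing: surprise = sum of -log P(value | user); scaled
        # to 0-100 against the surprise of an event unseen on every anchor (assumption).
        if self.n == 0:
            return 100  # no baseline for this user at all: fully anomalous
        surprise = worst = 0.0
        for a in ANCHORS:
            denom = self.n + len(self.counts[a]) + 1
            surprise -= math.log((self.counts[a][event[a]] + 1) / denom)
            worst += math.log(denom)
        return round(100 * surprise / worst)

def tier(score):
    # Static bands from the slide: low 0-29, medium 30-59, high 60-100.
    return "low" if score < 30 else "medium" if score < 60 else "high"

def process_stream(events):
    # Learn from the first two weeks of events, then emit (user, score, tier).
    profiles, out, alert_from = defaultdict(UserBaseline), [], events[0]["ts"] + LEARN_WINDOW
    for e in events:
        if e["ts"] < alert_from:
            profiles[e["user"]].learn(e)
        else:
            s = profiles[e["user"]].score(e)
            out.append((e["user"], s, tier(s)))
    return out

# Constructed telemetry: 14 days of alice's routine, then three events on day 14.
START = datetime(2020, 8, 1)
ROUTINE = ("outlook.exe", "laptop-01", "\\\\fs\\sales\\report.docx", "file_read")
DAY14 = [ROUTINE,  # unchanged habit, then a new backup tool, then a CV copied to USB
         ("cloudbackup.exe", "laptop-01", "\\\\fs\\sales\\report.docx", "file_copy"),
         ("winword.exe", "usb-removable", "C:\\Users\\alice\\cv.docx", "file_copy")]
EVENTS = [dict(zip(("ts", "user") + ANCHORS, (START + timedelta(days=d), "alice") + v))
          for d, v in [(d, ROUTINE) for d in range(14)] + [(14, v) for v in DAY14]]
```

With this baseline the routine event scores 2 (low), the unfamiliar backup tool copying a known file scores 51 (medium, matching the slide's cloud-backup example), and the CV copied to removable media scores 100 (high).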

Page 13: Visualisation – Alerts

• Use visualisation and the summary table to find what’s important to you
• Users, entities and tags for scoping
• Feedback mechanism
• Pivot on threat hunting for context

Page 14: FortiInsight UEBA ML – Feedback Mechanism

• User input to system:
  • Thumbs up = positive feedback
  • Thumbs down = negative feedback
• System output:
  • Searchable tags, e.g. “potential leaver” = user writing a CV file, “sensitive data”, etc.
• Settings – allow defining file types, folders and users that are high risk

Page 15: Feedback – Tags

Page 16: Feedback – Tags

Page 17: Sources

• FBI: Insider Threat Lessons
• CERT: Spotlight On: Insider Theft of Intellectual Property inside the United States Involving Foreign Governments or Organisations
• CERT: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
• CERT: Common Sense Guide to Mitigating Insider Threats, 4th Edition