Insiders: Your biggest threat to security? · 2017-11-28


Page 1

#analyticsx

Copyright © 2016, SAS Institute Inc. All rights reserved.

Insiders: Your biggest threat to security?

Michael Ames, Senior Director, Data Science and Emerging Technologies, SAS
Sanjay Arangala, Director, Analytical Consulting, SAS

Page 2

What is insider threat?

"A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."

Source: CERT Division of the Software Engineering Institute (SEI), Carnegie Mellon University

Page 3

What does an insider look like?

Too simple to say insider threat can come from anyone or anywhere.

The Malicious insider has an intent to commit harm.

The Dupe is the insider that unwittingly creates a vulnerability or information leakage.

Page 4

Information leakage

Typically an "inadvertent" information disclosure… or a "malicious" one.

Forms of leakage:

• Simply remembering

• Physical removal

• Transmittal

Examples:

Vodafone Germany – insider stole personal data from 2M customers

Australian Immigration Dept – inadvertently sent the passport numbers, visa details and other PII of G20 leaders to the organizers of the Asian Cup football tournament.

Page 5

A COMMON OCCURRENCE, HITS CLOSE TO HOME

Employee Termination Scenario:

An employee decides to quit, and instead of just handing in a letter of resignation, he or she downloads documents, presentations, and sample code and emails them to an outside address, or simply copies them to a thumb drive, or both.

Page 6

SAS Insider Threat

SAS Insider Threat is designed to protect organizational assets…

– physical, personnel, electronic (data, code, documents)

…from trusted internal users

– employees, contractors, vendors (transient workforce)

…with malicious intent

– fraud, abuse/misuse, theft, sabotage, espionage

Page 7

Our view of the business problem landscape

Insider Threat

• Threat from trusted user

• Specific focus on user behavior

• HR data forms backbone

• Text analysis of email and chat data

• Physical security data

• Supports an internal audit/investigator

Cybersecurity

• Follows Advanced Persistent Threat (APT) attack progression

• Focus on device activity and communications between devices

• Supports SOC security analyst activity

Internal Fraud

• Identify employees defrauding the organization

• Collusion with external parties and organized ring activity is common

• Supports SIU investigator

Overlaps between the three business problems (diagram labels):

• Some technical data such as syslog, weblog and security control logs

• Fraudulent motives are common across all 3 business problems

• Some technical data such as network access are important to all

• Fraud motive is common across both, but Insider Threat covers a broader set of motives

• Some common data sources

Page 8

Key Requirements / Features

User centric analysis and alerting

Holistic surveillance

Electronic communications (unstructured data) analysis

Real time data collection and monitoring

Page 9

Data and Process Flow

Source Data: Web/Sys-logs, Physical Security, Email/IM/Call Logs, DLP/SIEM/Control, Org/HR Reference, Vertical Specific

Real-Time Process (SAS Event Stream Processing):

• Event Cleansing & Standardise

• Event Enrichment

• Event Scoring

• Real-time Scoring and Alerting Engine

Scenario Deployment

Batch Process:

• Data Staging and Management (Data Quality / Cleanse, Entity Resolution)

• Insider Threat Data Store (Database)

• Detection Analytics, Batch Scoring and Alerting Engine

• Analytics for Threat Detection: Rules & Anomaly Detection, Text Analytics, Predictive Modelling, Behavior Analysis, Social Network Analysis

Insider Threat Monitoring, Exploration and Reporting: Triage Investigator, Business Analyst, Management

Alert Disposition / Feedback

Page 10

The Hybrid Approach for User Behavior Analytics

Ingesting, Understanding and Preparing Data

• Includes advanced entity resolution techniques beyond simple fuzzy matching

• Supports both batch and real-time analysis and scoring

Business Rules for Identifying Known Behaviors

• Encodes known schemes and red-flag indicators to provide a baseline measure of high risk activity

• Uses data driven approach to test, validate and tune business rules

Anomaly Detection for Identifying Unknown Patterns

• Uses both rule-based and data driven, intelligent peer grouping for capturing extreme or unusual user behavior

• Other outlier detection techniques including multivariate methods

Advanced Analytics for Detecting Complex Patterns

• Uses contextual analysis of unstructured text to accurately capture user behaviors of interest

• Leverages known events and prior alert outcomes (feedback) to learn and prioritize alerts

Link Analysis for Uncovering Entity Relationships

• Connect users through multitude of common attributes including e-communications

• Help uncover complex collusive relationships and incorporate associative risk into user risk score

• Comprehensive User Behavior Risk Score

• White-box Approach

• Ability to Learn and Evolve
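The departing-employee scenario on page 5 and the hybrid approach above (business rules for known schemes, peer-group anomaly detection, and a combined user risk score that feeds a triage queue) can be shown end to end with a small scoring routine. This is an added example, not SAS code; the user names, HR fields, activity counts, rule weights, z-score threshold and alert threshold are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed HR reference data (not from the slides): peer group (department) and whether notice was given.
HR = {
    "alice": {"dept": "eng", "gave_notice": True},
    "bob":   {"dept": "eng", "gave_notice": False},
    "carol": {"dept": "eng", "gave_notice": False},
    "dave":  {"dept": "eng", "gave_notice": False},
}
# One day of constructed activity counts per user: downloads, external emails with attachments, USB writes.
ACTIVITY = {
    "alice": {"downloads": 240, "ext_email_attach": 9, "usb_writes": 60},
    "bob":   {"downloads": 15,  "ext_email_attach": 1, "usb_writes": 0},
    "carol": {"downloads": 22,  "ext_email_attach": 0, "usb_writes": 2},
    "dave":  {"downloads": 18,  "ext_email_attach": 2, "usb_writes": 0},
}

def rule_score(act, hr):
    """Business rules for a known scheme: the departing-employee scenario."""
    score = 0
    if hr["gave_notice"] and act["usb_writes"] > 0:
        score += 30  # copying files to a thumb drive after giving notice
    if hr["gave_notice"] and act["ext_email_attach"] > 0:
        score += 30  # mailing attachments to an outside address after giving notice
    return score

def peer_zscores(activity, hr):
    """Peer-group anomaly detection: z-score of each metric against the user's own department."""
    groups = defaultdict(list)
    for user, rec in hr.items():
        groups[rec["dept"]].append(user)
    zs = {}
    for user, act in activity.items():
        peers = groups[hr[user]["dept"]]
        zs[user] = {}
        for metric, value in act.items():
            vals = [activity[p][metric] for p in peers]
            sd = pstdev(vals) or 1.0  # flat peer group: avoid division by zero
            zs[user][metric] = (value - mean(vals)) / sd
    return zs

def risk_scores(activity=ACTIVITY, hr=HR, z_threshold=1.0):
    """Hybrid score: rule points plus 10 per metric above z_threshold vs peers (weights constructed)."""
    zs = peer_zscores(activity, hr)
    return {u: rule_score(act, hr[u]) + sum(10 for m in act if zs[u][m] > z_threshold)
            for u, act in activity.items()}

def alert_queue(scores, threshold=50):
    """Users at or above the alert threshold, highest risk first, for the triage investigator."""
    return sorted((u for u, s in scores.items() if s >= threshold), key=lambda u: -scores[u])
```

With this data only alice exceeds the threshold: her rule points (60) come from the HR-backed red flags, and the extra 30 comes from all three metrics standing out against her department peers.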

Page 11

Demo – SAS Insider Threat

Page 12