Insiders: Your biggest threat to security? · 2017-11-28
TRANSCRIPT
#analyticsx
Copyright © 2016, SAS Institute Inc. All rights reserved.
Insiders: Your biggest threat to security?
Michael Ames, Senior Director, Data Science and Emerging Technologies, SAS
Sanjay Arangala, Director, Analytical Consulting, SAS
What is insider threat?
"A malicious insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's network, system, or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."
Carnegie Mellon University, CERT Division of the Software Engineering Institute (SEI)
What does an insider look like?
It is too simple to say that the insider threat can come from anyone or anywhere. Two profiles matter:
The Malicious insider has an intent to commit harm.
The Dupe is the insider who unwittingly creates a vulnerability or an information leak.
Information leakage
Typically an "inadvertent" information disclosure... or a "malicious" one.
Forms of leakage:
• Simply remembering
• Physical removal
• Transmittal
Examples:
• Vodafone Germany: an insider stole the personal data of 2M customers.
• Australian Immigration Department: inadvertently sent the passport numbers, visa details and other PII of G20 leaders to the organizers of the Asian Cup football tournament.
A COMMON OCCURRENCE, HITS CLOSE TO HOME
Employee Termination Scenario:
An employee decides to quit, and instead of just handing in a letter of resignation, he or she downloads documents, presentations and sample code and e-mails them to an outside address, or simply copies them to a thumb drive, or both.
SAS Insider Threat
SAS Insider Threat is designed to protect organizational assets…
– physical, personnel, electronic (data, code, documents)
…from trusted internal users
– employees, contractors, vendors (transient workforce)
…with malicious intent
– fraud, abuse/misuse, theft, sabotage, espionage
Our view of the business problem landscape

Insider Threat
• Threat from a trusted user
• Specific focus on user behavior
• HR data forms the backbone
• Text analysis of email and chat data
• Physical security data
• Supports an internal audit/investigator

Cybersecurity
• Follows the Advanced Persistent Threat (APT) attack progression
• Focus on device activity and communications between devices
• Supports SOC security analyst activity

Internal Fraud
• Identify employees defrauding the organization
• Collusion with external parties and organized ring activity is common
• Supports the SIU investigator

Where the three overlap
• Insider Threat and Cybersecurity share some technical data, such as syslog, weblog and security control logs.
• Insider Threat and Internal Fraud share the fraud motive, but Insider Threat covers a broader set of motives.
• Cybersecurity and Internal Fraud share some common data sources.
• Across all three business problems, fraudulent motives are common, and some technical data, such as network access, are important to all.
Key Requirements / Features
User centric analysis and alerting
Holistic surveillance
Electronic communications (unstructured data) analysis
Real time data collection and monitoring
Data and Process Flow

Source Data
• Web/Sys-logs
• Physical Security
• Email/IM/Call Logs
• DLP/SIEM/Control
• Org/HR Reference
• Vertical Specific

Batch Process
• Data Staging and Management: Data Quality/Cleanse, Entity Resolution
• Insider Threat Data Store (database)
• Analytics for Threat Detection: Rules & Anomaly Detection, Text Analytics, Predictive Modelling, Behavior Analysis, Social Network Analysis
• Detection Analytics, Batch Scoring and Alerting Engine
• Scenario Deployment (scenarios developed in batch are deployed to the real-time engine)

Real-Time Process (SAS Event Stream Processing)
• Real-time Scoring and Alerting Engine: Event Cleansing & Standardise, Event Enrichment, Event Scoring

Outputs
• Insider Threat Monitoring, Exploration and Reporting
• Users: Triage Investigator, Business Analyst, Management
• Alert Disposition / Feedback
The Hybrid Approach for User Behavior Analytics

Ingesting, Understanding and Preparing Data
• Includes advanced entity resolution techniques beyond simple fuzzy matching
• Supports both batch and real-time analysis and scoring

Business Rules for Identifying Known Behaviors
• Encodes known schemes and red-flag indicators to provide a baseline measure of high-risk activity
• Uses a data-driven approach to test, validate and tune business rules

Anomaly Detection for Identifying Unknown Patterns
• Uses both rule-based and data-driven, intelligent peer grouping for capturing extreme or unusual user behavior
• Other outlier detection techniques, including multivariate methods

Advanced Analytics for Detecting Complex Patterns
• Uses contextual analysis of unstructured text to accurately capture user behaviors of interest
• Leverages known events and prior alert outcomes (feedback) to learn and prioritize alerts

Link Analysis for Uncovering Entity Relationships
• Connects users through a multitude of common attributes, including e-communications
• Helps uncover complex collusive relationships and incorporates associative risk into the user risk score

What the combination delivers
• Comprehensive User Behavior Risk Score
• White-box Approach
• Ability to Learn and Evolve
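The following block works the termination scenario from the earlier slide through the two detection layers described here: named business rules for known red flags, and peer-group anomaly detection for behavior that no rule anticipated, both feeding one explainable user risk score. It is an added illustration written for this page; it is not SAS code and does not describe how SAS Insider Threat actually scores. The field names, rule thresholds, point values, the 2-sigma cutoff and the activity records are all constructed assumptions.

```python
"""
Hybrid user-behavior risk scoring: white-box rules for known red flags plus
peer-group anomaly detection, combined into one explainable user score.
Added illustration only; not SAS code and not a description of any SAS algorithm.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UserActivity:
    """One week of activity for one user. Field names are assumptions."""
    user: str
    dept: str                # peer group (department)
    ext_email_mb: float      # MB mailed to external domains
    usb_files: int           # files written to removable media
    after_hours_logins: int  # logins outside business hours
    resigned: bool           # HR flag: resignation notice on file


# Constructed sample data, not real telemetry. "dave" is the termination
# scenario: resignation on file plus bulk copying to e-mail and a thumb drive.
# "heidi" has also resigned but behaves exactly like her peers.
ACTIVITY = [
    UserActivity("alice", "eng", 10, 0, 1, False),
    UserActivity("bob", "eng", 12, 1, 2, False),
    UserActivity("carol", "eng", 8, 0, 0, False),
    UserActivity("dave", "eng", 350, 40, 9, True),
    UserActivity("erin", "sales", 60, 2, 1, False),
    UserActivity("frank", "sales", 55, 3, 0, False),
    UserActivity("grace", "sales", 66, 1, 2, False),
    UserActivity("heidi", "sales", 65, 2, 1, True),
]

METRICS = ("ext_email_mb", "usb_files", "after_hours_logins")


def rule_hits(a: UserActivity) -> List[Tuple[str, float]]:
    """Known schemes encoded as named rules. Every hit carries its own points,
    so an investigator can see exactly why a score moved (the white-box part).
    Thresholds and points are assumed tuning values."""
    hits: List[Tuple[str, float]] = []
    if a.resigned and (a.ext_email_mb >= 100 or a.usb_files >= 10):
        hits.append(("resignation_plus_exfil", 50))
    if a.usb_files >= 20:
        hits.append(("bulk_removable_media", 20))
    if a.after_hours_logins >= 5:
        hits.append(("after_hours_spike", 10))
    return hits


def peer_zscore(a: UserActivity, peers: List[UserActivity], metric: str,
                sd_floor: float = 1.0) -> float:
    """Leave-one-out z-score: the user's value against peers *excluding*
    themselves, so a single heavy exfiltrator cannot inflate their own
    baseline. sd_floor (assumed: 1 MB / 1 file / 1 login) stops near-identical
    peer groups from turning trivial differences into enormous scores."""
    values = [getattr(p, metric) for p in peers if p.user != a.user]
    if not values:
        return 0.0
    sd = max(pstdev(values), sd_floor)
    return (getattr(a, metric) - mean(values)) / sd


def anomaly_points(a: UserActivity, peers: List[UserActivity],
                   threshold: float = 2.0, per_sigma: float = 10,
                   cap: float = 30) -> List[Tuple[str, float]]:
    """Points only for metrics more than `threshold` sigma above the peer
    group, capped per metric so one wild number does not swamp the rest."""
    out: List[Tuple[str, float]] = []
    for m in METRICS:
        z = peer_zscore(a, peers, m)
        if z > threshold:
            out.append((f"peer_outlier:{m}", min(per_sigma * (z - threshold), cap)))
    return out


def score_users(activity: List[UserActivity]) -> Dict[str, Tuple[float, list]]:
    """Return {user: (total_score, reasons)} ordered from highest risk down.
    `reasons` lists every rule and outlier that contributed, with its points."""
    groups: Dict[str, List[UserActivity]] = defaultdict(list)
    for a in activity:
        groups[a.dept].append(a)
    scored = {}
    for a in activity:
        reasons = rule_hits(a) + anomaly_points(a, groups[a.dept])
        scored[a.user] = (round(sum(p for _, p in reasons), 1), reasons)
    return dict(sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True))


if __name__ == "__main__":
    for user, (total, reasons) in score_users(ACTIVITY).items():
        print(f"{user:6} {total:6.1f}  {[name for name, _ in reasons]}")
```

On this constructed data dave scores 170 (three rules plus three capped peer outliers) while heidi, who has also resigned but behaves like her peers, scores 0; a resignation on file is context for the rules, not an alert by itself. The leave-one-out baseline matters: if dave's own e-mail volume were included in the engineering baseline, it would inflate the mean and standard deviation enough to leave his z-score around 1.7, under the 2-sigma cutoff. The feedback step on the slide (prior alert dispositions re-weighting rules) is not shown here; a natural extension is to scale each rule's points by the true-positive rate of its past alerts.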
Demo – SAS Insider Threat