© 2007 Oakley Networks Inc. All Rights Reserved
Russ Jensen
Past, Present and Future
Copyright © 2007 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a trademark of Raytheon Company.
The Leader in Insider Threat Mitigation
• 200+ employees
• Oakley DNA from Department of Defense, FBI
• Tier 1 Federal and Commercial customers
• Integrated solutions
• Diverse customer base
How do you identify the threat?
• Where do they come from?
• What are they attacking?
• Users can obfuscate behaviors
• Lots of traffic is encrypted/hidden
• Much happens offline
• Complex risks are hard to detect!?
What is a threat?
• Insider threats are more difficult to detect than external threats. The individuals who abuse systems are authorized to access corporate sensitive data in the course of their daily work. Identifying an individual who is misusing the data he is allowed to access is much more complicated than detecting or blocking access of an unauthorized outsider. Additionally, because policies and procedures are often loosely followed, it is hard to know at what point “the line” has been crossed.
Decentralization – An IP leakage nightmare
• Larger, more porous networks exacerbate the insider threat.
• Mesh of connectivity for applications, telecommuters, business partners and customers.
Insider Threat is much more than data leaks
• IP Theft • Customer Data Theft • Fraud • Sabotage • Hacking
• Chat, Web Mail • Auctions, Shopping • Job Hunting • Day Trading • Gambling • Porn
• Internal Protest • Spread Discontent • Organize Labor • Exposé, Whistle Blower • Press Leaks
• Snooping • Rights Escalation • Technical Arrogance • Hacking • Insider Trading
• Hazing • Discrimination • Racial Slurs • Hate Sites • Terrorism
• Ignorance • Negligence • Process Failure • Technical Failure • Semi-Deliberate
Insider Threats: any behavior that puts the business at risk, ranging from LOW to HIGH.
The Internal Threat Is Large and Still Growing
• 55% of companies experienced at least one internal threat event between July 2005 and 2006
• 48% of companies report that internal, deliberate corporate sabotage occurs often
• Threats from “inside” include carelessness and malicious behavior by
  – Employees
  – Former employees
  – Contractors
  – Temporary workers
  – Consultants
  – Outsourcers
[Chart: Companies reporting at least one internal threat event, 2005 vs. 2006 (y-axis 0 to 70%)]
[Chart: Type of data lost: confidential business data, customer personal data, intellectual property, worker personal data, other (y-axis 0 to 45%)]
Source: CERT E-Crime Watch survey report; Ponemon Institute
What this really means is that the other 45% are clueless!!!
2006 e-Crime Watch Survey
[Chart: Percentage of incidents with no source identified, 2004, 2005, 2006 (data labels shown: 30, 19, 15; y-axis 0 to 30)]
[Chart: Percentage of insiders versus outsiders, 2004, 2005, 2006 (y-axis 0 to 80)]
CSO Magazine, USSS & CERT, 434 respondents
Results from FOSE 2008
• Botnets and spyware top the list of security worries for federal technologies, according to a survey of 200 federal information technology employees from Cisco Systems.
The study, reviewed today at the FOSE Conference and Exposition in Washington, found that 56 percent of those surveyed “were kept up at night” worrying about botnets and spyware.
Botnets—networks of compromised machines under the control of a single evil overlord—have grown into a significant problem over the past year, as hacking has moved from a vanity hobby to profit-driven organized crime.
Spyware secretly gathers information about a user while he/she navigates the Internet. Spyware can gather information about e-mail addresses, passwords and credit card numbers.
According to the September 2007 survey, 55 percent of respondents reported security breaches as the second top worry for federal IT security; inadequately trained employees was next with 53 percent; employee data loss came in fourth with 51 percent and citizen data loss was fifth at 50 percent.
Government Computer News, April 2008
Insider Threat varies by organization
A recent DoDIG report indicates that, for [over 1,000] investigations, 87 percent of identified intruders into DoD information systems were either employees or others internal to the organization.
Hacker Profile
• Romanian
• Nigerian
• Chinese
• Russian
• American
Threat Trends
• Intellectual Property – Customer Database, Gary Min
• PII – TJ Maxx, Vladimir Levin
• Credit Cards
• Snooping – Moonlight Maze
• Botnets and other Malware – Romania
Dameware
Document Tracking & Content Monitoring
• Untracked decentralization of information storage in files and databases across many systems.
• Content monitors/filters can be negated through the use of compression and/or encryption.
• Tracking these files via network content analyzers using static hashes is only a partial solution.
  – Modifications, compression and encryption change the hash.
  – Keywords are useless after compression.
[Illustration: two versions of the same customer list, then the list as a ZIP archive]
Version 1: “This is the customer update list for Rhondo Enterprises:” ABC Corp, Banana Democratic, Canoco Oil
Version 2: “Here is the customer list, I’ve added some new names that weren’t included:” ABC Corp, Bmart, Banana Democratic
ZIP archive: binary data in which none of the names or keywords are recognizable; only the member filename “sample.txt” survives in the archive headers.
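As an added example (not from the Oakley slides or any product), the following Python script reproduces the slide's point and one partial remedy: a whole-file SHA-256 changes as soon as the list is edited, keyword matching finds nothing in the ZIP bytes even though the member filename is still readable in the archive header, and a scanner that peels ZIP containers by their PK\x03\x04 magic before matching recovers the hits. It goes one step beyond the slide with per-line fingerprints, which still show a high overlap between the original and the edited copy where a whole-file hash shows nothing. The customer list, the KEYWORDS watch list and all function names are constructed for this example.

```python
import hashlib
import io
import zipfile

# Constructed sample data modelled on the slide's two customer lists: the
# second version has a new header and one extra name ("Bmart") inserted.
HEADER_A = "This is the customer update list for Rhondo Enterprises:"
HEADER_B = "Here is the customer list, I've added some new names that weren't included:"
NAMES = ["ABC Corp", "Banana Democratic", "Canoco Oil"] + [
    f"Customer {i:02d} Holdings" for i in range(1, 31)
]
ORIGINAL = "\n".join([HEADER_A] + NAMES).encode()
MODIFIED = "\n".join([HEADER_B] + NAMES[:1] + ["Bmart"] + NAMES[1:]).encode()

# Hypothetical watch list a keyword-based content filter would be configured with.
KEYWORDS = [b"Banana Democratic", b"Canoco Oil", b"customer"]


def sha256_hex(data: bytes) -> str:
    """The static hash a network content analyzer would store for a tracked file."""
    return hashlib.sha256(data).hexdigest()


def keyword_hits(data: bytes) -> list:
    """Naive content filter: case-insensitive substring match on the raw bytes."""
    lowered = data.lower()
    return sorted(k for k in KEYWORDS if k.lower() in lowered)


def zip_bytes(name: str, data: bytes) -> bytes:
    """What the user does to slip past the filter: wrap the file in a ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def unpack_containers(data: bytes, depth: int = 3, max_member: int = 10_000_000) -> list:
    """Peel ZIP containers (local-header magic PK\\x03\\x04) before scanning, recursively.
    Depth and member-size limits keep nested archives and zip bombs from exhausting the scanner."""
    if depth <= 0 or not data.startswith(b"PK\x03\x04"):
        return [data]
    payloads = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member:
                continue  # oversized member: skip rather than decompress blindly
            payloads.extend(unpack_containers(zf.read(info), depth - 1, max_member))
    return payloads


def scan(data: bytes) -> list:
    """Container-aware filter: keyword hits across every unpacked payload."""
    hits = set()
    for payload in unpack_containers(data):
        hits.update(keyword_hits(payload))
    return sorted(hits)


def line_fingerprints(data: bytes) -> set:
    """Per-line fingerprints: an edited copy still shares most line hashes with the
    tracked original, which a whole-file hash cannot show."""
    return {
        hashlib.sha256(line.strip().lower()).hexdigest()[:16]
        for line in data.splitlines()
        if line.strip()
    }


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard overlap of line fingerprints, 0.0 (unrelated) to 1.0 (identical)."""
    fa, fb = line_fingerprints(a), line_fingerprints(b)
    return len(fa & fb) / len(fa | fb) if (fa | fb) else 0.0


if __name__ == "__main__":
    zipped = zip_bytes("sample.txt", ORIGINAL)
    print("hash original :", sha256_hex(ORIGINAL))
    print("hash modified :", sha256_hex(MODIFIED))
    print("hits plaintext:", keyword_hits(ORIGINAL))
    print("hits zipped   :", keyword_hits(zipped), "filename visible:", b"sample.txt" in zipped)
    print("hits unpacked :", scan(zipped))
    print("similarity    :", round(similarity(ORIGINAL, MODIFIED), 3))
```

Note that the container peeling only helps against compression; an encrypted archive or a PGP-encrypted document yields nothing to scan, which is the argument the deck makes for capturing content on the host before it is encrypted.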
Behavioral Predictors
Estimated $400,000,000 loss in Intellectual Property
Min downloaded about 22,000 abstracts and accessed about 16,706 documents, 15 times the number of abstracts and reports accessed by the next-highest user during that period. InformationWeek, February 17, 2007
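The ratio the slide quotes, one user at 15 times the next-highest user's volume, is exactly the kind of check a host or network monitor can compute from access logs. Added example, not from the slides or any product: the script parses a constructed log format (timestamp, user, VIEW or DOWNLOAD, document id), counts distinct documents per user and flags anyone who is either at least 10x the next-highest user or more than 5 median absolute deviations above the median. The log lines, user names and thresholds are all assumptions for this example.

```python
import re
from collections import Counter
from statistics import median

# Hypothetical log format (constructed for this example, not from any product):
#   <ISO timestamp> <user> <VIEW|DOWNLOAD> <document id>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<user>\S+)\s+"
    r"(?P<action>VIEW|DOWNLOAD)\s+(?P<doc>\S+)$"
)


def build_sample_log() -> list:
    """Constructed sample: five ordinary users and one user pulling ~13x the next-highest volume.
    One malformed line is included to show the parser skips rather than crashes on it."""
    profile = {"asmith": 120, "bjones": 95, "cwong": 110, "dlee": 80, "epatel": 100, "fmiller": 1600}
    lines, i = [], 0
    for user, n in profile.items():
        for _ in range(n):
            i += 1
            action = "DOWNLOAD" if i % 3 == 0 else "VIEW"
            lines.append(f"2006-02-{(i % 28) + 1:02d}T09:{i % 60:02d}:00 {user} {action} DOC-{i:06d}")
    lines.append("this line is not a valid record")
    return lines


def parse(lines):
    """Yield parsed records; silently drop anything that does not match the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def per_user_counts(lines, actions=("VIEW", "DOWNLOAD")) -> Counter:
    """Distinct-document access count per user over the whole window."""
    docs_per_user = {}
    for rec in parse(lines):
        if rec["action"] in actions:
            docs_per_user.setdefault(rec["user"], set()).add(rec["doc"])
    return Counter({u: len(d) for u, d in docs_per_user.items()})


def flag_outliers(counts: Counter, ratio: float = 10.0, mad_k: float = 5.0) -> list:
    """Two independent tests on the per-user volumes:
       (a) the slide's own yardstick: count >= ratio x the next-highest user;
       (b) a robust score: count > median + mad_k * MAD, which one outlier cannot drag
           upward the way a mean/standard-deviation threshold would.
    Returns [(user, count, [reasons]), ...], highest count first."""
    if len(counts) < 3:
        return []  # too few users for a peer comparison to mean anything
    values = sorted(counts.values(), reverse=True)
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0
    flagged = []
    for user, n in counts.most_common():
        reasons = []
        next_highest = max((v for u, v in counts.items() if u != user), default=0)
        if next_highest and n >= ratio * next_highest:
            reasons.append(f"{n / next_highest:.1f}x the next-highest user")
        if n > med + mad_k * mad:
            reasons.append(f"{(n - med) / mad:.1f} MADs above the median of {med:g}")
        if reasons:
            flagged.append((user, n, reasons))
    return flagged


if __name__ == "__main__":
    counts = per_user_counts(build_sample_log())
    for user, n, reasons in flag_outliers(counts):
        print(f"{user}: {n} documents -> {'; '.join(reasons)}")
```

The next-highest-user ratio is easy to explain to a non-technical reviewer, which the deck lists as a goal, but it fails when two colluding users share the load; the MAD score catches that case as long as the peer group is large enough, which is why both tests are reported.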
Behavioral Predictors
• Typical Fraud Incidents
Who were they?
• Current employees
• Half male; half female
• Non-technical; non-management positions
Why did they do it?
• Greed
How did they attack?
• Many had privileged access
• Only legitimate user commands
• Used their own username & password
• Acted during working hours from within the workplace
www.cert.com presented at CSI November 7, 2006
Content Filtering can catch any idiot with a keyboard
Grrrrr!!!
Understanding the threat helps to develop the defense
www.cert.com presented at CSI November 7, 2006
What is the solution?
At first, it appears that host-level control may be more difficult to deploy and require more resources to manage than network-based products, but it does have a major benefit: the ability to monitor at the desktop level, which is the launching pad for wayward behavior. An ideal setup would be to have both network and host-based protection guarding local usage and network transmission in a layered approach.
Connectivity is valuable economically, but that doesn’t mean that we have to give absolutely everything away in the name of connectivity.
With Host Based Monitoring, you can…
• Detect incidents even if all the traffic was encrypted?
• Capture and document even the most complex incidents?
• Catch incidents when a device was “offline”?
• See content going over your network like a filmstrip?
• Replay any incident like a TiVo or DVR?
• Have non-technical users identify threats/behavior?
• Automatically deploy software to rogue desktops?
[Screenshot: DVR replay at 2x speed of a desktop timeline, with events tagged Porn, Terrorism, Financials.XLS, Gambling, Identity Theft, ProductPlans.CAD, Email CustomerList.DOC]
Broad, network level observation
• Content Threats
  – Inappropriate content
  – Legally liable content
  – Unproductive content
  – Intellectual Property
  – Sensitive Documents
• Traffic Threats
  – High bandwidth users
  – Insecure protocols
  – Unexpected port traffic
  – Off-hour transfers
  – Unusual encrypted traffic
  – Biggest downloaders
What to Monitor
• Based upon your priorities, which egress method is most likely used?
• Do you block access to those egress methods? (super glue in the USB port)
• What do you do after a violation occurs?
Monitoring every vector of communication: Printer, Keyboard, Email, Office, Clipboard, File, IM, Log On, System Process, Browser, USB, Terminal Servers, Lotus Notes
Threat Process
Insider threats are often disgruntled employees or ex-employees who believe that the business, institution, or agency has "done them wrong" and feel justified in gaining revenge. The malicious activity usually occurs in four steps or phases.
1. They gain entry to the system or network.
2. They poke around.
3. May set up from some other workstation.
4. Destructive activity takes
DVR-Like event replay and investigation
[Screenshot: SureView™ DVR-style replay (1x and 2x speed) of a chat session, “Here ya go” / “Here is that customer list I told you about”, with the files Private.doc and Encrypted.doc.pgp]
SureView™
• DVR-Like Event Replay
  – Before/after time slices
• Pre-Encryption
• Offline Events
• Event Reconstruction
• Archival and Retrieval
Rich policies designed for specific pain points
SureView™
• USB/Mobile Storage
• Privileged User/Admin
• Export/Trade Violations
• Intellectual Property/Customer Data protection
• Detect Network and Content Liability Risks
Responses: Collect Data, Alert, Block drive mounts, Lockout User, Disconnect from network, Shutdown
Advantages of host-based monitoring
• Trace suspicious or malicious usage back to computers and users.
• Provide strong audit trails and evidence needed to confront, terminate, or prosecute employees for suspicious activities.
• Augment forensics investigations by providing incident context and content.
• Help decrease legal liabilities by minimizing sensitive information losses.
• Detect unauthorized encrypted communications sessions and information that should be encrypted but is not.
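An added example covering the last advantage above together with the “Unusual encrypted traffic” and “Unexpected port traffic” items from the network-level observation slide; it is not code from the slides or from SureView. The Python audit classifies a session payload by byte entropy and printable ratio, compares the result against which ports the policy expects to be cleartext or encrypted, and runs a Luhn check on digit runs in cleartext so a card number leaving unencrypted is flagged. The port policy, the sample sessions (including a seeded pseudo-random stand-in for ciphertext) and the function names are constructed for this example.

```python
import math
import random
import re
from collections import Counter

# Which ports the policy expects to carry cleartext and which it expects to be encrypted.
# Hypothetical policy for this example; a real deployment derives this from its own inventory.
PLAINTEXT_PORTS = {25, 80, 8080}
ENCRYPTED_PORTS = {22, 443, 993}

# 13-19 digit runs with optional single space/dash separators: card-number (PAN) candidates.
PAN_RE = re.compile(rb"\b(?:\d[ -]?){12,18}\d\b")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 to 5 for English/HTTP text, 7.9+ for ciphertext or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify_payload(data: bytes, high: float = 7.2, low: float = 5.5) -> str:
    """Coarse classification from entropy plus printable ratio; short or ambiguous payloads
    fall through to 'unknown' rather than forcing a verdict."""
    ent = shannon_entropy(data)
    if len(data) >= 256 and ent >= high and printable_ratio(data) < 0.5:
        return "encrypted_or_compressed"
    if ent <= low and printable_ratio(data) >= 0.9:
        return "plaintext"
    return "unknown"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracting 9 when the result exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(data: bytes) -> list:
    """Luhn-valid card-number candidates in a cleartext payload."""
    found = []
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            found.append(digits)
    return found


def audit_session(dst_port: int, payload: bytes) -> list:
    """Findings for one session, each a short policy-violation label."""
    kind = classify_payload(payload)
    findings = []
    if kind == "encrypted_or_compressed" and dst_port in PLAINTEXT_PORTS:
        findings.append("unexpected encrypted/compressed session on cleartext port")
    if kind == "plaintext" and dst_port in ENCRYPTED_PORTS:
        findings.append("cleartext on a port expected to be encrypted")
    if kind == "plaintext" and find_pans(payload):
        findings.append("card number sent unencrypted")
    return findings


def build_sessions() -> dict:
    """Constructed sample sessions (not captured traffic): session id -> (dst_port, payload)."""
    rng = random.Random(2007)  # seeded so the ciphertext stand-in is reproducible
    ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
    return {
        "s1": (80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
        "s2": (80, ciphertext),
        "s3": (8080, b"POST /pay HTTP/1.1\r\nHost: shop.example\r\n\r\n"
                     b"name=A+Smith&card=4111 1111 1111 1111&exp=12/09\r\n"),
        "s4": (443, ciphertext),
        "s5": (443, b"GET / HTTP/1.0\r\nHost: www.example\r\n\r\n"),
    }


def audit_all(sessions: dict) -> dict:
    return {sid: audit_session(port, payload) for sid, (port, payload) in sessions.items()}


if __name__ == "__main__":
    for sid, findings in audit_all(build_sessions()).items():
        print(sid, findings or ["ok"])
```

Entropy alone cannot tell compression from encryption, which is why the label is deliberately “encrypted_or_compressed”; the point of the check is that either one on a port the policy expects to be readable is worth a look, while a plain HTTP POST carrying a Luhn-valid number on a cleartext port is the “should be encrypted but is not” case regardless of port.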