
© 2007 Oakley Networks Inc. All Rights Reserved

Russ Jensen

Past Present and Future

Copyright © 2007 Raytheon Company. All rights reserved. Customer Success Is Our Mission is a trademark of Raytheon Company.

The Leader in Insider Threat Mitigation

• 200+ Employees
• Oakley DNA from Department of Defense, FBI
• Tier 1 Federal and Commercial Customers

Integrated Solutions

Diverse Customer Base

How do you identify the threat?

• Where do they come from?
• What are they attacking?
• Users can obfuscate behaviors
• Lots of traffic is encrypted/hidden
• Much happens offline
• Complex risks are hard to detect!?

What is a threat?

• Insider threats are more difficult to detect than external threats. The individuals who abuse systems are authorized to access corporate sensitive data in the course of their daily work. Identifying an individual who is misusing the data he is allowed to access is much more complicated than detecting or blocking access by an unauthorized outsider. Additionally, because policies and procedures are often loosely followed, it is hard to know at what point “the line” has been crossed.

Decentralization – An IP leakage nightmare

• Larger, more porous networks exacerbate the insider threat.

• Mesh of connectivity for applications, telecommuters, business partners and customers.

Insider Threat is much more than data leaks

Any behavior that puts the business at risk… (the slide ranks these from LOW to HIGH)

• IP Theft
• Customer Data Theft
• Fraud
• Sabotage
• Hacking

• Chat, Web Mail
• Auctions, Shopping
• Job Hunting
• Day Trading
• Gambling
• Porn

• Internal Protest
• Spread Discontent
• Organize Labor
• Exposé, Whistle Blower
• Press Leaks

• Snooping
• Rights Escalation
• Technical Arrogance
• Hacking
• Insider Trading

• Hazing
• Discrimination
• Racial Slurs
• Hate Sites
• Terrorism

• Ignorance
• Negligence
• Process Failure
• Technical Failure
• Semi-Deliberate

The Internal Threat Is Large and Still Growing

• 55% of companies experienced at least one internal threat event between July 2005 and 2006

• 48% of companies report that internal, deliberate corporate sabotage occurs often

• Threats from “inside” include carelessness and malicious behavior by
  – Employees
  – Former employees
  – Contractors
  – Temporary workers
  – Consultants
  – Outsourcers

[Chart: Companies reporting at least one internal threat event, 2005 vs 2006 (0–70% axis)]

[Chart: Type of data lost (0–45% axis): confidential business data, customer personal data, intellectual property, worker personal data, other]

Source: CERT E-Crime Watch survey report; Ponemon Institute

What this really means is that the other 45% are clueless!!!

2006 e-Crime Watch Survey

[Chart: Percentage of incidents with no source identified, 2004–2006 (bar labels 30, 19, 15)]

[Chart: Percentage of insiders versus outsiders, 2004–2006]

CSO Magazine, USSS & CERT, 434 respondents

Results from FOSE 2008

• Botnets and spyware top the list of security worries for federal technologies, according to a survey of 200 federal information technology employees from Cisco Systems.

The study, reviewed today at the FOSE Conference and Exposition in Washington, found that 56 percent of those surveyed “were kept up at night” worrying about botnets and spyware.

Botnets—networks of compromised machines under the control of a single evil overlord—have grown into a significant problem over the past year, as hacking has moved from a vanity hobby to profit-driven organized crime.

Spyware secretly gathers information about a user while he/she navigates the Internet. Spyware can gather information about e-mail addresses, passwords and credit card numbers.

According to the September 2007 survey, 55 percent of respondents reported security breaches as the second top worry for federal IT security; inadequately trained employees was next with 53 percent; employee data loss came in fourth with 51 percent and citizen data loss was fifth at 50 percent.

Government Computer News, April 2008

Insider Threat varies by organization

A recent DoDIG report indicates that, for [over 1,000] investigations, 87 percent of identified intruders into DoD information systems were either employees or others internal to the organization.

Finding the Needle

Hacker Profile

• Romanian
• Nigerian
• Chinese
• Russian
• American

Threat Trends

• Intellectual Property – Customer Database, Gary Min
• PII – TJMax, Vladimir Levin
• Credit Cards
• Snooping – Moonlight Maze
• Botnets and other Malware – Romania

Dameware

Traditional Sniffer in a new wrapper

Document Tracking & Content Monitoring

• Untracked decentralization of information storage in files and databases across many systems.
• Content monitors/filters can be negated through the use of compression and/or encryption.
• Tracking these files via network content analyzers using static hashes is only a partial solution.
  – Modifications, compression and encryption change the hash.
  – Keywords are useless after compression.

This is the customer update list for Rhondo Enterprises:

ABC Corp
Banana Democratic
Canoco Oil

Here is the customer list, I’ve added some new names that weren’t included:

ABC Corp
Bmart
Banana Democratic

[Screenshot: the same list after compression into a ZIP archive, shown as unreadable binary in which only the file name sample.txt is legible]
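The three failure modes on this slide (an edit, a ZIP, a keyword filter) can be reproduced in a few lines. The following is an added example, not code from the presentation or from Oakley/SureView: it builds a constructed customer list (the company names are the ones on the slide; the account numbers, the extra names and the watchlist are invented here), hashes it, edits it, zips it, and shows which checks still fire. It also shows one partial mitigation the slide does not spell out, hashing each normalized line instead of the whole file, which survives edits but still not compression or encryption (which is the slide's argument for capturing content on the host, before it is packed).

```python
import hashlib
import io
import zipfile

# Constructed sample data. The company names are the ones shown on the slide;
# the account numbers, extra names and list layout are made up for this example.
NAMES = ["ABC Corp", "Banana Democratic", "Canoco Oil", "Delta Freight",
         "Echo Labs", "Foxtrot Mining", "Golf Insurance", "Hotel Group",
         "India Steel", "Juliet Pharma"]
ACCOUNTS = {name: 1000 + i for i, name in enumerate(NAMES)}
ACCOUNTS["Bmart"] = 1010  # the name the insider adds to their copy

# Terms a content filter might search for (constructed watchlist).
WATCHLIST = ("Rhondo Enterprises", "Banana Democratic", "Canoco Oil")


def build_list(header, names):
    """Render a customer list as text, one customer per line."""
    rows = [f"{n}, account {ACCOUNTS[n]}, tier {ACCOUNTS[n] % 3}" for n in names]
    return header + "\n" + "\n".join(rows) + "\n"


# The original document and the insider's lightly edited copy (new header,
# one customer dropped, one added), mirroring the two lists on the slide.
ORIGINAL = build_list("Customer update list for Rhondo Enterprises:", NAMES)
MODIFIED = build_list("Here is the customer list, I've added some new names:",
                      [n for n in NAMES if n != "Canoco Oil"] + ["Bmart"])


def sha256_hex(data: bytes) -> str:
    """Static whole-file hash, the kind a network tracker would register."""
    return hashlib.sha256(data).hexdigest()


def zip_in_memory(name: str, text: str) -> bytes:
    """Compress the text into a ZIP archive, as the insider on the slide did."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, text)
    return buf.getvalue()


def watchlist_hits(data: bytes, watchlist=WATCHLIST):
    """Naive keyword filter: which watchlist terms occur literally in the bytes?"""
    return [term for term in watchlist if term.encode() in data]


def line_fingerprints(text: str):
    """Partial mitigation: hash each normalized line instead of the whole file,
    so edits to some lines leave the other fingerprints intact."""
    fps = set()
    for line in text.splitlines():
        norm = " ".join(line.lower().split())
        if norm:
            fps.add(hashlib.sha256(norm.encode()).hexdigest()[:16])
    return fps


def shared_lines(a: str, b: str) -> int:
    """Number of line fingerprints two texts have in common."""
    return len(line_fingerprints(a) & line_fingerprints(b))


if __name__ == "__main__":
    zipped = zip_in_memory("sample.txt", ORIGINAL)
    print("whole-file hash survives edit:",
          sha256_hex(ORIGINAL.encode()) == sha256_hex(MODIFIED.encode()))
    print("keywords in plaintext:", watchlist_hits(ORIGINAL.encode()))
    print("keywords in edited copy:", watchlist_hits(MODIFIED.encode()))
    print("keywords in ZIP:", watchlist_hits(zipped))
    print("line fingerprints shared by original and edited copy:",
          shared_lines(ORIGINAL, MODIFIED), "of", len(line_fingerprints(ORIGINAL)))
```

Whole-file hashing fails on the first edit, and keyword matching fails on the ZIP (only the archive member name stays in clear, which is exactly what the slide's screenshot shows). Per-line fingerprints still recognise nine of the eleven original lines in the edited copy, but they are just as blind once the data is compressed or encrypted, so they only help if the fingerprinting runs where the plaintext exists.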

They don’t get it!!!!

Behavioral Predictors

Estimated $400,000,000 loss in Intellectual Property

Min downloaded about 22,000 abstracts and accessed about 16,706 documents -- 15 times the number of abstracts and reports accessed by the next-highest user during that period. InformationWeek, February 17, 2007
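The statistic quoted above (15 times the next-highest user) is itself a usable detection rule: rank users by how many distinct documents they touched and flag anyone far ahead of the person below them. The following is an added example, not code from the presentation or from any product it describes. The log format, user names and volumes are constructed here; the only thing taken from the slide is the idea of comparing against the next-highest user.

```python
import re
from collections import defaultdict

# Constructed log format: one repository access per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) doc=(?P<doc>\S+)$")


def build_sample_log():
    """Constructed document-repository access log: nine ordinary users touching
    4-12 documents each, plus one user ('u_outlier') pulling 200 documents."""
    lines = []
    ordinary = ["alice", "bob", "carol", "dave", "erin",
                "frank", "grace", "heidi", "ivan"]
    for i, user in enumerate(ordinary):
        for j in range(4 + i):
            lines.append(f"2007-02-{10 + j % 5:02d}T{9 + j % 8:02d}:15:00 "
                         f"user={user} action=view doc=abstract/{i * 100 + j}")
    for j in range(200):
        lines.append(f"2007-02-{10 + j % 5:02d}T{9 + j % 8:02d}:{j % 60:02d}:00 "
                     f"user=u_outlier action=download doc=abstract/{5000 + j}")
    return lines


def distinct_docs_per_user(lines):
    """Count distinct documents each user touched, ignoring malformed lines."""
    docs = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            docs[m["user"]].add(m["doc"])
    return {user: len(d) for user, d in docs.items()}


def flag_volume_outliers(counts, ratio=5.0):
    """Rank users by volume and flag anyone whose count is at least `ratio` times
    the next-highest user's (the Min case above was 15x).
    Returns (user, count, ratio_to_next) tuples, highest first."""
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)
    flagged = []
    for i, (user, n) in enumerate(ranked[:-1]):
        next_n = ranked[i + 1][1]
        if next_n == 0 or n / next_n < ratio:
            break  # once the gap closes, lower-ranked users are within the pack
        flagged.append((user, n, round(n / next_n, 1)))
    return flagged


if __name__ == "__main__":
    counts = distinct_docs_per_user(build_sample_log())
    for user, n, r in flag_volume_outliers(counts):
        print(f"{user}: {n} distinct documents, {r}x the next-highest user")
```

Counting distinct documents rather than raw requests matters: a user who re-opens the same report fifty times is noise, while one who touches hundreds of different records once each is the pattern the slide describes. The ratio threshold is deliberately compared against the next-highest user, not the average, so a department where everyone reads a lot does not trip it.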

Behavioral Predictors

• Typical Fraud Incidents

Who were they?
• Current employees
• Half male; half female
• Non-technical; non-management positions

Why did they do it?
• Greed

How did they attack?
• Many had privileged access
• Only legitimate user commands
• Used their own username & password
• Acted during working hours from within the workplace

www.cert.com presented at CSI November 7, 2006

Content Filtering can catch any idiot with a keyboard

Grrrrr!!!

Understanding the threat helps to develop the defense

www.cert.com presented at CSI November 7, 2006

What is the solution?

At first, it appears that host-level control may be more difficult to deploy and require more resources to manage than network-based products, but it does have a major benefit: the ability to monitor at the desktop level, which is the launching pad for wayward behavior. An ideal setup would be to have both network and host-based protection guarding local usage and network transmission in a layered approach.

Connectivity is valuable economically, but that doesn’t mean that we have to give absolutely everything away in the name of connectivity.

With Host Based Monitoring, you can…
• Detect incidents even if all the traffic was encrypted?
• Capture and document even the most complex incidents?
• Catch incidents when a device was “offline”?
• See content going over your network like a filmstrip?
• Replay any incident like a TiVo or DVR?
• Have non-technical users identify threats/behavior?
• Automatically deploy software to rogue desktops?

[Screenshot: DVR replay at 2x speed, a filmstrip of captured events labelled Porn, Terrorism, Financials XLS, Gambling, Identity Theft, ProductPlans.CAD, Email CustomerList.DOC]

Broad, network level observation

• Content Threats
  – Inappropriate content
  – Legally liable content
  – Unproductive content
  – Intellectual Property
  – Sensitive Documents

• Traffic Threats
  – High bandwidth users
  – Insecure protocols
  – Unexpected port traffic
  – Off-hour transfers
  – Unusual encrypted traffic
  – Biggest downloaders
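The traffic-threat bullets above are rules that need only flow metadata, which is why they work even when the payload is encrypted. The following is an added example, not code from the presentation or from any product it describes: it runs four of those rules (off-hour transfers, insecure protocols, encrypted traffic on an unexpected port, biggest downloaders) over a handful of constructed flow records. The CSV layout, hostnames, thresholds and the port-per-application table are assumptions made for the example; a real sensor's export format and your own office hours would replace them.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed flow records as a sensor might export them (not real traffic).
# "bytes" is taken to be the volume moved to the source host in that flow.
SAMPLE_FLOWS = """\
ts,src,dst,dport,app,bytes
2007-03-05T09:14:00,ws-101,mail.example.com,25,smtp,52000
2007-03-05T10:02:00,ws-102,www.example.net,80,http,1400000
2007-03-05T11:30:00,ws-103,203.0.113.8,8443,tls,9800000
2007-03-05T12:05:00,ws-104,ftp.partner.example,21,ftp,2200000
2007-03-05T13:40:00,ws-102,cdn.example.org,443,tls,3100000
2007-03-05T23:18:00,ws-105,198.51.100.22,443,tls,41000000
2007-03-06T02:45:00,ws-105,198.51.100.22,443,tls,38000000
2007-03-06T09:00:00,ws-106,intranet.example,80,http,250000
"""

OFFICE_HOURS = range(7, 19)          # 07:00-18:59 counts as working hours (assumed)
OFF_HOURS_MIN_BYTES = 1_000_000      # only large off-hour transfers are interesting
INSECURE_APPS = {"ftp", "telnet"}    # clear-text protocols that should not carry data
# Where each application is expected to be seen; TLS anywhere else is "unusual encrypted traffic".
EXPECTED_PORTS = {"http": {80, 8080}, "tls": {443}, "ftp": {21}, "smtp": {25, 587}}
TOP_N = 2


def parse_flows(text):
    """Parse the CSV export into typed records."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": datetime.fromisoformat(r["ts"]), "src": r["src"],
                     "dst": r["dst"], "dport": int(r["dport"]),
                     "app": r["app"], "bytes": int(r["bytes"])})
    return rows


def analyze_flows(text):
    """Apply the traffic-threat rules; returns {rule: [source hosts]}."""
    findings = defaultdict(list)
    per_src = defaultdict(int)
    for f in parse_flows(text):
        per_src[f["src"]] += f["bytes"]
        if f["ts"].hour not in OFFICE_HOURS and f["bytes"] >= OFF_HOURS_MIN_BYTES:
            findings["off_hours_transfer"].append(f["src"])
        if f["app"] in INSECURE_APPS:
            findings["insecure_protocol"].append(f["src"])
        expected = EXPECTED_PORTS.get(f["app"])
        if expected and f["dport"] not in expected:
            findings["unexpected_port"].append(f["src"])
    # de-duplicate sources per rule, keeping first-seen order
    result = {rule: list(dict.fromkeys(srcs)) for rule, srcs in findings.items()}
    result["top_downloaders"] = sorted(per_src, key=per_src.get, reverse=True)[:TOP_N]
    return result


if __name__ == "__main__":
    for rule, hosts in analyze_flows(SAMPLE_FLOWS).items():
        print(f"{rule}: {', '.join(hosts)}")
```

Note that ws-105 is caught twice, by the off-hours rule and as the biggest downloader, without anyone seeing inside its TLS sessions; ws-103 shows up only because TLS to port 8443 falls outside the expected-port table. Those two rules are the ones that keep working when, as the earlier slide puts it, "lots of traffic is encrypted/hidden".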

What to Monitor

• Based upon your priorities, which egress method is most likely used?

• Do you block access to those egress methods? (super glue in the USB port)

• What do you do after a violation occurs?

Monitoring every vector of communication

• Printer
• Keyboard
• Email
• Office
• Clipboard
• File
• IM
• Log On
• System Process
• Browser
• USB
• Terminal Servers
• Lotus Notes

Threat Process

Insider threats are often disgruntled employees or ex-employees who believe that the business, institution, or agency has "done them wrong" and feel justified in gaining revenge. The malicious activity usually occurs in four steps or phases.

1. They gain entry to the system or network.
2. They poke around.
3. May set up from some other workstation.
4. Destructive activity takes

DVR-Like event replay and investigation

[Screenshot: replay of an email from [email protected] (“Here ya go” / “Here is that customer list I told you about”) with attachments Private.doc and Encrypted.doc.pgp; DVR controls at 1x and 2x speed]

SureView™

• DVR-Like Event Replay
  – Before/after time slices
• Pre-Encryption
• Offline Events
• Event Reconstruction
• Archival and Retrieval

Rich policies designed for specific pain points

SureView™

• USB/Mobile Storage
• Privileged User/Admin
• Export/Trade Violations
• Intellectual Property / Customer Data protection

Detect Network and Content Liability Risks

• Collect Data
• Alert
• Block drive mounts
• Lockout User
• Disconnect from network
• Shutdown

Advantages of host-based monitoring

• Trace suspicious or malicious usage back to computers and users.

• Provide strong audit trails and evidence needed to confront, terminate, prosecute employees’ suspicious activities.

• Augment forensics investigations by providing incident context and content.

• Help decrease legal liabilities by minimizing sensitive information losses.

• Detect unauthorized encrypted communications sessions and information that should be encrypted but is not.

That’s all folks

Arf…

Questions?