Insider Threat and Data Leakage Considerations and Solutions
OZGUR DANISMAN, MBA, CISSP, CISM
Sales Engineering Manager, MENA
New Company, Uniquely Formed to Offer a New Approach to Security
- Commercial Leader with Content Security & DLP
- Cloud / On-Premise / Hybrid
- Pioneer on Cyber Frontlines with Financial Resources
- Deep Understanding of Threat Detection
- Networking Innovator with Advanced Evasion Prevention
- Security at Scale
Core Products
- Content Security (core business): AP-WEB, AP-EMAIL
- Data & Insider Threat Protection (core business): AP-DATA, AP-DATA DISCOVER, SureView Insider Threat
- Threat Protection: Threat Protection Cloud / Appliance, Threat Protection for Linux, RiskVision
- Security for Cloud
- Network Security: Stonesoft & Sidewinder
Challenges and Pressures to Protecting Users & Data
- BUSINESS TRANSFORMATION: increasingly mobile workforce; adoption of cloud infrastructure and expansion of the supply chain; rapid IT delivery
- INDUSTRIALIZATION OF CYBERCRIME: compromises users and their data; increasingly sophisticated campaigns
- WORKFORCE SKILLS & RESOURCING: shadow IT; security awareness; lack of IT staff; static budgets
- INCREASING REGULATORY SCOPE: breach notification; consumer rights over their data; higher penalties; infrastructure scope
What is under pressure: DATA, NETWORKS, USERS
Goals: enable business innovation and agility; protect the brand
How Industrial Hackers Monetize the Opportunity
WELCOME TO THE HACKERS' ECONOMY
- Exploits: $1000-$300K
- Mobile Malware: $150
- Social Security: $1
- Credit Card Data: $0.25-$60
- Spam: $50 / 500K emails
- Medical Record: >$50
- DDoS as a Service: ~$7/hour
- Facebook Account: $1 for an account with 15 friends
- Malware Development: $2500 (commercial malware)
- Bank Account Info: >$1000 depending on account type and balance
Global Cybercrime Market: $450B-$1T
Source: RSA/CNBC

Speaker notes: The question I've always had, and I get asked all the time, is: how do the industrialized hackers make money? There have been a number of articles published with the prices that the hackers are demanding for their stolen goods. Social Security & Pension data: $1. Go through each; emphasize exploits, up to $300,000. The overall market for cybercriminals is estimated at anywhere from $450 billion to a trillion, according to Congressional testimony given by Ed Amoroso, Chief Security Officer from AT&T, and General Alexander, the former Director of the NSA. The bottom line is that the hacker economy is huge, and growing. High school group / mobile operator. Exploit kit 1k-300k, bank account 1000 USD; like the drug dealing example (levels); a country may be secure, but it is international.
Why Focus on Insider Threats?
Source: Verizon DBIR 2016
- The majority of breaches fall into 9 categories
- Insider threats have increased rapidly
- Crimeware is a big concern
Source: Verizon DBIR 2015
USER BEHAVIOR PERSONAS THAT POSE RISK TO AN ORGANIZATION
- COMPROMISED USER: victims of cyber attacks, social engineering, bribery or blackmail
- INTENTIONAL INSIDER: ethical rationalization; abuses privileges & access; knowingly transfers protected data externally
- ACCIDENTAL INSIDER: works around broken business processes; mistakes made during data transfer; misinterpreted training
Cost of an Insider Breach
https://dtexsystems.com/portfolio-items/infographic-findings-from-the-2016-costs-of-insider-threats-report/
Source: Ponemon 2016
INTRODUCING 'Dwell Time'
Timeline labels: INITIAL COMPROMISE, LATERAL MOVEMENT, BREACH, DETECT, DEFEND, DECIDE, BREACH FIXED, get back to normal, protect as much as possible
OUTSIDE ATTACKS: STOLEN
Average time to identify UNINTENTIONAL insider breaches: 158
DEFEAT INSIDER THREATS: reduce "dwell time" (when threats are in your network) to minimize theft and damage

Speaker notes: The insider threat problem requires a new approach, focused on decreasing this dwell time rather than trying to craft a policy to match every possible scenario. An insider is someone who is already "in" the system and already has a level of access and associated privileges. The same is true for an outside attacker who has stolen credentials and is acting like an insider. This approach requires a deep understanding of what behavior is normal for the organization and what sequences of activity are abnormal. As technology is able to help humans quickly find and verify these malicious events, the dwell time between the inception and defeat of a threat is minimized.
MODERN BUSINESS IS ALL ABOUT SAFELY CONNECTING USERS TO DATA
IN THE CLOUD, ON THE ROAD, IN THE OFFICE
- USERS: office, mobile, other locations, partners & supply chain, customers (covered by USER BEHAVIOUR ANALYTICS, UBA)
- NETWORKS: email, web, endpoint, media
- DATA: cloud apps, corp servers, websites (covered by DATA LOSS PREVENTION, DLP)
Data LEAKAGE Prevention: architecture
- ENDPOINT: data in use
- NETWORK: data in motion
- DISCOVER: data at rest
Channels and repositories covered: IM, ActiveSync, cloud, FTP, email, web, printer, network printer, media, storage, network storage, database, laptop drives
Data LEAKAGE Prevention is a Tool for Risk Reduction
[Chart: Incidents Per Week (y-axis 200 to 1000) plotted against the programme stages Visibility, Notification, Remediation and Prevention]
DLP secures sensitive data In Use & In Motion
- Who: Human Resources, Customer Service, Marketing, Finance, Accounting, Sales / Marketing, Legal, Technical Support, Engineering
- What: Source Code, Credit Card Data, Personal Data, M&A Plans, Employee Salary, Financial Report, Patient Records, Manufacturing Docs, Research
- Where: Evernote, Dropbox, Business Partner, Facebook, OneDrive, Malicious Server, Removable Media, Competitor, Customer
- How: File Transfer, Web, Instant Messaging, Peer-to-Peer, Email, Print, File Copy, Print Screen, Copy/Paste
- Action: Confirm, Block, Notify, Remove, Encrypt, Quarantine, Audit
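The slide's Who / What / Where / How -> Action model, as an added example (not Forcepoint's code): the content classifiers, the rule set and the action precedence below are constructed for illustration; a real DLP policy would also use fingerprints, OCR and cumulative (DRIP) detection rather than patterns alone.

```python
import re

# Added example (not Forcepoint's code): evaluate one data-transfer event against the
# Who / What / Where / How -> Action model on the slide. Classifiers and rules are
# constructed for illustration; a real deployment would use fingerprints and OCR too.

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cuts false positives on arbitrary 16-digit numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def classify(content: str) -> set:
    """'What': the sensitive data classes found in the payload."""
    found = set()
    if any(luhn_ok(re.sub(r"[ -]", "", m)) for m in CARD_RE.findall(content)):
        found.add("Credit Card Data")
    if SSN_RE.search(content):
        found.add("Personal Data")
    return found

# (who, what, where, how, action); None is a wildcard for that dimension.
RULES = [
    (None, "Credit Card Data", None, "Web", "Block"),
    ("Accounting", "Personal Data", None, "Email", "Encrypt"),
    (None, None, "Malicious Server", None, "Quarantine"),
    (None, "Personal Data", "Business Partner", "Instant Messaging", "Notify"),
    ("Customer Service", "Credit Card Data", None, "Email", "Confirm"),
]
# When several rules match, the most restrictive action wins.
PRECEDENCE = ["Block", "Quarantine", "Remove", "Encrypt", "Notify", "Confirm", "Audit", "Allow"]

def decide(who: str, where: str, how: str, content: str) -> str:
    """Return the action the policy takes for this event."""
    what = classify(content)
    actions = ["Allow"]
    for r_who, r_what, r_where, r_how, action in RULES:
        if (r_who in (None, who) and (r_what is None or r_what in what)
                and r_where in (None, where) and r_how in (None, how)):
            actions.append(action)
    return min(actions, key=PRECEDENCE.index)
```

For example, `decide("Customer Service", "Dropbox", "Web", "paid with 4111 1111 1111 1111")` returns "Block", while the same card number sent by Customer Service to a customer over email only triggers "Confirm".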
Insider Threat Mitigation
February 11, 2018
DLP Evolution
- 2003: Compliance
- 2010: IP Protection
- 2017: Data Theft Prevention (Insider Threat Mitigation)
Capabilities, in timeline order: pre-defined compliance policies; data fingerprints; endpoint fingerprints; OCR and cumulative (DRIP) DLP; cloud & mobile DLP; data theft risk indicators; incident risk ranking; behavioral analytics
User Behaviour Analytics
- Inputs: policies, 3rd-party policies, policy violations
- Scoring engines (MACHINE LEARNING): ORGANISATION volume anomaly; INDIVIDUAL volume anomaly
Insider threat + DLP

TRITON AP-DATA (DLP): protect "sensitive data" in external communications
- Identify and describe sensitive data
- Provide visibility into the movement of sensitive data
- Educate users to communicate data safely
- Protect the data everywhere

SureView Insider Threat: correlate "user" behavior to identify "risky users"
- Correlate security events and other user contextual data
- Data models identify and score risky users
- Administrator validates the behavior with on-demand forensics

DLP Data Monitoring and Protection
- Data classification
- Data exfiltration controls across IT infrastructure
- Incident-based behavioral model
- Monitor and protect IP and PII everywhere

Insider Threat Behavioral Audit
- Establish a baseline of typical user behavior
- Identify potentially anomalous behaviors
- User-based behavioral models

Insider Threat Focused Investigation
- Comprehensive, chronicled collection from multiple data sources, including AP-DATA
- All the details, insight and complete context of user actions
- Video replay of user activity
- Learn from incidents
- Detect and deter insider threats

Speaker notes: However, it is important to keep in mind that UBA tools are just part of the actual "solution". A full DLP program, including endpoint-based DLP, should be an integral part of a complete "Insider Threat Data Protection" program. Here you can see how they complement each other.
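A minimal version of the scoring described on the User Behaviour Analytics slide and in the behavioral-audit bullets above, as an added example (not Forcepoint's or SureView's code): each user is compared against their own baseline (individual volume anomaly) and against the organisation (organisation volume anomaly), DLP policy violations add to the score, and the result is a risky-user ranking for an analyst to validate. The history, today's activity and the weights are constructed.

```python
from statistics import mean, pstdev

# Added example (not Forcepoint's code): a minimal scoring engine in the shape of the
# UBA slide. Individual anomaly = deviation from the user's own baseline; organisation
# anomaly = deviation from what a typical user does; DLP policy violations add directly.
# Weights, history and today's figures are constructed for illustration.

# Constructed history: user -> megabytes uploaded per day over the last 10 working days.
HISTORY = {
    "alice": [40, 45, 38, 50, 42, 47, 44, 41, 39, 46],
    "bob":   [10, 12, 9, 11, 10, 13, 8, 12, 11, 10],
    "carol": [300, 320, 290, 310, 305, 315, 295, 300, 310, 300],  # backup operator
}
# Constructed 'today': (megabytes uploaded, number of DLP incidents / policy violations).
TODAY = {
    "alice": (420, 0),   # 10x her normal volume, no policy hits
    "bob":   (11, 3),    # normal volume, but three DLP incidents
    "carol": (330, 0),   # high in absolute terms, close to her own baseline
}
W_INDIVIDUAL, W_ORG, W_POLICY = 3.0, 1.0, 5.0

def zscore(value, series):
    """Standard deviations between value and the mean of series (0 if series is flat)."""
    sd = pstdev(series)
    return 0.0 if sd == 0 else (value - mean(series)) / sd

def score_user(user):
    """Risk score: weighted individual anomaly + organisation anomaly + policy violations."""
    volume, violations = TODAY[user]
    individual = max(0.0, zscore(volume, HISTORY[user]))       # only excess volume counts
    org_daily = [mean(h) for h in HISTORY.values()]            # every user's typical day
    organisation = max(0.0, zscore(volume, org_daily))
    return round(W_INDIVIDUAL * individual + W_ORG * organisation + W_POLICY * violations, 2)

def rank_users():
    """Risky-user ranking for the administrator to validate with on-demand forensics."""
    return sorted(TODAY, key=score_user, reverse=True)
```

Carol's 330 MB is the largest transfer of the day, yet she ranks last: her own baseline explains most of it, whereas Bob's policy violations outrank her and Alice's tenfold jump tops the list.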
THANK YOU! Ozgur Danisman ozgur.danisman@forcepoint.com