Cybersecurity Insider Threat Analytics Speakers: Joel Amick, Cory Hefner, and Aysha Nahan

Disclosure This material is for informational purposes only and should not be regarded as a recommendation or an offer to buy or sell any product or service to which this information may relate. Certain products and services may not be available to all entities or persons. Past performance does not guarantee future results. Standard Disclaimer This material is for informational purposes only and should not be regarded as a recommendation or an offer to buy or sell any product or service to which this information may

Sr. Info Security Analyst, Cyber Analytics Who We Are Slide 2: Collaboration with UNCC with 4 student interns from the Data Science Program. Over the past 6 months, have created algorithms that provide a “insider risk snapshot”. The internship is led by Joel Amick, director of Cyber Analytics and Cory Hefner, senior info security analyst. Joel Amick Director, Cyber Analytics Cory Hefner Sr. Info Security Analyst, Cyber Analytics Aysha Nahan Data Analyst, Cyber Analytics

In Partnership With Internship Associates TIAA Cybersecurity Mentors Interns from the Professional Masters in Data Science program at the University of North Carolina at Charlotte (UNCC), with experience in Advanced Analytics and Machine Learning. TIAA Cybersecurity Mentors Graduate Students in Data Science Program at UNCC David Milbern Kshitij Khurana Abhinay Reddy Slide 2: Collaboration with UNCC with 4 student interns from the Data Science Program. Over the past 6 months, have created algorithms that provide a “insider risk snapshot”. The internship is led by Joel Amick, director of Cyber Analytics and Cory Hefner, senior info security analyst. Joel Amick Director, Cyber Analytics Cory Hefner Sr. Info Security Analyst, Cyber Analytics Aysha Nahan

Who is TIAA? https://www.tiaa.org/public/pdf/facts_stats.pdf

Who is TIAA? https://www.tiaa.org/public/pdf/facts_stats.pdf

Photo from WIRED.com

What is an Insider Threat? Malicious 21.6% of Incidents1 Negligent 78.4% of Incidents1 Fraud Accidental Intellectual Property Loss Phishing Sabotage or Destruction Shared/Stolen Credentials 1Study by Ponemon Institute in Sep 2016

Insider Threat Detection Data Loss Prevention Printers Network Proxy Use Cases From Prior Investigations Insider Threats Phishing Awareness Access Privileges VPN Physical Security

Proof of Concept Phase one (May- August) we took data about users' activities at work at combined it with data about whether or not this user had been identified as a threat by the [what team]. By using this data we were able to identify which factors may help PREDICT if a user would be an insider Threat. Pretty cool! Threat is identified as an elevated Data Loss Prevention incident in the DLP Archer database, with a result disposition not being ‘false positive’ Data extraction DLP was the strongest indicator Individual scores were weighted with comparison statistic values, indicating how correlated these scores were for the employee to be a confirmed threat

Outbound External Email Scoring Approach Data Loss Prevention Threat Outbound External Email Data Weighted Final Score VPN Internal Phishing Non Identified Threat Web Proxy Phase one (May- August) we took data about users' activities at work at combined it with data about whether or not this user had been identified as a threat by the [what team]. By using this data we were able to identify which factors may help PREDICT if a user would be an insider Threat. Pretty cool! Threat is identified as an elevated Data Loss Prevention incident in the DLP Archer database, with a result disposition not being ‘false positive’ Data extraction DLP was the strongest indicator Individual scores were weighted with comparison statistic values, indicating how correlated these scores were for the employee to be a confirmed threat Easily Scalable Separate Scores by Data Source Weighted Ensemble Approach to Scoring

Success of Scoring Algorithms *Distributions are representative of actual data, but numbers are anonymized

Quantifying the Threat Most Likely Potential Loss Distribution $0K *Distributions are representative of actual data, but numbers are anonymized

Security Events (SIEM) Implementation Internal Phishing Data Warehouse Data Warehouse VPN Outbound External Email Web Proxy Data Loss Prevention Security Events (SIEM)

Case Study “Joey Jobsearch” “Blocked Bobby” Threat Score: 821 Potential Loss: $2.1M “Blocked Bobby” Threat Score: 680 Potential Loss: $2.4M Insider Threat Score Loss Magnitude Insider Threat Score Loss Magnitude $0K $0K VPN 25 Connection Failures in the last month Web Proxy 83 Job Searches in the past day 32 File Sharing web pages visited in the past week Data Loss Prevention 10 Email Attachments blocked in the past 6 months 14 Cybersecurity Policy Violations in the past 6 months Internal Phishing 1 Internal Phishing Training Email opened in the past year VPN 5 Connection Failures in the last month Outbound External Email 2 Blocked Emails in the past week Data Loss Prevention 293 Files Loaded to USB in the past quarter 2 Email Attachments blocked in the past week Internal Phishing 2 Internal Phishing Training Emails reported in the past year *Distributions are representative of actual data, but numbers are anonymized

Actionable Intelligence Most Likely Potential Loss Distribution “Blocked Bobby” $2.4 million “Joey Jobsearch” $2.1 million $0K *Distributions are representative of actual data, but numbers are anonymized

Impact and Successes 1 1 2 2 3 3 4 Business Impact Successes Insider Threat and Detection Teams can use scores to prioritize incidents 1 Collaborated with Cyber Risk team for Projected Loss 2 Quantifiable value of the Insider Threat Program 2 Actionable intelligence was identified & escalated to the Insider Threat team 3 Matures Cybersecurity Investigations and Operations 3 Process is robust and allows for easy tuning or additions of new data sources 4 Provided new exploratory information about Insider Threat data sources

Challenges and Opportunities Identified Opportunities 1 Algorithms are trained predominantly with negative behavior. Opportunity to incorporate positive attributes in future tuning efforts. 1 Complete dashboard visualizations for Investigations 2 Structured and unstructured data stored in disparate data sources 2 Generate “Harm-Ability” scores based on the capability (permissions and exceptions) of employees potential for impact to the company 3 Managing scope 3 Incorporate additional data sources to further improve the accuracy of the Insider Threat score

Next Steps The next steps would be to have everything up and running, and have the processed scheduled to run daily. This would be with the autosys scheduler, but wouldn’t be needed until all the connections are in place. Also as an additional feature, we would like to display the factors contributing to their high (or low) score. (This is in progress)

Questions?