Cybersecurity Insider Threat Analytics

Presentation transcript:

Cybersecurity Insider Threat Analytics Speakers: Joel Amick, Cory Hefner, and Aysha Nahan

Disclosure: This material is for informational purposes only and should not be regarded as a recommendation or an offer to buy or sell any product or service to which this information may relate. Certain products and services may not be available to all entities or persons. Past performance does not guarantee future results.

Who We Are
Joel Amick, Director, Cyber Analytics
Cory Hefner, Sr. Info Security Analyst, Cyber Analytics
Aysha Nahan, Data Analyst, Cyber Analytics
Slide 2 notes: Collaboration with UNCC with 4 student interns from the Data Science Program. Over the past 6 months, they have created algorithms that provide an “insider risk snapshot”. The internship is led by Joel Amick, Director of Cyber Analytics, and Cory Hefner, Senior Info Security Analyst.

In Partnership With
Internship Associates: interns from the Professional Masters in Data Science program at the University of North Carolina at Charlotte (UNCC), with experience in Advanced Analytics and Machine Learning.
TIAA Cybersecurity Mentors: Joel Amick (Director, Cyber Analytics), Cory Hefner (Sr. Info Security Analyst, Cyber Analytics), Aysha Nahan (Data Analyst, Cyber Analytics)
Graduate Students in the Data Science Program at UNCC: David Milbern, Kshitij Khurana, Abhinay Reddy

Who is TIAA? https://www.tiaa.org/public/pdf/facts_stats.pdf

Photo from WIRED.com

What is an Insider Threat?
Malicious: 21.6% of incidents (1). Examples: Fraud, Intellectual Property Loss, Sabotage or Destruction
Negligent: 78.4% of incidents (1). Examples: Accidental, Phishing, Shared/Stolen Credentials
(1) Study by Ponemon Institute, Sep 2016

Insider Threat Detection: Use Cases From Prior Investigations
Data Loss Prevention, Printers, Network Proxy, Insider Threats, Phishing Awareness, Access Privileges, VPN, Physical Security

Proof of Concept
In phase one (May to August) we took data about users' activities at work and combined it with data about whether or not each user had been identified as a threat by the [what team]. Using this data we were able to identify which factors may help PREDICT whether a user would be an insider threat. Pretty cool!
A threat is defined as an elevated Data Loss Prevention incident in the DLP Archer database whose result disposition is not ‘false positive’. DLP data extraction was the strongest indicator. Individual scores were weighted by comparison statistic values, indicating how strongly each score correlated with the employee being a confirmed threat.

Scoring Approach
Each data source (Data Loss Prevention, Outbound External Email, VPN, Internal Phishing, Web Proxy) produces its own score; the per-source scores are combined into a Weighted Final Score that separates Threat from Non Identified Threat users.
Easily scalable. Separate scores by data source. Weighted ensemble approach to scoring.
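The weighted ensemble described above, as an added example (not TIAA's code): each data source gets its own 0-1 score, the weight for a source is its correlation with the confirmed-threat label over historical users, and the weighted sum becomes the final score. The history records, count caps and resulting weights are constructed for illustration and do not reproduce the talk's numbers.

```python
"""Weighted-ensemble insider threat score (added example, not TIAA's code).

Each data source from the talk (DLP, VPN, web proxy, outbound email, internal
phishing) gets its own 0-1 score; its weight is the correlation of that score
with the confirmed-threat label (DLP Archer disposition not 'false positive')
over historical users. Records, caps and weights here are constructed."""
from statistics import mean, pstdev

SOURCES = ["dlp", "vpn", "proxy", "email", "phish"]

# Constructed history: per-source scores for six past users and their label
# from the DLP Archer review (1 = confirmed threat, 0 = not a threat).
HISTORY = [
    ({"dlp": 0.9, "vpn": 0.5, "proxy": 0.7, "email": 0.6, "phish": 0.2}, 1),
    ({"dlp": 0.8, "vpn": 0.1, "proxy": 0.6, "email": 0.3, "phish": 0.1}, 1),
    ({"dlp": 0.7, "vpn": 0.6, "proxy": 0.2, "email": 0.4, "phish": 0.3}, 1),
    ({"dlp": 0.1, "vpn": 0.4, "proxy": 0.3, "email": 0.2, "phish": 0.4}, 0),
    ({"dlp": 0.2, "vpn": 0.2, "proxy": 0.1, "email": 0.1, "phish": 0.5}, 0),
    ({"dlp": 0.0, "vpn": 0.5, "proxy": 0.4, "email": 0.3, "phish": 0.3}, 0),
]

def source_score(counts, caps):
    """Turn raw indicator counts (e.g. {'usb_files': 293}) into one 0-1 score
    by capping each count at an assumed saturation value and averaging."""
    return mean(min(1.0, counts.get(k, 0) / cap) for k, cap in caps.items())

def correlation(xs, ys):
    """Pearson correlation; 0 when either series is constant."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (len(xs) * sx * sy)

def fit_weights(history):
    """Weight = correlation with the threat label, floored at 0 and normalised
    so the weights sum to 1; a source that anti-correlates gets no weight."""
    labels = [label for _, label in history]
    raw = {s: max(0.0, correlation([f[s] for f, _ in history], labels))
           for s in SOURCES}
    total = sum(raw.values()) or 1.0
    return {s: w / total for s, w in raw.items()}

def threat_score(features, weights, scale=1000):
    """Weighted final score on a 0..scale range. A source missing from
    `features` contributes 0, so new sources can be added without breakage."""
    return round(scale * sum(weights[s] * features.get(s, 0.0) for s in SOURCES))
```

Adding a data source means adding one key to SOURCES and one score to each record; the weights are refit rather than hand-tuned.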

Success of Scoring Algorithms *Distributions are representative of actual data, but numbers are anonymized

Quantifying the Threat: Most Likely Potential Loss Distribution (chart). *Distributions are representative of actual data, but numbers are anonymized

Implementation
Data sources feeding the Data Warehouse: Internal Phishing, VPN, Outbound External Email, Web Proxy, Data Loss Prevention, Security Events (SIEM)

Case Study
“Joey Jobsearch”: Threat Score 821, Potential Loss $2.1M
  VPN: 25 connection failures in the last month
  Web Proxy: 83 job searches in the past day; 32 file-sharing web pages visited in the past week
  Data Loss Prevention: 10 email attachments blocked in the past 6 months; 14 cybersecurity policy violations in the past 6 months
  Internal Phishing: 1 internal phishing training email opened in the past year
“Blocked Bobby”: Threat Score 680, Potential Loss $2.4M
  VPN: 5 connection failures in the last month
  Outbound External Email: 2 blocked emails in the past week
  Data Loss Prevention: 293 files loaded to USB in the past quarter; 2 email attachments blocked in the past week
  Internal Phishing: 2 internal phishing training emails reported in the past year
(Charts: Insider Threat Score and Loss Magnitude for each.) *Distributions are representative of actual data, but numbers are anonymized

Actionable Intelligence: Most Likely Potential Loss Distribution (chart). “Blocked Bobby” $2.4 million; “Joey Jobsearch” $2.1 million. *Distributions are representative of actual data, but numbers are anonymized

Impact and Successes
Business Impact:
  1. Insider Threat and Detection Teams can use scores to prioritize incidents
  2. Quantifiable value of the Insider Threat Program
  3. Matures Cybersecurity Investigations and Operations
Successes:
  1. Collaborated with Cyber Risk team for Projected Loss
  2. Actionable intelligence was identified & escalated to the Insider Threat team
  3. Process is robust and allows for easy tuning or addition of new data sources
  4. Provided new exploratory information about Insider Threat data sources

Challenges and Opportunities
Challenges:
  1. Algorithms are trained predominantly with negative behavior; opportunity to incorporate positive attributes in future tuning efforts
  2. Structured and unstructured data stored in disparate data sources
  3. Managing scope
Identified Opportunities:
  1. Complete dashboard visualizations for Investigations
  2. Generate “Harm-Ability” scores based on the capability (permissions and exceptions) of employees and their potential for impact to the company
  3. Incorporate additional data sources to further improve the accuracy of the Insider Threat score

Next Steps
The next steps are to have everything up and running and to have the process scheduled to run daily. This would use the AutoSys scheduler, but it is not needed until all the connections are in place. As an additional feature, we would like to display the factors contributing to a user's high (or low) score. (This is in progress.)

Questions?