Detecting Insider Threats: Actions Speak Louder than Words

Presentation transcript:

Detecting Insider Threats: Actions Speak Louder than Words
Nick Cavalancia, Technical Evangelist, Techvangelism
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM

NICK CAVALANCIA, Technical Evangelist
- Certifications: MVP / MCSE / MCT / MCNE / MCNI
- Co-Founder of ConversationalGeek.com
- Founder of Techvangelism
- Consultant / Trainer / Speaker / Author
- Technical author with over a dozen books
- Technical speaker for Techmentor, Connections, SpiceWorld
- Regular speaker for 1105 Media, Penton, Spiceworks, TechTarget
- Writes, speaks, and blogs for some of today's best-known tech companies

SESSION AGENDA
- Look at the state of insider threats
- Where to place your focus
- How to spot an insider
- What it takes to build an Insider Threat Program

THE ELUSIVE INSIDER
- 28% of data breaches are committed by an insider
- 56%: regular employees
- 55%: privileged users / IT admins
- 42%: contractors, service providers, temp workers
- 59% of employees take data when they leave
- 6 passwords shared by the average user
Sources: vz.to/2JzzhGq, bit.ly/2pKqJXy, bit.ly/LPStateOfThePswd, bit.ly/DelDbrief (Deloitte Debrief, March 2016)

CASE STUDY: HEALTHCARE (vz.to/2zZjkXy)
- 58% of incidents involved insiders
- 48% were financially motivated
Threat actions seen: Error (misdelivery), Misuse (privilege abuse), Physical (theft), Hacking (stolen credentials), Malware (ransomware), Social (phishing)

Remember: external threat actors eventually look like an insider too!

WHY IS SPOTTING AN INSIDER SO TOUGH?
Simple answer: they're on the inside.
Not that simple, though:
- Can exist anywhere in the organization
- Insider risk shifts
- Looks like they're doing their job
- Lots of insider actions
- Lots of valuable data
- Need to define what an insider is to you

Where should you place your focus? Where your risk is.

DETERMINING INSIDER RISK
STEP 1: INVOLVE THE RIGHT PEOPLE
The Insider Threat Program team needs the perspective of several positions:
- Executive Leadership
- Human Resources
- Legal
- IT
- LoB Owners, Department Heads
- Security

DETERMINING INSIDER RISK
STEP 2: DEFINE RISK LEVELS
Assign risk based on:
- Position/Role
- Department
- Individual

DETERMINING INSIDER RISK
STEP 3: ALIGN RISK LEVELS WITH SECURITY CONTROLS
- User Behavior Analytics
- Security Awareness Training
- User Activity Monitoring
- Data Loss Prevention
- Secure Admin Workstation
- Privileged Access Management

Spotting the Insider

IT'S ALL ABOUT BEHAVIOR
Leading indicators:
- Shift in behavior
- Shifts in communication
Active indicators:
- Unusual
- Inappropriate
Consider that not all threats are malicious.
Shifts in behavior: 92% of insider threat cases were preceded by a negative workplace event.

THREAT INDICATORS
Leading:
- Personal changes
- HR issues
- Arrival/leaving times
- Positive to negative tone
- "We/Us" to "I/Me"
- Looking for a new job
- Communications
Active:
- Unusual logon times
- Abnormal application use
- Excessive printing
- Access of sensitive data
- Copying of sensitive data
- Communications

IT'S ALL ABOUT CONTEXT
- One action doesn't indicate a threat
- It is the culmination of actions, tone, communications, etc.
- Need to have complete visibility into employee activity, online and offline
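The following is an added illustration, not code from the talk, of how the active indicators listed above can be scored cumulatively per user so that no single action alerts but the culmination does, weighted by the role-based risk level from Step 2 and an HR leading indicator (an employee who has given notice). The log format, the weights, the sensitive share name and the threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample activity log (not from the talk): "timestamp user action detail"
SAMPLE_LOG = """2019-03-04T02:13:00 alice logon ws-12
2019-03-04T02:20:00 alice read finance/q1_forecast.xlsx
2019-03-04T02:25:00 alice copy finance/q1_forecast.xlsx usb
2019-03-04T02:40:00 alice print 180
2019-03-04T09:05:00 bob logon ws-07
2019-03-04T09:30:00 bob read finance/q1_forecast.xlsx
2019-03-04T14:00:00 carol print 30""".splitlines()

# Hypothetical inputs: risk level per role (Step 2) and an HR feed of users who gave notice
ROLE_RISK = {"alice": 2, "bob": 3, "carol": 1}   # 1 = low ... 3 = high
GAVE_NOTICE = {"alice"}
SENSITIVE = "finance/"            # assumed sensitive share
WORK_HOURS = range(7, 20)         # 07:00-19:59 is a normal logon hour
PRINT_MAX = 100                   # pages per job before printing counts as "excessive"
ALERT_THRESHOLD = 8

# Active indicators from the talk as (name, weight, predicate over action, detail, hour)
RULES = [
    ("unusual_logon_time", 1, lambda a, d, h: a == "logon" and h not in WORK_HOURS),
    ("sensitive_access",   1, lambda a, d, h: a == "read" and d.startswith(SENSITIVE)),
    ("sensitive_copy",     3, lambda a, d, h: a == "copy" and d.startswith(SENSITIVE)),
    ("excessive_printing", 2, lambda a, d, h: a == "print" and int(d) > PRINT_MAX),
]

def active_indicators(line):
    """Map one log line to the (user, indicator, weight) triples that matched."""
    ts, user, action, detail = line.split(" ", 3)
    hour = datetime.fromisoformat(ts).hour
    return [(user, name, w) for name, w, hit in RULES if hit(action, detail, hour)]

def score_users(log):
    """Sum weighted indicators per user, then apply role risk and the HR leading indicator."""
    raw = defaultdict(int)
    for line in log:
        for user, _name, weight in active_indicators(line):
            raw[user] += weight
    scored = {}
    for user, total in raw.items():
        ctx = total * ROLE_RISK.get(user, 1)
        if user in GAVE_NOTICE:
            ctx += 4              # leading indicator raises the weight of active ones
        scored[user] = ctx
    return scored

def users_to_review(log):
    return sorted(u for u, s in score_users(log).items() if s >= ALERT_THRESHOLD)
```

In the sample, bob reads the same sensitive file during working hours and stays well under the threshold, while alice's off-hours logon, read, copy and print run together with her notice push her score to 18.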

Building an Insider Threat Program

INSIDER THREAT PROGRAM MATURITY MODEL (model diagram not reproduced in the transcript)

BUILDING AN INSIDER THREAT PROGRAM
STEP 1: UNDERSTAND YOUR OBSTACLES
- Support
- Budget
- Culture
- Stakeholders
- Employees
- Communications
- Privacy
Only 27% had full support of the C-suite; the largest group was "some support" at 37%. The biggest blocker was Finance. HR was most concerned about privacy. Communications: only 21% of orgs had formalized communications.

BUILDING AN INSIDER THREAT PROGRAM
STEP 2: CREATE THE ITP TEAM
Did this at risk assessment: key stakeholders
- Executive Leadership
- Human Resources
- Legal
- IT
- LoB Owners, Department Heads
- Security
Designate an ITP Senior Official.
75% of orgs have no formalized ITP.

BUILDING AN INSIDER THREAT PROGRAM
STEP 3: ASSEMBLE CRITICAL DOCUMENTATION & NOTICES
- Background/Credit Checks
- Confidentiality and Intellectual Property Agreement (CIPA)
- Acceptable Use Policy
- Security Acknowledgement Agreement
- Logon Banners

BUILDING AN INSIDER THREAT PROGRAM
STEP 4: SELECT INTELLIGENCE SOURCES
- Human Resources
- Physical Security
- User Behavior Analytics
- User Activity Monitoring
- Auditing Data
Goal is to be as close as possible to the intersection of the user and everything they interact with; apply this to HR and all other data sources.

BUILDING AN INSIDER THREAT PROGRAM
STEP 5: BUILD INCIDENT RESPONSE PLANS
Scenario-based:
- Leading indicators
- Active indicators
- Employee giving notice
- Employee being terminated
Not a comprehensive list.

GETTING A HANDLE ON INSIDER THREATS
- Understand it's real and risky
- Define insider threat
- Classify your organizational risk
- Determine threat behaviors
- Build the ITP: processes, policy, technology, response

QUESTIONS?

THANK YOU
nick.cavalancia@techvangelism.com
Don't forget to visit conversationalgeek.com