Cybersecurity Insider Threat Analytics

Presentation on theme: "Cybersecurity Insider Threat Analytics"— Presentation transcript:

1 Cybersecurity Insider Threat Analytics
Speakers: Joel Amick, Cory Hefner, and Aysha Nahan

2 Disclosure This material is for informational purposes only and should not be regarded as a recommendation or an offer to buy or sell any product or service to which this information may relate. Certain products and services may not be available to all entities or persons. Past performance does not guarantee future results.

3 Who We Are
Joel Amick, Director, Cyber Analytics
Cory Hefner, Sr. Info Security Analyst, Cyber Analytics
Aysha Nahan, Data Analyst, Cyber Analytics
Speaker notes: Collaboration with UNCC with 4 student interns from the Data Science Program. Over the past 6 months, we have created algorithms that provide an "insider risk snapshot". The internship is led by Joel Amick, director of Cyber Analytics, and Cory Hefner, senior info security analyst.

4 In Partnership With
TIAA Cybersecurity Mentors: Joel Amick, Director, Cyber Analytics; Cory Hefner, Sr. Info Security Analyst, Cyber Analytics; Aysha Nahan
Internship Associates: graduate students in the Professional Masters in Data Science program at the University of North Carolina at Charlotte (UNCC), with experience in Advanced Analytics and Machine Learning: David Milbern, Kshitij Khurana, Abhinay Reddy

5 Who is TIAA?

6 Who is TIAA?

7 Photo from WIRED.com

8 What is an Insider Threat?
Malicious: 21.6% of incidents [1] (Fraud; Intellectual Property Loss; Sabotage or Destruction)
Negligent: 78.4% of incidents [1] (Accidental; Phishing; Shared/Stolen Credentials)
[1] Study by Ponemon Institute, Sep 2016

9 Insider Threat Detection
Data sources feeding Insider Threat detection: Data Loss Prevention, Printers, Network Proxy, VPN, Physical Security, Phishing Awareness, Access Privileges, and use cases from prior investigations.

10 Proof of Concept
A threat is identified as an elevated Data Loss Prevention incident in the DLP Archer database whose result disposition is not "false positive".
Data extraction
DLP was the strongest indicator
Individual scores were weighted with comparison-statistic values, indicating how strongly each score correlated with the employee being a confirmed threat
Speaker notes: In phase one (May to August) we took data about users' activities at work and combined it with data about whether or not the user had been identified as a threat by the [what team]. Using this data we were able to identify which factors may help PREDICT whether a user would be an insider threat. Pretty cool!

11 Scoring Approach
Separate scores per data source (Data Loss Prevention, Outbound External Email, VPN, Internal Phishing, Web Proxy) feed a Weighted Final Score, which separates Threat from Non-Identified Threat.
Easily scalable
Separate scores by data source
Weighted ensemble approach to scoring

13 Success of Scoring Algorithms
*Distributions are representative of actual data, but numbers are anonymized

14 Quantifying the Threat
Chart: Most Likely Potential Loss Distribution. *Distributions are representative of actual data, but numbers are anonymized

16 Implementation
Data sources (Internal Phishing, VPN, Outbound External Email, Web Proxy, Data Loss Prevention, Security Events (SIEM)) feed the Data Warehouse.

17 Case Study
"Joey Jobsearch": Threat Score 821, Potential Loss $2.1M
VPN: 25 connection failures in the last month
Web Proxy: 83 job searches in the past day; 32 file-sharing web pages visited in the past week
Data Loss Prevention: 10 attachments blocked in the past 6 months; 14 cybersecurity policy violations in the past 6 months
Internal Phishing: 1 internal phishing training opened in the past year
"Blocked Bobby": Threat Score 680, Potential Loss $2.4M
VPN: 5 connection failures in the last month
Outbound External Email: 2 blocked emails in the past week
Data Loss Prevention: 293 files loaded to USB in the past quarter; 2 attachments blocked in the past week
Internal Phishing: 2 internal phishing training emails reported in the past year
Each profile was shown with an Insider Threat Score gauge and a Loss Magnitude distribution.
*Distributions are representative of actual data, but numbers are anonymized
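The scoring approach of slide 11 and the two case-study profiles of slide 17, worked through as an added Python example. This is not the deck's or TIAA's code. It assumes per-feature baselines, a 3x saturation point, a constructed set of labelled training rows and a 0..1000 scale, all hypothetical; the raw counts for the two users are taken from the slide, but the scores the block produces are not the 821 and 680 shown there. Source weights are derived from the point-biserial correlation of each source score with the confirmed-threat label (one reading of the deck's "comparison statistic values"), and the "phishing training email reported" feature shows how a positive attribute can be folded into the same scheme.

```python
"""
Weighted-ensemble insider-threat scoring as the deck describes it: a 0..1 score
per data source, source weights from how strongly each source separates
confirmed threats from other employees, a 0..1000 final score and the factors
behind it. Added illustration, not TIAA's code: every baseline, saturation
point and training row is a constructed assumption; the two users' counts come
from the case-study slide, the resulting scores do not.
"""
import math
from typing import Dict, List, Tuple

# feature -> (assumed normal count over the feature's window, direction);
# direction +1 = risk indicator, -1 = mitigating "positive attribute".
# The slide's windows differ per profile; they are collapsed to one feature here.
FEATURES: Dict[str, Dict[str, Tuple[float, int]]] = {
    "dlp": {"attachments_blocked": (1.0, +1), "policy_violations_180d": (1.0, +1),
            "files_to_usb_90d": (20.0, +1)},
    "web_proxy": {"job_searches_1d": (1.0, +1), "file_sharing_pages_7d": (2.0, +1)},
    "vpn": {"connection_failures_30d": (2.0, +1)},
    "outbound_email": {"blocked_emails_7d": (0.5, +1)},
    "internal_phishing": {"training_emails_opened_365d": (0.5, +1),
                          "training_emails_reported_365d": (0.5, -1)},
}
SATURATION = 3.0  # a count at 3x its baseline scores the maximum 1.0 (assumed)

def feature_score(count: float, baseline: float) -> float:
    """Scale a raw count against its baseline, saturating at 1.0."""
    return min(count / (SATURATION * baseline), 1.0)

def source_scores(counts: Dict[str, float]) -> Dict[str, float]:
    """Per-source 0..1 score: mean of directed feature scores, clipped so
    mitigating behaviour can offset risk but never go negative."""
    out: Dict[str, float] = {}
    for source, feats in FEATURES.items():
        total = sum(direction * feature_score(counts.get(name, 0.0), baseline)
                    for name, (baseline, direction) in feats.items())
        out[source] = min(max(total / len(feats), 0.0), 1.0)
    return out

def pearson(xs: List[float], ys: List[float]) -> float:
    """Pearson r; against a 0/1 label vector this is the point-biserial r."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def fit_weights(training: List[Tuple[Dict[str, float], int]]) -> Dict[str, float]:
    """Weight each source by its correlation with the confirmed-threat label;
    a source that does not separate threats (r <= 0) gets no weight."""
    labels = [float(label) for _, label in training]
    raw = {s: max(pearson([sc[s] for sc, _ in training], labels), 0.0)
           for s in FEATURES}
    total = sum(raw.values())
    if total == 0:  # nothing is informative: fall back to equal weights
        return {s: 1.0 / len(raw) for s in raw}
    return {s: r / total for s, r in raw.items()}

def threat_score(counts: Dict[str, float], weights: Dict[str, float]) -> int:
    """Weighted ensemble of the per-source scores on a 0..1000 scale."""
    scores = source_scores(counts)
    return round(1000 * sum(weights[s] * scores[s] for s in weights))

def explain(counts: Dict[str, float], weights: Dict[str, float]) -> List[Tuple[str, int]]:
    """Points each source contributed to the final score, largest first."""
    scores = source_scores(counts)
    parts = [(s, round(1000 * weights[s] * scores[s])) for s in weights]
    return sorted(parts, key=lambda p: p[1], reverse=True)

# Constructed training rows: per-source scores for past employees, labelled 1
# where an elevated DLP incident (not a false positive) confirmed a threat.
TRAINING = [
    ({"dlp": .9, "web_proxy": .6, "vpn": .4, "outbound_email": .7, "internal_phishing": .3}, 1),
    ({"dlp": .8, "web_proxy": .3, "vpn": .5, "outbound_email": .2, "internal_phishing": .6}, 1),
    ({"dlp": .7, "web_proxy": .8, "vpn": .3, "outbound_email": .4, "internal_phishing": .4}, 1),
    ({"dlp": .1, "web_proxy": .5, "vpn": .2, "outbound_email": .1, "internal_phishing": .4}, 0),
    ({"dlp": .2, "web_proxy": .2, "vpn": .3, "outbound_email": .3, "internal_phishing": .2}, 0),
    ({"dlp": .3, "web_proxy": .7, "vpn": .4, "outbound_email": .5, "internal_phishing": .2}, 0),
]

# Raw counts from the two case-study profiles on the slide.
JOEY_JOBSEARCH = {"connection_failures_30d": 25, "job_searches_1d": 83, "file_sharing_pages_7d": 32,
                  "attachments_blocked": 10, "policy_violations_180d": 14, "training_emails_opened_365d": 1}
BLOCKED_BOBBY = {"connection_failures_30d": 5, "blocked_emails_7d": 2, "files_to_usb_90d": 293,
                 "attachments_blocked": 2, "training_emails_reported_365d": 2}

if __name__ == "__main__":
    w = fit_weights(TRAINING)
    print("weights", {s: round(v, 3) for s, v in w.items()})
    for name, counts in (("Joey Jobsearch", JOEY_JOBSEARCH), ("Blocked Bobby", BLOCKED_BOBBY)):
        print(name, threat_score(counts, w), explain(counts, w))
```

Running the block prints the fitted weights, each user's score and the per-source contributions, which is the "factors contributing to the score" view the deck lists as in progress. With these constructed rows DLP receives the largest weight, in line with the deck's observation that DLP was the strongest indicator, but that is a property of the sample data, not a general result; a source whose correlation with the label is zero or negative is dropped from the ensemble rather than allowed to pull scores down.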

18 Actionable Intelligence
Chart: Most Likely Potential Loss Distribution. "Blocked Bobby": $2.4 million; "Joey Jobsearch": $2.1 million. *Distributions are representative of actual data, but numbers are anonymized

19 Impact and Successes
Business Impact
1. Insider Threat and Detection teams can use scores to prioritize incidents
2. Quantifiable value of the Insider Threat Program
3. Matures Cybersecurity Investigations and Operations
Successes
1. Collaborated with the Cyber Risk team for Projected Loss
2. Actionable intelligence was identified and escalated to the Insider Threat team
3. Process is robust and allows for easy tuning or addition of new data sources
4. Provided new exploratory information about Insider Threat data sources

20 Challenges and Opportunities
Challenges
1. Algorithms are trained predominantly on negative behavior. Opportunity to incorporate positive attributes in future tuning efforts.
2. Structured and unstructured data stored in disparate data sources
3. Managing scope
Identified Opportunities
1. Complete dashboard visualizations for Investigations
2. Generate "Harm-Ability" scores based on the capability (permissions and exceptions) of employees, i.e. their potential for impact to the company
3. Incorporate additional data sources to further improve the accuracy of the Insider Threat score

21 Next Steps The next step is to have everything up and running, with the process scheduled to run daily. This would use the AutoSys scheduler, but is not needed until all the connections are in place. As an additional feature, we would like to display the factors contributing to each user's high (or low) score. (This is in progress.)

22 Questions?

