Published by Leslie Morgan. Modified over 6 years ago.
1
Detecting Insider Threats: Actions Speak Louder than Words
Nick Cavalancia, Technical Evangelist, Techvangelism
#ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM
2
NICK CAVALANCIA, Technical Evangelist
- Certifications: MVP / MCSE / MCT / MCNE / MCNI
- Co-Founder of ConversationalGeek.com
- Founder of Techvangelism
- Consultant / Trainer / Speaker / Author
- Technical author with over a dozen books
- Technical speaker for Techmentor, Connections, SpiceWorld
- Regular speaker for 1105 Media, Penton, Spiceworks, TechTarget
- Writes, speaks, and blogs for some of today's best-known tech companies
3
SESSION AGENDA
- Look at the state of insider threats
- Where to place your focus
- How to spot an insider
- What it takes to build an Insider Threat Program
4
THE ELUSIVE INSIDER
- 28% of data breaches were committed by an insider
- 56% regular employees
- 55% privileged users / IT admins
- 42% contractors, service providers, temp workers
- 59% of employees take data when they leave
- 6 passwords shared by the average user
Sources: vz.to/2JzzhGq, bit.ly/2pKqJXy, bit.ly/LPStateOfThePswd, bit.ly/DelDbrief (Deloitte Debrief, March 2016)
5
CASE STUDY: HEALTHCARE
Source: vz.to/2zZjkXy
- 58% of incidents involved insiders
- 48% financially motivated
Incident patterns seen:
- Error: misdelivery
- Misuse: privilege abuse
- Physical: theft
- Hacking: stolen credentials
- Malware: ransomware
- Social: phishing
6
Remember: External threat actors eventually look like an insider too!
7
WHY IS SPOTTING AN INSIDER SO TOUGH?
Simple answer: they're on the inside.
Not that simple, though:
- Can exist anywhere in the organization
- Insider risk shifts over time
- Looks like they're doing their job
- Lots of insider actions
- Lots of valuable data
- Need to define what an insider is to you
8
Where should you place your focus?
Where your risk is.
9
DETERMINING INSIDER RISK
STEP 1: INVOLVE THE RIGHT PEOPLE
Insider Threat Program Team: you need the perspective of several positions
- Executive Leadership
- Human Resources
- Legal
- IT
- LoB Owners, Department Heads
- Security
10
DETERMINING INSIDER RISK
STEP 2: DEFINE RISK LEVELS
Assign risk based on:
- Position/Role
- Department
- Individual
13
DETERMINING INSIDER RISK
STEP 3: ALIGN RISK LEVELS WITH SECURITY CONTROLS
- User Behavior Analytics
- Security Awareness Training
- User Activity Monitoring
- Data Loss Prevention
- Secure Admin Workstation
- Privileged Access Management
14
Spotting the Insider
15
IT’S ALL ABOUT BEHAVIOR
Leading Indicators
- Shift in behavior
- Shifts in communication
Active Indicators
- Unusual
- Inappropriate
Consider: not all threats are malicious.
Speaker note: Shifts in behavior - 92% of insider threat cases were preceded by a negative workplace event.
16
THREAT INDICATORS
Leading:
- Personal changes
- HR issues
- Arrival/leaving times
- Positive to negative tone
- "We/Us" to "I/Me"
- Looking for a new job
- Communications
Active:
- Unusual logon times
- Abnormal application use
- Excessive printing
- Access of sensitive data
- Copying of sensitive data
- Communications
17
IT'S ALL ABOUT CONTEXT
- One action doesn't indicate a threat
- It is the culmination of actions, tone, communications, etc.
- Need to have complete visibility into employee activity, online and offline
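As an added illustration of the last two slides (the leading/active indicator list and the point that one action is not a threat), not code from the presentation: a small Python scorer over constructed activity events that alerts only when several distinct indicator categories cluster within a week, so a single off-hours logon, or an admin's routine sensitive-data reads, never fires on its own. The category names, weights, window and thresholds are assumptions for the example.

```python
# Added example, not from the presentation; weights and thresholds are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

WEIGHTS = {                   # one indicator category per event
    "hr_notice_given": 3,     # leading: employee gave notice (HR feed)
    "offhours_logon": 1,      # active: unusual logon time
    "sensitive_access": 2,    # active: access of sensitive data
    "sensitive_copy": 3,      # active: copying of sensitive data
}
WINDOW = timedelta(days=7)    # events must cluster to count as a culmination
MIN_CATEGORIES = 3            # distinct indicator types needed before alerting
ALERT_SCORE = 6               # weighted score threshold

def score_users(events):
    """events: iterable of (timestamp, user, category) -> {user: (score, categories)}
    for each user's highest-scoring 7-day window."""
    per_user = defaultdict(list)
    for ts, user, cat in events:
        per_user[user].append((ts, cat))
    results = {}
    for user, evs in per_user.items():
        evs.sort()
        best = (0, frozenset())
        for i, (start, _) in enumerate(evs):
            cats_in_window = [c for t, c in evs[i:] if t - start <= WINDOW]
            score = sum(WEIGHTS[c] for c in cats_in_window)
            if score > best[0]:
                best = (score, frozenset(cats_in_window))
        results[user] = best
    return results

def flagged(events):
    """Users whose clustered activity crosses both the category and score bars."""
    return sorted(u for u, (s, cats) in score_users(events).items()
                  if s >= ALERT_SCORE and len(cats) >= MIN_CATEGORIES)

T = datetime(2018, 10, 1)
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    (T + timedelta(days=1), "bob", "sensitive_access"),    # bob: admin doing his
    (T + timedelta(days=2), "bob", "sensitive_access"),    #   job, single category
    (T + timedelta(days=3), "bob", "sensitive_access"),    #   (score 6, not flagged)
    (T, "carol", "hr_notice_given"),                       # carol: gave notice, then
    (T + timedelta(days=2), "carol", "offhours_logon"),    #   off-hours logon,
    (T + timedelta(days=2), "carol", "sensitive_access"),  #   sensitive access and
    (T + timedelta(days=3), "carol", "sensitive_copy"),    #   a copy within one week
    (T, "dave", "hr_notice_given"),                        # dave: same indicators
    (T + timedelta(days=40), "dave", "sensitive_access"),  #   as carol but spread
    (T + timedelta(days=80), "dave", "sensitive_copy"),    #   over months: no cluster
]
```

Calling `flagged(SAMPLE_EVENTS)` returns only carol; bob reaches the score bar but with one category, and dave has every category but no culmination.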
18
Building an Insider Threat Program
19
INSIDER THREAT PROGRAM MATURITY MODEL
21
BUILDING AN INSIDER THREAT PROGRAM
STEP 1: UNDERSTAND YOUR OBSTACLES
- Support
- Budget
- Culture
- Stakeholders
- Employees
- Communications
- Privacy
Speaker notes:
- Only 27% had full support of the C-Suite; the largest group, 37%, had some support
- Biggest blocker was Finance
- HR was most concerned about privacy
- Communications: only 21% of orgs had formalized communications
22
BUILDING AN INSIDER THREAT PROGRAM
STEP 2: CREATE THE ITP TEAM
You did this at the risk assessment: the key stakeholders are
- Executive Leadership
- Human Resources
- Legal
- IT
- LoB Owners, Department Heads
- Security
Designate an ITP Senior Official.
Speaker note: 75% of orgs have no formalized ITP.
23
BUILDING AN INSIDER THREAT PROGRAM
STEP 3: ASSEMBLE CRITICAL DOCUMENTATION & NOTICES
- Background/Credit Checks
- Confidentiality and Intellectual Property Agreement (CIPA)
- Acceptable Use Policy
- Security Acknowledgement Agreement
- Logon Banners
24
BUILDING AN INSIDER THREAT PROGRAM
STEP 4: SELECT INTELLIGENCE SOURCES
- Human Resources
- Physical Security
- User Behavior Analytics
- User Activity Monitoring
- Auditing Data
Speaker note: The goal is to be as close as possible to the intersection of the user and everything they interact with; apply this to HR and all other data sources.
25
BUILDING AN INSIDER THREAT PROGRAM
STEP 5: BUILD INCIDENT RESPONSE PLANS
Scenario-based:
- Leading Indicators
- Active Indicators
- Employee Giving Notice
- Employee Being Terminated
26
BUILDING AN INSIDER THREAT PROGRAM
STEP 5: BUILD INCIDENT RESPONSE PLANS
27
BUILDING AN INSIDER THREAT PROGRAM
STEP 5: BUILD INCIDENT RESPONSE PLANS
Scenario-based:
- Leading Indicators
- Active Indicators
- Employee Giving Notice
- Employee Being Terminated
Not a comprehensive list.
28
GETTING A HANDLE ON INSIDER THREATS
- Understand it's real and risky
- Define insider threat
- Classify your organizational risk
- Determine threat behaviors
- Build the ITP: processes, policy, technology, response
29
QUESTIONS?
30
THANK YOU
Don't forget to visit conversationalgeek.com