Daniel Maloney - Verizon

Daniel Maloney
Deputy CSO
Verizon
STRATEGY AND ROADMAP / INSIDER THREATS
Dan Maloney, Deputy CSO, Executive Director, Insider Threat
Confidential and proprietary materials for authorized company personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Insider Threat in the News
“Edward Snowden Used Inexpensive ‘Web Crawler’ to Hack NSA Networks” – HGN News…
“Home Depot hackers used vendor log-on to steal data, emails” – USA Today…
“Target Earnings Slide 46% After Data Breach” – Wall Street Journal
“AT&T Admits Insider Illegally Accessed Customer Data” – securityweek.com…
“F.B.I. Failed to Act on Spy, [Robert Hanssen] Despite Signals, Report Says” – NY Times…
“Encryption Faulted in TJ MAXX Hacking” – Washington Post…
“Fallout from Sony hack may alter how Hollywood conducts business” – LA Times…
These issues were end results of existing weaknesses.
Proprietary and Confidential – Not for Disclosure Outside of company
Insider Threat, Supply Chain Study Findings
• Foreign company ownership
• Offshoring provisioning non-compliance
• Subcontracted without approval
• Expired contracts
• Fraudulent transactions
Don’t rely on a contract for compliance
Insider Threat, Vulnerability Study
• On 6/4/2015 a Verizon senior leader received a text message on his personal (unpublished) cell phone
  – Anonymous researcher claims to have found an exploit that exposed customer information
  – Claimed he “didn’t know who to call so…”
  – Offered to “show us how it was done”
• Researcher wouldn’t reveal his identity
• Wanted money for his information
  – Stated that if we didn’t have a bug bounty program he wasn’t interested and would move on
Insider Threat, Social Engineering
Attacker Calls from 5/15 to 10/16

Attacker came after Verizon from May thru October 2015. Most active period of attacks was August thru Oct. During this period, the attacker was primarily focused on Victim 1, though would pivot to the other names on the list at the same time. During one period, we had a compromise on two of the VIP accounts on the same day.

Including this issue, this is the 4th significant incident with VendorX in the 18 months, of which two have been in the Philippines.

Concerns:
1. Had the attacker stayed low and slow and out of the public eye, he could have used the Victim1 account at his discretion for an unknown period of time.
2. Prevention tools are necessary, though must be combined with continuous monitoring for VIP and designated accounts. Any offshore agent who is savvy enough to recall a customer VIP account password could access it even after they leave Verizon. (Recall AT&T, April 2015)

Bad Actor Calls Rollup
Critical Path: 13 calls from 5/15 to 10/12
There are 4 confirmed instances where information was given.

Vendor/Employer breakout:
• Vendor: 1 call / 1 failure
• Vendor: 1 call / 1 failure (AOL Breach)
• Vendor: 2 calls / 1 failure
• Vendor: 1 call / 1 failure (VZ Breach)
• Vendor: 1 call / 0 failures
• Vendor: 1 call / 0 failures
• Verizon: 6 calls / 0 failures

Recommendations/Options:
1. Having high value info in least protected environments remains a concern. Tools will assist, though the human factor remains. Thus:
2. RBAC VIPs in US (Segregated WS). Use higher paid, higher qualified agents. Higher retention.
3. Tools will provide “Prevention”, though once “inside” we pivot to “detection”. Options such as 100% Smart Auditor/Continuous Monitoring and onsite Security as we now utilize in certain VES and CMS and Wireless locations. Video reviewed daily for anomaly and out of bounds behavior.
4. Immediate response in event of breach is provided.
Protecting Our House

Historical Approach
• “Lock the doors and windows”

Changing Landscape
• Insider Threat is a reality in Public and Private Sectors
• Softening Perimeter - Demand for remote access
• Focus on governance from contract through end of life
• Expanded Geographic Presence
• Bring Your Own Device / Mobile Computing
• Loss of Intellectual Property

Evolving Security
• Understand what “good” looks like and look for meaningful differences
• Environment analysis and baselining
• Anomaly detection and response
• Big data analytics
• Intelligence fusion
• Comprehensive Security, Monitoring, Logging and Digital Analytics
Timeline

Prior to 2006, the security of data assets was treated as an ‘add-on’ after the business was already in operation. It was primarily focused on preventing external attacks through traditional site monitoring (cameras and badges). The focus of security was primarily on the physical perimeter. Data was protected by weak controls and was not treated as a valued asset. Auditing of the environment was random and typically in response to an issue that had already occurred. Security assurance was unsustainable & unpredictable.

To address growing concerns, Security expanded to provide enhanced support to the business. Security instituted additional internal legal, monitoring, and assurance services which could address insider threats from vendors, contractors and employees.

Global clearance council increases focus on offshore data control and access. GSOC institutes monitoring services capable of detecting malicious activity internationally. V&V begins regular reviews of control effectiveness globally to provide dedicated and ad hoc support to the business.

Timeline axis: 2002, 2004, 2006, 2008, 2010, 2012, 2014
Converged Solution Security

Corporate Security consists of 6 major functional departments: Legal Compliance; Domestic Investigations; Wireless Security; Domestic Physical Security; Travel Security and Cyber Security.

Cyber Security consists of 6 major functional units under Corporate Security: Business Risk Team, ISG, GSOC, V&V, Fraud and Forensics, and Security Technical Support.

These combined elements form a converged solution set, which provides a multi-layered, worldwide, global security support capability to the company.
End to End Business Coverage

Lifecycle phases (VZ security engaged at each): RFP, Vendor Selection, Contract, Implementation, Operational Launch, Incident Response

Pre-Security Engagement
Traditionally, security teams are not involved in day-one planning or the sourcing process. A project may move through its lifecycle and only engage security when an incident occurs. However, the damage to the company is already done.

Vendor Selection
Vendors are selected from the Global Clearance approved list, or a Security Risk Profile is submitted to the Business Risk Team (BRT) for evaluation. BRT searches for recent or pending litigation, relationships with foreign entities, and several other components to determine the risk posed to Verizon by using that vendor.

Contract Development
Contract “red-lines” are performed collaboratively by the Legal department’s contract development team and security teams. Security requirements, conditions and controls are built into contracts to ensure security standards are present.

Security Implementation
The Business has a security work plan which includes funding for the cost of security requirements. If the vendor is implemented, the Project Security team establishes controls specific to the project and its infrastructure, in partnership with the business.

Operational Launch
The Business launches and uses the controls-based baseline, off of which the V&V team is able to leverage measurements, auditing, and reporting for compliance as the operation is turned up.

Incident Response
When a security incident is detected, or in case of a security concern, the Security Investigation team provides an appropriate security response and reports to address root causes.
Architecture of the Insider Threat Program

Data sources: Audit, AP, ActiveSync, IM, GOOD, USB, DLP, VPN, HR/EEO, Email, Proxy, CITRIX

Partnerships: Domestic, 3rd Party Team, Domestic/International, Government

Corporate Policies

Baselines: Environmental, Legal, Best Practice
Cyber capability evolution…Silo to Integrated

Corporate Security functions: Analytics, Forensics, Fraud, V&V, GSOC, STS

Analytics: categorizes issues by type and severity in order to analyze trends in control vulnerabilities based on geography and ownership. The results of analysis often allow us to take corrective measures before a problem occurs. This has led to an overall decrease in the number of exposure opportunities as well as stronger compliance with company standards.

Forensics: Secured Digital Evidence Collection & Analysis; Investigation Support; 2nd Level Forensics.

Fraud: Investigate Fraud Allegations; Technical Resource for Legal, HR, Privacy, etc.

V&V: verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information. V&V is able to influence mitigation strategies by working with project owners to find solutions which will meet their operational goals and enable the business to function more securely.

GSOC: Secure Data Storage; Enterprise Network; Sensitive Application; Content Inspection; Cyber Event Analysis; High Risk User Monitoring.

STS: Development, Maintenance and Support of Critical Systems.

The capabilities of the Insider Threat Program are being deployed in the known high risk vendors and locations. The Program is not everywhere, and does not cover all locations, or high risk vendors or environments.
Identifying the Threat

Event log: Active Directory, 2014-03-10:22:01:02
Host Name: dummyhost
Assigned IP: 127.0.0.1
User: V123XXX
Event Type: Windows Successful Logon
Logon: V123XXX
Host: dummyhost
MY\Domain

Event log: Symantec, 2014-03-10:22:04:22
Host Name: dummyhost
User: V123XXX
Filename: company_Secret Sauce
Process Name: C:/Windows
Log: company_Secret Sauce files written to USB drive

Event log: PROXY, 2014-03-10:22:06:15
Source IP: 127.0.0.1
User: V4123XXX
URL: http://dropbox.com
ACTION: UPLOAD
Category: Online Storage

Event log: Content Inspection, 2014-03-10:22:06:16
Source IP: 127.0.0.1
URL: http://dropbox.com/
Filename: company_Secret Sauce
File CONTENT: CONFIDENTIAL
Category Policy: Confidential

Correlated data creates the bigger picture:

Correlated data, 2014-03-10:22:06:20
User: V4123XXX
Host Name: dummyhost
URL: http://dropbox.com/
ACTION: UPLOAD
Filename: company_Secret Sauce
File CONTENT: company CONFIDENTIAL
“The whole is greater than the sum of the individual parts.”
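An added example, not from the deck, of the correlation the slide describes: four constructed events modelled on the records above are joined on source IP, host, file name and a time window, so a confidential file's path from logon to USB write to cloud upload surfaces as one finding while any single source on its own does not. The field names, the ten-minute window and a single user id (V123XXX) across all four records are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the slide's four log sources; host, IP,
# user id and file name are the slide's placeholders (user id assumed V123XXX throughout).
EVENTS = [
    {"src": "ad", "ts": "2014-03-10:22:01:02", "host": "dummyhost", "ip": "127.0.0.1",
     "user": "V123XXX", "event": "Windows Successful Logon"},
    {"src": "symantec", "ts": "2014-03-10:22:04:22", "host": "dummyhost", "user": "V123XXX",
     "filename": "company_Secret Sauce", "action": "written to USB drive"},
    {"src": "proxy", "ts": "2014-03-10:22:06:15", "ip": "127.0.0.1", "user": "V123XXX",
     "url": "http://dropbox.com", "action": "UPLOAD", "category": "Online Storage"},
    {"src": "content", "ts": "2014-03-10:22:06:16", "ip": "127.0.0.1", "url": "http://dropbox.com/",
     "filename": "company_Secret Sauce", "content": "CONFIDENTIAL"},
]

def _ts(e):
    return datetime.strptime(e["ts"], "%Y-%m-%d:%H:%M:%S")

def _site(url):
    # Normalise "http://dropbox.com" and "http://dropbox.com/" to one key.
    return url.split("://", 1)[-1].split("/", 1)[0].lower()

def correlate(events, window=timedelta(minutes=10)):
    """One record per confidential upload: the AD logon ties the source IP to a host
    and user, the proxy shows the upload, content inspection classifies the file, and
    a Symantec USB write of the same file on that host is attached when in the window."""
    by_src = {}
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    findings = []
    for ci in by_src.get("content", []):
        if ci.get("content") != "CONFIDENTIAL":
            continue  # a non-sensitive upload alone is not a finding
        t = _ts(ci)
        uploads = [p for p in by_src.get("proxy", []) if p["ip"] == ci["ip"]
                   and p["action"] == "UPLOAD" and _site(p["url"]) == _site(ci["url"])
                   and abs(_ts(p) - t) <= window]
        logons = [a for a in by_src.get("ad", []) if a["ip"] == ci["ip"]
                  and timedelta(0) <= t - _ts(a) <= window]
        if not uploads or not logons:
            continue  # cannot attribute the upload to a host and user
        logon = max(logons, key=_ts)  # most recent logon holding that IP
        usb = [s for s in by_src.get("symantec", []) if s["host"] == logon["host"]
               and s["filename"] == ci["filename"] and abs(_ts(s) - t) <= window]
        findings.append({"ts": ci["ts"], "user": logon["user"], "host": logon["host"],
                         "url": ci["url"], "action": "UPLOAD", "filename": ci["filename"],
                         "content": ci["content"], "usb_copy": bool(usb)})
    return findings
```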
V&V: Extending the Security Ecosystem

V&V MISSION
V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information or the intrusion of unauthorized persons into the network. V&V’s directive extends that of the typical audit function to implement appropriate mitigation responses that will support the mission of the business.

V&V deploys embedded regional IST program managers and operational personnel in a “tactical spread” fashion in order to have proximity and capability in areas with high volume of VZ business activities.
Primary Responsibilities & Capabilities
Performance Indicators
• Significant year to year increase in global security reviews
• Overall reduction in all categories of findings
• Reduction in severe findings globally
• Higher rate of sustainable compliance
• Significant reduction in mean time to repair (MTTR)
• Predictable Security Posture when adopting appropriate and measurable controls
Building a more security conscious culture
Improvement – 2012-2014
When Corpsec engages with a Tier 1 model of support, there is substantive and sustainable cyber and physical “controls” improvement:
1. Reviews increase due to targeted usage. Includes all aspects of security which could impact business globally
2. Findings have mandatory response requirements based on severity
3. Findings initially spike, then level off over time
4. Both MTTR and OTR (On time Resolution) improve due to process adoption over time
5. Importantly, findings “Severity” decreases categorically and in volume, as business becomes accustomed to security “norms”
Insider Risk Reporting
New vendor
engagement
Program Evolution
The Corporate Security Insider Threat Program (ITP) began in its current form in 2010 with the addition of the V&V program. The program shifted from silos to an integrated framework based on the 13 traditional U.S. CERT elements of a formal ITP.

Sub-Categories (mapped against VZ Corporate Security):
(1) Initial Planning
(2) Identify Stakeholders
(3) Achieve & Sustain Leadership Buy-in
(4) Risk Management Process
(5) Detailed Project Planning
(6) Governance Structure, Policies & Procedures
(7) Communication, Training & Awareness
(8) Establish Detection Indicators
(9) Data & Tool Requirements
(10) Data Fusion
(11) Analysis & Incident Management
(12) Management Reporting
(13) Feedback & Lessons Learned

When the ITP is engaged, especially in environments that have not gone through the traditional clearance process, we see immediate evidence of non-compliance in all categories.

As the ITP is embedded with the business and matures, we see sustainable categorical improvements, severity of issues decrease or level off and business response to issues improves:
• Global finding to review ratio decreased 30%. On-time resolution of findings increased by 32%
• Occurrence of severe issues reduced from common to rare
• Mean time to resolve issues dropped below target from a peak average of 70 days to an average of 2.3 days. Occurrence of top four categorical finding types continues to decline
Missteps which lead to Insider Threat
• Assuming that Serious Insider Problems are in someone else’s organization
• Disproportionate reliance on background checks, policy or contracts, assuming these will care for potential concerns.
• Assuming that indicators will be interpreted properly…or assuming that all environments have indicators to interpret.
• Relying solely on periodic quality checks, or assuming that Cyber Security Rules are followed because of vendor agreements.
• Assuming employees or vendors are aware and savvy around security controls
• Assuming that only intentional actions will cause damage
• Relying on a heavy, reactive response capability in lieu of an integrated, preventative programmatic approach.
• Not knowing the security posture of day to day activities in international vendor environments
WRAP-UP