Insider Threat in the News - Distribution Business Management

CORPORATE CYBER SECURITY
INSIDER THREATS
Dan Maloney
Insider Threat - Traveler Case Study
An executive travelled to a restricted country on a visit declared as personal:
• Took a personal flight, later expensed to Verizon;
• Required a subordinate to travel at Verizon expense;
• Conducted Verizon business without the appropriate travel visa;
• Took a Verizon-issued smartphone and laptop to other countries without making the appropriate Export Declaration;
• Received gifts of travel and lodging without prior approval of the Office of Ethics and Business Conduct.
This case was caught by a diligent VPN investigator with a sharp eye and management support.
What is the linkage between detection and investigation?
Insider Threat - Vendor Case Study
• Foreign company ownership
• Offshoring provisioning non-compliance
• Subcontracted without approval
• Expired contracts
• Fraudulent transactions
Don't rely on the contract for compliance.
Confidential and proprietary materials for authorized Corporate personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Insider Threat in the News
“Edward Snowden Used Inexpensive ‘Web Crawler’ to Hack NSA Networks” – HGN News…
“Home Depot hackers used vendor log-on to steal data, emails” – USA Today…
“Target Earnings Slide 46% After Data Breach” – Wall Street Journal
“AT&T Admits Insider Illegally Accessed Customer Data” – securityweek.com…
“F.B.I. Failed to Act on Spy, [Robert Hanssen] Despite Signals, Report Says” – NY Times…
“Encryption Faulted in TJ MAXX Hacking” – Washington Post…
“Fallout from Sony hack may alter how Hollywood conducts business” LA Times…
Were these issues the end results of existing weaknesses?
Architecture of the Insider Threat Program
[Diagram: event sources feeding the program (Audit, AP, ActiveSync, IM, GOOD, USB, DLP, VPN, HR/EEO, Email, Proxy, Citrix); partnerships (3rd Party Team, Corporate Policies, Domestic, Domestic/International); baselines (Environmental, Legal, Best Practice, Government).]
Protecting Our House
Historical Approach: “Lock the doors and windows”
Changing Landscape:
• Insider threat is a reality in public and private sectors
• Softening perimeter - demand for remote access
• Focus on governance from contract through end of life
• Expanded geographic presence
• Bring Your Own Device / mobile computing
• Loss of intellectual property
Evolving Security:
• Understand what “good” looks like and look for meaningful differences
• Environment analysis and baselining
• Anomaly detection and response
• Big data analytics
• Intelligence fusion
• Comprehensive security, monitoring, logging and digital analytics
Timeline (2002 to 2014): Reactive, Gap Awareness, Business Enabling
• Reactive: Prior to 2006, the security of data assets was treated as an ‘add-on’ after the business was already in operation. The focus of security was primarily on the physical perimeter. Data was protected by weak controls and was not treated as a valued asset. IT was primarily focused on preventing external attacks through traditional site monitoring (cameras and badges).
• Gap Awareness: Security assurance was unsustainable & unpredictable. Auditing of the environment was random and typically in response to an issue that had already occurred. To address growing concerns, Security expanded to provide enhanced support to the business.
• Business Enabling: Instituted additional internal legal, monitoring, and assurance services which could address insider threats from vendors, contractors and employees. GSOC institutes monitoring services capable of detecting malicious activity internationally. The global clearance council increases focus on offshore data control and access. V&V begins regular reviews of control effectiveness globally to provide dedicated and ad-hoc support to the business.
Cyber capability evolution…Silo to Integrated
[Diagram: silo capabilities (Fraud: investigate fraud allegations, technical resource for Legal, HR, Privacy, etc.; Forensics/2nd Level: secured digital evidence collection & analysis, 2nd level investigation support; Analytics; STS; GSOC; Corp Security; V&V) evolving into integrated capabilities (Secure Data Storage, Enterprise Network, Sensitive Application Content Inspection, Development, Maintenance and Support of Critical Systems, Cyber Event Analysis, High Risk User Monitoring).]
V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information.
Analytics categorizes issues by type and severity in order to analyze trends in control vulnerabilities based on geography and ownership. The results of analysis often allow us to take corrective measures before a problem occurs. This has led to an overall decrease in the number of exposure opportunities as well as stronger compliance with company standards.
V&V is able to influence mitigation strategies by working with project owners to find solutions which will meet their operational goals and enable the business to function more securely.
The capabilities of the Insider Threat Program are being deployed in the known high risk vendors and locations. The Program is not everywhere, and does not cover all locations or high risk environments.
Evolution of Operational Insider Risk Program
Effectiveness is measured by changing business behavior.
[Diagram: Event Collectors (Data Centers) feed the Insider Threat Framework, which reports to Stakeholders.]
Event Collectors (Data Centers): VPN Alerts, E-Mail, Messaging Servers, Audit reports, VPN, USB, Proxy, Content inspection, High risk user reports, GPS Location, DLP reports, Smartphones and Devices, Workstations.
Insider Threat Framework (Security; Contracts & Clearance): Risk Profile, Transaction based, Clearance, Contract Support, Due diligence, Network Access, HR Data, Operations Data, VPN Tracking, Personnel Data, Onsite Reviews, RIF List, EEO, Investigation; Identify user/co., Validate access, Identify Anomalies, Validate Controls, Identify Gaps, Track Mitigation.
Stakeholders: Corp Security, HR/EEO, CIRT, LOB, IT, V&V, Personnel, Contracts, Legal.
Identifying the Threat
Event log: Active Directory
2014-03-10:22:01:02
Host Name: dummyhost
Assigned IP: 127.0.0.1
User: V123XXX
Event Type: Windows Successful Logon
Domain: MY\Domain
Host: dummyhost

Event log: Symantec
2014-03-10:22:04:22
Host Name: dummyhost
User: V123XXX
Filename: Corporate_Secret Sauce
Process Name: C:/Windows
Log files: Corporate_Secret Sauce written to USB drive

Event log: PROXY
2014-03-10:22:06:15
Source IP: 127.0.0.1
User: V4123XXX
URL: http://dropbox.com
ACTION: UPLOAD
Category: Online Storage

Event log: Content Inspection
2014-03-10:22:06:16
Source IP: 127.0.0.1
URL: http://dropbox.com/
Filename: Corporate_Secret Sauce
File CONTENT: CONFIDENTIAL
Category Policy: Confidential

Correlated data creates the bigger picture:
Correlated data
2014-03-10:22:06:20
User: V4123XXX
Host Name: dummyhost
URL: http://dropbox.com/
ACTION: UPLOAD
Filename: Corporate_Secret Sauce
File CONTENT: Corporate CONFIDENTIAL
“The whole is greater than the sum of the individual parts.”
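The correlation the slide sketches, as an added example that is not part of the original deck: four constructed events mirroring the slide's sources are joined on host/IP within a time window, so the differing user IDs on the slide (V123XXX in the logon and endpoint records, V4123XXX in the proxy record) do not break the join. Field names and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events mirroring the slide's four sources (field names are
# assumptions, not the deck's schema). The slide's user IDs differ between the
# AD/endpoint events and the proxy event, so the join key is host/IP, not user.
EVENTS = [
    {"source": "ActiveDirectory", "ts": "2014-03-10 22:01:02", "host": "dummyhost",
     "ip": "127.0.0.1", "user": "V123XXX", "event": "Successful Logon"},
    {"source": "Symantec", "ts": "2014-03-10 22:04:22", "host": "dummyhost",
     "user": "V123XXX", "filename": "Corporate_Secret Sauce", "event": "USB write"},
    {"source": "Proxy", "ts": "2014-03-10 22:06:15", "ip": "127.0.0.1", "user": "V4123XXX",
     "url": "http://dropbox.com", "action": "UPLOAD", "category": "Online Storage"},
    {"source": "ContentInspection", "ts": "2014-03-10 22:06:16", "ip": "127.0.0.1",
     "url": "http://dropbox.com/", "filename": "Corporate_Secret Sauce", "policy": "Confidential"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, window=timedelta(minutes=15)):
    """Emit one record per host where, within `window` of a USB write of file F,
    the proxy saw an upload to online storage and content inspection flagged F
    as confidential. Events carrying only an IP are mapped to a host via the AD
    logon that assigned that IP."""
    ip_to_host = {e["ip"]: e["host"] for e in events if e["source"] == "ActiveDirectory"}
    by_host = {}
    for e in events:
        host = e.get("host") or ip_to_host.get(e.get("ip"))
        if host:  # events with no resolvable host cannot be correlated
            by_host.setdefault(host, []).append(e)
    records = []
    for host, evs in by_host.items():
        logon = next((e for e in evs if e["source"] == "ActiveDirectory"), None)
        for usb in (e for e in evs if e["source"] == "Symantec" and e["event"] == "USB write"):
            t0 = parse_ts(usb["ts"])
            near = [e for e in evs if t0 <= parse_ts(e["ts"]) <= t0 + window]
            upload = next((e for e in near if e["source"] == "Proxy" and e["action"] == "UPLOAD"
                           and e["category"] == "Online Storage"), None)
            flagged = next((e for e in near if e["source"] == "ContentInspection"
                            and e["filename"] == usb["filename"]
                            and e["policy"] == "Confidential"), None)
            if upload and flagged:  # all three signals present: build the bigger picture
                records.append({
                    "ts": max(e["ts"] for e in (usb, upload, flagged)),
                    "host": host,
                    "user": logon["user"] if logon else usb.get("user"),
                    "url": flagged["url"], "action": upload["action"],
                    "filename": usb["filename"], "content": flagged["policy"],
                })
    return records
```

Calling correlate(EVENTS) returns a single record for dummyhost carrying the logon user, the uploaded filename and the Confidential policy hit; dropping any one source (for example the proxy event) returns nothing, which is the point of fusing the feeds.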
V&V: Extending the Security Ecosystem
V&V MISSION
V&V verifies that the controls defined by a project’s
governance exist in the implementation space, and validates
that those controls are working effectively to prevent the
egress of sensitive information or the intrusion of unauthorized
persons into the network.
V&V’s directive extends that of the typical audit function to
implement appropriate mitigation responses that will support
the mission of the business.
V&V deploys embedded regional IST program managers and operational personnel in a “tactical spread” fashion in order to have proximity and capability in areas with a high volume of VZ business activities.
Primary Responsibilities & Capabilities
Improvement – 2012-2014
Insider Risk Reporting
New vendor engagement
Program Evolution
The Corporate Security Insider Threat Program (ITP) began in its current form in 2010 with the addition of the V&V program. The program shifted from silos to an integrated framework based on the 13 traditional US-CERT elements of a formal ITP.
[Table: the 13 elements, each marked (x) against the sub-category VZ Corporate Security.]
(1) Initial Planning
(2) Identify Stakeholders
(3) Achieve & Sustain Leadership Buy-in
(4) Risk Management Process
(5) Detailed Project Planning
(6) Governance Structure, Policies & Procedures
(7) Communication, Training & Awareness
(8) Establish Detection Indicators
(9) Data & Tool Requirements
(10) Data Fusion
(11) Analysis & Incident Management
(12) Management Reporting
(13) Feedback & Lessons Learned
When the ITP is engaged, especially in environments that have not gone through the traditional clearance process, we see immediate evidence of non-compliance in all categories.
As the ITP is embedded with the business and matures, we see sustainable categorical improvements, severity of issues decrease or level off, and business response to issues improves:
• Global finding-to-review ratio decreased 30%. On-time resolution of findings increased by 32%.
• Occurrence of severe issues reduced from common to rare.
• Mean time to resolve issues dropped below target from a peak average of 70 days to an average of 2.3 days. Occurrence of the top four categorical finding types continues to decline.
Missteps which lead to Insider Threat
• Assuming that serious insider problems are in someone else’s organization
• Disproportionate reliance on background checks, policy or contracts, assuming these will care for potential concerns
• Assuming that indicators will be interpreted properly…or assuming that all environments have indicators to interpret
• Relying solely on periodic quality checks, or assuming that cyber security rules are followed because of vendor agreements
• Assuming employees or vendors are aware and savvy around security controls
• Assuming that only intentional actions will cause damage
• Relying on a heavy, reactive response capability in lieu of an integrated, preventative programmatic approach
• Not knowing the security posture of day-to-day activities in international vendor environments
Do you have an Insider Threat Mitigation Program?
a. Yes
b. No
Do you think you need one?
a. Yes
b. No
Does your contract establish cyber penalties, or financial (or other) impact for cyber non-compliance?
a. Yes
b. No
How satisfied were you with today’s program/session?
a. Thought it was great
b. Very satisfied
c. Slightly satisfied
d. Dissatisfied