CORPORATE CYBER SECURITY INSIDER THREATS
Dan Maloney

Insider Threat - Traveler Case Study
An Executive travelled to a restricted country on a visit declared as personal:
• Took a personal flight, later expensed to Verizon;
• Required a subordinate to travel at Verizon expense;
• Conducted Verizon business without the appropriate travel visa;
• Took a Verizon-issued smart phone and laptop to other countries without making the appropriate Export Declaration;
• Received gifts of travel and lodging without prior approval of the Office of Ethics and Business Conduct.
This case was caught by a diligent VPN investigator with a sharp eye and management support.
What is the linkage between detection and investigation?

Insider Threat - Vendor Case Study
• Foreign company ownership
• Offshoring provisioning non-compliance
• Subcontracted without approval
• Expired contracts
• Fraudulent transactions
Don't rely on the contract for compliance.

Confidential and proprietary materials for authorized Corporate personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.

4 Insider Threat in the News
• "Edward Snowden Used Inexpensive 'Web Crawler' to Hack NSA Networks" – HGN News
• "Home Depot hackers used vendor log-on to steal data, emails" – USA Today
• "Target Earnings Slide 46% After Data Breach" – Wall Street Journal
• "AT&T Admits Insider Illegally Accessed Customer Data" – securityweek.com
• "F.B.I. Failed to Act on Spy [Robert Hanssen] Despite Signals, Report Says" – NY Times
• "Encryption Faulted in TJ MAXX Hacking" – Washington Post
• "Fallout from Sony hack may alter how Hollywood conducts business" – LA Times
Were these issues the end results of existing weaknesses?
5 Architecture of the Insider Threat Program
Diagram labels:
• Event sources: Audit, AP, Active Sync, IM, GOOD, USB, DLP, VPN, HR/EEO, Email, Proxy, CITRIX
• Partnerships: 3rd Party Team, Corporate Policies
• Scope: Domestic, Domestic/International
• Baselines: Environmental, Legal, Best Practice, Government

6 Protecting Our House
Historical Approach
• "Lock the doors and windows"
Changing Landscape
• Insider Threat is a reality in Public and Private Sectors
• Softening Perimeter - Demand for remote access
• Focus on governance from contract through end of life
• Expanded Geographic Presence
• Bring Your Own Device / Mobile Computing
• Loss of Intellectual Property
Evolving Security
• Understand what "good" looks like and look for meaningful differences
• Environment analysis and baselining
• Anomaly detection and response
• Big data analytics
• Intelligence fusion
• Comprehensive Security, Monitoring, Logging and Digital Analytics

7 Timeline (2002 – 2004 – 2006 – 2008 – 2010 – 2012 – 2014)
Reactive (2002)
• Prior to 2006, the security of data assets was treated as an "add-on" after the business was already in operation.
• The focus of security was primarily on the physical perimeter.
• Assurance was primarily focused on preventing external attacks through traditional site monitoring (cameras and badges).
• Auditing of the environment was random and typically in response to an issue that had already occurred.
Gap Awareness (2004)
• Security assurance was unsustainable & unpredictable.
Business Enabling (2006 – 2014)
• To address growing concerns, Security expanded to provide enhanced support to the business.
• Security instituted additional internal legal, monitoring, and IT services which could address insider threats from vendors, contractors and employees.
• V&V begins regular reviews of control effectiveness globally to provide dedicated and ad-hoc support to the business.
• Global clearance council increases focus on offshore data control and access.
• GSOC institutes monitoring services capable of detecting malicious activity internationally.
• Data was protected by weak controls and was not treated as a valued asset.

8 Cyber capability evolution … Silo to Integrated
Capability areas shown on the slide: Fraud, Forensics / 2nd Level, Analytics, STS GSOC, V&V, Corp Security.
• Fraud: Investigate Fraud Allegations; Technical Resource for Legal, HR, Privacy, etc.
• Forensics / 2nd Level: Secured Digital Evidence Collection & Analysis; Forensics / 2nd Level Investigation Support
• STS GSOC: Secure Data Storage; Enterprise Network Content Inspection; Sensitive Application Development; Cyber Event Analysis; High Risk User Monitoring; Maintenance and Support of Critical Systems
V&V verifies that the controls defined by a project's governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information.
Analytics categorizes issues by type and severity in order to analyze trends in control vulnerabilities based on geography and ownership. The results of analysis often allow us to take corrective measures before a problem occurs. This has led to an overall decrease in the number of exposure opportunities as well as stronger compliance with company standards.
V&V is able to influence mitigation strategies by working with project owners to find solutions which will meet their operational goals and enable the business to function more securely.
The capabilities of the Insider Threat Program are being deployed in the known high risk vendors and locations. The Program is not everywhere, and does not cover all locations, or high risk vendors or environments.

9 Evolution of Operational Insider Risk Program
Effectiveness is measured by changing business behavior.
Event Collectors (Data Centers): VPN Alerts; E-Mail Messaging Servers; Audit reports; Proxy Content inspection; High risk user reports; GPS Location; DLP reports; Smartphones and Devices; Workstations
Stakeholders: Security; Contracts & Clearance; Corp Security; HR/EEO; CIRT; LOB IT; V&V; Legal; Personnel; Contracts
Insider Threat Framework
• Risk Profile: Transaction based; Clearance Contract Support; Due diligence; Network Access; HR Data; Operations Data; VPN Tracking; Personnel Data; Onsite Reviews; RIF List; EEO; Investigation
• Process: Identify user/co.; Validate access; Identify Anomalies; Validate Controls; Identify Gaps; Track Mitigation

10 Identifying the Threat
Event log: Active Directory
  2014-03-10:22:01:02  Host Name: dummyhost  Assigned IP: 127.0.0.1  User: V123XXX
  Event Type: Windows Successful Logon MY\Domain  Host: dummyhost
Event log: Symantec
  2014-03-10:22:04:22  Host Name: dummyhost  User: V123XXX  Filename: Corporate_Secret Sauce
  Process Name: C:/Windows  Corporate_Secret Sauce written to USB drive (log files written to USB drive)
Event log: PROXY
  2014-03-10:22:06:15  Source IP: 127.0.0.1  User: V4123XXX  URL: http://dropbox.com
  ACTION: UPLOAD  Category: Online Storage
Event log: Content Inspection
  2014-03-10:22:06:16  Source IP: 127.0.0.1  URL: http://dropbox.com/  Filename: Corporate_Secret Sauce
  File CONTENT: CONFIDENTIAL  Category Policy: Confidential
Correlated data creates the bigger picture:
  2014-03-10:22:06:20  User: V4123XXX  Host Name: dummyhost  URL: http://dropbox.com/
  ACTION: UPLOAD  Filename: Corporate_Secret Sauce  File CONTENT: Corporate CONFIDENTIAL
"The whole is greater than the sum of the individual parts."
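The correlation the slide walks through, as an added Python example (not part of the original deck): it joins the four sources on the assigned IP and host name inside a time window and emits the "bigger picture" record. The sample records are constructed to mirror the slide's values; the field names, the five-second content-inspection lag and the ten-minute USB look-back are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records modelled on the slide's four event logs
# (host, IP, user IDs and file name are the slide's placeholder values).
EVENTS = [
    {"source": "ActiveDirectory", "ts": "2014-03-10:22:01:02", "host": "dummyhost",
     "ip": "127.0.0.1", "user": "V123XXX", "event": "Windows Successful Logon"},
    {"source": "Symantec", "ts": "2014-03-10:22:04:22", "host": "dummyhost",
     "user": "V123XXX", "file": "Corporate_Secret Sauce", "event": "written to USB drive"},
    {"source": "Proxy", "ts": "2014-03-10:22:06:15", "ip": "127.0.0.1", "user": "V4123XXX",
     "url": "http://dropbox.com", "action": "UPLOAD", "category": "Online Storage"},
    {"source": "ContentInspection", "ts": "2014-03-10:22:06:16", "ip": "127.0.0.1",
     "url": "http://dropbox.com/", "file": "Corporate_Secret Sauce", "policy": "Confidential"},
]

def parse_ts(s):
    # The slide writes timestamps as YYYY-MM-DD:HH:MM:SS (colon between date and time).
    return datetime.strptime(s, "%Y-%m-%d:%H:%M:%S")

def correlate(events, window=timedelta(minutes=10), ci_lag=timedelta(seconds=5)):
    """Return one correlated record per confidential upload to online storage."""
    # 1. AD logons map the assigned IP back to a host name (and the logged-on user).
    logon_by_ip = {e["ip"]: e for e in events if e["source"] == "ActiveDirectory"}
    findings = []
    for up in events:
        if up["source"] != "Proxy" or up["action"] != "UPLOAD":
            continue
        logon = logon_by_ip.get(up["ip"])
        t_up = parse_ts(up["ts"])
        # 2. Content-inspection verdict for the same IP and URL, seconds after the upload.
        ci = next((e for e in events if e["source"] == "ContentInspection"
                   and e["ip"] == up["ip"]
                   and e["url"].rstrip("/") == up["url"].rstrip("/")
                   and timedelta(0) <= parse_ts(e["ts"]) - t_up <= ci_lag), None)
        if logon is None or ci is None or ci["policy"] != "Confidential":
            continue
        # 3. Endpoint DLP: the same file copied to USB on that host inside the look-back window.
        usb = [e for e in events if e["source"] == "Symantec" and e["host"] == logon["host"]
               and e["file"] == ci["file"] and t_up - window <= parse_ts(e["ts"]) <= t_up]
        findings.append({
            "ts": ci["ts"], "user": up["user"], "logon_user": logon["user"],
            "host": logon["host"], "url": ci["url"], "action": up["action"],
            "file": ci["file"], "content": ci["policy"].upper(),
            "usb_copy": bool(usb), "user_mismatch": up["user"] != logon["user"],
        })
    return findings
```

The join is keyed on IP and host rather than user ID, so the differing user fields in the slide's proxy and logon records (V4123XXX vs V123XXX) surface as a `user_mismatch` flag instead of silently breaking the correlation.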
11 V&V: Extending the Security Ecosystem
V&V MISSION
V&V verifies that the controls defined by a project's governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information or the intrusion of unauthorized persons into the network.
V&V's directive extends that of the typical audit function to implement appropriate mitigation responses that will support the mission of the business.
V&V deploys embedded regional IST program managers and operational personnel in a "tactical spread" fashion in order to have proximity and capability in areas with high volume of VZ business activities.

12 Primary Responsibilities & Capabilities

13 Improvement – 2012-2014

14 Insider Risk Reporting
New vendor engagement

15 Program Evolution
The Corporate Security Insider Threat Program (ITP) began in its current form in 2010 with the addition of the V&V program. The program shifted from silos to an integrated framework based on the 13 traditional U.S. CERT elements of a formal ITP.
Table: the 13 elements, marked (x) against the sub-category VZ Corporate Security (the marks are not reproduced here):
(1) Initial Planning
(2) Identify Stakeholders
(3) Achieve & Sustain Leadership Buy-in
(4) Risk Management Process
(5) Detailed Project Planning
(6) Governance Structure, Policies & Procedures
(7) Communication, Training & Awareness
(8) Establish Detection Indicators
(9) Data & Tool Requirements
(10) Data Fusion
(11) Analysis & Incident Management
(12) Management Reporting
(13) Feedback & Lessons Learned
When the ITP is engaged, especially in environments that have not gone through the traditional clearance process, we see immediate evidence of non-compliance in all categories. As the ITP is embedded with the business and matures, we see sustainable categorical improvements, severity of issues decrease or level off and business response to issues improves:
• Global finding to review ratio decreased 30%.
• On-time resolution of findings increased by 32%.
• Occurrence of severe issues reduced from common to rare.
• Mean time to resolve issues dropped below target from a peak average of 70 days to an average of 2.3 days.
• Occurrence of top four categorical finding types continues to decline.

16 Missteps which lead to Insider Threat
• Assuming that Serious Insider Problems are in someone else's organization
• Disproportionate reliance on background checks, policy or contracts, assuming these will care for potential concerns
• Assuming that indicators will be interpreted properly … or assuming that all environments have indicators to interpret
• Relying solely on periodic quality checks, or assuming that Cyber Security Rules are followed because of vendor agreements
• Assuming employees or vendors are aware and savvy around security controls
• Assuming that only intentional actions will cause damage
• Relying on a heavy, reactive response capability in lieu of an integrated, preventative programmatic approach
• Not knowing the security posture of day to day activities in international vendor environments

17 Do you have an Insider Threat Mitigation Program?
a. Yes
b. No
Do you think you need one?
a. Yes
b. No
Does your contract establish cyber penalties, or financial (or other) impact for cyber non-compliance?
a. Yes
b. No

21 How satisfied were you with today's program/session?
a. Thought it was great
b. Very Satisfied
c. Slightly satisfied
d. Dissatisfied