© 2010 Quest Software, Inc. ALL RIGHTS RESERVED
Dmitry Kagansky, CTO - Public Sector (Federal)
March 14, 2011
Quest Software – APT and the Insider Threat
Agenda
• The Insider Threat
• Advanced Persistent Threat
  – What is it and what does it mean for Public Sector?
• The Federal Supply Chain
  – Where are the weaknesses, and how can they be shored up?
• The Commercial Perspective
  – Paul Harper to discuss the view from the Commercial side
• Privileged Identity Management (PIM)
  – The ‘firewall’ for the insider threat
• Demonstration
• Q & A
#QSFTcybersecurity - follow this webcast/ask questions!
The Insider Threat
• We all know the stats and stories
• The Insider is more dangerous
• The Insider is more careless
• The Insider is more malicious
• However . . .
• Sometimes . . .
• The Insider doesn’t know he’s the source of the compromise!
What is APT (Advanced Persistent Threat)?
• New term for an old problem
  – Coined by Mandiant
• What is it?
  – Advanced
    • No one attack is particularly sophisticated
    • Combination of attacks from many different vectors
      – Email
      – Web
      – Social Engineering
      – Devices
  – Persistent
    • No longer recreational or even opportunistic
    • This is someone’s job
  – Threat
    • Co-ordinated
    • Skilled, motivated and well-funded
• What does it mean for Public Sector?
The Federal Supply Chain
• Any chain is only as strong as the weakest link
  – Where are the weaknesses, and how can they be shored up?
  – Documents
    • Adobe Acrobat is a bigger vehicle for malware than MS Word
  – Email
  – Websites
  – Devices – that USB stick you found at Starbucks!
• An agency may be ‘clean’ but it is not safe if it interacts with anyone else on the outside
• This same supply chain analogy applies to all agencies and all their partners
  – First Responders
The Commercial Perspective
• APTs are just as prevalent
  – Not publicly discussed or acknowledged
• Part of the Federal Supply Chain
• Many ties to government
• Slower to acknowledge that it’s a problem
Now what?
• How do you guard against the APT?
  – Low & slow attacks
    • Days and weeks to develop
    • Multiple vectors
  – Data gathering and observation
• Train your users
• Constantly update anti-virus
• Avoid giving out privileged access
  – Segregation of duties
  – Segregation of accounts (dual accounts for admins)
Privileged Identity Management (PIM)
• aka PAM (Privileged Account Management)
• Elevated privileges are most dangerous when obtained by an APT
  – It’s not the secretary or the janitor that is a concern
  – It’s the people with the keys to the kingdom
  – They won’t know when they’ve given up the keys
• 2 Flavors:
  – Named Accounts
  – System accounts such as root, oracle, administrator, etc.
• Password Vault
• Continuous logging and monitoring
• Session recording
• Command control
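To make the PIM controls on the last two slides concrete (segregation of accounts with dual admin accounts, continuous monitoring of shared system accounts against a password vault, and command control), here is an added example of the kind of check a monitoring pipeline would run over authentication logs. It is example code written for this page, not Quest or TPAM code. The log line format, the "<user>-adm" naming convention for the privileged half of a dual account, the vault checkout records, the four-hour checkout window and the command allowlist are all constructed assumptions, and the sample log lines are constructed too.

```python
"""
Checks that mirror three of the PIM controls named on the slide: segregation of
accounts (dual accounts for admins), continuous monitoring of shared system
accounts against password-vault checkouts, and command control for privileged
sessions. Added example, not Quest/TPAM code; the log line format, the
"<user>-adm" naming convention, the vault checkout records and the command
allowlist are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Shared system accounts the slide names; any use of them must be traceable
# to a named person through a vault checkout.
SHARED_SYSTEM_ACCOUNTS = {"root", "oracle", "administrator"}
ADMIN_SUFFIX = "-adm"                 # assumed convention: jsmith (daily), jsmith-adm (privileged)
CHECKOUT_WINDOW = timedelta(hours=4)  # assumed lifetime of a vault checkout

# Assumed command-control policy: what a checked-out shared account may run.
COMMAND_ALLOWLIST = {
    "oracle": {"sqlplus", "rman", "lsnrctl"},
    "root": {"systemctl", "journalctl", "yum"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    account: str
    action: str   # "login", "sudo" or "cmd"
    detail: str   # source for login/sudo, command name for cmd


@dataclass(frozen=True)
class Checkout:
    named_user: str   # the person who checked the password out of the vault
    account: str
    host: str
    ts: datetime


def parse_event(line: str) -> Event:
    """Parse one constructed log line: '<iso-ts> <host> <account> <action> <detail>'."""
    ts, host, account, action, detail = line.split(maxsplit=4)
    return Event(datetime.fromisoformat(ts), host, account, action, detail)


def _checkout_for(ev: Event, checkouts: Iterable[Checkout]) -> Optional[Checkout]:
    """Return the vault checkout that covers this use of a shared account, if any."""
    for c in checkouts:
        if (c.account == ev.account and c.host == ev.host
                and timedelta(0) <= ev.ts - c.ts <= CHECKOUT_WINDOW):
            return c
    return None


def check_events(events: Iterable[Event], checkouts: Iterable[Checkout]) -> list:
    """Run the three checks; return (severity, account, host, reason) findings in log order."""
    checkouts = list(checkouts)
    findings = []
    for ev in events:
        if ev.account in SHARED_SYSTEM_ACCOUNTS:
            co = _checkout_for(ev, checkouts)
            if co is None:
                # Continuous monitoring: a shared account in use with nobody accountable for it.
                findings.append(("high", ev.account, ev.host,
                                 f"{ev.action} with no vault checkout in the last {CHECKOUT_WINDOW}"))
            elif ev.action == "cmd" and ev.detail not in COMMAND_ALLOWLIST.get(ev.account, set()):
                # Command control: the session is accountable but stepped outside its policy.
                findings.append(("medium", ev.account, ev.host,
                                 f"command '{ev.detail}' not allowed for this account "
                                 f"(checked out by {co.named_user})"))
        elif ev.action == "sudo" and not ev.account.endswith(ADMIN_SUFFIX):
            # Segregation of accounts: privilege elevation from the daily-use half of a dual account.
            findings.append(("medium", ev.account, ev.host,
                             f"sudo from daily-use account; expected {ev.account}{ADMIN_SUFFIX}"))
    return findings


# Constructed sample data: three hosts and one admin (jsmith) who has dual accounts.
SAMPLE_LOG = """\
2011-03-14T09:00:00 db01 oracle login 10.1.2.33
2011-03-14T09:05:00 db01 oracle cmd sqlplus
2011-03-14T09:07:00 db01 oracle cmd curl
2011-03-14T22:30:00 web02 root login 10.1.2.33
2011-03-14T10:00:00 app03 jsmith sudo app03
2011-03-14T10:02:00 app03 jsmith-adm sudo app03
""".splitlines()

SAMPLE_CHECKOUTS = [
    Checkout("jsmith", "oracle", "db01", datetime(2011, 3, 14, 8, 55)),
]


def run_sample() -> list:
    """Apply the checks to the constructed sample; expect three findings."""
    return check_events((parse_event(line) for line in SAMPLE_LOG), SAMPLE_CHECKOUTS)


if __name__ == "__main__":
    for sev, account, host, reason in run_sample():
        print(f"[{sev}] {account}@{host}: {reason}")
```

On the sample data the oracle login and the sqlplus command pass because jsmith checked the account out five minutes earlier; the curl command is flagged by command control, the root login on web02 is flagged because no one checked that account out, and jsmith's sudo from the daily-use account is flagged while the same action from jsmith-adm is accepted. Each finding on a shared account carries the named user from the checkout, which is the accountability the slide's "keys to the kingdom" point is about.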
Summary
• Advanced Persistent Threat is a reality and only going to grow
• Harder to detect
• Harder to prevent
• Weakness comes through weak security, not just from users but from partners
• Elevated accounts are most dangerous
Resources
• Advanced Persistent Threat
  – http://en.wikipedia.org/wiki/Advanced_Persistent_Threat (Definition and overview page)
  – http://www.usenix.org/event/lisa09/tech/slides/daly.pdf (Excellent presentation from Raytheon)
  – http://www.mandiant.com (Great white papers and studies – check their M-Trends paper)
• The Federal Supply Chain
  – http://www.businessofgovernment.org/sites/default/files/The%20Role%20of%20the%20Federal%20Supply%20Chain%20in%20Preparing%20for%20National%20Emergencies.pdf (Planning for the Inevitable: The Role of the Federal Supply Chain in Preparing for National Emergencies)
• Quest TPAM
  – http://www.edmz.com
Want more info?
• DLT Contact Information:
  Phone: 877-783-7800
  Email: [email protected]
  Twitter: @DLTSolutions
• Quest’s identity management solutions
  – http://www.quest.com/identity-management
  – http://www.GetToOne.com