
CORPORATE CYBER SECURITY

INSIDER THREATS

Dan Maloney

Insider Threat - Traveler Case Study

What is the linkage between detection and investigation?

An Executive travelled to a restricted country on a visit declared as personal:

• Took a personal flight, later expensed to Verizon;
• Required a subordinate to travel at Verizon expense;
• Conducted Verizon business without the appropriate travel visa;
• Took Verizon issued smart phone and laptop to other countries without making the appropriate Export Declaration;
• Received gifts of travel and lodging without prior approval of the Office of Ethics and Business Conduct.

This case was caught by a diligent VPN investigator with a sharp eye and management support.

Confidential and proprietary materials for authorized Corporate personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.4

Insider Threat - Vendor Case Study

• Foreign company ownership
• Offshoring provisioning non-compliance
• Subcontracted without approval
• Expired contracts
• Fraudulent transactions

Don’t rely on the contract for compliance

Insider Threat in the News

“Edward Snowden Used Inexpensive ‘Web Crawler’ to Hack NSA Networks” – HGN News…

“Home Depot hackers used vendor log-on to steal data, emails” – USA Today…

“Target Earnings Slide 46% After Data Breach” – Wall Street Journal

“AT&T Admits Insider Illegally Accessed Customer Data” – securityweek.com…

“F.B.I. Failed to Act on Spy, [Robert Hanssen] Despite Signals, Report Says” – NY Times…

“Encryption Faulted in TJ MAXX Hacking” – Washington Post…

“Fallout from Sony hack may alter how Hollywood conducts business” – LA Times…

Were these issues the end results of existing weaknesses?

Architecture of the Insider Threat Program

Governance, policies and standards:
• Supplier Security Baseline
• Code of Conduct
• Network Security Baseline
• CPI-810, CPI-306, CPI-303
• CPS-304, CPS-610
• Global Ops. Policy
• Ent. Clean Room Req.
• Secured Work Space Req.
• Vendor Contract
• Project Clearance
• Local Laws
• ISO 2700x
• PCI DSS
• NIST SP800
• DoD 5200.28
• DoD 5240.26
• E.O. 13587
• HR/EEO

Monitored channels and tools:
• CITRIX
• Proxy
• Email
• VPN
• DLP
• USB
• GOOD
• IM
• Audit AP
• Active Sync

Partnerships: 3rd Party Team, Domestic/International

Evolving Security: Protecting Our House

Historical Approach vs. Changing Landscape:
• Insider Threat is a reality in Public and Private Sectors
• Softening Perimeter - Demand for remote access
• Focus on governance from contract through end of life.
• Expanded Geographic Presence
• Bring Your Own Device / Mobile Computing
• Loss of Intellectual Property

Comprehensive Security, Monitoring, Logging and Digital Analytics

“Lock the doors and windows”

Understand what “good” looks like and look for meaningful differences:
• Environment analysis and baselining
• Anomaly detection and response
• Big data analytics
• Intelligence fusion

Timeline: 2002 - 2014 (Reactive, Gap Awareness, Business Enabling)

The focus of security was primarily on the physical perimeter. Data was protected by weak controls and was not treated as a valued asset.

Auditing of the environment was random and typically in response to an issue that had already occurred.

Prior to 2006, the security of data assets was treated as an ‘add-on’ after the business was already in operation. It was primarily focused on preventing external attacks through traditional site monitoring (cameras and badges).

Security assurance was unsustainable & unpredictable.

Global clearance council increases focus on offshore data control and access. GSOC institutes monitoring services capable of detecting malicious activity internationally.

To address growing concerns, Security expanded to provide enhanced support to the business. Security instituted additional internal legal, monitoring, and assurance services which could address insider threats from vendors, contractors and employees.

V&V begins regular reviews of control effectiveness globally to provide dedicated and ad-hoc support to the business.

Cyber capability evolution… Silo to Integrated

Functions: Forensics, Fraud, V&V, GSOC, STS, Analytics, Corp Security

Forensics / 2nd Level:
• Investigate Fraud Allegations
• Technical Resource for Legal, HR, Privacy, etc.
• Secured Digital Evidence Collection & Analysis
• Investigation Support

GSOC:
• Enterprise Network Content Inspection
• Cyber Event Analysis
• High Risk User Monitoring

STS:
• Secure Data Storage
• Sensitive Application Development
• Maintenance and Support of Critical Systems

V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information.

V&V is able to influence mitigation strategies by working with project owners to find solutions which will meet their operational goals and enable the business to function more securely.

Analytics categorizes issues by type and severity in order to analyze trends in control vulnerabilities based on geography and ownership.

The results of analysis often allow us to take corrective measures before a problem occurs. This has led to an overall decrease in the number of exposure opportunities as well as stronger compliance with company standards.

The capabilities of the Insider Threat Program are being deployed in the known high risk vendors and locations. The Program is not everywhere, and does not cover all locations, high risk vendors or environments.

Evolution of Operational Insider Risk Program

Event Collectors (Data Centers)

Stakeholders: Security, Legal, HR/EEO, CIRT, LOB, V&V, IT

Inputs:
• Contracts & Clearance
• Content inspection
• High risk user reports
• VPN Alerts
• DLP reports
• Audit reports

Effectiveness is measured by changing business behavior

Insider Threat Framework

Personnel Data:
• RIF List
• EEO
• Investigation

Risk Profile:
• Transaction based
• Clearance
• Contract Support
• Due diligence

Data sources: Contracts, Network Access, HR Data, Operations Data

Monitored channels and endpoints:
• Messaging / E-Mail
• VPN
• Proxy
• Workstations
• Personnel
• USB
• Servers
• GPS Location
• Smartphones and Devices

Corp Security


Identifying the Threat

Event log: PROXY
    2014-03-10:22:06:15  Source IP: 127.0.0.1
    User: V4123XXX
    URL: http://dropbox.com
    ACTION: UPLOAD
    Category: Online Storage

Event log: Symantec
    2014-03-10:22:04:22  Host Name: dummyhost
    User: V123XXX
    Filename: Corporate_Secret Sauce
    Process Name: C:/Windows
    Log files written to USB drive

Event log: Content Inspection
    2014-03-10:22:06:16  Source IP: 127.0.0.1
    URL: http://dropbox.com/
    Filename: Corporate_Secret Sauce
    File CONTENT: CONFIDENTIAL
    Category Policy: Confidential

Event log: Active Directory
    2014-03-10:22:01:02  Host Name: dummyhost
    Assigned IP: 127.0.0.1
    User: V123XXX
    Event Type: Windows Successful Logon
    MY\Domain

Correlated data 2014-03-10:22:06:20
    User: V4123XXX
    Host Name: dummyhost
    URL: http://dropbox.com/
    ACTION: UPLOAD
    Filename: Corporate_Secret Sauce
    File CONTENT: Corporate CONFIDENTIAL

“The whole is greater than the sum of the individual parts.”

Correlated data creates the bigger picture:
    Event Type: Windows Successful Logon: V123XXX, Host: dummyhost
    ACTION: UPLOAD, URL: http://dropbox.com
    Corporate_Secret Sauce written to USB drive
    File CONTENT: CONFIDENTIAL
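The correlation the slide illustrates, written out as an added example (not code from the original deck): four constructed events modelled on the proxy, Symantec, content-inspection and Active Directory excerpts are joined on the endpoint's host and assigned IP inside a time window around the logon, and the combined picture is then checked for the findings an analyst would act on. The event field names, the ten-minute window and the flag wording are assumptions of this example; the mismatched user IDs are kept as they appear on the slide to show why the join pivots on host/IP rather than user.

```python
from datetime import datetime, timedelta
# Constructed sample events modelled on the slide's four log excerpts; host, IP
# and user values are dummies. The proxy user ID differs, as on the slide.
EVENTS = [
    {"src": "Active Directory", "ts": "2014-03-10 22:01:02", "host": "dummyhost",
     "ip": "127.0.0.1", "user": "V123XXX", "event": "Windows Successful Logon"},
    {"src": "Symantec", "ts": "2014-03-10 22:04:22", "host": "dummyhost",
     "user": "V123XXX", "filename": "Corporate_Secret Sauce", "usb_write": True},
    {"src": "Proxy", "ts": "2014-03-10 22:06:15", "ip": "127.0.0.1", "user": "V4123XXX",
     "url": "http://dropbox.com", "action": "UPLOAD", "category": "Online Storage"},
    {"src": "Content Inspection", "ts": "2014-03-10 22:06:16", "ip": "127.0.0.1",
     "url": "http://dropbox.com/", "filename": "Corporate_Secret Sauce",
     "policy": "Confidential"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(events, window=timedelta(minutes=10)):
    """Pivot on each directory logon and fold every event sharing its host or
    assigned IP within the window into one picture of that session."""
    pictures = []
    for logon in (e for e in events if e["src"] == "Active Directory"):
        t0 = parse_ts(logon["ts"])
        pic = {"host": logon["host"], "ip": logon["ip"], "users": {logon["user"]},
               "sources": [logon["src"]]}
        for e in sorted(events, key=lambda e: e["ts"]):  # fixed-width timestamps
            same_endpoint = e.get("ip") == logon["ip"] or e.get("host") == logon["host"]
            if e is logon or not same_endpoint or not t0 <= parse_ts(e["ts"]) <= t0 + window:
                continue
            pic["sources"].append(e["src"])
            if "user" in e:
                pic["users"].add(e["user"])
            for k in ("url", "action", "category", "filename", "policy", "usb_write"):
                if k in e:
                    pic.setdefault(k, e[k])  # first sighting wins
        pictures.append(pic)
    return pictures

def risk_flags(pic):
    """Turn a correlated picture into the findings an analyst would act on."""
    flags = []
    if (pic.get("policy") == "Confidential" and pic.get("action") == "UPLOAD"
            and pic.get("category") == "Online Storage"):
        flags.append("confidential file uploaded to online storage")
    if pic.get("usb_write") and pic.get("policy") == "Confidential":
        flags.append("confidential file written to USB drive")
    if len(pic["users"]) > 1:
        flags.append("user IDs differ across sources; verify identity before escalating")
    return flags
```

No single source raises all three findings on its own; the USB copy, the upload and the confidential classification only line up once the events are joined on the endpoint.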


V&V: Extending the Security Ecosystem

V&V MISSION

V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information or the intrusion of unauthorized persons into the network.

V&V deploys embedded regional IST program managers and operational personnel in a “tactical spread” fashion in order to have proximity and capability in areas with high volume of VZ business activities.

V&V’s directive extends that of the typical audit function to implement appropriate mitigation responses that will support the mission of the business.


Primary Responsibilities & Capabilities


Improvement – 2012-2014


Insider Risk Reporting

New vendor engagement


Program Evolution

Sub-Category (the 13 elements of a formal Insider Threat Program):
(1) Initial Planning
(2) Identify Stakeholders
(3) Achieve & Sustain Leadership Buy-in
(4) Risk Management Process
(5) Detailed Project Planning
(6) Governance Structure, Policies & Procedures
(7) Communication, Training & Awareness
(8) Establish Detection Indicators
(9) Data & Tool Requirements
(10) Data Fusion
(11) Analysis & Incident Management
(12) Management Reporting
(13) Feedback & Lessons Learned

VZ Corporate Security x x x x x x x

The Corporate Security Insider Threat Program (ITP) began in its current form in 2010 with the addition of the V&V program. The program shifted from silos to an integrated framework based on the 13 traditional US-CERT elements of a formal ITP.

When the ITP is engaged, especially in environments that have not gone through the traditional clearance process, we see immediate evidence of non-compliance in all categories.

As the ITP is embedded with the business and matures, we see sustainable categorical improvements: the severity of issues decreases or levels off, and the business response to issues improves:

• Global finding to review ratio decreased 30%.
• On-time resolution of findings increased by 32%.
• Occurrence of severe issues reduced from common to rare.
• Mean time to resolve issues dropped below target from a peak average of 70 days to an average of 2.3 days.
• Occurrence of top four categorical finding types continues to decline.

Missteps which lead to Insider Threat

• Assuming that Serious Insider Problems are in someone else’s organization
• Disproportionate reliance on background checks, policy or contracts, assuming these will take care of potential concerns.
• Assuming that indicators will be interpreted properly…or assuming that all environments have indicators to interpret.
• Relying solely on periodic quality checks, or assuming that Cyber Security Rules are followed because of vendor agreements.
• Assuming employees or vendors are aware and savvy around security controls
• Assuming that only intentional actions will cause damage
• Relying on a heavy, reactive response capability in lieu of an integrated, preventative programmatic approach.
• Not knowing the security posture of day to day activities in international vendor environments

Do you have an Insider Threat Mitigation Program?
a. Yes  b. No

Do you think you need one?
a. Yes  b. No

Does your contract establish cyber penalties, or financial (or other) impact for cyber non-compliance?
a. Yes  b. No

How satisfied were you with today’s program/session?
a. Thought it was great  b. Very Satisfied  c. Slightly satisfied  d. Dissatisfied