Charles Keane, CISSP – UEBA Security Specialist, Forcepoint
Extending Behavioral Insights into Risk-Adaptive Protection & Enforcement
Copyright © 2018 Forcepoint

Keane, Charles – Extending Behavioral Insights into Risk-Adaptive … · 2018. 6. 8.



WHAT IS INSIDER THREAT?

Insider threat is unique within the broader cyber-risk landscape and must be addressed holistically:

• Distinctly human element ➔ behavior often foreshadows intent
• Pre-existing familiarity with, and access to, IT systems ➔ activity can be tracked and analyzed
• Differing required responses ➔ special considerations for enforcement and remediation based on scenario

Three basic categories of damaging actors that are targeted by an insider threat program:

• Malicious: intent / motivation; psychology indicators; environment triggers
• Negligent: sloppiness; non-compliance; poor controls
• Compromised: "partly" normal; normal psychology; specific anomalies


PEOPLE ARE NOT COMPUTERS

PEOPLE WORK IN HUMAN TIME

• People don't follow strict patterns
• People have emotions – happy / sad, etc.
• People operate in minutes, hours, days, weeks
• Computers operate in milliseconds (and less)
• Analysis must think about risk and patterns using a human timescale

KEY DIFFERENCES BETWEEN CYBER AND INSIDER

• Most malware investigations end with patching, reimaging or upgrades
• Human investigations typically end with policy violations, employment terminations or legal proceedings/arrests


SO WHAT ARE WE TRYING TO SOLVE?

Protect the important data wherever it resides, without:

• Overwhelming administrators
• Frustrating users
• Mistaking … for …


TECHNOLOGY ARCHITECTURE: CLOSED LOOP, RISK-ADAPTIVE APPROACH

1. Sense
2. Contextualize & understand
3. Apply individual risk score
4. Dynamically enforce
5. Operational model: set unified policy ▸ orchestrate ▸ case management ▸ investigate


BUILDING A HOLISTIC VIEW OF THE USER

• Communication: What are they feeling? With whom are they interacting? Data: email, chat, voice
• System: How are they behaving digitally? What sites and systems are they accessing? Data: SIEM, endpoint, web browsing, logins, file sharing
• HR: What is their motivation? Why might they have malicious intent? Data: performance reviews, Active Directory
• Physical: How are they behaving physically? Where are they going and when? Data: badge data, traveling


USER BEHAVIOR ANALYTIC APPROACH

Insider insights based on:

• Event analytics ("What They Do"): event ingest and enrichment (streaming or batch ingest via API). Enrich events with observed features of interest, scored for rarity and normalized by individual or peer group. Output: events of interest.
• Entity analytics ("Who They Are"): entity attribute and feature collection (gathered from HR, Active Directory, CMDB). Score non-activity-based indicators about an entity to influence scoring. Output: people of interest.
• Scenarios: "connect the dots" across event/entity models for a composite measure of risk.


HOW A TYPICAL ANALYTICS PLATFORM WORKS

Data sources ➔ Analytic engine ➔ Informed narrative


ANALYTICS ALONE IS NOT ENOUGH

An effective solution should cut through the noise of alerts and highlight early warning signals to prevent the loss of important data.

• Current policies are far too rigid to be effective.
• Learning why something happened yesterday does not stop the problem.
• Balancing workforce privacy and IP protection is critical.

• Traditional UEBA: forensic analysis
• Traditional insider threat: constant monitoring
• Traditional DLP: block it or allow it


A POWERFUL WAY TO LEVERAGE ANALYTICS

Data sources ➔ Analytic engine and insights ➔ Policy enforcement

• Data sources: 3rd party data sources; non-security log data; traditional security log data
• Policy enforcement: decision-making channels (DLP, CASB, NGFW, web)


RISK-ADAPTIVE PROTECTION

Risk-adaptive protection dynamically applies monitoring and enforcement controls to protect data based on the calculated behavioral risk level of users and the value of the data accessed.

This allows security organizations to better understand risky behavior and automate policies, dramatically reducing the quantity of alerts requiring investigation.

HOW RISK-ADAPTIVE PROTECTION WORKS:

1) Risk levels are driven up and down by human behavior
2) Each user has a unique and dynamic risk level which changes based upon behavior
3) Risk levels drive different outcomes
4) The security adapts to the risk levels as behaviors change


THE ROLE OF ANALYTICS IN THE CLOSED LOOP SYSTEM


SETTING UP THE DEMO: WHAT’S THE SCENARIO

User: Philip Zamudio, System Administrator, Global IT Team

Current Risk Score: 31. The risk score is based on monitoring user activities through numerous channels:
▸ Endpoint
▸ 3rd Party Applications
▸ Web & Email
▸ Network

Current Risk Level: 1 (of 5). Actions of enforcement, notification or monitoring are driven by the risk level.

For this demonstration we’re using DLP policy.


FOUR STEPS TO ROLLING OUT RISK-ADAPTIVE PROTECTION

1. Establish Privacy Policy
2. Establish Risk Policy
3. Establish Enforcement Baselines
4. Launch Risk-Adaptive Protection


ESTABLISH THE PRIVACY POLICY

Respect the privacy of employees.

Conform with privacy laws in relevant nations.

Privacy and Security are not mutually exclusive. Involve Legal and HR.

Focus on transparent communications with employees.

Establish clear Workforce Defense Policy & Procedure.


SAMPLE PSEUDONYMIZATION WORKFLOW

Workforce event (Cyber Defence):

1. Security Analyst assigned. Document the details of the event (date & time, attack vector, system/data, risk/criticality) and the event severity (High / Medium / Low).
2. Analyst escalates event to SOC Lead. No ➔ investigation closed.
3. SOC Lead and Director open an investigation and escalate to incident; incident severity re-assessed. No ➔ investigation closed.
4. Investigator assigned.
5. Reasonable suspicion of criminal activity and/or cyber threat to Forcepoint information systems? Yes ➔ the Steering Committee (IT, HR, Legal) must approve the Investigator’s access to FIT video/keyboard data.
6. Access to FIT video/keyboard data granted ➔ user unmasked (FIT).
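The gated unmasking step of the workflow above, written out as an added example (not Forcepoint's implementation): a keyed HMAC pseudonym replaces identities at ingest, and the only reverse mapping sits behind a check that requires qualifying grounds plus approval from all of IT, HR and Legal. The key, the grounds labels, the vault class and the sample event are assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key; in practice held outside the analytics store so that
# analysts working on events cannot reverse pseudonyms on their own.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-real-use"
COMMITTEE = frozenset({"IT", "HR", "Legal"})        # steering committee from the workflow
QUALIFYING_GROUNDS = {"criminal-activity", "cyber-threat"}   # assumed labels


def pseudonymize(user_id: str) -> str:
    """Keyed, deterministic pseudonym: events for one user still correlate,
    but the identity cannot be recovered without the key."""
    digest = hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def ingest(raw_events: list) -> list:
    """Replace the identity field before events reach the analyst-facing store."""
    return [{**event, "user": pseudonymize(event["user"])} for event in raw_events]


def gate_blockers(grounds: str, approvals: set) -> list:
    """Return what still prevents unmasking; an empty list means the gate is open."""
    blockers = []
    if grounds not in QUALIFYING_GROUNDS:
        blockers.append("no reasonable suspicion of criminal activity or cyber threat")
    for member in sorted(COMMITTEE - set(approvals)):
        blockers.append(f"missing approval: {member}")
    return blockers


class IdentityVault:
    """Holds the only pseudonym -> identity mapping; every unmask is gated and logged."""

    def __init__(self, directory: list):
        self._identity = {pseudonymize(user): user for user in directory}
        self.audit_log = []

    def unmask(self, pseudonym: str, grounds: str, approvals: set) -> str:
        blockers = gate_blockers(grounds, approvals)
        if blockers:
            raise PermissionError("; ".join(blockers))
        self.audit_log.append((pseudonym, grounds, tuple(sorted(approvals))))
        return self._identity[pseudonym]
```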


ESTABLISH RISK POLICY

• For policies governing compliance use-cases or highly sensitive information, “Block All” was the action plan for all risk levels.
• For policies where additional context can help inform decisions, additional granularity can be added.
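An added example (not Forcepoint code) tying the four principles of risk-adaptive protection to the risk policy just described: the demo user's score of 31 maps to level 1 of 5, observed behavior moves the score and therefore the level, and each policy's action plan is keyed by level, with the compliance policy set to block at every level. The cut-offs, indicator weights, policy names and action names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed cut-offs (not from the slides), chosen so the deck's demo user
# with score 31 lands on level 1 of 5: <=40 -> 1, <=55 -> 2, <=70 -> 3, <=85 -> 4.
LEVEL_CUTOFFS = (40, 55, 70, 85)


def risk_level(score: float) -> int:
    """Map a 0-100 behavioral risk score onto risk levels 1..5."""
    return 1 + sum(score > cutoff for cutoff in LEVEL_CUTOFFS)


# Action plans keyed by risk level (action names assumed). Compliance data is
# "Block All" at every level; a contextual policy escalates with the level.
BLOCK_ALL = {level: "block" for level in range(1, 6)}
GRADUATED = {1: "monitor", 2: "monitor", 3: "notify", 4: "block", 5: "block"}
POLICIES = {"cardholder-data": BLOCK_ALL, "source-code-to-web": GRADUATED}


@dataclass
class UserRisk:
    name: str
    score: float                                  # unique, dynamic per user
    history: list = field(default_factory=list)

    def observe(self, indicator: str, weight: float) -> None:
        """Behavior drives the score up (positive weight) or back down (negative)."""
        self.score = max(0.0, min(100.0, self.score + weight))
        self.history.append((indicator, self.score))

    @property
    def level(self) -> int:
        return risk_level(self.score)


def enforce(user: UserRisk, policy: str) -> str:
    """Pick the DLP action for the user's current level under the named policy."""
    return POLICIES[policy][user.level]


def walkthrough() -> list:
    """Constructed sequence for the demo user; returns (indicator, level, action)."""
    philip = UserRisk("Philip Zamudio", score=31)
    policy = "source-code-to-web"
    trace = [("baseline", philip.level, enforce(philip, policy))]
    for indicator, weight in [("off-hours upload to personal cloud storage", +30),
                              ("first use of removable media", +20),
                              ("quiet week, score decays", -25)]:
        philip.observe(indicator, weight)
        trace.append((indicator, philip.level, enforce(philip, policy)))
    return trace
```

Because the action is looked up at decision time, the same user gets a different outcome under the same policy as the level moves, while the compliance policy blocks regardless of level.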


ESTABLISH RISK POLICY: MULTI-CHANNEL ENFORCEMENT

• Multiple action plans
• Protect data in motion and at rest
• Cloud and on-premise protection


ESTABLISH ENFORCEMENT BASELINE

• Identify users to pilot
• Enable audit-only rules to fine-tune policies
• Learn behavior baselines for 30-45 days
• Calibrate risk policies and enforcement procedure


IN CLOSING

• Focus on user behavior and data interactions
• Analytics is critical to solve this challenge, but it’s only part of the solution
• Automating leads to speedy resolution of high-risk events
• Risk-Adaptive Protection will deliver better cybersecurity