Company Confidential - © 2015 Lancope, Inc. All rights reserved.
The Insider Threat: Protecting Your Organization from the Inside Out
Andrew Wild, Chief Information Security Officer, Lancope
Company Confidential - © 2016 Lancope, Inc. All rights reserved.
Who am I?
• Information security professional
• Background in network engineering
• U.S. Army veteran
Evolution of Cyber Conflict
Attackers:
• Manual Attacks (1980s): war dialing, phone phreaking …
• Mechanized Attacks (1988): viruses, worms …
• Talented Human / Mechanized Attackers (2009): Google, RSA …
• DIY Human / Mechanized Attackers (2011): Target, Neiman Marcus …
Defenders:
• Manual Defenses: unplug
• Mechanized Defenses: firewall, IDS/IPS
• Targeted Human / Mechanized Defenders: reputation, app-aware firewall
• Intelligence Driven Human Defenders
Today’s Threat Landscape
Despite $32 billion spent on conventional tools, threats continue to evade detection…
…data breaches continue
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Sobering Statistics
http://www.idtheftcenter.org/images/breach/DataBreachReports_2015.pdf
http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
http://espn.go.com/mlb/story/_/id/14531169/christopher-correa-former-st-louis-cardinals-executive-pleads-guilty-hacking-houston-astros-database
CISO Thoughts on Another Breach in the News
• Not another one….
• Is my organization prepared?
  – Could we detect this event?
  – Would we do better or worse than the latest victim?
  – Asset Management
    • Do we know what we have?
  – Access Control
    • Privileged credential management/monitoring
    • Egress filtering & monitoring
    • Network segmentation
  – Detection
    • How mature are our capabilities?
    • Do we have pervasive visibility across our entire environment?
  – Incident Response
    • Are we prepared to manage an incident like this?
• What can we learn from this recent breach?
Today’s Top Threats Still Get Through
• 243 days before attackers were discovered
• 621 incidents & over 44 million compromised records
• $3.03M is the avg. lost business cost of a breach in the US
(diagram labels: FW, IPS, IDS)
What/Who is an Insider?
• Employees
• Contractors
• Partners
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/
http://www.bbc.com/news/world-us-canada-23123964
http://money.cnn.com/2015/10/07/media/matthew-keys-convicted-los-angeles-times/
Why are Insider Threats on the Rise?
What are the Top Types of Insider Threats?
Forrester Research: https://www.forrester.com/Understand The State Of Data Security And Privacy 2013 To 2014/fulltext/-/E-RES82021
https://www.clearswift.com/about-us/pr/press-releases/new-research-reveals-more-third-employees-willing-sell-private-company-data-and-proprietary
http://www.verizonenterprise.com/DBIR/
5 Steps to Manage the Insider Threat
• Create a strong insider policy
• Improve awareness
• Strong hiring processes with screening
• Rigorous subcontracting & third-party risk management
• Monitor employees
We Have to Change the Game!
Changing the Game
• Defenders need to find hundreds of vulnerabilities and fix them all, while the attackers only need to find one.
• Attackers need to complete a series of operations without being detected, while the defenders only need to detect them in one.
Phases of the Attack Continuum (chain): Infiltration → Series of Operations → Exfiltration
Lancope’s Continuous Response Loop
Monitor → Detect → Analyze → Respond (and back to Monitor)
Continuous Response along the Attack Continuum
Infiltration → Series of Operations → Exfiltration
Raising the cost to adversaries through Continuous Response
(diagram: a Monitor → Detect → Analyze → Respond loop repeated at every step of the attack chain)
Detection Methodology
• Signature = inspect object against a blacklist
  – IPS, antivirus, content filter
• Behavioral = inspect victim behavior against a blacklist
  – malware sandbox, NBAD, HIPS, SIEM
• Anomaly = inspect victim behavior against a whitelist
  – NBAD, quantity/metric-based, not signature-based

                  Signature   Behavioral   Anomaly
Known Exploits    BEST        Good         Limited
0-day Exploits    Limited     BEST         Good
Credential Abuse  Limited     Limited      BEST
(network diagram: WAN, datacenter, core and access layers across Atlanta, New York and San Jose; devices shown: 3560-X, 3850 stack(s), Cat4k, Cat6k, ASA Internet firewall, 3925 ISR, ASR-1000, Nexus 7000, UCS with Nexus 1000v, VPC servers)
Network As A Sensor (NaaS): Internal Visibility from Edge to Access
Telemetry sources along the path: Edge, WAN, Firewall, IPS, Proxy, Core, Distribution, Access, UCS, ISE, Reputation
Flow – The Network Phone Bill
Flow cache fields: Origin IP, Destination IP, Origin Port, Destination Port, L3 Protocol, DSCP, Packets, Bytes/Packet
(diagram: a flow record (origin IP, port, protocol …, with sample values 11000 and 1528) set beside a telephone bill’s monthly statement and bill-at-a-glance summary)
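The "phone bill" analogy worked as code. This is an added example and not code from the slides or from Lancope's product: a small unidirectional flow cache that turns packet headers into flow records keyed on the fields the slide lists. The packet addresses, sizes, timestamps and the 15 s idle timeout are constructed assumptions.

```python
"""Flow records from packet headers: the network "phone bill".
Added example (not Lancope/StealthWatch code) for the slide above: a minimal
unidirectional flow cache keyed on the fields the slide lists (origin and
destination IP and port, L3 protocol, DSCP) that counts packets and bytes per
conversation, as a NetFlow/IPFIX exporter does. Like a phone bill, a record
says who talked to whom, when, for how long and how much, and carries no
payload. The packets and the 15 s idle timeout are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class FlowRecord:
    origin_ip: str
    dest_ip: str
    origin_port: int
    dest_port: int
    l3_proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    dscp: int
    first_seen: float  # seconds, taken from the flow's first packet
    last_seen: float
    packets: int = 0
    bytes: int = 0

    @property
    def bytes_per_packet(self):
        return self.bytes / self.packets if self.packets else 0.0

    @property
    def duration(self):
        return self.last_seen - self.first_seen

    def bill_line(self):
        """One line of the 'phone bill': who, to whom, how long, how much."""
        return (f"{self.origin_ip}:{self.origin_port} -> {self.dest_ip}:{self.dest_port} "
                f"proto={self.l3_proto} dscp={self.dscp} pkts={self.packets} "
                f"bytes={self.bytes} dur={self.duration:.2f}s")


class FlowCache:
    """Aggregates packets into flows; a flow is exported once it has been idle
    longer than idle_timeout, or when flush() is called at end of capture."""

    def __init__(self, idle_timeout=15.0):
        self.idle_timeout = idle_timeout
        self._active = {}      # flow key -> FlowRecord still being updated
        self.exported = []

    def observe(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
               pkt["proto"], pkt.get("dscp", 0))
        rec = self._active.get(key)
        if rec is None:
            rec = FlowRecord(*key, first_seen=pkt["ts"], last_seen=pkt["ts"])
            self._active[key] = rec
        rec.packets += 1
        rec.bytes += pkt["len"]
        rec.last_seen = max(rec.last_seen, pkt["ts"])
        self._expire(pkt["ts"])

    def _expire(self, now):
        idle = [k for k, r in self._active.items() if now - r.last_seen > self.idle_timeout]
        for key in idle:
            self.exported.append(self._active.pop(key))

    def flush(self):
        self.exported.extend(self._active.values())
        self._active.clear()
        return self.exported


# Constructed packets: a DNS lookup, a TLS session uploading ~3 KB, and a later
# packet from another host that ages the earlier flows out of the cache.
SAMPLE_PACKETS = [
    dict(ts=0.00, src="10.1.2.3", dst="10.1.0.53", sport=53000, dport=53, proto=17, len=64),
    dict(ts=0.01, src="10.1.0.53", dst="10.1.2.3", sport=53, dport=53000, proto=17, len=180),
    dict(ts=0.05, src="10.1.2.3", dst="203.0.113.10", sport=51000, dport=443, proto=6, len=60),
    dict(ts=0.10, src="203.0.113.10", dst="10.1.2.3", sport=443, dport=51000, proto=6, len=60),
    dict(ts=0.15, src="10.1.2.3", dst="203.0.113.10", sport=51000, dport=443, proto=6, len=1460),
    dict(ts=0.20, src="10.1.2.3", dst="203.0.113.10", sport=51000, dport=443, proto=6, len=1460),
    dict(ts=30.0, src="10.1.2.9", dst="203.0.113.10", sport=40000, dport=443, proto=6, len=60),
]


def build_flows(packets=SAMPLE_PACKETS):
    """Feed packets through the cache and return every exported flow record."""
    cache = FlowCache()
    for pkt in packets:
        cache.observe(pkt)
    return cache.flush()


if __name__ == "__main__":
    for rec in build_flows():
        print(rec.bill_line())
```

Each exported record prints as one bill line. Note what is absent: no payload, no URL, no file name. That is why flow telemetry scales to every link in the network, and also why the detection layer on the following slides works on counts, timing and peers rather than content.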
Network As A Sensor (NaaS)
Behavioral Detection Model
As flows are collected, behavioral algorithms are applied to build “Security Events”. Each Security Event adds points to an alarm category; the category totals give an easy summary and a higher degree of confidence in the type of activity detected.
Detect behavioral change: Security Events (94+, plus up to 255 custom-defined events), for example:
• Addr_Scan
• Bad_Flag
• Beaconing Host
• Bot Infected Host – Successful
• Brute Force Login
• Fake Application
• Flow_Denied
• ICMP Flood
• Max Flows Initiated
• Max Flows Served
• Suspect Quiet Long Flow
• Suspect Data Loss
• SYN Flood
• UDP Received
• …
Alarm categories: Recon, C&C, Exploitation, Data Hoarding, Exfiltration, Policy Violation, DDoS Target
Response: Alarm Table, Host Snapshot, Email, Syslog/SIEM, Mitigation
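The event-to-points-to-alarm pipeline from this slide, and the behavioral-versus-anomaly split from the Detection Methodology slide, as one added example. It is not Lancope's code: event names follow the slide, but the point values, the alarm threshold, the per-host baselines and every flow are constructed assumptions.

```python
"""Security Events -> alarm-category points -> alarms, over flow records.
Added example (not Lancope/StealthWatch code) for the Behavioral Detection
Model and Detection Methodology slides: Addr_Scan, Max Flows Initiated and
Beaconing Host are behavioral checks (activity matched against a blacklist of
patterns); Suspect Data Loss is an anomaly check (volume compared with the
host's own learned baseline, the whitelist). Event names follow the slide; all
point values, thresholds, baselines and flows are constructed assumptions."""
import ipaddress
import statistics
from collections import defaultdict

INSIDE = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
# Assumed scoring: event -> (alarm category, points); a category alarms when
# the points from all events on one host reach ALARM_THRESHOLD.
EVENT_POINTS = {
    "Addr_Scan": ("Recon", 50),
    "Max Flows Initiated": ("Recon", 30),
    "Beaconing Host": ("C&C", 40),
    "Suspect Data Loss": ("Exfiltration", 80),
}
ALARM_THRESHOLD = 75

def is_inside(ip):
    return ipaddress.ip_address(ip) in INSIDE

def addr_scan_events(flows, min_targets=20):
    """Behavioral: one inside host touching many distinct inside destinations."""
    targets = defaultdict(set)
    for f in flows:
        if is_inside(f["origin"]) and is_inside(f["dest"]):
            targets[f["origin"]].add(f["dest"])
    return [("Addr_Scan", h) for h, t in targets.items() if len(t) >= min_targets]

def max_flows_events(flows, limit=20):
    """Behavioral: a host initiating more flows than the configured limit."""
    count = defaultdict(int)
    for f in flows:
        count[f["origin"]] += 1
    return [("Max Flows Initiated", h) for h, n in count.items() if n > limit]

def beaconing_events(flows, min_conns=6, max_jitter=0.1):
    """Behavioral: connections to one outside host at a near-constant interval."""
    starts = defaultdict(list)
    for f in flows:
        if is_inside(f["origin"]) and not is_inside(f["dest"]):
            starts[(f["origin"], f["dest"])].append(f["start"])
    events = []
    for (host, _dest), times in starts.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            events.append(("Beaconing Host", host))
    return events

def data_loss_events(flows, baseline, sigmas=3.0):
    """Anomaly: today's outbound bytes vs the host's own daily history. Hosts
    without a history are skipped: a whitelist must be learned before it can be violated."""
    out = defaultdict(int)
    for f in flows:
        if is_inside(f["origin"]) and not is_inside(f["dest"]):
            out[f["origin"]] += f["bytes"]
    events = []
    for host, total in out.items():
        hist = baseline.get(host, [])
        if len(hist) >= 2 and total > statistics.mean(hist) + sigmas * statistics.pstdev(hist):
            events.append(("Suspect Data Loss", host))
    return events

def detect(flows, baseline):
    """Run every check, add points per (host, category), return events, points, alarms."""
    events = (addr_scan_events(flows) + max_flows_events(flows)
              + beaconing_events(flows) + data_loss_events(flows, baseline))
    points = defaultdict(int)
    for name, host in events:
        category, pts = EVENT_POINTS[name]
        points[(host, category)] += pts
    alarms = {k: v for k, v in points.items() if v >= ALARM_THRESHOLD}
    return events, dict(points), alarms

def sample_flows():
    """Constructed flows: 10.1.5.5 sweeps a /24 on 445; 10.1.2.3 beacons every
    60 s and then pushes 50 MB out; 10.1.9.9 does its usual daily volume."""
    flows = [dict(origin="10.1.5.5", dest=f"10.1.7.{i}", dport=445, start=i * 0.1, bytes=60)
             for i in range(1, 26)]
    flows += [dict(origin="10.1.2.3", dest="203.0.113.10", dport=443, start=60 * i, bytes=300)
              for i in range(6)]
    flows.append(dict(origin="10.1.2.3", dest="198.51.100.7", dport=443, start=400, bytes=50_000_000))
    flows.append(dict(origin="10.1.9.9", dest="198.51.100.20", dport=443, start=500, bytes=2_050_000))
    return flows

# Constructed daily outbound-byte history per host (the learned whitelist).
SAMPLE_BASELINE = {"10.1.2.3": [1_200_000, 900_000, 1_500_000, 1_100_000, 1_300_000],
                   "10.1.9.9": [2_000_000, 2_100_000, 1_900_000]}

if __name__ == "__main__":
    print(*detect(sample_flows(), SAMPLE_BASELINE), sep="\n")
```

With these numbers the scanner reaches the Recon threshold only because two events stack (50 + 30), the beaconing host stays below the C&C threshold on one event alone, and the 50 MB upload trips Suspect Data Loss because it sits far above that host's own history; the scanner has no history, so the anomaly check says nothing about it. That is the practical trade-off behind the table on the Detection Methodology slide: behavioral patterns need no learning period, anomaly baselines catch abuse of legitimate credentials but only for hosts that have been profiled.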
Behavioral Detection Model
• 100% LAN accountability
• 90+ days flow storage average
• 365+ days summary data stored
• Profile over 1M internal hosts
Continuous Network Monitoring
Apply Network Segmentation: the network is your sensor
Build logical boundaries
Outside - Internet:
• Geo location
• Business partners
• Cloud providers
• Social media
Inside - Internal:
• Location - site - branch
• Datacenter
• Function - application
• Business unit
• Sensitivity - compliance
Command & Control:
• New malware families
• Point-of-sale malware
• Banking malware
• Keylogger, exfil data
• DDoS
What is Context-Aware Security?
The use of situational information (e.g. identity, location, time of day or type of endpoint device) to operationalize security and improve information security decisions.
Context-Aware Security
Breaking Down the Boundaries
Conclusion
• Data breaches are continuing, and growing in size
• The shortage of IT security experts is growing along with the need for talent; automation is the way forward
• Cybersecurity is a knowledge-based game
• Use your network as a sensor
• Context-aware security analytics can improve detection and accelerate response through a Continuous Response Loop: Monitor, Detect, Analyze, Respond (repeat)
Thank you! Andrew Wild, Lancope@[email protected]