OPERATIONALIZING YOUR INSIDER THREAT PROGRAM
Copyright Notice: © 2016 By INSIDER THREAT DEFENSE, INC.
Agenda
• Common pitfalls of insider threat initiatives
• Four best practices essential for a successful program
• Overcoming obstacles while operationalizing your program
• Insider Threat Program checklist
Common Pitfalls
Too Many Definitions For Insider Threat
• Disgruntled Employees
• Workplace Violence
• Divided Loyalty Or Allegiance To U.S. / Terrorism
• Espionage (National Security, Economic, Industrial, Corporate)
• Data Destruction, Information Technology Sabotage
• Fraud, Theft
• Insiders Who Are: Ignorant, Negligent, Cyber Insider Threat
• Insiders Who Affect The Confidentiality, Integrity And Availability Of Information (Wittingly Or Un-Wittingly Causing Damage)
These Are All Threats. Un-Witting Is The Biggest Problem.
• UBS PaineWebber Systems Administrator Attack Impairs Trading, Impacting Over 1,000 Servers And 17,000 Work Stations
• Employee Sabotages Company's Network Servers - Company Permanently Loses Data And Spent Hundreds Of Thousands Of Dollars Repairing Equipment & Recovering Data ($1 Million In Lost Business)
• Low-Level Engineer Managed To Steal $1 Billion Worth Of Intellectual Property
• Former Security Director For Lottery Charged With Tampering Equipment Before Secretly Buying $14.3 Million Winning Ticket
• Virginia Man Pleads Guilty To Attempted Espionage For Stealing Aircraft Carrier Design Details
• Former Georgia Pacific Employee Charged With Damaging Computers
• Log Audit Reveals Developer Outsourced His Job To China, While He Surfed The Internet All Day At Work
• Management Information Systems Professional At Military Facility Encrypts Large Parts Of Organization’s Database And Holds It Hostage - Company Pays Ransom Money
• U.S. Embassy Official Charged With Sextortion, Cyber Stalking Scheme
• Secret Service Agent Sentenced In Online Currency Theft
• FBI Busts Comcast Hacking Suspects - Including Comcast Employee Who Helped Hackers
• FBI Arrests Pharmaceutical CEO Martin Shkreli On Securities Fraud Charges
• Virginia Businessman Sentenced To 88 Months In Prison For Role In Bribery Scheme Involving Government Contract
• Report Shows FBI Ignored Accused Fort Hood Shooter Nidal Hasan Out Of Political Correctness
• Disgruntled Employee Shot CEO Before Killing Himself
• FCC Fines AT&T $25 Million For Privacy Breach - Insider Threat
• Securities Firm Avoids FTC Action By Standing Up Insider Threat Program
• And So Many More...
Companies Have Too Narrow Of Focus
Companies Don’t Get Employees’ Consent To:
• Credit Check
• Background Check (Checking Databases)
• Rules Of Behavior
• Login Banners
Note: For continuous employee evaluation, having a statement explicitly stating that this is a "continuous process" is essential.
Companies Don’t Identify Right Stakeholders
Putting Together An “A” Team
Many of the components needed for an effective Insider Threat Program are already available within an organization:
• Senior Management
• Legal / General Counsel
• Human Resources, Personnel Security
• Corporate Security, Facilities Security
• Information Technology (IT)
• Information Assurance (IA)
• Incident Response (IR) (CSIRT)
• Counterintelligence (CI)
• Contracting
Identify Gaps, Enhancements, Build Better Working Relationship
Companies Don’t Have The Right Information
• Computer Activity (MS Windows Event Logs)
• USB, CD / DVD Usage
• Network Folder & File Access
• E-Mails Being Sent And Received, Including Attachments
• Databases (Access, Queries, Exports)
• Software Application Usage, Custom Software Applications
• Remote Access / VPN Access
• Print Usage Monitoring
• Network Bandwidth Analysis (NetFlow, SolarWinds)
• Internet Usage (Websites Visited, Uploads, Downloads, Searches)
• Web Chat / Messenger
• Copy Machine Usage
• Multi-Function Printer Usage (Copier, Scanner, Fax)
• Fax Machine Usage
Or Use A Comprehensive Insider Threat Management Solution Such As ObserveIT = Holistic User Monitoring, Behavioral Analytics, Policy Enforcement, Forensic Recording (Video) --- A Complete Picture
People Centric A Holistic View
Labor Intensive
4 Best Practices
Best Practice # 1
GET BUY IN
Protecting an organization’s assets requires getting the right executives / legal on board, gaining buy-in and continued support. This is essential. (Assets = Data, Information Systems, Networks, Personnel)
Organizational leaders must see risk management and information security as a core enterprise business function rather than a mere task that the IT or security team is handling.
Best Practice # 2
ESTABLISH COMMUNICATIONS / SHARING
The most important part of insider threat risk mitigation is breaking down the silos and establishing communication with all pertinent and relevant departments within the organization.
Organizational risk will then be addressed at an enterprise level, rather than at a single departmental level.
Best Practice # 3
GAIN VISIBILITY
Having visibility of employee actions / behaviors is essential for Insider Threat Risk Mitigation.
Best Practice # 4
START TRAINING
Insider Threat Program Manager / Insider Threat Analyst / Insider Threat Program Support Personnel positions require a specialized skill set and could require additional training:
• Insider Threat Program Concepts In-Depth
• Procedures for conducting “Insider Threat Incident” response actions
• Laws and regulations on gathering, integration, retention, safeguarding and use of records and data, and the consequences of misuse of such information
• Legal, civil liberties and privacy policies
Obstacles
Overcoming Obstacles
• Insider Threat Program Is Big Brother, Witch Hunt (Consider Naming It Asset Protection & Compliance Program) (Create CEO ITP Rollout Message)
• The Challenge Of Obtaining Data (Technical & Non-Technical)
• Information Sharing / Trust (Use MOU’s / MOA’s) (For Continuity Of ITP)
• Corporate Culture (Not In My Organization Belief)
• We Do Background Checks – This Is Sufficient
• We Do Computer User Activity Monitoring – This Is Sufficient
• We Are Compliant – This Is Sufficient (Scope Of ITP, Classified Info Only)
• Funding
• Legal Resistance / Stakeholder Resistance
Overcoming Obstacles (Cont.)
• Employees’ Resistance To ITP & Reluctance To Report
• Stakeholder(s) Reluctant To Share Vulnerabilities With ITPM / Insider Threat Program Working Group That Identify Security Weaknesses In Other Security Disciplines & Departments
SUCCESSFUL INSIDER THREAT RISK MITIGATION REQUIRES: Senior Executive Management Support + Communications & Sharing Of Information With ITP + Visibility Of Employee Behaviors = Successful ITP
Checklist
Insider Threat Program Checklist
• Gaining Buy-In From Senior Management, Legal
• Designation Of Insider Threat Program Manager (Time Considerations)
• Insider Threat Program Name (Name It Something Else)
• Insider Threat Program Placement In Organizational Structure (Unbiased Department)
• Insider Threat Program (Announced / Need To Know)
• Create Insider Threat Working Group / Hub – Identify Stakeholders
• Identify Data Sources That Will Support The ITP
• Scope Of Insider Threat Program (Personnel, Data, Information Systems, Classified / Un-Classified Networks)
• Insider Threat Program Policy (Announced / Need To Know)
• Insider Threat Awareness Training (How To Report?)
• User Monitoring (Need To Know) (Technical / Non-Technical) (Thresholds Exceeded, Focused UAM, Approvals)
• Insider Threat Reporting, Case Management & Response Actions / Incident Handling Process
• Insider Threat Risk Assessments – Insider Threat Risk Mitigation Starts With Risk Management 101
Questions
Contact Info
Jim Henderson, CISSP, CCISO
CEO Insider Threat Defense, TopSecretProtection.Com, Inc.
Insider Threat Program Training Course Instructor
Cyber Security-Information System Security Program Management Training Course Instructor
Cyber Threat - Insider Threat Risk Assessment Auditor / Analyst
Founder / Chairman Of The National Insider Threat Special Interest Group
Phone: 888-363-7241 / 561-809-6800
Websites / E-Mail Addresses:
www.nationalinsiderthreatsig.org
jimhenderson@nationalinsiderthreatsig.org
www.insiderthreatdefense.com
jimhenderson@insiderthreatdefense.com