Combating Insider Threats – Protecting Your Agency from the Inside Out
Transcript of Combating Insider Threats – Protecting Your Agency from the Inside Out
Charles Herring, Cyber Security Specialist, @charlesherring
Introduction
© 2014 Lancope, Inc. All rights reserved.
Crown Jewels
• Card holder data (PCI)
• Patient records (HIPAA)
• Trade secrets
• Competitive information (M&A)
• Employee data (PII)
• State secrets
• Customer data
Data that is valuable to attackers
2
Why do attackers care?
Attacker | Jewel | Motivation
Criminals | PCI data | $4-$12/card
Criminals | Patient records | $30-$50/record
Activists | Anything | Shaming
State sponsored | Trade secrets | Geopolitical
State sponsored | Patient records | ?!?!!!!
Insiders | IP and customer data | Professional advantage
[Network diagram: WAN, Datacenter, Access and Core tiers across Atlanta, New York and San Jose; devices shown include 3560-X, 3850 stack(s), Cat4k, Cat6k, ASA (Internet), VPC servers, 3925 ISR, ASR-1000, and Nexus 7000 with UCS and Nexus 1000v.]
Where to Look? North, South, East and West = every communication
Signature
Anomaly Behavior
How to Look
Signature = Object against blacklist
• IPS, Antivirus, Content Filter
Behavior = Inspect victim behavior against blacklist
• Malware Sandbox, NBAD, HIPS, SIEM
Anomaly = Inspect victim behavior against whitelist
• NBAD, quantity/metric based, not signature based
Threat | Signature | Behavior | Anomaly
Known exploits | BEST | Good | Limited
0-day exploits | Limited | BEST | Good
Credential abuse | Limited | Limited | BEST
By Data Grouping – Data Inventory
Find your data. “Pull the thread” with Top Peers/Flow Tables. Host Group Policies with lower tolerance.
Find your jewels
6
Data Anomaly Alarms
• Suspect Data Hoarding
• Target Data Hoarding
• Total Traffic
• Suspect Data Loss
Counting Access
7
Data Hoarding
Data Loss
Map the Segmentation
Logical vs. Physical: Map Segmentation
Watch the logical roadways
10
Custom Events
Evolution of HLV. Alert when segmentation fails. Allows for NOR logic.
Alert on Zero Tolerance
11
Logical vs. Physical: Map Segmentation
Watch the logical roadways
12
Segmentation Violations