CORPORATE CYBER SECURITY INSIDER THREATS Dan Maloney.
Insider Threat - Traveler Case Study
What is the linkage between detection and investigation?
An Executive travelled to a restricted country on a visit declared as personal:
• Took a personal flight, later expensed to Verizon
• Required a subordinate to travel at Verizon expense
• Conducted Verizon business without the appropriate travel visa
• Took Verizon issued smart phone and laptop to other countries without making the appropriate Export Declaration
• Received gifts of travel and lodging without prior approval of the Office of Ethics and Business Conduct
This case was caught by a diligent VPN investigator with a sharp eye and management support.
Confidential and proprietary materials for authorized Corporate personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written agreement.
Insider Threat - Vendor Case Study
• Foreign company ownership
• Offshoring provisioning non-compliance
• Subcontracted without approval
• Expired contracts
• Fraudulent transactions
Don’t rely on the contract for compliance
Insider Threat in the News
“Edward Snowden Used Inexpensive ‘Web Crawler’ to Hack NSA Networks” – HGN News
“Home Depot hackers used vendor log-on to steal data, emails” – USA Today
“Target Earnings Slide 46% After Data Breach” – Wall Street Journal
“AT&T Admits Insider Illegally Accessed Customer Data” – securityweek.com
“F.B.I. Failed to Act on Spy [Robert Hanssen] Despite Signals, Report Says” – NY Times
“Encryption Faulted in TJ MAXX Hacking” – Washington Post
“Fallout from Sony hack may alter how Hollywood conducts business” – LA Times
Were these issues the end results of existing weaknesses?
Architecture of the Insider Threat Program
(Slide diagram; its elements are listed here as they appear.)
Internal policies and baselines: Supplier Security Baseline, Code of Conduct, Network Security Baseline, CPI-810, CPI-306, CPI-303, CPS-304, CPS-610, Global Ops. Policy, Ent. Clean Room Req., Secured Work Space Req., Vendor Contract, Project Clearance, Local Laws
External standards and regulations: ISO 2700x, PCI DSS, NIST SP800, DoD 5200.28, DoD 5240.26, E.O. 13587, HR/EEO
Monitored channels and tools: Citrix, Proxy, Email, VPN, DLP, USB, GOOD, IM, Audit AP, Active Sync
Partnerships / 3rd Party Team: Domestic/International, Domestic
Protecting Our House
Historical Approach: “Lock the doors and windows”
Changing Landscape:
• Insider Threat is a reality in Public and Private Sectors
• Softening Perimeter - Demand for remote access
• Focus on governance from contract through end of life
• Expanded Geographic Presence
• Bring Your Own Device / Mobile Computing
• Loss of Intellectual Property
Evolving Security: Comprehensive Security, Monitoring, Logging and Digital Analytics
Understand what “good” looks like and look for meaningful differences
• Environment analysis and baselining
• Anomaly detection and response
• Big data analytics
• Intelligence fusion
Timeline (2002 to 2014)
Prior to 2006, the security of data assets was treated as an ‘add-on’ after the business was already in operation.
It was primarily focused on preventing external attacks through traditional site monitoring (cameras and badges).
The focus of security was primarily on the physical perimeter. Data was protected by weak controls and was not treated as a valued asset.
Auditing of the environment was random and typically in response to an issue that had already occurred.
Security assurance was unsustainable & unpredictable.
To address growing concerns, Security expanded to provide enhanced support to the business. Security instituted additional internal legal, monitoring, and assurance services which could address insider threats from vendors, contractors and employees.
Global clearance council increases focus on offshore data control and access. GSOC institutes monitoring services capable of detecting malicious activity internationally.
V&V begins regular reviews of control effectiveness globally to provide dedicated and ad-hoc support to the business.
Phases shown on the timeline: Reactive → Gap Awareness → Business Enabling
Cyber capability evolution: Silo to Integrated
Capability areas under Corporate Security: Forensics, Fraud, V&V, GSOC, STS, Analytics
Forensics / 2nd Level: Investigate Fraud Allegations; Technical Resource for Legal, HR, Privacy, etc.; Secured Digital Evidence Collection & Analysis; Investigation Support
Enterprise Network Content Inspection; Cyber Event Analysis; High Risk User Monitoring
Secure Data Storage; Sensitive Application Development; Maintenance and Support of Critical Systems
V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information.
V&V is able to influence mitigation strategies by working with project owners to find solutions which will meet their operational goals and enable the business to function more securely.
Analytics categorizes issues by type and severity in order to analyze trends in control vulnerabilities based on geography and ownership.
The results of analysis often allow us to take corrective measures before a problem occurs. This has led to an overall decrease in the number of exposure opportunities as well as stronger compliance with company standards.
The capabilities of the Insider Threat Program are being deployed in the known high risk vendors and locations. The Program is not everywhere, and does not cover all locations, or high risk vendors or environments.
Evolution of Operational Insider Risk Program
Event Collectors (Data Centers)
Stakeholders: Security, Legal, HR/EEO, CIRT, LOB, V&V, IT
Inputs: Contracts & Clearance, Content inspection, High risk user reports, VPN Alerts, DLP reports, Audit reports
Effectiveness is measured by changing business behavior
Insider Threat Framework
Personnel Data: RIF List; EEO; Investigation
Risk Profile: Transaction based; Clearance; Contract Support; Due diligence
Data sources: Contracts, Network Access, HR Data, Operations Data
Monitored channels: Messaging, E-Mail, VPN, Proxy, Workstations, Personnel, USB, Servers, GPS Location, Smartphones and Devices
Owner: Corporate Security
Identifying the Threat
Event log: PROXY
  2014-03-10:22:06:15  Source IP: 127.0.0.1
  User: V4123XXX
  URL: http://dropbox.com
  ACTION: UPLOAD
  Category: Online Storage
Event log: Symantec
  2014-03-10:22:04:22  Host Name: dummyhost
  User: V123XXX
  Filename: Corporate_Secret Sauce
  Process Name: C:/Windows
  Log files written to USB drive
Event log: Content Inspection
  2014-03-10:22:06:16  Source IP: 127.0.0.1
  URL: http://dropbox.com/
  Filename: Corporate_Secret Sauce
  File CONTENT: CONFIDENTIAL
  Category Policy: Confidential
Event log: Active Directory
  2014-03-10:22:01:02  Host Name: dummyhost
  Assigned IP: 127.0.0.1
  User: V123XXX
  Event Type: Windows Successful Logon
  Domain: MY\Domain
Correlated data (2014-03-10:22:06:20)
  User: V4123XXX
  Host Name: dummyhost
  URL: http://dropbox.com/
  ACTION: UPLOAD
  Filename: Corporate_Secret Sauce
  File CONTENT: Corporate CONFIDENTIAL
“The whole is greater than the sum of the individual parts.”
Correlated data creates the bigger picture:
  Event Type: Windows Successful Logon: V123XXX, Host: dummyhost
  ACTION: UPLOAD, URL: http://dropbox.com
  Corporate_Secret Sauce written to USB drive
  File CONTENT: CONFIDENTIAL
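The correlation the slide walks through, as an added Python example (not the presentation's or any vendor's code): the AD logon ties an IP to a host and user, so proxy and content-inspection events from that IP and endpoint DLP events on that host are pivoted into one session picture. The event dictionaries are constructed from the slide's values; field names and the `USB_WRITE` action label are assumptions.

```python
"""Pivot four single-source events (AD logon, DLP, proxy, content inspection)
into the one picture the slide builds. Sample records are constructed from the
slide; the field names are assumptions, not any product's schema."""
from datetime import datetime, timedelta

# Constructed sample events, one dict per log source, values as on the slide.
EVENTS = [
    {"src": "AD", "ts": "2014-03-10 22:01:02", "host": "dummyhost",
     "ip": "127.0.0.1", "user": "V123XXX", "type": "Windows Successful Logon"},
    {"src": "Symantec", "ts": "2014-03-10 22:04:22", "host": "dummyhost",
     "user": "V123XXX", "file": "Corporate_Secret Sauce", "action": "USB_WRITE"},
    {"src": "PROXY", "ts": "2014-03-10 22:06:15", "ip": "127.0.0.1",
     "user": "V4123XXX", "url": "http://dropbox.com", "action": "UPLOAD",
     "category": "Online Storage"},
    {"src": "ContentInspection", "ts": "2014-03-10 22:06:16", "ip": "127.0.0.1",
     "url": "http://dropbox.com/", "file": "Corporate_Secret Sauce",
     "content": "CONFIDENTIAL"},
]

def _t(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")

def correlate(events, window=timedelta(minutes=10)):
    """For each AD logon, gather events within `window` that share the logon's
    IP (network sources) or host (endpoint sources). The join key is the
    session, not the user string: the proxy records a different user ID than
    AD does on the slide, and a match on user alone would miss the upload."""
    picture = []
    for logon in (e for e in events if e["src"] == "AD"):
        t0 = _t(logon)
        related = [e for e in events if e is not logon
                   and t0 <= _t(e) <= t0 + window
                   and (e.get("ip") == logon["ip"] or e.get("host") == logon["host"])]
        uploads = [e for e in related if e.get("action") == "UPLOAD"]
        usb = [e for e in related if e.get("action") == "USB_WRITE"]
        classified = [e for e in related if e.get("content") == "CONFIDENTIAL"]
        picture.append({
            "user": logon["user"], "host": logon["host"],
            "files": {e["file"] for e in related if "file" in e},
            "uploaded_to": {e["url"].rstrip("/") for e in uploads},
            "written_to_usb": bool(usb),
            "confidential": bool(classified),
            "sources": sorted({e["src"] for e in related} | {logon["src"]}),
            # Classified content leaving by web upload or USB is the high case.
            "severity": "HIGH" if classified and (uploads or usb) else "LOW",
        })
    return picture
```

Each source alone is a routine logon, a file copy, or a web upload; only the joined record shows confidential content leaving by two channels from one session.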
V&V: Extending the Security Ecosystem
V&V MISSION
V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information or the intrusion of unauthorized persons into the network.
V&V deploys embedded regional IST program managers and operational personnel in a “tactical spread” fashion in order to have proximity and capability in areas with high volume of VZ business activities.
V&V’s directive extends that of the typical audit function to implement appropriate mitigation responses that will support the mission of the business.
Insider Risk Reporting
New vendor engagement
Program Evolution
Sub-categories (the 13 US-CERT elements of a formal Insider Threat Program):
(1) Initial Planning
(2) Identify Stakeholders
(3) Achieve & Sustain Leadership Buy-in
(4) Risk Management Process
(5) Detailed Project Planning
(6) Governance Structure, Policies & Procedures
(7) Communication, Training & Awareness
(8) Establish Detection Indicators
(9) Data & Tool Requirements
(10) Data Fusion
(11) Analysis & Incident Management
(12) Management Reporting
(13) Feedback & Lessons Learned
VZ Corporate Security: x x x x x x x (coverage marks as shown on the slide)
The Corporate Security Insider Threat Program (ITP) began in its current form in 2010 with the addition of the V&V program. The program shifted from silos to an integrated framework based on the 13 traditional US-CERT elements of a formal ITP.
When the ITP is engaged, especially in environments that have not gone through the traditional clearance process, we see immediate evidence of non-compliance in all categories.
As the ITP is embedded with the business and matures, we see sustainable categorical improvements, severity of issues decrease or level off and business response to issues improves:
• Global finding to review ratio decreased 30%. On-time resolution of findings increased by 32%
• Occurrence of severe issues reduced from common to rare
• Mean time to resolve issues dropped below target from a peak average of 70 days to an average of 2.3 days
• Occurrence of top four categorical finding types continues to decline
Missteps which lead to Insider Threat
• Assuming that Serious Insider Problems are in someone else’s organization
• Disproportionate reliance on background checks, policy or contracts, assuming these will care for potential concerns
• Assuming that indicators will be interpreted properly… or assuming that all environments have indicators to interpret
• Relying solely on periodic quality checks, or assuming that Cyber Security Rules are followed because of vendor agreements
• Assuming employees or vendors are aware and savvy around security controls
• Assuming that only intentional actions will cause damage
• Relying on a heavy, reactive response capability in lieu of an integrated, preventative programmatic approach
• Not knowing the security posture of day to day activities in international vendor environments
Does your contract establish cyber penalties, or financial (or other) impact for cyber non compliance?
a. Yes
b. No
How satisfied were you with today’s program/session?
a. Thought it was great
b. Very Satisfied
c. Slightly satisfied
d. Dissatisfied