Terry Ray, VP Global Security Engineering
The Insider's View To Insider Threats
© 2012 Imperva, Inc. All rights reserved.

Agenda
+ Insider Threat Research in the Past
+ Our Methodology
+ Common Practices

UK: Taking it with them when they go
70% of employees plan to take something with them when they leave the job
+ Intellectual Property: 27%
+ Customer data: 17%
Over 50% feel they own it
Source: November 2010 London Street Survey of 1026 people, Imperva

Human nature at work?
62% took data when they left a job
56% admit internal hacking
70% of Chinese admit to accessing information they shouldn’t
36% feel they own it
Source: February 2011 Shanghai and Beijing Street Survey of 1012 people, Imperva

Insider Threat Research in the Past
Didn’t provide a holistic approach and often focused on piecemeal activities, such as:
+ Threat modeling
+ Technology
Vendor centric: Focus on the latest three-letter acronym (TLA) approach.
Difficult to implement.

Our Methodology
Jim’s Approach: Start with 1,435 good companies. Examine their performance over 40 years. Find the 11 companies that became great.
Our Approach: Start with 1,000 good companies. Examine their breach history. Examine the 30 companies that became great.

Our Sample
Global Audience: Enterprises across five continents.
Many Shapes and Sizes: Multiple verticals across a broad revenue spectrum.

Insider Threat Defined
Someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements. They do so:
+ Maliciously
+ Accidentally
+ By being compromised

#1 Information security enables the business to grow, but grow securely

Practice #1: Building A Business Case
What: Understand the appetite for business risk and work with the business to put a plan in place.
How:
+ Work with the line of business, speak to the right people, and understand what they protect and how much they would be willing to protect, early in the process.
+ Make it personal
+ Explain how to strengthen the business.
+ Use compliance to differentiate
+ Create informal teams

Practice #2: Build the A-Team
What: Organizational model
Two approaches:
+ Centralized model: one team that oversees all security.
+ Decentralized model: Embed security with various business units

Practice #3: Work with HR
What: InfoSec works with HR during the onboarding and offboarding process as well as implementing security programs
Checklist:
+ Training and communications around security.
+ Onboarding
  – Background checks
  – Psych testing
+ Violations
+ Terminations

Practice #4: Work with Legal
What: Creating a legal environment that promotes security.
How:
+ Create scary legal policies, for example, implement compliance and legal policies around onboarding and offboarding.
+ Contract reviews with partners.
+ Approve policies (email usage, network usage, social networks usage, care of laptops and other portable devices, monitoring of user behavior).

Practice #5: Education
What: Education programs to raise security awareness and efficacy.
How:
+ Regular security training to cover threats and LOB role.
  – Ideally would like to be done twice per year.
  – Training is constant and uses real world episodes: email, newsletters, and is not subject to timing.
  – Online security awareness training
+ Educate yourself!

Practice #1: Size the Challenge
What:
+ Identify what makes your company unique
How (Checklist):
+ Build a full employee inventory: total, transient, permanent, mobility, access restrictions
+ Partner profiling
+ Map threats
  – Identify malicious scenarios
  – Identify accidental scenarios
+ Define audit requirements
+ Define visibility requirements

Practice #2: Start small, think BIG
What: Know who and what to secure.
How:
+ Don’t get inundated by data.
+ Build and parse an inventory of what needs to be secured
+ Put in the basic controls and then build
+ Determine what needs to be automated

Practice #3: Automation
What: Automate certain security processes.
How: Find what systems you can automate, such as:
+ Online training
+ System inventory by an automated server discovery process
+ Fraud prevention
+ Provisioning and de-provisioning privileges
+ Employee departure (HR system can notify IT immediately and remove the permissions)
+ Clean up of dormant accounts

#3 Access Controls

Practice #1: Quis custodiet ipsos custodes?
What: Lock down admins and superusers and develop a separate policy.
How:
+ Use business owner to verify.
+ Privileged user monitoring
+ Periodic review by business
+ Eliminate dormant accounts
+ Separate policies for administrators
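
One way to automate the account hygiene named in "Practice #3: Automation" (employee departure, clean up of dormant accounts) and in this slide ("Eliminate dormant accounts"), as an added example that is not part of the original deck. The roster and account layouts, the sample records and the 90-day dormancy threshold are assumptions made for illustration.

```python
from datetime import date, timedelta

DORMANT_AFTER = timedelta(days=90)  # assumed threshold, not from the slides

# Constructed sample data: an HR roster export and a directory account export.
HR_ROSTER = {
    "alice": "active",
    "bob": "terminated",
    "carol": "active",
}
ACCOUNTS = [
    {"user": "alice", "last_login": date(2012, 5, 28), "admin": False, "enabled": True},
    {"user": "bob", "last_login": date(2012, 5, 30), "admin": False, "enabled": True},
    {"user": "carol", "last_login": date(2012, 1, 10), "admin": True, "enabled": True},
    {"user": "svc_backup", "last_login": None, "admin": True, "enabled": True},
    {"user": "dave", "last_login": date(2011, 11, 2), "admin": False, "enabled": False},
]


def classify(account, roster, today):
    """Return the reason an enabled account needs action, or None."""
    if not account["enabled"]:
        return None
    status = roster.get(account["user"])
    if status is None:
        return "no HR owner"        # no business owner can verify this access
    if status == "terminated":
        return "owner departed"     # the HR departure event never reached IT
    last = account["last_login"]
    if last is None or today - last > DORMANT_AFTER:
        return "dormant"
    return None


def review_queue(accounts, roster, today):
    """List (user, reason, admin) for accounts needing action, admins first."""
    queue = []
    for account in accounts:
        reason = classify(account, roster, today)
        if reason:
            queue.append((account["user"], reason, account["admin"]))
    # Privileged accounts sort first, then alphabetically by user name.
    return sorted(queue, key=lambda item: (not item[2], item[0]))


if __name__ == "__main__":
    for user, reason, admin in review_queue(ACCOUNTS, HR_ROSTER, date(2012, 6, 1)):
        print(f"{user:12} {'admin' if admin else 'user':6} {reason}")
```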

Practice #2: Develop a Permissions Strategy
What: A permissions structure that is comprehensive and flexible.
How:
+ Use business owner to verify.
+ Start with permissions discovery
+ Recognize key events:
  – Job changes
  – Terminations
  – Sensitive transactions should require additional approvals to prevent fraud.
  – Cloud
+ Automate

Practice #3: Look for Aberrant Behavior
What: Weirdness probably means trouble.
How:
+ Profile normal, acceptable usage and access to sensitive items by
  – Volume
  – Access speed
  – Privilege level
+ Put in place monitoring or “cameras in the vault.”
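
The profiling this slide describes, as an added example that is not part of the original deck: a per-user baseline is built from past sessions and each new session is checked on the slide's three dimensions. The session record layout, the privilege scale, the sample data and the median-plus-MAD limit are assumptions chosen for illustration.

```python
from statistics import median

# Constructed baseline: (user, rows_read, seconds, privilege_level) per session
# against a sensitive table. Assumed privilege scale: 0=read, 1=write, 2=admin.
HISTORY = [
    ("jlee", 120, 60, 0), ("jlee", 90, 45, 0), ("jlee", 150, 70, 0),
    ("jlee", 110, 50, 0), ("jlee", 130, 65, 0),
    ("dba1", 5000, 300, 2), ("dba1", 4200, 280, 2), ("dba1", 6100, 350, 2),
]


def robust_limit(values, k=5.0):
    """Median + k * MAD: an upper bound that a few outliers cannot drag up."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad, 0.05 * med)  # floor avoids a zero-width band


def build_profiles(history):
    """Summarise each user's normal volume, access speed and privilege."""
    raw = {}
    for user, rows, secs, priv in history:
        p = raw.setdefault(user, {"rows": [], "rate": [], "priv": 0})
        p["rows"].append(rows)
        p["rate"].append(rows / max(secs, 1))
        p["priv"] = max(p["priv"], priv)
    return {u: {"max_rows": robust_limit(p["rows"]),
                "max_rate": robust_limit(p["rate"]),
                "max_priv": p["priv"]} for u, p in raw.items()}


def check(profiles, user, rows, secs, priv):
    """Return the dimensions on which this session departs from the baseline."""
    prof = profiles.get(user)
    if prof is None:
        return ["no baseline"]
    flags = []
    if rows > prof["max_rows"]:
        flags.append("volume")
    if rows / max(secs, 1) > prof["max_rate"]:
        flags.append("access speed")
    if priv > prof["max_priv"]:
        flags.append("privilege level")
    return flags
```

Each user is judged against their own history, so the same 5,500-row read that is routine for `dba1` would be flagged for `jlee`.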

Practice #4: Device Management
What: Dealing with company and personal devices.
How:
+ View data theft as a function of aberrant behavior
+ Put controls and monitoring on apps and databases.
+ Remote wipe.

Practice #1: Rebalancing the Portfolio
What: Pick the right technology with constant readjustment.
How:
+ Maps back to threats
+ KEY: Rebalance your portfolio, periodically assessing what you need and what you don’t.