Terry Ray, VP Global Security Engineering

The Insider's View To Insider Threats

© 2012 Imperva, Inc.  All rights reserved.

Agenda

+ Insider Threat Research in the Past
+ Our Methodology
+ Common Practices

UK: Taking it with them when they go

70% of employees plan to take something with them when they leave the job

+ Intellectual Property: 27%
+ Customer data: 17%

Over 50% feel they own it

Source: November 2010 London Street Survey of 1026 people, Imperva

Human nature at work?

62% took data when they left a job

56% admit internal hacking

70% of Chinese admit to accessing information they shouldn’t

36% feel they own it

Source: February 2011 Shanghai and Beijing Street Survey of 1012 people, Imperva

Insider Threat Research in the Past

Didn’t provide a holistic approach and often focused on piecemeal activities, such as:

+ Threat modeling
+ Technology

Vendor centric: Focus on the latest three-letter acronym (TLA) approach.

Difficult to implement.

Our Methodology

Jim’s Approach: Start with 1,435 good companies. Examine their performance over 40 years. Find the 11 companies that became great.

Our Approach: Start with 1,000 good companies. Examine their breach history. Examine the 30 companies that became great.

Our Sample

Global Audience: Enterprises across five continents.

Many Shapes and Sizes: Multiple verticals across a broad revenue spectrum.

Insider Threat Defined

Someone who has trust and access and acquires intellectual property and/or data in excess of acceptable business requirements. They do so:

+ Maliciously
+ Accidentally
+ By being compromised

The Catalog

#1 Information security enables the business to grow, but grow securely

Practice #1: Building A Business Case

What: Understand appetite for business risk and work with business to put a plan in place.

How:

+ Work with line of business, speak to the right people, and understand what they protect and how much they would be willing to protect, early in the process.
+ Make it personal
+ Explain how to strengthen the business.
+ Use compliance to differentiate
+ Create informal teams

Practice #2: Build the A-Team

What: Organizational model

Two approaches:

+ Centralized model: one team that oversees all security.
+ Decentralized model: Embed security with various business units

Practice #3: Work with HR

What: InfoSec works with HR during the onboarding and offboarding process as well as when implementing security programs.

Checklist:

+ Training and communications around security.
+ Onboarding
  – Background checks
  – Psych testing
+ Violations
+ Terminations

Practice #4: Work with Legal

What: Creating a legal environment that promotes security.

How:

+ Create scary legal policies; for example, implement compliance and legal policies around onboarding and offboarding.
+ Contract reviews with partners.
+ Approve policies (email usage, network usage, social networks usage, care of laptops and other portable devices, monitoring of user behavior).

Practice #5: Education

What: Education programs to raise security awareness and efficacy.

How:

+ Regular security training to cover threats and LOB role.
  – Ideally done twice per year.
  – Training is constant and uses real world episodes: email, newsletters, and is not subject to timing.
  – Online security awareness training
+ Educate yourself!

#2 Prioritizing

Practice #1: Size the Challenge

What: Identify what makes your company unique

How (Checklist):

+ Build a full employee inventory: total, transient, permanent, mobility, access restrictions
+ Partner profiling
+ Map threats
  – Identify malicious scenarios
  – Identify accidental scenarios
+ Define audit requirements
+ Define visibility requirements

Practice #2: Start small, think BIG

What: Know who and what to secure.

How:

+ Don’t get inundated by data.
+ Build and parse an inventory of what needs to be secured
+ Put in the basic controls and then build
+ Determine what needs to be automated

Practice #3: Automation

What: Automate certain security processes.

How: Find what systems you can automate, such as:

+ Online training
+ System inventory by an automated server discovery process
+ Fraud prevention
+ Provisioning and de-provisioning privileges
+ Employee departure (HR system can notify the IT immediately and remove the permissions)
+ Clean up of dormant accounts
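
The employee-departure and dormant-account items on this slide can be automated as a reconciliation of the HR roster against the account directory. The following is an added example, not part of the original deck; the record layouts, the 90-day dormancy threshold and all sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names are assumptions, not from the deck.
HR_ROSTER = {  # employee_id -> (status, last_day or None)
    "e100": ("active", None),
    "e101": ("terminated", date(2012, 3, 30)),
    "e102": ("active", None),
}
ACCOUNTS = [  # (account, owner_employee_id, enabled, last_login)
    ("asmith", "e100", True, date(2012, 4, 9)),
    ("bjones", "e101", True, date(2012, 4, 2)),    # used after owner left
    ("cdoe", "e102", True, date(2011, 11, 1)),     # owner active, unused
    ("svc_old", "e999", True, date(2011, 6, 15)),  # owner unknown to HR
    ("dlee", "e101", False, date(2012, 3, 29)),    # already disabled
]


def review_accounts(roster, accounts, today, dormant_days=90):
    """Return {account: [reasons]} for enabled accounts that need action."""
    findings = {}
    for name, owner, enabled, last_login in accounts:
        if not enabled:
            continue  # nothing left to de-provision
        reasons = []
        status, last_day = roster.get(owner, ("unknown", None))
        if status == "unknown":
            reasons.append("orphaned: owner not in HR roster")
        elif status == "terminated":
            reasons.append("owner terminated")
            # A login after the last working day is worth investigating,
            # not just disabling.
            if last_day and last_login > last_day:
                reasons.append("login after last day")
        if (today - last_login).days > dormant_days:
            reasons.append("dormant")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for account, why in review_accounts(HR_ROSTER, ACCOUNTS,
                                        date(2012, 4, 10)).items():
        print(account, "->", ", ".join(why))
```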

#3 Access Controls

Practice #1: Quis custodiet ipsos custodes?

What: Lock down admins and superusers and develop a separate policy.

How:

+ Use business owner to verify.
+ Privileged user monitoring
+ Periodic review by business
+ Eliminate dormant accounts
+ Separate policies for administrators

Practice #2: Develop a Permissions Strategy

What: A permissions structure that is comprehensive and flexible.

How:

+ Use business owner to verify.
+ Start with permissions discovery
+ Recognize key events:
  – Job changes
  – Terminations
  – Sensitive transactions should require additional approvals to prevent fraud.
  – Cloud
+ Automate

Practice #3: Look for Aberrant Behavior

What: Weirdness probably means trouble.

How:

+ Profile normal, acceptable usage and access to sensitive items by
  – Volume
  – Access speed
  – Privilege level
+ Put in place monitoring or “cameras in the vault.”
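
The profiling this slide describes (volume, access speed, privilege level) can be implemented as a per-user baseline that later activity is compared against. This is an added example, not part of the original deck; the audit-record layout, the 3-sigma threshold with a minimum spread, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records: (user, day, rows_read, minutes_active, privilege)
BASELINE = [
    ("alice", 1, 120, 60, "read"), ("alice", 2, 150, 75, "read"),
    ("alice", 3, 110, 50, "read"), ("alice", 4, 140, 70, "read"),
    ("bob", 1, 40, 30, "read"), ("bob", 2, 55, 35, "read"),
    ("bob", 3, 45, 30, "read"), ("bob", 4, 60, 40, "read"),
]
TODAY = [
    ("alice", 5, 130, 65, "read"),   # ordinary day
    ("bob", 5, 9000, 12, "read"),    # bulk read, very fast
    ("alice", 6, 125, 60, "admin"),  # normal volume, unusual privilege
]


def build_profiles(records):
    """Per-user baseline: volume stats, speed stats, privilege levels seen."""
    grouped = defaultdict(list)
    for user, _day, rows, minutes, priv in records:
        grouped[user].append((rows, rows / max(minutes, 1), priv))
    return {
        user: {
            "volume": (mean(o[0] for o in obs), pstdev(o[0] for o in obs)),
            "speed": (mean(o[1] for o in obs), pstdev(o[1] for o in obs)),
            "privileges": {o[2] for o in obs},
        }
        for user, obs in grouped.items()
    }


def exceeds(value, stats, k, floor):
    # floor keeps a very steady baseline from alerting on tiny changes
    mu, sigma = stats
    return value > mu + k * max(sigma, floor)


def find_aberrations(profiles, records, k=3.0):
    alerts = []
    for user, day, rows, minutes, priv in records:
        p = profiles.get(user)
        if p is None:  # no baseline yet: surface it rather than skip it
            alerts.append((user, day, ["no_baseline"]))
            continue
        speed = rows / max(minutes, 1)
        checks = [("volume", exceeds(rows, p["volume"], k, floor=10)),
                  ("speed", exceeds(speed, p["speed"], k, floor=1.0)),
                  ("privilege", priv not in p["privileges"])]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            alerts.append((user, day, reasons))
    return alerts
```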

Practice #4: Device Management

What: Dealing with company and personal devices.

How:

+ View data theft as a function of aberrant behavior
+ Put controls and monitoring on apps and databases.
+ Remote wipe.

#4 Technology

Practice #1: Rebalancing the Portfolio

What: Pick the right technology with constant readjustment.

How:

+ Maps back to threats
+ KEY: Rebalance your portfolio, periodically assessing what you need and what you don’t.

Thanks