The Insider's Guide to the Insider Threat

Rob Rachwald, Director of Security Strategy
The Insider's Guide To Insider Threats
© 2012 Imperva, Inc. All rights reserved.

description

The source and scope of data theft are often hard to pinpoint, especially since your largest internal threat may actually be one of your most loyal employees. This presentation shares the findings of the first-ever global insider threat study that catalogs common practices used by leading organizations across numerous verticals. It defines the insider threat, quantifies the prevalence of the problem, and uncovers the controls that have proven most effective at minimizing the risk of insider threats.

Transcript of The Insider's Guide to the Insider Threat

Page 1: The Insider's Guide to the Insider Threat

Rob Rachwald Director of Security Strategy

The Insider's Guide To Insider Threats

Page 2: The Insider's Guide to the Insider Threat

Agenda

+ Past Insider Threat Research
+ Our Methodology
+ Common Practices

Page 3: The Insider's Guide to the Insider Threat

Today’s Presenter: Rob Rachwald, Dir. of Security Strategy, Imperva

Research
+ Directs security strategy
+ Works with the Imperva Application Defense Center

Security experience
+ Fortify Software and Coverity
+ Helped secure Intel’s supply chain software
+ Extensive international experience in Japan, China, France, and Australia

Thought leadership
+ Presented at RSA, InfoSec, OWASP, ISACA
+ Appearances on CNN, SkyNews, BBC, NY Times, and USA Today

Graduated from University of California, Berkeley

Page 4: The Insider's Guide to the Insider Threat

United Kingdom: Taking it with them when they go

70% of employees plan to take something with them when they leave the job
+ Intellectual property: 27%
+ Customer data: 17%

Over 50% feel they own the data

Source: November 2010 London Street Survey of 1026 people, Imperva

Page 5: The Insider's Guide to the Insider Threat

Shanghai and Beijing: Human nature at work?

+ 62% took data when they left a job
+ 56% admit to internal hacking
+ 70% of Chinese admit to accessing information they shouldn’t have
+ 36% feel they own the data

Source: February 2011 Shanghai and Beijing Street Survey of 1012 people, Imperva

Page 6: The Insider's Guide to the Insider Threat

Insider Threat Research in the Past

Did not provide a holistic approach and often focused on piecemeal activities, such as:
+ Threat modeling
+ Technology

Vendor centric: Focused on the latest three-letter acronym (TLA) approach

Difficult to implement

Page 7: The Insider's Guide to the Insider Threat

Our Methodology

Jim’s Approach
Start with 1,435 good companies. Examine their performance over 40 years. Find the 11 companies that became great.

Our Variation
Start with 1,000 good companies.
+ Collect good practices.
+ But harder to qualify statistically.

Page 8: The Insider's Guide to the Insider Threat

Our Sample

Global Audience
Enterprises across five continents.

Many Shapes and Sizes
Multiple verticals across a broad revenue spectrum.

Page 9: The Insider's Guide to the Insider Threat

Insider Threat Defined

Someone who has trust and access, and acquires intellectual property and/or data in excess of acceptable business requirements.

They do so:
+ Maliciously
+ Accidentally
+ By being compromised

Page 10: The Insider's Guide to the Insider Threat

The Catalog

Page 11: The Insider's Guide to the Insider Threat

#1 Information security enables the business to grow, but grow securely

Page 12: The Insider's Guide to the Insider Threat

Practice #1: Building a Business Case

What:
+ Understand appetite for business risk and work with business to put a plan in place

How:
+ Work with line of business and speak to the right people, and understand what they protect and how much they would be willing to protect — early in the process
+ Make it personal
+ Explain how to strengthen the business
+ Use compliance to differentiate
+ Create informal teams

Page 13: The Insider's Guide to the Insider Threat

Practice #2: Build the A-Team

What:
+ Organizational model

How (two approaches):
+ Centralized model: one team that oversees all security
+ Decentralized model: Embed security with various business units

Page 14: The Insider's Guide to the Insider Threat

Practice #3: Work with HR

What:
+ InfoSec works with HR during the onboarding and offboarding process as well as implementing security programs

How (checklist):
+ Training and communications around security
+ Onboarding
  – Background checks
  – Psych testing
  – Special screening for executives
+ Violations
+ Terminations

Page 15: The Insider's Guide to the Insider Threat

Practice #4: Work with Legal

What:
+ Create a legal environment that promotes security

How:
+ Create scary legal policies, for example, implement compliance and legal policies around on and offboarding
+ Contract reviews with partners
+ Approve policies (email usage, network usage, social network usage, care of laptops and other portable devices, monitoring of user behavior)

Page 16: The Insider's Guide to the Insider Threat

Practice #5: Education

What:
+ Education programs to raise security awareness and efficacy

How:
+ Regular security training to cover threats and LOB role
  – Ideally, twice per year
  – Constant training that uses real world episodes (email, newsletters) that are not subject to timing
  – Online security awareness training
+ Educate yourself!

Page 17: The Insider's Guide to the Insider Threat

#2 Prioritizing

Page 18: The Insider's Guide to the Insider Threat

Practice #1: Size the Challenge

What:
+ Identify what makes your company unique

How (checklist):
+ Build a full employee inventory: total, transient, permanent, mobility, access restrictions
+ Partner profiling
+ Map threats
  – Identify malicious scenarios
  – Identify accidental scenarios
+ Define audit requirements
+ Define visibility requirements

Page 19: The Insider's Guide to the Insider Threat

Practice #2: Start small, think BIG

What:
+ Know who and what to secure

How:
+ Do not become inundated by data
+ Build and parse an inventory of what needs to be secured
+ Put in the basic controls, and then build
+ Determine what needs to be automated

Page 20: The Insider's Guide to the Insider Threat

Practice #3: Automation

What:
+ Automate certain security processes

How:
+ Find what systems you can automate, such as:
  – Online training
  – System inventory by an automated server discovery process
  – Fraud prevention
  – Provisioning and de-provisioning privileges
  – Employee departure (HR systems can notify IT immediately and remove permissions)
  – Clean-up dormant accounts

Page 21: The Insider's Guide to the Insider Threat

#3 Access Controls

Page 22: The Insider's Guide to the Insider Threat

Practice #1: Quis custodiet ipsos custodes?

What:
+ Lock down admins and superusers, and develop a separate policy

How:
+ Use business owner to verify
+ Privileged user monitoring
+ Periodic review by business
+ Eliminate dormant accounts
+ Separate policies for administrators

Page 23: The Insider's Guide to the Insider Threat

Practice #2: Develop a Permissions Strategy

What:
+ Permissions structure that is comprehensive and flexible

How:
+ Use business owner to verify
+ Start with permissions discovery
+ Recognize key events:
  – Job changes
  – Terminations
  – Sensitive transactions should require additional approvals to prevent fraud
  – Cloud
+ Automate
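
The key events on this slide (job changes, terminations) and the de-provisioning and dormant-account items from the Automation slide can be driven from one HR feed. The sketch below is an added example, not part of the original presentation; the role catalogue, account records, event format and 90-day dormancy threshold are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

# All data below is constructed for illustration.
ROLE_ENTITLEMENTS = {  # what each role may hold, as signed off by its business owner
    "sales": {"crm:read", "crm:write"},
    "finance": {"crm:read", "ledger:read", "ledger:write"},
}
ACCOUNTS = {
    "alice": {"role": "sales", "grants": {"crm:read", "crm:write"},
              "last_login": date(2012, 5, 28)},
    "bob": {"role": "sales", "grants": {"crm:read", "crm:write"},
            "last_login": date(2012, 5, 30)},
    "carol": {"role": "sales", "grants": {"crm:read"},
              "last_login": date(2012, 5, 29)},
    "dave": {"role": "finance", "grants": {"ledger:read"},
             "last_login": date(2012, 1, 10)},
}
HR_EVENTS = [  # hypothetical feed that HR pushes to IT
    {"type": "job_change", "user": "bob", "new_role": "finance"},
    {"type": "termination", "user": "carol"},
]
TODAY = date(2012, 6, 1)  # constructed "current" date

def plan_changes(accounts, hr_events, today, dormant_after=timedelta(days=90)):
    """Return {user: [actions]} for review; nothing is applied here."""
    terminated = {e["user"] for e in hr_events if e["type"] == "termination"}
    new_roles = {e["user"]: e["new_role"] for e in hr_events
                 if e["type"] == "job_change"}
    plan = {}
    for user, acct in accounts.items():
        grants = acct["grants"]
        if user in terminated:
            actions = ["disable"] + [f"revoke {g}" for g in sorted(grants)]
        else:
            allowed = ROLE_ENTITLEMENTS[new_roles.get(user, acct["role"])]
            # Access outside the (new) role is left over from an old job.
            actions = [f"revoke {g}" for g in sorted(grants - allowed)]
            if user in new_roles:  # new access waits for the business owner
                actions += [f"request-approval {g}" for g in sorted(allowed - grants)]
            if today - acct["last_login"] > dormant_after:
                actions.append("disable-dormant")
        if actions:
            plan[user] = actions
    return plan

if __name__ == "__main__":
    for user, actions in plan_changes(ACCOUNTS, HR_EVENTS, TODAY).items():
        print(user, actions)
```

The function only produces a plan, so the business owner can verify it before anything is revoked.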

Page 24: The Insider's Guide to the Insider Threat

Practice #3: Look for Aberrant Behavior

What:
+ Weirdness probably means trouble

How:
+ Profile normal, acceptable usage and access to sensitive items by…
  – Volume
  – Access speed
  – Privilege level
+ Put in place monitoring or “cameras in the vault”
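
One way to profile normal usage along the three dimensions named on this slide and flag sessions that depart from it. This is an added example, not part of the original presentation; the session records, the numeric privilege scale and the three-deviation threshold are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

# Constructed history per user: (rows_read, seconds, privilege_level) per session.
# privilege_level is a hypothetical ordinal: 1 = read-only ... 3 = admin.
HISTORY = {
    "alice": [(120, 60, 1), (90, 45, 1), (150, 80, 1), (110, 55, 1)],
    "bob": [(40, 30, 2), (55, 40, 2), (35, 25, 2), (50, 35, 2)],
}

def build_profile(sessions):
    """Summarise normal usage: volume, access speed (rows/second), privilege."""
    volumes = [rows for rows, _, _ in sessions]
    speeds = [rows / max(secs, 1) for rows, secs, _ in sessions]
    return {
        "volume": (mean(volumes), pstdev(volumes)),
        "speed": (mean(speeds), pstdev(speeds)),
        "max_priv": max(priv for _, _, priv in sessions),
    }

def exceeds(value, stats, floor, k=3.0):
    """True if value is more than k deviations above the mean.
    floor keeps a very steady user from tripping on tiny changes."""
    mu, sigma = stats
    return value > mu + k * max(sigma, floor)

def aberrations(user, rows, secs, priv, profiles):
    """Return the reasons a session departs from the user's baseline."""
    p = profiles.get(user)
    if p is None:
        return ["no-baseline"]  # access to sensitive data with no history
    reasons = []
    if exceeds(rows, p["volume"], floor=1.0):
        reasons.append("volume")
    if exceeds(rows / max(secs, 1), p["speed"], floor=0.1):
        reasons.append("speed")
    if priv > p["max_priv"]:
        reasons.append("privilege")
    return reasons

PROFILES = {user: build_profile(s) for user, s in HISTORY.items()}

if __name__ == "__main__":
    # Constructed sessions to score against the baselines.
    for session in [("alice", 130, 65, 1), ("alice", 5000, 50, 1),
                    ("alice", 400, 400, 1), ("bob", 45, 30, 3), ("carol", 10, 5, 1)]:
        print(session, aberrations(*session, PROFILES))
```

The slow 400-row session trips only the volume check, which is why volume and access speed are profiled separately.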

Page 25: The Insider's Guide to the Insider Threat

Practice #4: Device Management

What:
+ Manage company and personal devices

How:
+ View data theft as a function of aberrant behavior
+ Put controls and monitoring on apps and databases
+ Remote wipe

Page 26: The Insider's Guide to the Insider Threat

#4 Technology

Page 27: The Insider's Guide to the Insider Threat

Practice #1: Rebalancing the Portfolio

What:
+ Pick the right technology with constant readjustments

How:
+ Map back to threats
+ Key: Rebalance your portfolio periodically and assess what you need and what you don’t!

Page 28: The Insider's Guide to the Insider Threat

Webinar Materials

Post-Webinar Discussions

Answers to Attendee Questions

Webinar Recording Link

Webinar Slides

Join LinkedIn Group Imperva Data Security Direct for…

Page 29: The Insider's Guide to the Insider Threat

www.imperva.com