

  • Number of slides: 22

CORPORATE CYBER SECURITY INSIDER THREATS
Dan Maloney

Insider Threat - Traveler Case Study

An Executive travelled to a restricted country on a visit declared as personal:
• Took a personal flight, later expensed to Verizon;
• Required a subordinate to travel at Verizon expense;
• Conducted Verizon business without the appropriate travel visa;
• Took a Verizon-issued smart phone and laptop to other countries without making the appropriate Export Declaration;
• Received gifts of travel and lodging without prior approval of the Office of Ethics and Business Conduct.

This case was caught by a diligent VPN investigator with a sharp eye and management support. What is the linkage between detection and investigation?

Insider Threat - Vendor Case Study
• Foreign company ownership
• Offshoring provisioning non-compliance
• Subcontracted without approval
• Expired contracts
• Fraudulent transactions

Don’t rely on the contract for compliance.

Confidential and proprietary materials for authorized Corporate personnel and outside agencies only. Use, disclosure or distribution of this material is not permitted to any unauthorized persons or third parties except by written a

Insider Threat in the News
• “Edward Snowden Used Inexpensive ‘Web Crawler’ to Hack NSA Networks” – HGN News
• “Home Depot hackers used vendor log-on to steal data, emails” – USA Today
• “Target Earnings Slide 46% After Data Breach” – Wall Street Journal
• “AT&T Admits Insider Illegally Accessed Customer Data” – securityweek.com
• “F.B.I. Failed to Act on Spy [Robert Hanssen] Despite Signals, Report Says” – NY Times
• “Encryption Faulted in TJ MAXX Hacking” – Washington Post
• “Fallout from Sony hack may alter how Hollywood conducts business” – LA Times

Were these issues the end results of existing weaknesses?

Architecture of the Insider Threat Program

[Diagram; only the labels survive extraction.]
• Event and log sources: Audit, AP, IM, USB, DLP, Email, VPN, Proxy, CITRIX
• Partnerships: 3rd Party Team, Corporate Policies, Supplier Security Baseline, Active Sync, Code of Conduct, HR/EEO, Network Security Baseline, Global Ops. Policy, Enterprise Clean Room Requirements, Secured Work Space Requirements, Vendor Contract, Project Clearance, Lines of Business (LoBs), VECIRT, IT Audit
• Environmental, legal, best practice and government baselines (domestic/international): Local Laws, ISO 2700x, PCI DSS, DoD 5200.28, DoD 5240.26, NIST SP 800, E.O. 13587

Protecting Our House

Historical Approach
• “Lock the doors and windows”

Changing Landscape
• Insider Threat is a reality in Public and Private Sectors
• Softening Perimeter - Demand for remote access
• Focus on governance from contract through end of life
• Expanded Geographic Presence
• Bring Your Own Device / Mobile Computing
• Loss of Intellectual Property

Evolving Security
• Understand what “good” looks like and look for meaningful differences
• Environment analysis and baselining
• Anomaly detection and response
• Big data analytics
• Intelligence fusion
• Comprehensive Security, Monitoring, Logging and Digital Analytics

Timeline (2002 – 2014)

2002 – Reactive
Prior to 2006, the security of data assets was treated as an ‘add-on’ after the business was already in operation. The focus of security was primarily on the physical perimeter. It was primarily focused on preventing external attacks through traditional site monitoring (cameras and badges). Auditing of the environment was random and typically in response to an issue that had already occurred. Data was protected by weak controls and was not treated as a valued asset.

2004 – Gap Awareness
Security assurance was unsustainable & unpredictable. To address growing concerns, Security expanded to provide enhanced support to the business. Security instituted additional internal legal, monitoring, and assurance services which could address insider threats from vendors, contractors and employees.

2008 – Business Enabling
Global clearance council increases focus on offshore data control and access.

2010 – 2014
V&V begins regular reviews of control effectiveness globally to provide dedicated and ad-hoc support to the business. GSOC institutes monitoring services capable of detecting malicious activity internationally.

Cyber capability evolution… Silo to Integrated

[Diagram of the program’s functions; labels recovered from extraction.]
• FRAUD: Investigate Fraud Allegations; Technical Resource for Legal, HR, Privacy, etc.
• FORENSICS: Secured Digital Evidence Collection & Forensic Analysis; 2nd Level Investigation Support
• ANALYTICS (V&V)
• STS: Secure Data Storage; Sensitive Application Development; Maintenance and Support of Critical Systems
• GSOC: Enterprise Network Content Inspection; Cyber Event Analysis; High Risk User Monitoring

V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information.

V&V Security Analytics categorizes issues by type and severity in order to analyze trends in control vulnerabilities based on geography and ownership. The results of analysis often allow us to take corrective measures before a problem occurs. This has led to an overall decrease in the number of exposure opportunities as well as stronger compliance with company standards.

V&V is able to influence mitigation strategies by working with project owners to find solutions which will meet their operational goals and enable the business to function more securely.

The capabilities of the Insider Threat Program are being deployed in the known high risk vendors and locations. The Program is not everywhere, and does not cover all locations, or high risk vendors or environments.

Evolution of Operational Insider Risk Program

Effectiveness is measured by changing business behavior.

[Diagram of the Insider Threat Framework; labels recovered from extraction.]
• Event Collectors: Data Centers, VPN, E-Mail, Messaging Servers, Proxy, Workstations, USB, Smartphones and Devices, GPS Location, Content inspection, DLP reports, High risk user reports, VPN Alerts
• Security, Contracts & Clearance: Contracts, Audit reports, Corp Security
• Stakeholders: Legal, HR/EEO, CIRT, LOB IT, V&V
• Personnel / HR Data: Risk Profile, Personnel Data, Network Access, Operations Data, RIF List, EEO, Investigation
• Transaction based • Clearance • Contract Support • Due diligence

Identifying the Threat

Event log: Active Directory
2014-03-10 22:01:02  Host Name: dummyhost  Assigned IP: 127.0.0.1  User: V123XXX  Event Type: Windows Successful Logon  Host: dummyhost  Domain: MYDomain

Event log: Symantec
2014-03-10 22:04:22  Host Name: dummyhost  User: V123XXX  Filename: Corporate_Secret Sauce  Process Name: C:/Windows  Log files written to USB drive

Event log: PROXY
2014-03-10 22:06:15  Source IP: 127.0.0.1  User: V4123XXX  URL: http://dropbox.com  ACTION: UPLOAD  Category: Online Storage

Event log: Content Inspection
2014-03-10 22:06:16  Source IP: 127.0.0.1  URL: http://dropbox.com/  Filename: Corporate_Secret Sauce  File CONTENT: CONFIDENTIAL  Category Policy: Confidential

Correlated data creates the bigger picture:

Correlated data
2014-03-10 22:06:20  User: V4123XXX  Host Name: dummyhost  URL: http://dropbox.com/  ACTION: UPLOAD  Filename: Corporate_Secret Sauce  File CONTENT: Corporate CONFIDENTIAL

“The whole is greater than the sum of the individual parts.”
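The correlation this slide describes, written out as an added Python example that is not part of the original deck: four constructed events (field names, the ten-minute window and the illustrative values are assumptions modelled on the slide) are joined on host, with proxy and content-inspection events attributed to a host through the IP assigned in the Active Directory logon event, and a record is emitted only when a logon is followed by a USB write, an online-storage upload and a CONFIDENTIAL content hit on the same file.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample events modelled on the four log sources on the slide (illustrative values).
EVENTS = [
    {"src": "AD", "ts": "2014-03-10 22:01:02", "host": "dummyhost", "ip": "127.0.0.1",
     "user": "V123XXX", "event": "Windows Successful Logon"},
    {"src": "Symantec", "ts": "2014-03-10 22:04:22", "host": "dummyhost", "user": "V123XXX",
     "filename": "Corporate_Secret Sauce", "event": "File written to USB drive"},
    {"src": "PROXY", "ts": "2014-03-10 22:06:15", "ip": "127.0.0.1", "user": "V123XXX",
     "url": "http://dropbox.com", "action": "UPLOAD", "category": "Online Storage"},
    {"src": "ContentInspection", "ts": "2014-03-10 22:06:16", "ip": "127.0.0.1",
     "url": "http://dropbox.com/", "filename": "Corporate_Secret Sauce", "content": "CONFIDENTIAL"},
    # Benign noise on another host: a logon with no follow-on activity (constructed).
    {"src": "AD", "ts": "2014-03-10 22:02:00", "host": "otherhost", "ip": "10.0.0.5",
     "user": "V999XXX", "event": "Windows Successful Logon"},
]

def correlate(events, window=timedelta(minutes=10)):
    """Return one record per logon that is followed within `window` on the same host by a
    USB write of a file, an upload to online storage, and a content-inspection hit marking
    that same file CONFIDENTIAL. Proxy/inspection events carry only an IP, so they are
    attributed to a host via the IP assigned in the AD logon event (the pivot)."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO timestamps sort as strings
    ip_to_host, by_host = {}, {}
    for e in events:
        if e["src"] == "AD":
            ip_to_host[e["ip"]] = e["host"]          # pivot: assigned IP -> host
        host = e.get("host") or ip_to_host.get(e.get("ip"))
        if host:                                      # drop what cannot be attributed
            by_host.setdefault(host, []).append(dict(e, host=host))
    records = []
    for host, evs in by_host.items():
        for logon in (e for e in evs if e["src"] == "AD"):
            t0 = datetime.strptime(logon["ts"], FMT)
            span = [e for e in evs if t0 <= datetime.strptime(e["ts"], FMT) <= t0 + window]
            uploads = [e for e in span if e["src"] == "PROXY" and e.get("action") == "UPLOAD"]
            hits = {e["filename"] for e in span
                    if e["src"] == "ContentInspection" and e.get("content") == "CONFIDENTIAL"}
            for usb in (e for e in span if e["src"] == "Symantec"):
                if uploads and usb["filename"] in hits:   # all three pieces line up
                    records.append({"ts": uploads[0]["ts"], "user": logon["user"], "host": host,
                                    "url": uploads[0]["url"], "action": "UPLOAD",
                                    "filename": usb["filename"], "content": "CONFIDENTIAL"})
    return records
```

Any one of the four sources on its own is unremarkable; the record only exists because the AD logon supplies the IP-to-host mapping that lets the proxy and inspection events be tied to the USB write.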

V&V: Extending the Security Ecosystem

V&V MISSION
V&V verifies that the controls defined by a project’s governance exist in the implementation space, and validates that those controls are working effectively to prevent the egress of sensitive information or the intrusion of unauthorized persons into the network. V&V’s directive extends that of the typical audit function to implement appropriate mitigation responses that will support the mission of the business.

V&V deploys embedded regional IST program managers and operational personnel in a “tactical spread” fashion in order to have proximity and capability in areas with high volume of VZ business activities.

Primary Responsibilities & Capabilities

Compliance Activities
• Governance Reviews
• Contract Reviews
• Investigation Support

Monitoring Activities
• Citrix & Smart Auditor
• Log Analysis
• Walkthroughs

Consulting Activities
• Contract & Clearance
• Mergers & Acquisitions
• Pre-assessments

Improvement – 2012-2014

Insider Risk Reporting
New vendor engagement

Program Evolution

The Corporate Security Insider Threat Program (ITP) began in its current form in 2010 with the addition of the V&V program. The program shifted from silos to an integrated framework based on the 13 traditional U.S. CERT elements of a formal ITP:
(1) Initial Planning
(2) Identify Stakeholders
(3) Achieve & Sustain Leadership Buy-in
(4) Risk Management Process
(5) Detailed Project Planning
(6) Governance Structure, Policies & Procedures
(7) Communication, Training & Awareness
(8) Data & Tool Requirements
(9) Establish Detection Indicators
(10) Data Fusion & Analysis
(11) Incident Management
(12) Management Reporting
(13) Feedback & Lessons Learned

When the ITP is engaged, especially in environments that have not gone through the traditional clearance process, we see immediate evidence of non-compliance in all categories. As the ITP is embedded with the business and matures, we see sustainable categorical improvements, severity of issues decrease or level off, and business response to issues improves:
• Global finding-to-review ratio decreased 30%. On-time resolution of findings increased by 32%.
• Occurrence of severe issues reduced from common to rare.
• Mean time to resolve issues dropped below target from a peak average of 70 days to an average of 2.3 days.
• Occurrence of top four categorical finding types continues to decline.

Missteps which lead to Insider Threat
• Assuming that Serious Insider Problems are in someone else’s organization
• Assuming that indicators will be interpreted properly… or assuming that all environments have indicators to interpret
• Disproportionate reliance on background checks, policy or contracts, assuming these will care for potential concerns
• Relying solely on periodic quality checks, or assuming that Cyber Security Rules are followed because of vendor agreements
• Assuming employees or vendors are aware and savvy around security controls
• Assuming that only intentional actions will cause damage
• Relying on a heavy, reactive response capability in lieu of an integrated, preventative programmatic approach
• Not knowing the security posture of day-to-day activities in international vendor environments

Do you have an Insider Threat Mitigation Program?
a. Yes
b. No

Do you think you need one?
a. Yes
b. No

Does your contract establish cyber penalties, or financial (or other) impact for cyber non-compliance?
a. Yes
b. No

How satisfied were you with today’s program/session?
a. Thought it was great
b. Very Satisfied
c. Slightly satisfied
d. Dissatisfied