Charles Herring
Cyber Security Specialist
@charlesherring
Introduction
© 2014 Lancope, Inc. All rights reserved.
Crown Jewels
• Card holder data (PCI)
• Patient records (HIPAA)
• Trade secrets
• Competitive information (M&A)
• Employee data (PII)
• State Secrets
• Customer Data
Data that is valuable to attackers
Why do attackers care?
Attacker         Jewel                  Motivation
Criminals        PCI Data               $4-$12/card
Criminals        Patient Records        $30-$50/record
Activists        Anything               Shaming
State Sponsored  Trade Secrets          Geopolitical
State Sponsored  Patient Records        ?!?!!!!
Insiders         IP and Customer Data   Professional Advantage
[Network diagram: WAN, Datacenter, Access and Core tiers spanning Atlanta, New York and San Jose; devices shown: 3560-X, 3850 Stack(s), Cat4k, Cat6k, ASA, Internet, 3925 ISR, ASR-1000, Nexus 7000, UCS with Nexus 1000v, VPC Servers]
Where to Look?
North, South, EAST AND WEST = Every Communication
How to Look
Signature = Object against blacklist
• IPS, Antivirus, Content Filter
Behavior = Inspect victim behavior against blacklist
• Malware Sandbox, NBAD, HIPS, SIEM
Anomaly = Inspect victim behavior against whitelist
• NBAD, Quantity/Metric based—not Signature based

                  Signature   Behavior   Anomaly
Known Exploits    BEST        Good       Limited
0-day Exploits    Limited     BEST       Good
Credential Abuse  Limited     Limited    BEST
By Data Grouping – Data Inventory
• Find your data
• “Pull the thread” with Top Peers/Flow Tables
• Host Group Policies with lower tolerance
Find your jewels
Data Anomaly Alarms
• Suspect Data Hoarding
• Target Data Hoarding
• Total Traffic
• Suspect Data Loss
Counting Access
Data Hoarding
Data Loss
Map the Segmentation
• Logical vs. Physical
• Map Segmentation
Watch the logical roadways
Custom Events
• Evolution of HLV
• Alert when Segmentation fails
• Allows for NOR logic
Alert on Zero Tolerance
Segmentation Violations
• Logical vs. Physical
• Map Segmentation
Watch the logical roadways
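The segmentation check described on the Custom Events and Segmentation Violations slides, as an added example that is not Lancope's or StealthWatch's code: it maps the endpoints of each flow to a host group and raises a violation for any flow touching a zero-tolerance group that matches none of the allowed rules (the NOR logic above). The host groups, CIDRs, ports and flow records are constructed for illustration.

```python
import ipaddress

# Constructed host groups: name -> CIDRs (an assumed layout, not from the deck)
HOST_GROUPS = {
    "PCI Servers": ["10.10.0.0/24"],
    "Workstations": ["10.20.0.0/16"],
    "Guest WiFi": ["172.16.0.0/16"],
}

# Segmentation policy: the only communications permitted to or from the
# zero-tolerance group. A flow touching that group that matches none of
# these rules is a violation: NOT rule1 AND NOT rule2 ... (NOR logic).
ALLOWED = [
    # (source group, destination group, destination port)
    ("Workstations", "PCI Servers", 443),
]
ZERO_TOLERANCE = {"PCI Servers"}

def group_of(ip):
    """Map an address to its host group, or None if it is in no group."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in HOST_GROUPS.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return None

def check_flow(flow):
    """Return a violation string for a flow that touches a zero-tolerance
    group and matches no allowed rule, else None. flow = (src, dst, dport)."""
    src, dst, port = flow
    sg, dg = group_of(src), group_of(dst)
    if sg not in ZERO_TOLERANCE and dg not in ZERO_TOLERANCE:
        return None  # neither side is a jewel: not on a watched roadway
    for asg, adg, aport in ALLOWED:
        if (sg, dg, port) == (asg, adg, aport):
            return None
    return f"Segmentation violation: {src} ({sg}) -> {dst} ({dg}) port {port}"

def audit(flows):
    """Run every flow through the policy and collect the violations."""
    return [v for v in map(check_flow, flows) if v]

# Constructed sample flows as a collector would export them: (src, dst, dport)
SAMPLE_FLOWS = [
    ("10.20.5.7", "10.10.0.15", 443),   # workstation to PCI over HTTPS: allowed
    ("172.16.3.9", "10.10.0.15", 443),  # guest WiFi reaching PCI: violation
    ("10.20.5.7", "10.10.0.15", 22),    # workstation to PCI on SSH: not whitelisted
    ("10.10.0.15", "172.16.3.9", 80),   # PCI server talking out to guest: violation
    ("10.20.5.7", "172.16.3.9", 80),    # neither side is a jewel: not watched
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```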
Combating Insider Threats – Protecting Your Agency from the Inside Out
Editor's Notes

There are three ways Lancope detects things. For signatures, Lancope augments this with our SLIC Threat Feed. Our StealthWatch Labs group of researchers works with external parties that define and develop URLs and IPs that are known to be bad, which you can put into your system and match against every single conversation in your network. So it's real-time, it's ubiquitous across your enterprise, it's high value. Anomaly detection is our threshold-based alerting, so that when we drop in a system, we are going to create high Concern Index events on day one based on devices that exceed acceptable thresholds of noise. Within our behavior-based system, you have to have thresholds on both the low end and the high end, because the behavior of a host will actually live in between those two areas. What this means is that super slow attackers generating very little traffic will alert below a threshold, and very noisy volumetric DDoS attacks coming in via UDP floods become threshold-based alarms as well. The behavior-based alarms come from the fact that we are building a learned baseline over time: a minimum of seven days to create a baseline, expanding out to 30 days, rolling over time, most heavily weighted on the last couple of weeks of activity. This is where we are able to detect things like worm activity and worm propagation, beaconing hosts, data hoarding and data exfiltration. These are based on statistical conditions that we've learned about you as a user on your network. You the customer have already invested early in signature-based technology, and it is not that that stuff is no longer effective; it is just that your adversary has advanced and so must you. Behavior and anomaly detection methods address the problem of not knowing what you are looking for ahead of time, as in zero-day exploitation.

Behavior-based detection contains the threat and observes the behavior with the objective of dynamically building a blacklist, or a list of bad things. Anomaly detection leverages known good behavior or actions, either inherent to the protocols, statistically collected from the traffic, or asserted by the user; this whitelist, or list of norms, allows detection to be based not on abnormalities but on the differences that make the difference.
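The Data Anomaly Alarms slide and the baseline description in the notes above, as an added example that is not Lancope's or StealthWatch's code: a weighted baseline that needs seven days of history and keeps at most 30, a day-one hard threshold, and the Suspect Data Hoarding / Suspect Data Loss checks run over constructed daily byte counts. The weighting factor, the tolerance, the byte counts and the host names are assumptions; only the high-end threshold is shown.

```python
MIN_DAYS, MAX_DAYS, RECENT_DAYS = 7, 30, 14   # learn for 7 days, keep 30, weight the last 14
RECENT_WEIGHT = 3.0                           # assumed: recent days count three times as much

def baseline(history):
    """Weighted mean of a host's past daily byte totals (oldest first).
    Returns None until MIN_DAYS of history exist, keeps only the newest
    MAX_DAYS, and weights the newest RECENT_DAYS more heavily."""
    if len(history) < MIN_DAYS:
        return None
    window = history[-MAX_DAYS:]
    cutoff = len(window) - RECENT_DAYS
    weights = [RECENT_WEIGHT if i >= cutoff else 1.0 for i in range(len(window))]
    return sum(w * v for w, v in zip(weights, window)) / sum(weights)

def evaluate(host, today, history, policy):
    """Alarm names raised for one host for one day.
    today:   {'from_servers': bytes, 'to_internet': bytes} for the day under test
    history: same keys -> list of past daily totals
    policy:  {'tolerance': multiple of baseline, 'max_bytes': hard ceiling}"""
    alarms = []
    for metric, alarm in (("from_servers", "Suspect Data Hoarding"),
                          ("to_internet", "Suspect Data Loss")):
        value, base = today[metric], baseline(history[metric])
        if value > policy["max_bytes"]:
            # anomaly rule: fixed threshold, fires from day one with no learning
            alarms.append(f"{alarm} (threshold) on {host}")
        elif base is not None and value > base * policy["tolerance"]:
            # behavior rule: deviation from the learned baseline
            alarms.append(f"{alarm} (baseline) on {host}")
    return alarms

MB = 1_000_000
# Constructed history: workstation ws-17, 16 older days at 40 MB and 14 recent days at 60 MB
WS_HISTORY = {"from_servers": [40 * MB] * 16 + [60 * MB] * 14,
              "to_internet": [10 * MB] * 30}
WS_TODAY = {"from_servers": 400 * MB, "to_internet": 15 * MB}
# Constructed history: a host only three days old, so its baseline is not yet learned
NEW_HISTORY = {"from_servers": [30 * MB] * 3, "to_internet": [5 * MB] * 3}
NEW_TODAY = {"from_servers": 600 * MB, "to_internet": 5000 * MB}
# Lower tolerance for the host group that touches the jewels
POLICY = {"tolerance": 2.0, "max_bytes": 1000 * MB}

if __name__ == "__main__":
    for host, today, hist in (("ws-17", WS_TODAY, WS_HISTORY),
                              ("new-host", NEW_TODAY, NEW_HISTORY)):
        print(evaluate(host, today, hist, POLICY))
```

The brand-new host gets no baseline alarm at all, but the hard threshold still catches its outbound burst on day one; ws-17 stays under the ceiling and is caught only because its pull from the servers is far above what it learned to do.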