SlideShare ist ein Scribd-Unternehmen logo

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy

EC-Council
EC-Council

By Kevin McPeak. Presented at the Global CISO Forum in Atlanta, Georgia in 2014.

Technologie
1 von 21
Downloaden Sie, um offline zu lesen
Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy Kevin McPeak, CISSP, ITILv3 Technical Architect, Security Symantec Public Sector Strategic Programs 2014 Global CISO Forum October 17, 2014 Atlanta, GA
Trends, News and What’s at Stake 64% of data loss caused by well-meaning insiders 50% of employees leave with data $5.4 million average cost of a breach Legal and compliance penalties A potential “black eye” for your company’s reputation 2Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Definitions & Baseline Definitions: Thwart: [thwawrt] to successfully oppose; to frustrate; to baffle Insider: [in-sahy-der] a person possessing information that’s not publically available Threat: [thret] a menace or warning of probable trouble Strategy: [strat-i-jee] a plan or method to reach a goal Baseline for Understanding: Cyber Defense Modeling Modeling on the C-I-A Triad: Confidentiality, Integrity, Availability Integrity & Availability: Traditional “inbound” cyber defenses (anti- malware, system hardening, inbound web and inbound mail filtering, etc.) Confidentiality: Data Loss Prevention for “outbound” defense 3Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Historically Significant “Insider Threats” The Ones You Likely Know…. Benedict Arnold, Julius & Ethel Rosenberg, Alger Hiss (still debated), Aldrich Ames, Robert Hanssen, Ana Montes, Bradley Manning, Edward Snowden, and unfortunately many others…. Some Ones You May Not Know…. • John Surratt • the Cambridge Five • Abdel Khader Khan Key Question: How many may be currently unknown because they are operating in the shadows undetected? 4Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Guidelines for Federal Agencies NIST Special Pubs SP 800-122: Protecting the Confidentiality of PII SP 800-53R4: Security & Privacy Controls for Fed Info Systems & Organizations (Take a special look at Appendix J, entitled "Privacy Control Catalog") SP 800-144: Security & Privacy in Public Cloud Computing SP 800-137: Continuous Monitoring for Fed Info Systems & Organizations SP 800-128: Security-Focused Config Mgmt of Info Systems SP 800-124R1: Managing the Security of Mobile Devices in the Enterprise SP 800-88R1: Media Sanitization (Draft) SP 800-157: Derived PIV Credentials SP 800-79 2: Authorization of PIV Card Issuers & Derived PIV Credential Issuers(Draft) SP 800-61R2: Computer Security Incident Handling SP 800-60R1: Mapping Types of Info & Info Systems to Security Categories 5Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
NIST SP 800-144: Guidelines on Security & Privacy in Public Cloud Computing This SP discusses the concept of "Value Concentration" in Section 4.7, where it says: “A response to the question ‘Why do you rob banks?’ is often attributed to Willie Sutton, a historic and prolific bank robber. His purported answer was, ‘Because that is where the money is.’ In many ways, data records are the currency of the 21st century and cloud- based data stores are the bank vault, making them an increasingly preferred target due to the collective value concentrated there.” 6 “Just as economies of scale exist in robbing banks instead of individuals, a high payoff ratio also exists for successfully compromising a cloud.” Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
NIST SP 800-53R4: Security & Privacy Controls for Federal Information Systems & Organizations 7Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Strategy Setting Goals 1: Safeguard the lives, safety, and reputation of your business by safeguarding your organization’s most sensitive data. Government agencies, corporations, and academic institutions can suffer an enormous reputation hit after even one embarrassing public disclosure 2: Discover sensitive data wherever it resides and identify those endpoints with the highest risk 3: Actively monitor the many ways sensitive data can be used on the endpoint and flag all abnormal activities 4: Utilize the most efficient and unobtrusive methods possible 8Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Strategy….. …..in Ten Easy Steps! I: Identify the Appropriate Data Owners (Operating Units, Specialized Teams, Task Forces, Specific Individuals) II: Locate All of the Places Where Sensitive Data Resides III: Tag your Sensitive Data IV: Monitor/Learn How Sensitive Data is Typically Used by Your Workforce V: Determine Where Sensitive Data Goes VI: Implement Automatic “Real-Time” Methods to Enforce Your CISO Approved Data Security Policies (Visibility, Remediation, Notification & Prevention) VII: Educate Your Sys Admins as Well as Your End Users about Sensitive Data Security VIII: De-escalate Excessive Sys Admin Privileges IX: Wrap Additional Security Around Sensitive Data X: Halt Data Leaks Before Spillage Occurs 9Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Strategy I. Identify the Appropriate Data Owners 1: Identify the Appropriate Operating Units, Specialized Teams, Task Forces, Specific Individuals 2: Work with these Data Owners to further identify additional priority data types. This is an iterative process for risk reduction 10Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy II. Locate All of the Places Where Your Organization’s Sensitive Data Resides 1: Consider data at rest, data in use, data in motion, archived data, & encrypted data 2: Consider standard locations: network devices, storage, databases, file servers, web portals and other applications, laptops, e-mail servers (MTA or Proxy), PST files 3: Consider other locations: mobile devices, printers, scanners, fax machines, copiers, file sharing apps like Dropbox or Evernote, USB drives, CD/DVDs, paper copies, IM, "free" webmail services, university webmail for students & alumni, FTP puts
Data Loss Prevention Strategy III. Tag your Sensitive Data IV. Monitor & Learn How Sensitive Data is Typically Used and Typically Generated by Your Workforce 11Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy V. Determine Where Sensitive Data Goes …. Don’t be Lookin' for Data in All the Wrong Places....
Data Loss Prevention Strategy VI. Implement Automatic “Real-Time” Methods to Enforce Your CISO Approved Data Security Policies Visibility: The first step is to understand where your data is stored & how it is used across your enterprise Remediation: Once you’ve identified broken business processes & high-risk users, then you can improve processes, clean up misplaced data, & provide specialized training to high-risk users Notification: Next, turn on automated e-mail & onscreen pop-up notifications to educate users about data loss policies - this alone can dramatically cut down the number of repeat offenses Prevention: And lastly, stop users from accidentally or maliciously leaking information by quarantining, encrypting & blocking inappropriate outbound communications 12Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Strategy VII. Educate Your Sys Admins as Well as Your End Users about Sensitive Data Security 1: Sys Admins may not realize CISO approved policies exist for certain data types 2: Sys Admins (as well as end users) may be more receptive than you would initially think… VIII. De-escalate Excessive Sys Admin Privileges 1: Most Sys Admins don’t want admin rights beyond what they need to do their assigned job functions 2: Separation of duties is a cybersecurity best practice for thwarting the Sys Admin “Insider Threat” 13Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Strategy IX. Wrap Additional Security Around Sensitive Data 1: The best Incident Response (IR) is for the incident to have been thwarted in the first place, long before it became an incident 2: Review your file permissions 3: Consider using additional encryption for sensitive data as part of your defense in depth posture 14Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Data Loss Prevention Strategy X. Halt Data Leaks Before Spillage Occurs 15Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Well-meaning Insiders Malicious Insiders Malicious Outsiders It’s about people The Faces of your Data Loss Prevention Strategy 16Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Potential Actions DLP is About People 17 Detection and Response Problem Betty is working on a spreadsheet that has multiple worksheet tabs within the overall workbook. PII resides on a different tab than the one that Betty is working on. Betty attempts to e- mail PII data without even knowing it Response Content inspection & context for policy match as e-mail leaves server Endpoint: DLP inspects the mail when user hits “send” Monitor, notify user, encrypt or block Endpoint: Display pop-up, justify, block e-mail, remove content Result Help users understand and justify risk transparently Block or encrypt data in some cases Betty G. Well Meaning Insider Human Resources Specialist| Your Organization’s Admin Services Department SITUATION: Sending PII data over e-mail Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Sanjay V. Well Meaning Insider Accountant | Finance Department SITUATION: Copying sensitive data to removable storage devices Potential Actions 18 Problem Sanjay is relatively new to the organization and although he completed security training, he is relying on methods that he used at his previous job With no bad intent, he nonetheless copies sensitive financial data to removable media, thus violating your CISO’s policy Response Endpoint: analyzes content based on policies Monitor Record Notify Automatically encrypt files Result Automatically encrypt content Higher visibility into where data is going Change user behavior DLP is About People Detection and Response Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Potential Actions 19 Problem Due to his mission’s extreme op tempo, Charles has been awake for over 24 hours. Prior to going off shift, he inadvertently stores a specific Interstate Joint Task Force’s sensitive data on an unprotected share Response A scan finds the exposed data Charles is identified as the file owner Notify Charles Encrypt the data Move the file Apply rights management policies Result Secure your most sensitive assets – keep the malicious outsider from finding them Charles N. Well Meaning Insider Special Agent | Your City’s Law Enforcement Agency SITUATION: Discovering data spills and cleaning them up DLP is About People Detection and Response Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Potential Actions 20 Problem Mimi has been compromised Industrial espionage or criminal intent motives She attempts to share sensitive (perhaps even USG classified) data via e-mail or removable storage Response Data Loss Prevention strategy has put tools in place to monitor desktop and network activity Mimi is caught in the act Notify (warn) the user of their actions Inform manager, security and/or HR Stop the transmission or copy Contact Law Enforcement Result Sensitive or even classified information doesn’t leave the appropriate accreditation boundary Personnel know they are being monitored Mimi L. Malicious Insider Soon-to-be-Behind-Bars Chemical Engineer| Manufacturing Department SITUATION: Attempting to copy classified data DLP is About People Detection and Response Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
Thank you! Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 21 2014 Global CISO Forum October 17, 2014 Atlanta, GA http://www.symantec.com/data-loss-prevention Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy Kevin McPeak kevin_mcpeak@symantec.com @kevin_mcpeak

Empfohlen

Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
EC-Council
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
EC-Council
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
EC-Council
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
Dragos, Inc.
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24
 
The Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceThe Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber Intelligence
Tieu Luu
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
Ty Sbano
 

Empfohlen

Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
EC-Council
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
EC-Council
 
Phases of Incident Response
Phases of Incident ResponsePhases of Incident Response
Phases of Incident Response
EC-Council
 
Bridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk ManagementBridging the Gap Between Threat Intelligence and Risk Management
Bridging the Gap Between Threat Intelligence and Risk Management
Priyanka Aash
 
Threat Activity Groups - Dragos
Threat Activity Groups - Dragos Threat Activity Groups - Dragos
Threat Activity Groups - Dragos
Dragos, Inc.
 
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK FrameworkOutpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24 webinar - Mapping Vulnerabilities with the MITRE ATT&CK Framework
Outpost24
 
The Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceThe Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber Intelligence
Tieu Luu
 
Threat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshopThreat modeling (Hacker Stories) workshop
Threat modeling (Hacker Stories) workshop
Ty Sbano
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.
marketingunitrends
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Sounil Yu
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
mohamed nasri
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
Sounil Yu
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Priyanka Aash
 
Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015
Roy Ramkrishna
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDR
Netpluz Asia Pte Ltd
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
asherad
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Dragos, Inc.
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
Dragos, Inc.
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
Steve Lodin
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
North Texas Chapter of the ISSA
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
Robert Hurlbut
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
DevOps Indonesia
 
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon MurphyNTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
North Texas Chapter of the ISSA
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.
Ricardo Resnik
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
Adam Shostack
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
APNIC
 
Information security
Information securityInformation security
Information security
AlaaMahmoud108
 
A Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOsA Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOs
gppcpa
 

Weitere ähnliche Inhalte

Was ist angesagt?

Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
Steve Lodin
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
North Texas Chapter of the ISSA
 
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon MurphyNTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
North Texas Chapter of the ISSA
 

Was ist angesagt? (20)

Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.
 
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
Understanding The Security Vendor Landscape Using the Cyber Defense Matrix (R...
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Defense Matrix: Reloaded
Cyber Defense Matrix: ReloadedCyber Defense Matrix: Reloaded
Cyber Defense Matrix: Reloaded
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015Sans cyber-threat-intelligence-survey-2015
Sans cyber-threat-intelligence-survey-2015
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDR
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response Rising Cyber Escalation US Iran Russia ICS Threats and Response
Rising Cyber Escalation US Iran Russia ICS Threats and Response
 
2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups2018 Year in Review- ICS Threat Activity Groups
2018 Year in Review- ICS Threat Activity Groups
 
Threat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
 
Threat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - SubmittedThreat Intelligence 101 - Steve Lodin - Submitted
Threat Intelligence 101 - Steve Lodin - Submitted
 
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad AndrewsNTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
NTXISSACSC2 - Threat Modeling Part 1 - Overview by Brad Andrews
 
Developing a Threat Modeling Mindset
Developing a Threat Modeling MindsetDeveloping a Threat Modeling Mindset
Developing a Threat Modeling Mindset
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon MurphyNTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.
 
Threat Modeling In 2021
Threat Modeling In 2021Threat Modeling In 2021
Threat Modeling In 2021
 
Setting up CSIRT
Setting up CSIRTSetting up CSIRT
Setting up CSIRT
 

Ähnlich wie Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy

CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
mccormicknadine86
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
sleeperharwell
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
shahadd2021
 
Information System Security
Information System Security Information System Security
Information System Security
Syed Asif Sherazi
 

Ähnlich wie Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy (20)

Information security
Information securityInformation security
Information security
 
A Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOsA Cybersecurity Planning Guide for CFOs
A Cybersecurity Planning Guide for CFOs
 
Handout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dipsHandout infosec defense-mechanism-y3dips
Handout infosec defense-mechanism-y3dips
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docxCISSPCertified Information SystemsSecurity ProfessionalCop.docx
CISSPCertified Information SystemsSecurity ProfessionalCop.docx
 
IT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 ConferenceIT Security Presentation - IIMC 2014 Conference
IT Security Presentation - IIMC 2014 Conference
 
Kevin Wharram Security Summit
Kevin Wharram Security SummitKevin Wharram Security Summit
Kevin Wharram Security Summit
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
INFORMATION SECURITY: THREATS AND SOLUTIONS.
INFORMATION SECURITY: THREATS AND SOLUTIONS.INFORMATION SECURITY: THREATS AND SOLUTIONS.
INFORMATION SECURITY: THREATS AND SOLUTIONS.
 
Lecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.pptLecture 01- What is Information Security.ppt
Lecture 01- What is Information Security.ppt
 
3 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 20173 Tips to Stay Safe Online in 2017
3 Tips to Stay Safe Online in 2017
 
Small Business Administration Recommendations
Small Business Administration RecommendationsSmall Business Administration Recommendations
Small Business Administration Recommendations
 
Chapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdfChapter 1 - Introduction.pdf
Chapter 1 - Introduction.pdf
 
Perimeter Security is Failing
Perimeter Security is FailingPerimeter Security is Failing
Perimeter Security is Failing
 
Information System Security
Information System Security Information System Security
Information System Security
 
Cybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdfCybersecurity Interview Questions and Answers.pdf
Cybersecurity Interview Questions and Answers.pdf
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APT
 
Lecture 1-2.pdf
Lecture 1-2.pdfLecture 1-2.pdf
Lecture 1-2.pdf
 
Are you the next target?
Are you the next target?Are you the next target?
Are you the next target?
 

Mehr von EC-Council

Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
EC-Council
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
EC-Council
 

Mehr von EC-Council (20)

CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber WorldCyberOm - Hacking the Wellness Code in a Chaotic Cyber World
CyberOm - Hacking the Wellness Code in a Chaotic Cyber World
 
Cloud Security Architecture - a different approach
Cloud Security Architecture - a different approachCloud Security Architecture - a different approach
Cloud Security Architecture - a different approach
 
Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James Weaponizing OSINT – Hacker Halted 2019 – Michael James
Weaponizing OSINT – Hacker Halted 2019 – Michael James
 
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith TurpinHacking Your Career – Hacker Halted 2019 – Keith Turpin
Hacking Your Career – Hacker Halted 2019 – Keith Turpin
 
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle LeeHacking Diversity – Hacker Halted . 2019 – Marcelle Lee
Hacking Diversity – Hacker Halted . 2019 – Marcelle Lee
 
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff SilverCloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
Cloud Proxy Technology – Hacker Halted 2019 – Jeff Silver
 
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
DNS – Strategies for Reducing Data Leakage & Protecting Online Privacy – Hack...
 
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea AmicoData in cars can be creepy – Hacker Halted 2019 – Andrea Amico
Data in cars can be creepy – Hacker Halted 2019 – Andrea Amico
 
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel NaderBreaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
Breaking Smart [Bank] Statements – Hacker Halted 2019 – Manuel Nader
 
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian HilemanAre your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
 
War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019War Game: Ransomware – Global CISO Forum 2019
War Game: Ransomware – Global CISO Forum 2019
 
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
How to become a Security Behavior Alchemist – Global CISO Forum 2019 – Perry ...
 
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
Introduction to FAIR Risk Methodology – Global CISO Forum 2019 – Donna Gall...
 
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes WidnerAlexa is a snitch! Hacker Halted 2019 - Wes Widner
Alexa is a snitch! Hacker Halted 2019 - Wes Widner
 
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law EnforcementHacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
Hacker Halted 2018: Don't Panic! Big Data Analytics vs. Law Enforcement
 
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
Hacker Halted 2018: HACKING TRILLIAN: A 42-STEP SOLUTION TO EXPLOIT POST-VOGA...
 
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
Hacker Halted 2018: SE vs Predator: Using Social Engineering in ways I never ...
 
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
Global CCISO Forum 2018 | Sebastian Hess "Cyber Insurance and Cyber Risk Quan...
 

Kürzlich hochgeladen

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Kürzlich hochgeladen (20)

MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy

  • 1. Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy Kevin McPeak, CISSP, ITILv3 Technical Architect, Security Symantec Public Sector Strategic Programs 2014 Global CISO Forum October 17, 2014 Atlanta, GA
  • 2. Trends, News and What’s at Stake 64% of data loss caused by well-meaning insiders 50% of employees leave with data $5.4 million average cost of a breach Legal and compliance penalties A potential “black eye” for your company’s reputation 2Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 3. Definitions & Baseline Definitions: Thwart: [thwawrt] to successfully oppose; to frustrate; to baffle Insider: [in-sahy-der] a person possessing information that’s not publically available Threat: [thret] a menace or warning of probable trouble Strategy: [strat-i-jee] a plan or method to reach a goal Baseline for Understanding: Cyber Defense Modeling Modeling on the C-I-A Triad: Confidentiality, Integrity, Availability Integrity & Availability: Traditional “inbound” cyber defenses (anti- malware, system hardening, inbound web and inbound mail filtering, etc.) Confidentiality: Data Loss Prevention for “outbound” defense 3Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 4. Historically Significant “Insider Threats” The Ones You Likely Know…. Benedict Arnold, Julius & Ethel Rosenberg, Alger Hiss (still debated), Aldrich Ames, Robert Hanssen, Ana Montes, Bradley Manning, Edward Snowden, and unfortunately many others…. Some Ones You May Not Know…. • John Surratt • the Cambridge Five • Abdel Khader Khan Key Question: How many may be currently unknown because they are operating in the shadows undetected? 4Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 5. Data Loss Prevention Guidelines for Federal Agencies NIST Special Pubs SP 800-122: Protecting the Confidentiality of PII SP 800-53R4: Security & Privacy Controls for Fed Info Systems & Organizations (Take a special look at Appendix J, entitled "Privacy Control Catalog") SP 800-144: Security & Privacy in Public Cloud Computing SP 800-137: Continuous Monitoring for Fed Info Systems & Organizations SP 800-128: Security-Focused Config Mgmt of Info Systems SP 800-124R1: Managing the Security of Mobile Devices in the Enterprise SP 800-88R1: Media Sanitization (Draft) SP 800-157: Derived PIV Credentials SP 800-79 2: Authorization of PIV Card Issuers & Derived PIV Credential Issuers(Draft) SP 800-61R2: Computer Security Incident Handling SP 800-60R1: Mapping Types of Info & Info Systems to Security Categories 5Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 6. NIST SP 800-144: Guidelines on Security & Privacy in Public Cloud Computing This SP discusses the concept of "Value Concentration" in Section 4.7, where it says: “A response to the question ‘Why do you rob banks?’ is often attributed to Willie Sutton, a historic and prolific bank robber. His purported answer was, ‘Because that is where the money is.’ In many ways, data records are the currency of the 21st century and cloud- based data stores are the bank vault, making them an increasingly preferred target due to the collective value concentrated there.” 6 “Just as economies of scale exist in robbing banks instead of individuals, a high payoff ratio also exists for successfully compromising a cloud.” Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 7. NIST SP 800-53R4: Security & Privacy Controls for Federal Information Systems & Organizations 7Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 8. Data Loss Prevention Strategy Setting Goals 1: Safeguard the lives, safety, and reputation of your business by safeguarding your organization’s most sensitive data. Government agencies, corporations, and academic institutions can suffer an enormous reputation hit after even one embarrassing public disclosure 2: Discover sensitive data wherever it resides and identify those endpoints with the highest risk 3: Actively monitor the many ways sensitive data can be used on the endpoint and flag all abnormal activities 4: Utilize the most efficient and unobtrusive methods possible 8Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 9. Data Loss Prevention Strategy….. …..in Ten Easy Steps! I: Identify the Appropriate Data Owners (Operating Units, Specialized Teams, Task Forces, Specific Individuals) II: Locate All of the Places Where Sensitive Data Resides III: Tag your Sensitive Data IV: Monitor/Learn How Sensitive Data is Typically Used by Your Workforce V: Determine Where Sensitive Data Goes VI: Implement Automatic “Real-Time” Methods to Enforce Your CISO Approved Data Security Policies (Visibility, Remediation, Notification & Prevention) VII: Educate Your Sys Admins as Well as Your End Users about Sensitive Data Security VIII: De-escalate Excessive Sys Admin Privileges IX: Wrap Additional Security Around Sensitive Data X: Halt Data Leaks Before Spillage Occurs 9Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 10. Data Loss Prevention Strategy I. Identify the Appropriate Data Owners 1: Identify the Appropriate Operating Units, Specialized Teams, Task Forces, Specific Individuals 2: Work with these Data Owners to further identify additional priority data types. This is an iterative process for risk reduction 10Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy II. Locate All of the Places Where Your Organization’s Sensitive Data Resides 1: Consider data at rest, data in use, data in motion, archived data, & encrypted data 2: Consider standard locations: network devices, storage, databases, file servers, web portals and other applications, laptops, e-mail servers (MTA or Proxy), PST files 3: Consider other locations: mobile devices, printers, scanners, fax machines, copiers, file sharing apps like Dropbox or Evernote, USB drives, CD/DVDs, paper copies, IM, "free" webmail services, university webmail for students & alumni, FTP puts
  • 11. Data Loss Prevention Strategy III. Tag your Sensitive Data IV. Monitor & Learn How Sensitive Data is Typically Used and Typically Generated by Your Workforce 11Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy V. Determine Where Sensitive Data Goes …. Don’t be Lookin' for Data in All the Wrong Places....
  • 12. Data Loss Prevention Strategy VI. Implement Automatic “Real-Time” Methods to Enforce Your CISO Approved Data Security Policies Visibility: The first step is to understand where your data is stored & how it is used across your enterprise Remediation: Once you’ve identified broken business processes & high-risk users, then you can improve processes, clean up misplaced data, & provide specialized training to high-risk users Notification: Next, turn on automated e-mail & onscreen pop-up notifications to educate users about data loss policies - this alone can dramatically cut down the number of repeat offenses Prevention: And lastly, stop users from accidentally or maliciously leaking information by quarantining, encrypting & blocking inappropriate outbound communications 12Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 13. Data Loss Prevention Strategy VII. Educate Your Sys Admins as Well as Your End Users about Sensitive Data Security 1: Sys Admins may not realize CISO approved policies exist for certain data types 2: Sys Admins (as well as end users) may be more receptive than you would initially think… VIII. De-escalate Excessive Sys Admin Privileges 1: Most Sys Admins don’t want admin rights beyond what they need to do their assigned job functions 2: Separation of duties is a cybersecurity best practice for thwarting the Sys Admin “Insider Threat” 13Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 14. Data Loss Prevention Strategy IX. Wrap Additional Security Around Sensitive Data 1: The best Incident Response (IR) is for the incident to have been thwarted in the first place, long before it became an incident 2: Review your file permissions 3: Consider using additional encryption for sensitive data as part of your defense in depth posture 14Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 15. Data Loss Prevention Strategy X. Halt Data Leaks Before Spillage Occurs 15Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 16. Well-meaning Insiders Malicious Insiders Malicious Outsiders It’s about people The Faces of your Data Loss Prevention Strategy 16Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 17. Potential Actions DLP is About People 17 Detection and Response Problem Betty is working on a spreadsheet that has multiple worksheet tabs within the overall workbook. PII resides on a different tab than the one that Betty is working on. Betty attempts to e- mail PII data without even knowing it Response Content inspection & context for policy match as e-mail leaves server Endpoint: DLP inspects the mail when user hits “send” Monitor, notify user, encrypt or block Endpoint: Display pop-up, justify, block e-mail, remove content Result Help users understand and justify risk transparently Block or encrypt data in some cases Betty G. Well Meaning Insider Human Resources Specialist| Your Organization’s Admin Services Department SITUATION: Sending PII data over e-mail Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 18. Sanjay V. Well Meaning Insider Accountant | Finance Department SITUATION: Copying sensitive data to removable storage devices Potential Actions 18 Problem Sanjay is relatively new to the organization and although he completed security training, he is relying on methods that he used at his previous job With no bad intent, he nonetheless copies sensitive financial data to removable media, thus violating your CISO’s policy Response Endpoint: analyzes content based on policies Monitor Record Notify Automatically encrypt files Result Automatically encrypt content Higher visibility into where data is going Change user behavior DLP is About People Detection and Response Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 19. Potential Actions 19 Problem Due to his mission’s extreme op tempo, Charles has been awake for over 24 hours. Prior to going off shift, he inadvertently stores a specific Interstate Joint Task Force’s sensitive data on an unprotected share Response A scan finds the exposed data Charles is identified as the file owner Notify Charles Encrypt the data Move the file Apply rights management policies Result Secure your most sensitive assets – keep the malicious outsider from finding them Charles N. Well Meaning Insider Special Agent | Your City’s Law Enforcement Agency SITUATION: Discovering data spills and cleaning them up DLP is About People Detection and Response Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 20. Potential Actions 20 Problem Mimi has been compromised Industrial espionage or criminal intent motives She attempts to share sensitive (perhaps even USG classified) data via e-mail or removable storage Response Data Loss Prevention strategy has put tools in place to monitor desktop and network activity Mimi is caught in the act Notify (warn) the user of their actions Inform manager, security and/or HR Stop the transmission or copy Contact Law Enforcement Result Sensitive or even classified information doesn’t leave the appropriate accreditation boundary Personnel know they are being monitored Mimi L. Malicious Insider Soon-to-be-Behind-Bars Chemical Engineer| Manufacturing Department SITUATION: Attempting to copy classified data DLP is About People Detection and Response Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy
  • 21. Thank you! Copyright © 2012 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 21 2014 Global CISO Forum October 17, 2014 Atlanta, GA http://www.symantec.com/data-loss-prevention Thwarting the Insider Threat: Developing a Robust “Defense in Depth” Data Loss Prevention Strategy Kevin McPeak kevin_mcpeak@symantec.com @kevin_mcpeak