www.thinair.com
Concern about insider threats is rampant. Disgruntled employees who have access to sensitive data are common. When a breach does occur, how do you identify which computers were involved in the breach? This session, originally held at Techno Security & Digital Forensics Conference, will discuss some of the major pain points of an insider threat investigation and how to mitigate them. We’ll also review three different case studies that occurred at Google, Palantir and the DOD.
How to Catch a Wolf in Sheep's Clothing
1. How to Catch a Wolf in Sheep’s Clothing
Techno Security & Digital Forensics Conference
2. Roadmap
o Insider Threat Landscape
□ What has changed the landscape?
□ Trends
□ Security priorities in a changing landscape
o Identifying “At Risk” assets
o Even the savviest companies have “Insider” problems
□ Google / Waymo -> unable to attribute actions to an individual
□ Palantir -> limiting scope of an investigation
o Pain points in an Insider Threat Investigation
o Mitigating an Insider Threat
o Conclusions / Recommendations
5. Quick Overview - Insider Threats
o Due to the increased importance of technology (aka digitalization), employees have greater ability to rapidly cause more damage
o 74% of companies feel they are vulnerable to insider threats, with 7% reporting extreme vulnerability
o Insider threats can go undetected for years
o It is hard to distinguish harmful actions from regular work
o Data is increasingly easy to monetize on the dark web
o Access to data is required for people to do their job
These trends will result in insider threats becoming increasingly dangerous.
6. Trends
Not just growth but other qualitative trends…
o Some employees are interested in personal or financial gain
o According to Verizon’s DBIR, 77 percent of internal breaches were deemed to be by employees, 11 percent by external actors only, 3 percent were from partners and 8 percent involved internal-external collusion
o Of that 77 percent, 31.5 percent of breaches stem from malicious insiders, with another 23.5 percent resulting from actions by inadvertent actors
o 90 percent of organizations reported suffering from at least one data breach in the last two years, with 45 percent reporting five or more breaches (Ponemon Institute)
7. Security Priorities - Increase Visibility and Context
Visibility
o Who has access to sensitive data?
o Which computers and applications access sensitive data?
o Are data governance policies being followed?
Context
o What events lead up to a data breach?
o What has an employee been doing in the days leading up to leaving the company?
o Are your DLP rules providing adequate protection?
How do you enable your employees to be productive in an increasingly fast-paced, data-driven world while maintaining the security of your organization’s data?
8. Profiles of Insider Threats
https://www.intel.com/content/dam/www/public/us/en/documents/best-practices/a-field-guide-to-insider-threat-paper.pdf
9. Identifying at Risk Assets
o Easy to Monetize
o Easy to Remove
o Difficult to Attribute
o High Impact
13. Pain Points in an Investigation
Detecting
o How do you discriminate between normal activity and activity leading to an insider-driven breach?
Investigating
o Difficult to identify which computer / person was involved in the breach. In large organizations, often 1000+ devices / people could be involved.
Attributing
o Hard to prove that a specific person performed certain actions
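The visibility and context questions from slide 7 and the "Investigating" pain point above come down to correlating access events with hosts, users and HR context. The following is an added example written for this page (not code from the talk or from any product it mentions); the log format, the sensitive-path prefixes and the HR departure feed are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta
# Constructed sample access log (assumed format): date,user,host,path,bytes_read
SAMPLE_LOG = """\
2019-03-01,alice,ws-0412,/share/finance/q1-forecast.xlsx,20480
2019-03-01,bob,ws-0913,/share/eng/readme.txt,1024
2019-03-02,alice,ws-0412,/share/finance/payroll.csv,512000
2019-03-03,carol,ws-1201,/share/hr/policies.pdf,8192
2019-03-04,alice,ws-0201,/share/finance/payroll.csv,512000
2019-03-04,alice,ws-0201,/share/finance/vendor-contracts.zip,90000000
2019-03-05,bob,ws-0913,/share/finance/q1-forecast.xlsx,20480
"""
SENSITIVE_PREFIXES = ("/share/finance/", "/share/hr/")  # assumed data classification
DEPARTURES = {"alice": date(2019, 3, 8)}  # constructed HR feed: announced last day

def parse_log(text):
    """Parse CSV lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        day, user, host, path, size = parts
        events.append({"date": date.fromisoformat(day), "user": user,
                       "host": host, "path": path, "bytes": int(size)})
    return events

def sensitive_access(events):
    """Visibility: which (user, host) pairs read sensitive data, and how many bytes."""
    totals = defaultdict(int)
    for e in events:
        if e["path"].startswith(SENSITIVE_PREFIXES):
            totals[(e["user"], e["host"])] += e["bytes"]
    return dict(totals)

def pre_departure_activity(events, departures, window_days=7):
    """Context: sensitive reads by a departing user in the days before their last day."""
    flagged = defaultdict(list)
    for e in events:
        last_day = departures.get(e["user"])
        if last_day is None or not e["path"].startswith(SENSITIVE_PREFIXES):
            continue
        if last_day - timedelta(days=window_days) <= e["date"] <= last_day:
            flagged[e["user"]].append((e["date"].isoformat(), e["host"], e["path"]))
    return dict(flagged)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(sensitive_access(events))        # per user/host totals of sensitive reads
    print(pre_departure_activity(events, DEPARTURES))  # alice's reads on two hosts
```

The second function narrows an investigation from every device in the organization to the hosts a departing user actually touched sensitive data from, which is the starting point for the attribution step.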
15. Developing an Insider Threat Program
Gain senior leadership endorsement
Develop repeatable process to monitor and mitigate insider threats
Identify and understand critical assets
Use analytics to strengthen the program backbone
Coordinate with legal counsel to address privacy, data protection and data transfer
Screen employees and vendors regularly
Implement processes following uniform standards involving the right stakeholders
Create curriculum to generate awareness about insider threats and their risks
16. Insider Threat Solution Ecosystem
Network based tools
Behavior based tools
Employee screening tools
Endpoint tools
17. Summary
o Insider threats are a major problem and will become even worse in the future
o Organizations need increased visibility into user-information interaction
o Evaluate new nimble/easy-to-use security tools that can help you quickly identify, investigate and mitigate insider threats
o Developing an insider threat program needs to be a priority and needs to be continuously updated as the organization evolves