Security technologists, practitioners, and the media love to talk about the latest malware, and zero-day attacks that hackers and nation states direct against their targets. The reality is that a significant portion of security incidents and data breaches come from within an organization’s security perimeter. The insider threat is the unglamorous side of security, and one that most vendors and industry professionals tend to ignore. Which tools in your security stack truly address the insider threat problem? What percentage of your security budget is dedicated to this issue?
This presentation will explore the rise of the insider threat, and the five essential components of an effective approach to identifying and investigating breaches that result from the malicious or innocent actions of internal actors.
Learning Objectives:
• Learn about the trends, size and scope of the insider threat problem
• How to evaluate your security stack against the insider threat problem
• Explore the emerging concept of insider detection and investigation, and the five required components of an insider threat approach
4. How Serious is Insider Threat?
25% of breaches come from insiders
58% of Financial Services attacks come from insiders
80% of Healthcare breaches come from insiders
8. 1. Endpoint Visibility
» Endpoint is the point of interaction between people and data
» Endpoint is where a lot of IP is created
» Endpoint is often the blind spot
9. 2. Deep Context Visibility
• M&A documents
• PHI
• PII
• Financial information
• Source code
• Blueprints, etc.
[Diagram: visibility layers Network > Device > Application > User > Data ("sensitive stuff here")]
10. 3. Continuous Visibility
» Track all interactions with information, continuously
» Maintain historical audit log (6-24 months or longer)
• Even if evidence has been tampered with or deleted
11. 4. Insider Behavior Detection
» Detect insiders along the threat kill chain stages
• Proactive prediction of exfiltration
12. 5. Business Impact
» Provide business impact assessment
» Value breach risk in $$$ vs. number of records lost
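Slides 10 to 12 describe three capabilities without showing how they fit together: a bounded historical audit log of user-data interactions, staging of a user's activity along the kill chain, and a dollar figure on what is exposed. The Python below is an added example, not code from this presentation or from any vendor product it describes. Everything in it is constructed for illustration: the stage names ("access", "collection", "exfiltration"; the deck names no stages), the event schema, the folder-to-data-class mapping, the per-record dollar costs, the set of external destinations, and the sample audit events. It keeps only events inside a retention window, assigns each event a stage, rolls activity up per user, and orders users for investigation by furthest stage reached and then by estimated exposure.

```python
"""Added example (not from the presentation): correlate endpoint audit events
into assumed insider kill-chain stages, keep a bounded historical window,
and put a constructed dollar figure on the data each user has touched."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed stage names, earliest to latest. The deck does not name its stages.
STAGES = ["access", "collection", "exfiltration"]

# Assumed mapping from top-level folder to the data classes listed on slide 9.
DATA_CLASS_BY_FOLDER = {
    "mna": "M&A documents", "phi": "PHI", "pii": "PII",
    "finance": "Financial information", "src": "Source code",
}

# Constructed, illustrative cost per record or document in USD (not industry figures).
COST_PER_RECORD_USD = {
    "M&A documents": 500_000, "PHI": 400, "PII": 150,
    "Financial information": 200, "Source code": 250_000,
}

# Destinations treated as leaving the organization's control (assumed).
EXTERNAL_DESTS = {"usb", "personal-cloud"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str   # read | archive | copy | upload
    path: str     # file touched on the endpoint
    dest: str     # "" for read, otherwise target path or external destination
    records: int  # records in the file, as an assumed classifier would report


def data_class(path: str) -> Optional[str]:
    """Classify a path by its top-level folder; None if unclassified."""
    parts = path.strip("/").split("/")
    return DATA_CLASS_BY_FOLDER.get(parts[0]) if parts else None


def stage_for(ev: Event) -> Optional[str]:
    """Map one event to an assumed kill-chain stage, or None if not relevant."""
    if ev.action == "read":
        return "access" if data_class(ev.path) else None
    if ev.action == "archive":
        return "collection"
    if ev.action in ("copy", "upload"):
        return "exfiltration" if ev.dest in EXTERNAL_DESTS else "collection"
    return None


def within_retention(events, now: datetime, months: int):
    """Keep only events inside the historical audit window (slide 10: 6-24 months)."""
    cutoff = now - timedelta(days=30 * months)
    return [e for e in events if e.ts >= cutoff]


def correlate(events):
    """Per user: furthest stage reached, data classes touched, records and USD impact."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)
    summaries = {}
    for user, evs in by_user.items():
        stages = {stage_for(e) for e in evs} - {None}
        if not stages:
            continue
        seen = {}  # path -> (class, records); a file counts once however often touched
        for e in evs:
            cls = data_class(e.path)
            if cls:
                seen[e.path] = (cls, e.records)
        summaries[user] = {
            "stage": max(stages, key=STAGES.index),
            "classes": sorted({cls for cls, _ in seen.values()}),
            "records": sum(r for _, r in seen.values()),
            "impact_usd": sum(r * COST_PER_RECORD_USD[cls] for cls, r in seen.values()),
        }
    return summaries


def prioritize(summaries):
    """Investigation order: latest stage first, then largest dollar exposure."""
    return sorted(summaries, reverse=True,
                  key=lambda u: (STAGES.index(summaries[u]["stage"]), summaries[u]["impact_usd"]))


# Constructed sample audit log; "dave" falls outside a 24-month window.
NOW = datetime(2024, 3, 10)
EVENTS = [
    Event(datetime(2022, 1, 5), "dave", "copy", "/pii/customers.csv", "usb", 9000),
    Event(datetime(2024, 3, 1), "alice", "read", "/finance/q3-forecast.xlsx", "", 5000),
    Event(datetime(2024, 3, 2), "alice", "archive", "/finance/q3-forecast.xlsx", "/tmp/stuff.zip", 5000),
    Event(datetime(2024, 3, 3), "alice", "copy", "/tmp/stuff.zip", "usb", 0),
    Event(datetime(2024, 3, 5), "bob", "read", "/phi/patients.csv", "", 20000),
    Event(datetime(2024, 3, 6), "carol", "upload", "/src/core/auth.py", "personal-cloud", 1),
]


def run(events=EVENTS, now=NOW, months=24):
    """Apply the retention window, then correlate what remains."""
    return correlate(within_retention(events, now, months))


if __name__ == "__main__":
    summary = run()
    for user in prioritize(summary):
        print(user, summary[user])
```

Two design points carry over to a real program: files are counted once per user no matter how many events touch them, so repeated reads do not inflate the dollar figure; and ordering by stage before exposure means a user already copying to an external destination is looked at before one who has only read a large sensitive file, which is what "proactive" means on slide 11. The retention window is a plain time cutoff here; in practice the log store, not the query, enforces it.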
13. Let’s get started!
» Insider threats are here to stay…
» Visibility into user-information interaction is a must
» Need the ability to quickly identify and investigate insider threats
» Comprehensive program requires a blend of technology, policies and cultural changes
Strong position/fully credentialed. Need complete visibility at every stage and earlier the better…
Many security tools are focused on the Exfil stage only (DLP, FW), but they always find a way…sophisticated insiders (they have insider knowledge of org’s security control)…Innocent can catch, but not highly motivated
Growth of unstructured data vs. structured – faster. IDG: Unstructured data is growing at the rate of 62% per year.
IDG: By 2022, 93% of all data in the digital universe will be unstructured.
Gartner: Data volume is set to grow 800% over the next 5 years and 80% of it will reside as unstructured data.
Endpoint is the point of interaction between people and data
You don’t know in advance what is or will be sensitive…you cannot predict the future. M&A example – your partner becomes your acquirer…
As much as 80% of company’s worth lies in its IP. At the same time, up to 50% of this IP lives exclusively on endpoints (Deloitte).
Average time to identify the breach – 191 days. Average time to contain the breach – 66 days.
Typical insider campaigns last for months or even years….
Of course you can’t store data in perpetuity, so there are ways to address that.
Timing is important, but you also need to know where your insiders are along the stages of exfiltration...by stage, by office, by department, by system type, etc.
What does a lost record mean to you? 10m records lost? What if you could say it is $25M to the organization…Attach a real dollar value...prioritize the efforts…Bio-tech
What if you could tell your CISO or CFO the exact value of a particular device or a team? Or the exact cost of a specific breach? And all of that in minutes or seconds, instead of weeks or months.
Business impact – two elements: ….(2) This gives you the ability to justify an insider threat program and tool.
Average enterprise employee will leave for a new job in 2-5 years and 50% will take data with them when they go.