There's always a need to stop bad stuff from coming in, but it's important to remember that those inside the firewall can pose an even bigger risk to your network security. Whether it's unsuspecting users clicking on phishing e-mails, someone running BitTorrent in your datacenter, or a truly malicious user out to sabotage the network, insider threats can really keep you up at night.
Join us for this technical demo showing how USM can help you detect:
Malware infections on end-user machines
Insiders misusing network resources
Privileged users engaging in suspicious behaviors
2. About AlienVault
AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats.
4. Agenda
• Insider Threats & Risk Factors
• Data exfiltration methods
• Tips to mitigate these threats
• Demo: using USM to detect insider threats
5. Insider Threat Types
• Naive insiders may be “tricked” by external parties into providing data or passwords they shouldn’t
• Careless insiders may make inappropriate use of company network resources
• Malicious insiders are the least frequent, but have the potential to cause significant damage.
85% of insider privilege misuse attacks used the corporate LAN…
Source: Verizon Data Breach Report, 2014
6. Insider Risk Factors
• Ineffective management of privileged users
• Inappropriate role and entitlement assignment
• Users unaware of vulnerabilities
• Poor information classification and policy enforcement
• Inadequate auditing and analytics
• Audit log complexity
• Reactive response
• No comprehensive written acceptable use policies
• General misuse of corporate network
7. Exfiltration
• Simple encrypted transmission
• HTTP/HTTPS
• Posting to WordPress or other sites
• FTP/SFTP/SCP
• Slow & low
• Hide & Seek
• Images
• Video
• Audio (via VoIP)
• New methods created every day
8. Dealing with possible insider threats
• Identity Management
• Not just black/white – user/admin access
• Data Controls
• Auditing
• Restrict access to those on a “need-to-know” basis
• Advanced Authentication
• Network groups
• Policies
9. Firewalls/Antivirus are not enough
• Firewalls are usually not the target – too difficult to effectively penetrate
• Endpoints are the target, usually via email, URL redirects, misc. malicious files, etc.
• With 160,000 new malware samples seen every day, antivirus apps will not find every threat
• Needs to be bolstered by regular and comprehensive monitoring
10. Prevent, Detect & Respond
The basics are in place for most companies…but this alone is a ‘proven’ failed strategy.
New capabilities to develop
Get (very) good at detection & response
12. AlienVault Labs Threat Intelligence
• Weekly updates to correlation directives to detect emerging threats
• Recent updates to Data exfiltration-related threat intelligence:
• AV Malware, Ajax Security Team Data Exfiltration
• AV Malware, Operation Machete FTP exfiltration
• AV attack, malware sending exfiltrating command output
• AV Policy violation, BitTorrent P2P usage
• AV Misc, suspicious successful login from Tor anonymity network
• AV Policy violation, Tor anonymity network usage
• *malware – 1,161 (03/2015)
13. Scenarios
• Vulnerable/Naive user
• Malware infection on end-user machine
• Vulnerable systems due to missed software updates
• Misuse
• BitTorrent
• Tor
• Malicious intent
• Users accessing info they shouldn’t be
• Data exfiltration
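As an added example (not AlienVault's code and not USM's directive format), this Python sketch shows the kind of correlation the Tor and BitTorrent scenarios on slides 12 and 13 call for: matching a successful login's source address against a Tor exit-node list, and counting distinct BitTorrent-port peers per internal host before raising a policy-violation alert. The log lines, IP addresses and Tor exit list are constructed, and the default-port heuristic is an assumption about unmodified client settings.

```python
import re
from collections import defaultdict

# Constructed Tor exit-node list (documentation-range IPs, not a real feed).
TOR_EXIT_NODES = {"203.0.113.7", "198.51.100.42"}
# Conventional BitTorrent listener ports plus the common tracker port.
# Assumption: clients are at default settings; many randomise ports, so a
# port-only rule is a weak signal and an IDS signature is the stronger one.
BITTORRENT_PORTS = set(range(6881, 6890)) | {6969}

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
FW_RE = re.compile(r"FW\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed sample log lines: one bastion login from a Tor exit, one normal
# login, one host reaching three distinct peers on BitTorrent ports, one host
# reaching a single peer (below threshold).
SAMPLE_LOGS = [
    "Mar 10 08:01:02 bastion sshd[2111]: Accepted password for jdoe from 203.0.113.7 port 51234 ssh2",
    "Mar 10 08:02:10 bastion sshd[2130]: Accepted publickey for ops from 10.0.5.3 port 50122 ssh2",
    "Mar 10 08:05:00 fw kernel: FW src=10.0.8.21 dst=192.0.2.10 dport=6881 proto=TCP",
    "Mar 10 08:05:01 fw kernel: FW src=10.0.8.21 dst=192.0.2.11 dport=6882 proto=TCP",
    "Mar 10 08:05:03 fw kernel: FW src=10.0.8.21 dst=192.0.2.12 dport=6881 proto=UDP",
    "Mar 10 08:05:05 fw kernel: FW src=10.0.8.30 dst=192.0.2.13 dport=6881 proto=TCP",
]


def correlate(lines, tor_exits=TOR_EXIT_NODES, peer_threshold=3):
    """Return (rule, detail) alerts in log order.

    Rule 1: a successful SSH login whose source is a known Tor exit node.
    Rule 2: an internal host that has contacted `peer_threshold` distinct
    destinations on BitTorrent ports; fires once, when the threshold is hit.
    """
    alerts = []
    peers = defaultdict(set)  # internal src -> distinct BitTorrent-port peers
    for line in lines:
        m = SSHD_RE.search(line)
        if m:
            if m["src"] in tor_exits:
                alerts.append(("suspicious successful login from Tor", f"{m['user']}@{m['src']}"))
            continue
        m = FW_RE.search(line)
        if m and int(m["dport"]) in BITTORRENT_PORTS:
            peers[m["src"]].add(m["dst"])
            if len(peers[m["src"]]) == peer_threshold:
                alerts.append(("BitTorrent P2P usage", m["src"]))
    return alerts
```

Swapping the constructed exit list for a current feed and the port set for IDS hits keeps the correlation logic the same while cutting the false positives a port-only rule produces.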
14. Now for some Q&A…
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Questions? hello@alienvault.com