Combating the Insider Threat
© 2015 Lancope, Inc.
Table of Contents
Chapter One: WHO IS ATTACKING YOUR NETWORK?
Chapter Two: INSIDER THREAT MOTIVES AND METHODS
Chapter Three: DETERRING INSIDER THREATS WITH TECHNOLOGY
Chapter Four: USING NETWORK LOGS TO THWART INSIDER THREATS
Chapter Five: BEYOND TECHNOLOGY
Chapter Six: SUMMARY & TOP 10 WAYS TO COMBAT INSIDER THREATS
Chapter Four: Using Network Logs to Thwart Insider Threats
While each type of insider threat requires a different combination of security measures, one technique that helps across the board is monitoring network activity through various logs. According to Lancope CTO TK Keanini, “In all cases of insider threat, early detection of the activities should be the dominant strategy because no one, no matter how diligent, is going to be able to prevent these threats 100% of the time.” To combat threats effectively, organizations need a way to establish the who, what, when, where, why and how of specific attacks. By leveraging network activity logs from technologies such as firewalls, intrusion prevention systems (IPS), SIEMs, packet capture and NetFlow, organizations can turn the entire network into a security sensor and more easily detect and shut down insider attack attempts. Each of these technologies has its own strengths and weaknesses in terms of expense, the level of network visibility it provides, and privacy concerns, but all of them should be evaluated as part of an effective insider security strategy.
NetFlow for Combating Insider Threats
By collecting and analyzing metadata from throughout the entire network, NetFlow in particular provides a wide breadth of visibility at a reasonable cost and without the privacy concerns associated with full packet capture.
NetFlow is a protocol developed by Cisco that enables organizations to collect and analyze network traffic from existing infrastructure components, including routers, switches, firewalls and others. Because it allows network data to be collected from virtually anywhere in the network, NetFlow is an extremely valuable technology for finding and identifying insider threat actors.
Providing a 24/7 pervasive look at everything happening on a corporate network, NetFlow can be leveraged both for real-time threat detection and to create a network audit trail of previous transactions for use in forensic investigations. Since it delivers visibility across the entire network environment, NetFlow can help organizations identify network activity associated with a wide range of cyber-attacks, such as unusually large file transfers or attempts to access restricted areas.
In the case of the insider threat, excessive amounts of network traffic flowing from one user’s computer to the printer could signify an attempted theft of intellectual property. Or, if a user is frequently communicating with an unfamiliar IP address in another country, it could indicate that the user’s computer has been compromised. These are just a couple of examples of how the collection and analysis of NetFlow can help identify insider threats on the network. NetFlow is also valuable for baselining network assets so that administrators know where the organization’s sensitive data assets reside and how they are being used. After all, IT and security professionals cannot take the appropriate steps to secure critical assets and minimize risk if they do not know that the assets exist, or where they are located.
Detecting Suspicious Network Behaviors
According to TK Keanini, CTO of Lancope, “There is a difference between ‘bad’ and ‘not good.’ The insider threat requires you to have tools that can detect ‘not good.’” Collecting and analyzing NetFlow data with the right tools can help organizations detect a plethora of suspicious network behaviors that can indicate that an insider attack is taking place. These include:
Unauthorized Access: When a user attempts to access resources on the network that are prohibited.
Policy Violations: When employees begin using services that are in direct violation of company policy, and may be intended to bypass company monitoring.
Internal Reconnaissance: Before insiders can extract data, they must first inventory it. Organizations can use NetFlow to identify the associated internal scanning activities.
Suspect Data Loss: When privileged users send abnormal amounts of information out of the network.
Suspect Data Hoarding: When a user is downloading and collecting a large amount of data, which may indicate an attempt to package and exfiltrate sensitive information.
Target Data Hoarding: When large amounts of data are being extracted from a specific host on the network.
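The following is an added example, not code from Lancope or from this ebook: simple detection heuristics run over constructed NetFlow-style records that cover four of the behaviors listed above (internal reconnaissance, suspect data loss, suspect data hoarding and target data hoarding); the egress check is the same idea as the unfamiliar-foreign-IP case described earlier in the chapter. The address space, the privileged-host set, the thresholds and the flow records are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate address space
PRIVILEGED = {"10.0.5.20"}            # assumed privileged-user workstations

# Constructed flow records, not real data: (src_ip, dst_ip, dst_port, bytes_src_to_dst)
FLOWS = [("10.0.5.20", "203.0.113.9", 443, 900_000_000)]                       # upload off-network
FLOWS += [("10.0.7.3", f"10.0.1.{i}", 445, 120) for i in range(1, 60)]         # tiny flows to 59 hosts
FLOWS += [(f"10.0.2.{i}", "10.0.9.8", 445, 40_000_000) for i in range(1, 9)]   # one host pulls from 8
FLOWS += [("10.0.0.50", f"10.0.3.{i}", 443, 60_000_000) for i in range(1, 12)]  # one host drained by 11
FLOWS += [("10.0.0.2", "10.0.4.1", 53, 200)] * 20                               # ordinary DNS replies


def analyze(flows, scan_hosts=25, egress_bytes=500_000_000,
            hoard_bytes=200_000_000, target_bytes=500_000_000):
    """Map each listed behavior to the set of hosts exhibiting it.

    Thresholds are placeholders; a real deployment derives them from a
    per-host baseline rather than fixed numbers.
    """
    peers = defaultdict(set)    # src -> distinct internal hosts contacted (recon)
    egress = defaultdict(int)   # src -> bytes sent to external addresses (data loss)
    pulled = defaultdict(int)   # dst -> bytes received from internal hosts (hoarding)
    drained = defaultdict(int)  # src -> bytes sent to internal hosts (targeted host)
    for src, dst, _port, nbytes in flows:
        if ip_address(dst) in INTERNAL:
            peers[src].add(dst)
            pulled[dst] += nbytes
            drained[src] += nbytes
        else:
            egress[src] += nbytes
    return {
        "internal_recon": {h for h, p in peers.items() if len(p) >= scan_hosts},
        "suspect_data_loss": {h for h, b in egress.items()
                              if h in PRIVILEGED and b >= egress_bytes},
        "suspect_data_hoarding": {h for h, b in pulled.items() if b >= hoard_bytes},
        "target_data_hoarding": {h for h, b in drained.items() if b >= target_bytes},
    }


if __name__ == "__main__":
    for behavior, hosts in analyze(FLOWS).items():
        print(f"{behavior}: {sorted(hosts) or '-'}")
```

Each check keys on a different aggregate of the same flow records (fan-out, outbound volume, inbound volume, outbound volume to internal peers), which is why one NetFlow collection point can feed all four detections at once.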
Detecting these behaviors early on can mean the difference between thwarting a potentially catastrophic insider attack and becoming the victim of one. If you have the appropriate situational awareness and can identify anomalous network activity in a timely fashion, you may just be able to shut down an attack before a privileged user makes off with your data. Unfortunately, it still takes more than technology alone to adequately protect your business from insider threats.
Gaining Security Context with Lancope’s StealthWatch® System
While NetFlow provides a plethora of valuable information for combating network attacks, organizations need a feasible means of collecting, storing and analyzing all of the data to turn it into actionable intelligence for fending off advanced threats. With massive scalability and sophisticated security analytics, Lancope’s StealthWatch® System enables organizations to make sense of all the information available on their networks, as well as quickly act on it.
By collecting and analyzing mass quantities of NetFlow and other types of data from across an organization’s entire network, the StealthWatch System can quickly identify anomalous behaviors that could be indicative of an attack. The system can also store months or even years’ worth of NetFlow to facilitate more comprehensive forensic investigations into previous security incidents.
According to a May 2014 Ponemon Institute study, the biggest hurdle to determining whether insider actions pose a threat is a lack of contextual information from security tools. That is why the StealthWatch System provides additional layers of security context to help administrators make more informed decisions for threat mitigation, including: user identity, device awareness, application-level visibility and threat feed data.