Sunday, 20 November 2016

How do we counter the threats to information / cyber security posed by "insiders" ("our own" people)? Part 4


Combating the Insider Threat
© 2015 Lancope, Inc.

Table of Contents

Chapter One
WHO IS ATTACKING YOUR NETWORK?
Chapter Two
INSIDER THREAT MOTIVES AND METHODS
Chapter Three
DETERRING INSIDER THREATS WITH TECHNOLOGY
Chapter Four
USING NETWORK LOGS TO THWART INSIDER THREATS
Chapter Five
BEYOND TECHNOLOGY
Chapter Six
SUMMARY & TOP 10 WAYS TO COMBAT INSIDER THREATS

Chapter Four

Using Network Logs to Thwart Insider Threats

While each type of insider threat requires a different combination of security measures, one technique that can help across the board is the monitoring of network activity through various logs. According to Lancope CTO TK Keanini, “In all cases of insider threat, early detection of the activities should be the dominant strategy because no one, no matter how diligent, is going to be able to prevent these threats 100% of the time.” In order to effectively combat threats, organizations need a way to find out the who, what, when, where, why and how of specific attacks. By leveraging network activity logs from technologies such as firewalls, IPS systems, SIEMs, packet capture and NetFlow, organizations can turn the entire network into a security sensor and more easily be aware of and shut down insider attack attempts. All of these technologies have their strengths and weaknesses in terms of expense, level of network visibility provided, and privacy concerns, but should all be evaluated as part of an effective insider security strategy.

NetFlow for Combating Insider Threats

By collecting and analyzing metadata from throughout the entire network, NetFlow in particular provides a wide breadth of visibility at a reasonable cost and without the privacy concerns associated with full packet capture.
NetFlow is a protocol developed by Cisco that enables organizations to collect and analyze network traffic from existing infrastructure components including routers, switches, firewalls and others. Because it allows for the collection of network data from virtually anywhere in the network, NetFlow is an extremely valuable technology when it comes to finding and identifying insider threat actors.
Providing a 24/7 pervasive look at everything happening on a corporate network, NetFlow can be leveraged both for real-time threat detection and for creating a network audit trail of previous transactions for use in forensic investigations. Since it delivers visibility across the entire network environment, NetFlow can help organizations identify network activity associated with a wide range of cyber-attacks, such as unusually large file transfers or attempts to access restricted areas.
In the case of the insider threat, excessive amounts of network traffic flowing from one user’s computer to the printer could signify an attempted theft of intellectual property. Or, if a user is frequently communicating with an unfamiliar IP address in another country, it could indicate that the user’s computer has been compromised. These are just a couple of examples of how the collection and analysis of NetFlow can help identify insider threats on the network. NetFlow is also valuable for baselining network assets so that administrators know where the organization’s sensitive data assets reside and how they are being used. After all, IT and security professionals cannot take the appropriate steps to secure critical assets and minimize risk if they do not know that the assets exist, or where they are located.

Detecting Suspicious Network Behaviors

According to TK Keanini, CTO of Lancope, “There is a difference between ‘bad’ and ‘not good.’ The insider threat requires you to have tools that can detect ‘not good.’” Collecting and analyzing NetFlow data with the right tools can help organizations detect a plethora of suspicious network behaviors that can indicate that an insider attack is taking place. These include:

Unauthorized Access
When a user attempts to access resources on the network that are prohibited

Policy Violations
When employees begin using services that are in direct violation of company policy, and may be intended to bypass company monitoring

Internal Reconnaissance
Before insiders can extract data, they must first inventory it. Organizations can use NetFlow to identify associated internal scanning activities.

Suspect Data Loss
When privileged users send abnormal amounts of information out of the network

Suspect Data Hoarding
When a user is downloading and collecting a large amount of data, which may indicate an attempt to package and exfiltrate sensitive information

Target Data Hoarding
When large amounts of data are being extracted from a specific host on the network

Detecting these behaviors early on can mean the difference between thwarting a potentially catastrophic insider attack and becoming the victim of one. If you have the appropriate situational awareness and can identify anomalous network activity in a timely fashion, you may just be able to shut down an attack before a privileged user makes off with your data. Unfortunately, however, it still takes more than just technology to adequately protect your business from insider threats.
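The following is an added example, not code from the Lancope paper or from StealthWatch: a small rule-based detector for the six behaviors listed above, run over constructed NetFlow-style records (one unidirectional flow each, carrying source, destination, destination port and byte count). The subnets, thresholds, the list of sensitive servers and the set of banned destination ports are assumptions standing in for an organization's own policy and baseline; real deployments derive them from the baselining the paper describes.

```python
# Added example (not from the Lancope paper): rule-based detection of the six
# insider-threat behaviours above, run over constructed NetFlow-style records.
# Each record is one unidirectional flow: bytes are counted from src to dst.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Assumed policy: only the admin subnet may reach the restricted subnet.
RESTRICTED_NET = ip_network("10.0.9.0/24")
ADMIN_NET = ip_network("10.0.3.0/24")
# Assumed policy: outbound use of these ports (e.g. unsanctioned proxying)
# violates company policy and may be meant to bypass monitoring.
BANNED_DST_PORTS = {1080, 9001}
SENSITIVE_SERVERS = {"10.0.5.10", "10.0.5.11", "10.0.5.12"}  # assumed file servers
MIB = 1024 * 1024
RECON_DISTINCT_HOSTS = 20      # distinct internal targets from one source
HOARD_THRESHOLD = 500 * MIB    # bytes one host pulls from sensitive servers
TARGET_THRESHOLD = 800 * MIB   # bytes one sensitive server pushes out
EXFIL_THRESHOLD = 200 * MIB    # bytes one host sends to external addresses


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(flows):
    """Return a sorted list of (behaviour, host) findings for a batch of flows."""
    findings = set()
    recon_targets = defaultdict(set)
    hoard_bytes = defaultdict(int)
    target_bytes = defaultdict(int)
    exfil_bytes = defaultdict(int)

    for f in flows:
        src, dst, dport, nbytes = f["src"], f["dst"], f["dport"], f["bytes"]
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        src_int, dst_int = is_internal(src), is_internal(dst)

        # Unauthorized access: a non-admin source touching the restricted subnet.
        if dst_ip in RESTRICTED_NET and src_ip not in ADMIN_NET:
            findings.add(("unauthorized_access", src))
        # Policy violation: outbound traffic to a banned service port.
        if not dst_int and dport in BANNED_DST_PORTS:
            findings.add(("policy_violation", src))
        if src_int and dst_int:
            # Internal reconnaissance: count distinct internal hosts per source.
            recon_targets[src].add(dst)
            if src in SENSITIVE_SERVERS:
                # Data leaving a sensitive server: credit the receiving host
                # (suspect hoarding) and the server itself (target hoarding).
                hoard_bytes[dst] += nbytes
                target_bytes[src] += nbytes
        elif src_int and not dst_int:
            exfil_bytes[src] += nbytes  # internal -> external volume

    for host, targets in recon_targets.items():
        if len(targets) >= RECON_DISTINCT_HOSTS:
            findings.add(("internal_reconnaissance", host))
    for host, total in hoard_bytes.items():
        if total >= HOARD_THRESHOLD:
            findings.add(("suspect_data_hoarding", host))
    for host, total in target_bytes.items():
        if total >= TARGET_THRESHOLD:
            findings.add(("target_data_hoarding", host))
    for host, total in exfil_bytes.items():
        if total >= EXFIL_THRESHOLD:
            findings.add(("suspect_data_loss", host))
    return sorted(findings)


def flow(src, dst, dport, nbytes):
    return {"src": src, "dst": dst, "dport": dport, "bytes": nbytes}


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = (
    # 10.0.1.20 sweeps 30 hosts in 10.0.2.0/24 on SMB: reconnaissance.
    [flow("10.0.1.20", f"10.0.2.{i}", 445, 120) for i in range(1, 31)]
    # Two sensitive servers each push 300 MiB to 10.0.1.30: hoarding by .30.
    + [flow("10.0.5.10", "10.0.1.30", 49152, 300 * MIB),
       flow("10.0.5.11", "10.0.1.30", 49153, 300 * MIB)]
    # 10.0.5.12 pushes 900 MiB in total to several hosts: target hoarding.
    + [flow("10.0.5.12", f"10.0.1.{i}", 49200 + i, 300 * MIB) for i in (50, 51, 52)]
    # 10.0.1.30 then sends 250 MiB to an external address: suspect data loss.
    + [flow("10.0.1.30", "203.0.113.7", 443, 250 * MIB)]
    # 10.0.1.40 (outside the admin subnet) reaches the restricted subnet.
    + [flow("10.0.1.40", "10.0.9.5", 22, 2048)]
    # 10.0.1.41 connects out to a banned proxy port: policy violation.
    + [flow("10.0.1.41", "198.51.100.9", 1080, 4096)]
    # Normal traffic that should trigger nothing.
    + [flow("10.0.3.7", "10.0.9.5", 22, 4096),
       flow("10.0.1.60", "10.0.5.10", 445, 5 * MIB)]
)

if __name__ == "__main__":
    for behaviour, host in detect(SAMPLE_FLOWS):
        print(f"{behaviour:26s} {host}")
```

Because NetFlow records are unidirectional, volume is attributed to the sending side of each flow, which is why a host pulling data from a file server shows up as bytes flowing from the server to that host. In practice the counters would be kept per time window and the thresholds set relative to a baseline for each host role, so that a backup server pushing gigabytes nightly does not look like target data hoarding.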

Gaining Security Context with Lancope’s StealthWatch® System

While NetFlow provides a plethora of valuable information for combating network attacks, organizations need a feasible means of collecting, storing and analyzing all of the data to turn it into actionable intelligence for fending off advanced threats. With massive scalability and sophisticated security analytics, Lancope’s StealthWatch® System enables organizations to make sense of all the information available on their networks, as well as quickly act on it.

By collecting and analyzing mass quantities of NetFlow and other types of data from across an organization’s entire network, the StealthWatch System can quickly identify anomalous behaviors that could be indicative of an attack. The system can also store months or even years’ worth of NetFlow to facilitate more comprehensive forensic investigations into previous security incidents.

According to a May 2014 Ponemon Institute Study, the biggest hurdle to determining if insider actions pose a threat is a lack of contextual information from security tools. That is why the StealthWatch System provides additional layers of security context to help administrators make more informed decisions for threat mitigation, including: user identity, device awareness, application-level visibility and threat feed data.
