Friday, 25 November 2016

How to counter threats to information / cyber security caused by "insiders" ("our own" people)? Part 6


Combating the Insider Threat
© 2015 Lancope, Inc.

Table of Contents

Chapter One
WHO IS ATTACKING YOUR NETWORK?
Chapter Two
INSIDER THREAT MOTIVES AND METHODS
Chapter Three
DETERRING INSIDER THREATS WITH TECHNOLOGY
Chapter Four
USING NETWORK LOGS TO THWART INSIDER THREATS
Chapter Five
BEYOND TECHNOLOGY
Chapter Six
SUMMARY & TOP 10 WAYS TO COMBAT INSIDER THREATS

Chapter Six

Summary & Top 10 ways to combat insider threats

In conclusion, it is critical to recognize that insider threats come in different forms, and technologies that
stop one type of insider attack will not necessarily be effective against others. Even so, adopting a comprehensive range of solutions, such as access control and encryption technologies, can play a big role in deterring insider attacks.
And don’t forget about the use of network logs, particularly NetFlow, for continuously monitoring user
activity. Advanced technologies can take the capabilities of NetFlow even further by providing additional
security context and helping organizations make sense of the plethora of data available on the network.
In the end, however, insider threat prevention is about more than just technology. Other key groups
within the organization, including HR, Management and Legal, for example, also need to join IT in the
fight against insider threats.
Please refer to the following Top 10 List for a comprehensive recap of insider threat prevention methods.

Top 10 Ways to Combat Insider Threats

1. First and foremost, it is important that your company conducts thorough background checks before
hiring employees, contractors or third-party vendors.
2. Once employees are hired and given access to sensitive systems, establishing appropriate checks and balances for access to confidential data is key.
3. Thorough measures must also be taken to revoke previous employee and contractor access to
your company’s systems.
4. Understand the different types and characteristics of insider threats – negligent, malicious and
compromised – so that you can better detect and protect against them.
5. Remember that access controls can serve as a key deterrent for both negligent and malicious insiders.
6. Additionally, encryption of data at rest is crucial for minimizing the impact should a negligent employee lose his/her laptop or other equipment.
7. Of course, user education should not be overlooked. It is a lot easier for employees to abide by best
practices if they are aware of them.
8. The collection, analysis and storage of various types of network logs should be a critical component of any insider threat security program.
9. Remember that some monitoring solutions provide additional security context, such as identity
awareness, which can be invaluable for quickly tracking down the source of insider attacks.
10. Last but not least, it is important to realize that the IT department alone cannot adequately protect a
company from its own insiders. Insider threat programs must also involve Management, HR and Legal.

Wednesday, 23 November 2016

How to counter threats to information / cyber security caused by "insiders" ("our own" people)? Part 5


Combating the Insider Threat
© 2015 Lancope, Inc.


Chapter Five

Beyond Technology

A 2014 survey by the Ponemon Institute uncovered that only 26 percent of respondents had a multidisciplinary insider threat management program in place within their organization. It is important to
recognize that technology alone cannot prevent insider threats. It has to be a cross-organizational effort
that also involves other groups such as HR, Management and Legal.
For example, if HR alerts IT about a disgruntled employee, their network activity can be monitored so that anomalous behaviors such as logging on at unusual hours of the day can be swiftly investigated. And without the involvement of other groups within the company, malicious behaviors discovered by IT cannot be properly addressed.
Specifically, companies that wish to adequately address the insider threat problem should
consider the following:

Background Checks and Screening
First and foremost, it is important that your company conducts thorough background checks before hiring employees, contractors or third-party vendors so you will know exactly who you are working with.

Partner Evaluation
According to the 2014 U.S. State of Cybercrime Survey, “Recent contractor data leaks and payment card heists have proved that adversaries can and will infiltrate systems via third parties, but most organizations do not address third-party security.” Also according to the survey, only 44 percent of respondents have a process for evaluating third parties before the launch of business operations, and only 31 percent include security provisions in contracts with external vendors and suppliers. No matter how strong your security program is, if you are working with insecure partners, it won’t take long for the attackers to find them and use them to infiltrate your network.

Comprehensive Employee Exit Strategies
Research by the CERT Insider Threat Center has shown that malicious insiders typically conduct their
unsavory activities within 30 days of giving their resignation. It sounds obvious, but thorough measures
need to be taken to revoke employee and contractor access to your company’s systems upon
resignation. Also pay particular attention to the person’s active sessions at the time they leave, as they
may still be logged in somewhere and able to do damage if they wish.
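A reconciliation of the kind this section calls for, as an added example (not Lancope's code or process): it checks HR leaver records against the account directory and active session reports, flags accounts or sessions that outlived a departure, and marks users still inside the 30-day window after resigning for closer monitoring. All names, dates, systems and the data layout are assumptions.

```python
from datetime import date, timedelta

# All users, dates, accounts and sessions below are constructed for illustration.
HR_LEAVERS = {  # user -> (date resignation was given, last working day)
    "asmith": (date(2016, 11, 1), date(2016, 11, 15)),   # has already left
    "bjones": (date(2016, 11, 18), date(2016, 12, 9)),   # serving notice
    "cdoe": (date(2016, 10, 1), date(2016, 10, 31)),     # left, cleanly offboarded
}
DIRECTORY = {  # user -> account still enabled?
    "asmith": True,   # offboarding missed this account
    "bjones": True,
    "cdoe": False,
    "dlee": True,     # current employee, not a leaver
}
ACTIVE_SESSIONS = [  # (user, system) as reported by VPN, SSO or servers
    ("asmith", "vpn-gw1"),  # still logged in after departure
    ("bjones", "fileserver2"),
    ("dlee", "mail"),
]
AS_OF = date(2016, 11, 23)  # constructed "today" for the run below

def leaver_findings(hr, directory, sessions, today, window=timedelta(days=30)):
    """Per leaver: access or sessions that outlived their departure, and users
    still within the window after resigning who warrant closer monitoring."""
    findings = {}
    for user, (resigned, last_day) in hr.items():
        flags = []
        if today > last_day:
            if directory.get(user, False):
                flags.append("account still enabled after departure")
            for who, system in sessions:
                if who == user:
                    flags.append(f"active session on {system} after departure")
        elif today - resigned <= window:
            flags.append("within resignation window: heighten monitoring")
        if flags:
            findings[user] = flags
    return findings

if __name__ == "__main__":
    for user, flags in leaver_findings(HR_LEAVERS, DIRECTORY, ACTIVE_SESSIONS, AS_OF).items():
        print(user, "->", "; ".join(flags))
```

Run daily against the real HR feed, directory export and session inventory, the findings become the offboarding checklist's verification step rather than a one-time task.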

Management Training
Also according to the CERT Insider Threat Center, insiders who commit crimes often engage
in certain behaviors prior to or in the course of committing that crime, such as threatening the
organization or bragging publicly about how much damage they could do. If managers are trained
to recognize and report these kinds of behaviors, they may identify a potential problem before it
becomes a serious security incident.

Employee Assistance
In some cases, personal and financial stress may motivate people to commit crimes at work. There are a number of steps that organizations can take to help employees find constructive approaches to handling difficult personal circumstances, such as establishing a confidential Employee Assistance Program that can provide counseling and advice.

User Education
According to a study by Forrester Research of information workers in North America and Europe, only 57 percent said they were aware of their organization’s current security policies and only 42 percent said they received training on how to stay secure at work. User education can go a long way in helping to protect against insider threats. It is a lot easier for employees to abide by best practices for security if they are aware of them, and if they are educated on the serious impact and dramatic consequences that their careless actions could have on the organization. This is especially important in light of new forms of attack such as ransomware.
Users can also be educated about helping to detect potential insider attacks by others. According to the
Verizon 2014 Data Breach Investigations Report, the most common way organizations detected insider
crimes was when employees reported them.

Sunday, 20 November 2016

How to counter threats to information / cyber security caused by "insiders" ("our own" people)? Part 4


Combating the Insider Threat
© 2015 Lancope, Inc.


Chapter Four

Using Network Logs to Thwart Insider Threats

While each type of insider threat requires a different combination of security measures, one technique
that can help across the board is the monitoring of network activity through various logs. According to
Lancope CTO TK Keanini, “In all cases of insider threat, early detection of the activities should be the
dominant strategy because no one, no matter how diligent, is going to be able to prevent these threats
100% of the time.” In order to effectively combat threats, organizations need a way to find out the who, what, when, where, why and how of specific attacks. By leveraging network activity logs from technologies such as firewalls, IPS systems, SIEMs, packet capture and NetFlow, organizations can turn the entire network into a security sensor and more easily be aware of and shut down insider attack attempts. All of these technologies have their strengths and weaknesses in terms of expense, level of network visibility provided, and privacy concerns, but should all be evaluated as part of an effective insider security strategy.

NetFlow for Combating Insider Threats

By collecting and analyzing metadata from throughout the entire network, NetFlow in particular
provides a wide breadth of visibility at a reasonable cost and without the privacy concerns associated
with full packet capture.
NetFlow is a protocol developed by Cisco that enables organizations to collect and analyze network traffic from existing infrastructure components including routers, switches, firewalls and others. Because it allows for the collection of network data from virtually anywhere in the network, NetFlow is an extremely valuable technology when it comes to finding and identifying insider threat actors.
Providing a 24/7 pervasive look at everything happening on a corporate network, NetFlow can be leveraged for both real-time threat detection, as well as to create a network audit trail of previous transactions for use in forensic investigations. Since it delivers visibility across the entire network environment, NetFlow can help organizations identify network activity associated with a wide range of cyber-attacks, such as unusually large file transfers or attempts to access restricted areas, for example.
In the case of the insider threat, excessive amounts of network traffic flowing from one user’s computer to the printer could signify an attempted theft of intellectual property. Or, if a user is frequently communicating with an unfamiliar IP address in another country, it could indicate that the user’s computer has been compromised. These are just a couple of examples of how the collection and analysis of NetFlow can help identify insider threats on the network. NetFlow is also valuable for baselining network assets so that administrators know where the organization’s sensitive data assets reside and how they are being used. After all, IT and security professionals cannot take the appropriate steps to secure critical assets and minimize risk if they do not know that the assets exist, or where they are located.

Detecting Suspicious Network Behaviors

According to TK Keanini, CTO of Lancope, “There is a difference between ‘bad’ and ‘not good.’ The insider threat requires you to have tools that can detect ‘not good.’” Collecting and analyzing NetFlow data with the right tools can help organizations detect a plethora of suspicious network behaviors that can indicate that an insider attack is taking place. These include:

Unauthorized Access
When a user attempts to access resources on the network that are prohibited

Policy Violations
When employees begin using services that are in direct violation of company policy, and may be intended to bypass company monitoring

Internal Reconnaissance
Before insiders can extract data, they must first inventory it. Organizations can use NetFlow to identify
associated internal scanning activities.

Suspect Data Loss
When privileged users send abnormal amounts of information out of the network

Suspect Data Hoarding
When a user is downloading and collecting a large amount of data, which may indicate an attempt to
package and exfiltrate sensitive information

Target Data Hoarding
When large amounts of data are being extracted from a specific host on the network

Detecting these behaviors early on can mean the difference between thwarting a potentially catastrophic
insider attack and becoming the victim of one. If you have the appropriate situational awareness and can
identify anomalous network activity in a timely fashion, you may just be able to shut down an attack before a privileged user makes off with your data. Unfortunately, however, it still takes more than just technology to adequately protect your business from insider threats.
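As an added example (not Lancope code and not StealthWatch logic), here are toy versions of three of the behaviors listed above, internal reconnaissance, suspect data loss and suspect data hoarding, run over a constructed set of NetFlow-style records; the addresses, byte counts, thresholds and the per-host egress baseline are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Each record is (src, dst, dst_port, bytes sent by src); all values are constructed.
INTERNAL = ip_network("10.0.0.0/8")
FLOWS = (
    # 10.1.1.20 sweeps SMB across a server subnet: many targets, tiny flows
    [("10.1.1.20", f"10.2.0.{i}", 445, 300) for i in range(1, 31)]
    # 10.1.1.21 pulls a large volume from three file servers
    + [("10.2.0.7", "10.1.1.21", 445, 900_000_000),
       ("10.2.0.8", "10.1.1.21", 445, 700_000_000),
       ("10.2.0.9", "10.1.1.21", 445, 600_000_000)]
    # 10.1.1.22 sends far more than its baseline to an external address
    + [("10.1.1.22", "203.0.113.9", 443, 2_000_000_000)]
    # ordinary activity that should not be flagged
    + [("10.1.1.23", "10.2.0.7", 445, 5_000_000),
       ("10.1.1.23", "198.51.100.4", 443, 40_000_000)]
)
BASELINE = {"10.1.1.22": 50_000_000, "10.1.1.23": 60_000_000}  # constructed daily egress (bytes)

def is_internal(ip):
    return ip_address(ip) in INTERNAL

def internal_recon(flows, min_targets=20, max_bytes=1_000):
    """One internal source touching many internal host/port pairs with tiny flows."""
    targets = defaultdict(set)
    for src, dst, port, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes <= max_bytes:
            targets[src].add((dst, port))
    return {s: len(t) for s, t in targets.items() if len(t) >= min_targets}

def suspect_data_loss(flows, baseline, factor=10, floor=100_000_000):
    """Egress to external addresses well above the host's own baseline (floor applies if none)."""
    egress = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            egress[src] += nbytes
    return {s: b for s, b in egress.items()
            if b > max(floor, factor * baseline.get(s, 0))}

def data_hoarding(flows, min_bytes=1_000_000_000, min_sources=2):
    """An internal host pulling a large volume from several internal servers."""
    pulled, sources = defaultdict(int), defaultdict(set)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            pulled[dst] += nbytes
            sources[dst].add(src)
    return {d: b for d, b in pulled.items()
            if b >= min_bytes and len(sources[d]) >= min_sources}
```

The thresholds are the weak point of any such rule, which is why the text stresses baselining: a host with no learned baseline here falls back to the absolute floor and will generate noise until one exists.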

Gaining Security Context with Lancope’s StealthWatch® System

While NetFlow provides a plethora of valuable information for combating network attacks, organizations
need a feasible means of collecting, storing and analyzing all of the data to turn it into actionable
intelligence for fending off advanced threats. With massive scalability and sophisticated security analytics,
Lancope’s StealthWatch® System enables organizations to make sense of all the information available on their networks, as well as quickly act on it.
By collecting and analyzing mass quantities of NetFlow and other types of data from across an
organization’s entire network, the StealthWatch System can quickly identify anomalous behaviors that
could be indicative of an attack. The system can also store months or even years’ worth of NetFlow to
facilitate more comprehensive forensic investigations into previous security incidents.
According to a May 2014 Ponemon Institute Study, the biggest hurdle to determining if insider actions
pose a threat is a lack of contextual information from security tools. That is why the StealthWatch System
provides additional layers of security context to help administrators make more informed decisions for
threat mitigation, including: user identity, device awareness, application-level visibility and threat feed data.