#TDPARTNERS16 GEORGIA WORLD CONGRESS CENTER
Insider Threat Detection: Behavioral Pattern Analysis to Identify Risks
Dave Gebala & Hannah Chen, Aster Solutions, Center of Innovation
At Teradata, we believe…
Analytics and data unleash the potential of great companies
Agenda
• What is an insider threat?
• How big is the problem?
• Teradata Aster Insider Threat Solution
  • Threat dashboards
  • Integrations
  • Descriptive use cases
The Source of The Threat is Evolving
It’s coming from inside the organization
[Diagram: confidential data reached through phone, laptop, tablet, BYOD, social, cloud and multi-user collaboration]
Sensitive data is increasingly accessible and distributed throughout an organization
Outsiders (hackers) get the headlines, but Insiders are the bigger risk
[Chart: data breaches by source. Outsiders 42%; Insiders 58% (employees, contractors/partners, former employees)]
Insider Threats are Hard To Detect
Insiders are authorized to access confidential information as part of their jobs:
• Sales records
• Customer data
• Financial records
• Operating plans
• Release schedules
Insider actions (malicious or not) leave you exposed:
• Use of USB or other storage devices
• Inadvertent human error (sharing credentials)
• Sending messages/files via personal email over public networks
Any Insider Can Evolve into a Threat
How do you know when this metamorphosis is occurring?
Former employees, departing employees, contractors, partners: anyone losing network access…
…may engage in damaging behavior:
• Lateral Movement
• Data Exfiltration
• Privilege Escalation
• Internal Reconnaissance
Digital Information Loss is a Top Priority
• 72%: struggling with the changing landscape; unsure what to do
• 43%: U.S. firms with a data breach in the past year
We hear about big breaches by hackers who hit the DoD, Target, The Home Depot, the DNC…
…but most companies are caught flat-footed and resort to damage control after a breach has been discovered
Point Solutions have Limited Scope
An example of “benign” activity: baseline facts and the limited security checks applied to each
• Sales Exec: trusted actor who relies on data access to perform job
• Accesses CRM System: authentication via user name and password
• Explores Account List: varying levels of role-based access
• Performs Custom Searches: standard activity
• Downloads Opportunity Pipeline: standard activity
• Syncs CRM Contact database: standard activity
• Logs into shared storage: authenticated via SSO
• Sends emails with attachments: attachment types checked; documents are under size limit
See All Activity and Its Context.
The same activity, with the context a point solution never sees:
• Sales Exec: who missed quota for 2 quarters; who is not on track to meet quota; who has recently received notice
• Accesses CRM System: from a new location outside of historical access norms, on a new device
• Explores Account List: outside of assigned geography; outside of assigned industry vertical; does not update or save any data
• Performs Custom Searches: attempts to access account details, with multiple probing attempts, for high dollar value prospects
• Downloads Opportunity Pipeline: requests all interaction records for the entire date range for all geographies
• Syncs CRM Contact database: to local address book on Outlook; syncs Outlook to Google contacts; syncs to a personal iPhone
• Logs into shared storage: bulk uploads/downloads documents; attaches a USB drive to laptop; performs bulk upload to Dropbox
• Sends emails with attachments: from corporate server to a webmail address which is outside of expected community; destination address has high match as predicted personal webmail
Teradata Aster Insider Threat Solution
[Screenshot: interactive dashboard feeding Splunk console]
Teradata Aster Insider Threat Solution
[Screenshot: network traffic log analysis to highlight threats]
Insider Threat Analytics Demo
Built on the Aster Analytic Platform
• Path Analytics: sessionizes across multiple log inputs and constructs a comprehensive record of activity in context
• Behavioral Analytics against structured and unstructured data to intelligently score an Insider Threat event. Inputs: Splunk logs, HR personnel profiles, badge access, VPN access logs
• Graph Analytics to reveal the context of information flow and detect anomalous patterns of behavior
• Machine Learning to automate detection of risky patterns of activity
• Text Analytics to screen and flag messages at scale
Descriptive Use Case: compare an individual’s DLP violations to detect drift over time
[Chart: employee’s average number of violations increasing over time]
Descriptive Use Case: compare an individual’s behavior (network activity) to that of peers
[Chart: department average violation count]
Descriptive Use Case: combine personnel records/profiles with data loss prevention alerts
USB removable media is the leading violation for terminated employees/expiring contractors
Descriptive Use Case: modularity reveals communities of violators with similar behavior
[Graph: clusters of employees with similar, multi-violation behavior]
Descriptive Use Case: identify anomalies that policies and point solutions are not catching
Example: simultaneous badge-in/network access at HQ while connected from a remote geography via VPN
At Teradata…
We empower companies to achieve high-impact business outcomes
through analytics at scale on an agile data foundation
Thank You
APPENDIX and REFERENCE
Splunk Screenshots
• Login Threats: SSH attack detection. Data source: authentication logs (e.g. SSH, VPN, RSA)
• Network Traffic: traffic threat detection. Data source: network log (e.g. IP tables, Snort)
• Insider Threat: behavioral anomaly detection. Data source: corporate network log
Teradata Confidential
[Chart: data source: corporate network log, 90%]
AppCenter + Tableau Screenshots
• Web Logs: web attack detection. Data source: Apache web log
Tableau Screenshots
• Insider Threat: behavioral anomaly detection. Data source: corporate network log
Teradata Aster + Splunk
Enhance & Enrich
• Enhance Splunk’s feature set with Aster advanced analytics. Enrich Splunk’s data set with multi-channel and profile data stored in Aster.
• Connect Splunk to Aster using SQL-MR or Splunk’s DB Connect App.
• Push (or pull) Splunk data into Aster to take advantage of advanced Path & Pattern Analytics, Text Analytics, Predictive Analytics and more.
Teradata Aster + Splunk
Integration Types
Type 1: For the Splunk User
• Enhance Splunk search and reporting with Aster’s advanced analytics capabilities.
• Move data from Splunk into Aster. Execute analytics either on schedule or on demand. View result sets and visualizations produced by Aster inside of Splunk.
Type 2: For the Aster User
• Extract greater analytics value from the data that you are currently investigating inside of Splunk.
• Make Splunk data available for more iterative analysis using Aster out-of-the-box techniques including Path & Pattern Analytics, Text Analytics, Predictive Analytics, etc.
Conceptual Workflow: Splunk DB Connect
1. Data is streamed into Splunk from one or more sources.
2. Splunk data is pushed (or pulled) into Aster using DB Connect or SQL-MR.
3. Aster Analytics are executed on either a scheduled or ad hoc basis. Results from these analyses are now available to query in Splunk via DB Connect.
4. Aster AppCenter Apps are built to run further analytics and produce visualizations.
5. A Splunk App is built to view results and visualizations produced by AppCenter in Splunk via the AppCenter REST API.
Teradata Aster + Splunk
[Diagram components: Data, Aster SQL-MR Splunk Connector, Aster AppCenter, Aster Apps, AppCenter REST API, Splunk Aster App(s)]