Insider threats webinar 01.28.15

Charles HerringConsulting Security Architect

Insider Threats

© 2014 Lancope, Inc. All rights reserved.

What is an Insider?

The Person The Credentials The Endpoint


The Insider-Person Threat

Person

Vulnerability Attack

Ideology/Disgruntlement

Recruitment

Financial hardship/Greed Bribe/Scam

Fear Extortion

Loneliness Friendship/Romance

Love of Family Kidnapping

Self Preservation Physical harm/torture

Ego Flattery

Boredom Bad decisions


The Insider-Credentials Threat

Credentials


Cryptographic Weakness Brute force

Personal Markers Public Record Dictionary Attack

Multi-domain usage SQLi

Analog-Digital Conversion Keylogger/Camera

Transmission MitM


The Insider-Endpoint Threat

Endpoint


Decisions Made by Human Malware

Open Ports Worm

Supply Chain Control-ware (C2)

“Walk ups” Credential Abuse


Impossible Statistics

• Malware free attacks

• Ability to cover tracks

• Detailed Knowledge of Detection and Response

• Increasing Availability of Tools and Knowledge

• Attribution to user (was it malware, credential theft?)


CERT: Common Sense Guide to Prevention and Detection of Insider Threats

IT Sabotage Financial Gain Business Advantage

% of cases: 45% 44% 14%

Employment: Former Current Current

Position: Technical Data Entry & Customer Services

Technical or Sales

Authorized Access? Rarely 75% 88%

Used their own credentials?

30% 85% Almost always

Compromised an account?

43% 10% Rarely

Attack wasnon-technical:

65% 84% Almost always

When: After hours Normal hours Normal hours

Where: Remote Local Local

IDed due to: Logs Logs Logs


Reducing Insider Vulnerabilities

• Background Checks (Financial, Ideological, Criminal)

• Better Authentication (Two-factor, Biometrics, Complex Passwords)

• Endpoint Hardening (Sandboxing, Policy)

Signature

Anomaly Behavior

Advanced Detection Methods

Signature = Object against blacklist• IPS, Antivirus, Content Filter

Behavior = Inspect Victim behavior against blacklist• Malware Sandbox, NBAD, HIPS, SEIM

Anomaly = Inspect Victim behavior against whitelist• NBAD, Quantity/Metric based—not Signature

based

Signature Behavior Anomaly

Known Exploits BEST Good Limited

0-day Exploits Limited BEST Good

Credential Abuse Limited Limited BEST


Geographic User Anomaly


Data Hoarding


Data Loss


Increasing Risk to Insider through Audit Trails

• Criminals fear evidence

• Internal communications rarely monitored/collected

• Detection time exceeds data retention


Sources of visibility• Firewall logs

– Are you logging everything or just denies?

• Internal & Host IPS systems

– HIPS potentially has a lot of breadth

– Can be expensive to deploy

– Signature based

• Log Management Solutions/SIEM

– Are you collecting everything?

– You can only see what gets logged

• NetFlow

– Lots of breadth, less depth

– Lower disk space requirements

• Full Packet Capture

– Deep but not broad

– Expensive

– High disk space requirements

Tradeoffs:

• Record everything vs only bad things

• Breadth vs Depth

• Time vs Depth

• Privacy


DMZ

VPN

Internal

Network

InternetNetFlow Packets

src and dst ip

src and dst port

start time

end time

mac address

byte count

- more -NetFlow

3GInterne

t

3G Interne

t

NetFlow

NetFlow

NetFlow

Internal Visibility Through NetFlow

NetFlow

NetFlow

Collector

15


User Attribution through Context Awareness


Following the User

17

Sometimes investigations start with user intelligence

Lancope Overview

Alpharetta, GA–Headquarters

London, Germany, Dubai

$30m raised (last in 2005)

• Canaan Partners, HIG, Council Capital

• 4+ years profitability

Leadership from IBM, ISS, Dell SecureWorks, RSA,

Motorola/AirDefense, Gartner, Cisco. TripWire,

PolyCom, McKesson

• 100 +years combined experience

• 250+ employees

INVESTORS

LOCATIONS

TEAM

Leading provider of networkvisibility & security intelligenceFounded in 2000700+ Customers

StealthWatchDelivers:

StealthWatch System provides context-aware security,

enabling organizations to quickly detect a wide range of

attacks (e.g. APT, DDoS, malware, insider threat),

accelerate incident response, improve forensic

investigations and reduce enterprise risk.

Complete Network

Visibility & Security

Intelligence

Detect & Resolve

Advanced Threats

Accelerate Incident

Response & Forensic

Investigations

Reduce Operational

& Enterprise Risk



Use NetFlow Data

to Extend Visibility

to the Access Layer

WHO

WHAT

WHEREWHEN

HOW

StealthWatchYour Network Is Your Sensor

Visibility, Context, and Control

Internal Network

Identity

Routers & Switches

Firewall

Context

Hardware-enabledNetFlow Switch

Devices

Enrich Flow Data with Identity, Events and

Application to Create Context

Unify Into a Single Pane of Glass for

Detection, Investigation and Reporting

Everything must touch the network

KNOWevery host

Know what is NORMAL

What else can the

network tell me?

RECORD every conversation

Gain Context-Aware Security

Company Network

Assess

AuditPosture

Response

With StealthWatch…

Context

Detect

Alert to CHANGE

Store for MONTHS



Lancope Solution Portfolio

StealthWatchManagement

Console

StealthWatchFlowReplicator

StealthWatchFlowCollector

NetFlow,syslog, SNMP

NetFlow enabled routers, switches,

firewalls

StealthWatchFlowSensor

vSphere with StealthWatchFlowSensor VE

User and Device Information

ID1100


Thank you

Insider threats webinar 01.28.15

Technology

ways lancope

lancope augments

behaviorbased system

victim behavior

anomaly detection

thresholdbased alerting

high value

slic threat feed