Charles Herring Consulting Security Architect Insider Threats
Jul 17, 2015
Charles HerringConsulting Security Architect
Insider Threats
© 2014 Lancope, Inc. All rights reserved.
What is an Insider?
The Person The Credentials The Endpoint
© 2014 Lancope, Inc. All rights reserved.
The Insider-Person Threat
Person
Vulnerability Attack
Ideology/Disgruntlement
Recruitment
Financial hardship/Greed Bribe/Scam
Fear Extortion
Loneliness Friendship/Romance
Love of Family Kidnapping
Self Preservation Physical harm/torture
Ego Flattery
Boredom Bad decisions
© 2014 Lancope, Inc. All rights reserved.
The Insider-Credentials Threat
Credentials
Vulnerability Attack
Cryptographic Weakness Brute force
Personal Markers Public Record Dictionary Attack
Multi-domain usage SQLi
Analog-Digital Conversion Keylogger/Camera
Transmission MitM
© 2014 Lancope, Inc. All rights reserved.
The Insider-Endpoint Threat
Endpoint
Vulnerability Attack
Decisions Made by Human Malware
Open Ports Worm
Supply Chain Control-ware (C2)
“Walk ups” Credential Abuse
© 2014 Lancope, Inc. All rights reserved.
Impossible Statistics
• Malware free attacks
• Ability to cover tracks
• Detailed Knowledge of Detection and Response
• Increasing Availability of Tools and Knowledge
• Attribution to user (was it malware, credential theft?)
© 2014 Lancope, Inc. All rights reserved.
CERT: Common Sense Guide to Prevention and Detection of Insider Threats
IT Sabotage Financial Gain Business Advantage
% of cases: 45% 44% 14%
Employment: Former Current Current
Position: Technical Data Entry & Customer Services
Technical or Sales
Authorized Access? Rarely 75% 88%
Used their own credentials?
30% 85% Almost always
Compromised an account?
43% 10% Rarely
Attack wasnon-technical:
65% 84% Almost always
When: After hours Normal hours Normal hours
Where: Remote Local Local
IDed due to: Logs Logs Logs
© 2014 Lancope, Inc. All rights reserved.
Reducing Insider Vulnerabilities
• Background Checks (Financial, Ideological, Criminal)
• Better Authentication (Two-factor, Biometrics, Complex Passwords)
• Endpoint Hardening (Sandboxing, Policy)
Signature
Anomaly Behavior
Advanced Detection Methods
Signature = Object against blacklist• IPS, Antivirus, Content Filter
Behavior = Inspect Victim behavior against blacklist• Malware Sandbox, NBAD, HIPS, SEIM
Anomaly = Inspect Victim behavior against whitelist• NBAD, Quantity/Metric based—not Signature
based
Signature Behavior Anomaly
Known Exploits BEST Good Limited
0-day Exploits Limited BEST Good
Credential Abuse Limited Limited BEST
© 2014 Lancope, Inc. All rights reserved.
Geographic User Anomaly
© 2014 Lancope, Inc. All rights reserved.
Data Hoarding
© 2014 Lancope, Inc. All rights reserved.
Data Loss
© 2014 Lancope, Inc. All rights reserved.
Increasing Risk to Insider through Audit Trails
• Criminals fear evidence
• Internal communications rarely monitored/collected
• Detection time exceeds data retention
© 2014 Lancope, Inc. All rights reserved.
Sources of visibility• Firewall logs
– Are you logging everything or just denies?
• Internal & Host IPS systems
– HIPS potentially has a lot of breadth
– Can be expensive to deploy
– Signature based
• Log Management Solutions/SIEM
– Are you collecting everything?
– You can only see what gets logged
• NetFlow
– Lots of breadth, less depth
– Lower disk space requirements
• Full Packet Capture
– Deep but not broad
– Expensive
– High disk space requirements
Tradeoffs:
• Record everything vs only bad things
• Breadth vs Depth
• Time vs Depth
• Privacy
© 2014 Lancope, Inc. All rights reserved.
DMZ
VPN
Internal
Network
InternetNetFlow Packets
src and dst ip
src and dst port
start time
end time
mac address
byte count
- more -NetFlow
3GInterne
t
3G Interne
t
NetFlow
NetFlow
NetFlow
Internal Visibility Through NetFlow
NetFlow
NetFlow
Collector
15
© 2014 Lancope, Inc. All rights reserved.
User Attribution through Context Awareness
© 2014 Lancope, Inc. All rights reserved.
Following the User
17
Sometimes investigations start with user intelligence
Lancope Overview
Alpharetta, GA–Headquarters
London, Germany, Dubai
$30m raised (last in 2005)
• Canaan Partners, HIG, Council Capital
• 4+ years profitability
Leadership from IBM, ISS, Dell SecureWorks, RSA,
Motorola/AirDefense, Gartner, Cisco. TripWire,
PolyCom, McKesson
• 100 +years combined experience
• 250+ employees
INVESTORS
LOCATIONS
TEAM
Leading provider of networkvisibility & security intelligenceFounded in 2000700+ Customers
StealthWatchDelivers:
StealthWatch System provides context-aware security,
enabling organizations to quickly detect a wide range of
attacks (e.g. APT, DDoS, malware, insider threat),
accelerate incident response, improve forensic
investigations and reduce enterprise risk.
Complete Network
Visibility & Security
Intelligence
Detect & Resolve
Advanced Threats
Accelerate Incident
Response & Forensic
Investigations
Reduce Operational
& Enterprise Risk
© 2014 Lancope, Inc. All rights reserved.
© 2014 Lancope, Inc. All rights reserved.
Use NetFlow Data
to Extend Visibility
to the Access Layer
WHO
WHAT
WHEREWHEN
HOW
StealthWatchYour Network Is Your Sensor
Visibility, Context, and Control
Internal Network
Identity
Routers & Switches
Firewall
Context
Hardware-enabledNetFlow Switch
Devices
Enrich Flow Data with Identity, Events and
Application to Create Context
Unify Into a Single Pane of Glass for
Detection, Investigation and Reporting
Everything must touch the network
KNOWevery host
Know what is NORMAL
What else can the
network tell me?
RECORD every conversation
Gain Context-Aware Security
Company Network
Assess
AuditPosture
Response
With StealthWatch…
Context
Detect
Alert to CHANGE
Store for MONTHS
© 2014 Lancope, Inc. All rights reserved.
© 2014 Lancope, Inc. All rights reserved.
Lancope Solution Portfolio
StealthWatchManagement
Console
StealthWatchFlowReplicator
StealthWatchFlowCollector
NetFlow,syslog, SNMP
NetFlow enabled routers, switches,
firewalls
StealthWatchFlowSensor
vSphere with StealthWatchFlowSensor VE
User and Device Information
ID1100
© 2014 Lancope, Inc. All rights reserved.
Thank you