August Investigating an Insider Threat. A Sensage TechNote highlighting the essential workflow involved in a potential insider breach

Transcription

1 August 2011 A Sensage TechNote highlighting the essential workflow involved in a potential insider breach

2 Table of Contents Executive Summary What Just Happened?... 2 What did that user account do while it was active?... 2 Has this ever happened before and we just didn t know about it?... 3 What else happened on that server?... 3 What else has o1b01 done? Accessed critical files?... 4 CJ0115_0808 i Copyright Sensage, Inc. All rights reserved.

3 Executive Summary Regardless of the organization a large enterprise with a few thousand employees or a small branch of a Federal agency an increasing number of customers need insight into insider threats: trade secret or intellectual property theft, fraud or data theft. The analysis workflow begins with a real-time notification of suspicious activity by an employee, but quickly leads to the need for historical event analysis: What happened? Did it ever happen before? Who did it? What else did he/she do? Understanding the Complexity of an Insider Threat There are many vendors who offer Security Information and Event Management (SIEM) products. All of these vendors use the same terminology for what they do, and the value they provide, so it appears to prospects that these products are all the same, save for the price. However, while basic SIEM products are strong in real-time threat detection, they are not built for deep or long-term analysis and retention. Even traditional SIEM reporting capabilities can t address the complex needs for the discovery that needs to occur with these types of breaches. Users need to be able to look at these reports and ask questions. In order to answer those questions they need a product that is designed for dynamic user interaction which allows them to look at a situation from many different angles to determine the appropriate course of action. Here is a quick review about why this complex threat requires advanced data retention and analysis that can t be addressed with a traditional event monitoring solution: Must be able to pivot analysis based on time (now 1 hour 1 year) and data sources to obtain full picture of incident Most product architectures have different data stores and different extraction methods for short-term vs. long-term data Multi-step, multi-interface, analysis requiring third step to put all data together The following scenario will demonstrate how Sensage combines the best of both worlds real-time threat detection built on top of a patented event data warehouse that provides analysis over years and petabytes of data with a customizable workflow-based interactive interface to provide its customers with Security Intelligence they require for Insider Threat investigations. Let s begin the workflow at the Sensage Security Alerts Dashboard as a real-time correlation rule fires an alert and notification to the analyst which highlights that someone has created a user account, and then deleted it within a one hour time frame. CJ0115_ Copyright Sensage, Inc. All rights reserved.

4 What Just Happened? Sensage helps answer that by providing a graphical representation of the correlated events to allow the analyst to step through each event to see how they all fit together. However, since this alert deals with a user account being created and deleted, the playback isn t of as much value as it can be with some of the more sophisticated correlation rules. What did that user account do while it was active? Right-clicking on the value of the created account, jjones, the analyst is able to choose from a menu of customizable associated reports to find the appropriate report for this situation. Sensage automatically feeds the value of the field into the Investigation Wizard Report and the analyst chooses a time frame commensurate with when the account was active. The resulting report shows that jjones signed on locally to the database server (2 Windows events), then switched to the sa account (akin to root for databases), and issued some select commands to copy the Customers table (MSSQL events), and then logged off of the machine (last Windows events). This is a serious breach, so the analyst starts to document the investigation by exporting the report to a PDF file as part of his workflow. CJ0115_ Copyright Sensage, Inc. All rights reserved.

5 Has this ever happened before and we just didn t know about it? Using the same Investigation Wizard Report, the analyst expands the time frame of the report to look over the last year. What becomes immediately apparent is that this situation has happened a number of times before, using the same pattern signing on locally as jjones, switching the sa user and searching through the customer database. This has all the markings of a low and slow attack where the user has been performing these activities a little at a time and trying to avoid detection. The reason this had not come to our attention before is because the jjones account was always active longer than 1 hour. The user is a victim of their own success as they have gotten much quicker at what they are doing, hence triggering the correlation rule. The analyst exports this report as well for documentation and case tracking purposes. It should be noted that the advantage of a SIEM product built on top of an event data warehouse is that the data is ALWAYS online and available to query with no restoration activities, and no switching between short-term and long-term databases. Sensage is unique in this regard. What else happened on that server? Up until now, the analysis has been centered on events that contained the user account jjones, but now that there is evidence of unauthorized activity, the analyst must expand the scope of the investigation to look at data from other sources. The workflow continues as from the same report result, the analyst clicks on the IP address of the server, right-clicks to see the list of associated reports for drilldown, and selects the Investigate Specific Dest IP or Source IP report. CJ0115_ Copyright Sensage, Inc. All rights reserved.

6 The resulting report shows all events that contain the IP Address of the MSSQL Database server. In addition to the events seen earlier tied to jjones, the report also shows the user o1b01 as having signed on locally to the server. It also shows that o1b01 logged off 30 seconds before the administrator account created jjones again. While not a smoking gun, it is enough to provoke some additional questions. What else has o1b01 done? Accessed critical files? Again, from the same report result the analyst clicks on o1b01, right-clicks to see the list of associated reports for drill-down, and now selects the Windows Security Object Accessed Investigation report as part of his workflow. This report tracks access to a customized list of critical files the organization wants to monitor, and the results show that o1b01 has been looking at customer related data. It looks more and more that there is an insider taking advantage of their access, and that there may have been leakage of critical customer related data. The report is returned as another page in this view without deleting the previous report so the analyst can CJ0115_ Copyright Sensage, Inc. All rights reserved.

7 toggle back and forth without having to save or recreate their previous work. Using the reports and then being able to pivot off of a returned value into another investigation path, the analyst could continue to ask questions: Did he create a Windows/Unix user? Did he use to send the data out? The analyst can also escalate or share the information to another team for further investigation, as the output of these reports is available in a simple capture function and exported to CSV, HTML, or PDF. While this is a quick overview of a workflow based on a simple set of queries, Sensage makes it easy for organizations to institutionalize very sophisticated investigation paths of gathering information, analyzing it, asking the right questions and then getting the right answers. Sensage expedites the investigation of an Insider Threat by: Gathering any event data your organization has into a scalable event data warehouse one repository that can store years and hundreds of terabytes of data online without any restoration activities Analyzing these events in order to identify real-time security threats as well as low and slow attacks one proven method of analyzing data Providing an open interface that allows users to continue asking questions based on information they see before them no proprietary language or methodologies to learn Delivering answers to those questions from high-level information to granular details in dashboards, to reports that make sense visualization options based on user requirements For more details on Insider Threats or for a demo of the Sensage solution, please visit follow us on and watch us on About Sensage Sensage, Inc. helps organizations collect, store, analyze and interpret complex information to identify new threats, improve cyber-security defenses, and achieve industry and regulatory compliance. Combining powerful data warehousing, scalable clustered multiprocessing and sophisticated analytics, Sensage serves our customers most advanced Security Information and Event Management (SIEM), log management, Call Detail Record (CDR) retention and retrieval and Continuous Controls Monitoring (CCM) use cases. Sensage systems are open to all event data types, scale to petabytes, minimize storage costs and perform sophisticated data analysis. Hundreds of customers worldwide leverage patented Security Intelligence solutions from Sensage to identify, understand and counteract cyber-threats, fraud and compliance violations. Sensage partners include Cerner, Cisco, EMC, McAfee and SAP. CJ0115_ Copyright Sensage, Inc. All rights reserved.