Whitepaper MANAGING INSIDER THREATS THROUGH ENDPOINT DETECTION AND RESPONSE

Transcription

1 Whitepaper MANAGING INSIDER THREATS THROUGH ENDPOINT DETECTION AND RESPONSE

2 Recommended Best Practices for Managing Insider Threats: Maintain a foundation of technology to monitor and analyze employee interaction. Increase detection by integrating improved activity monitoring and analysis of behavior patterns. Transform security awareness into positive security behavior. - Gartner, June 2014 EXECUTIVE SUMMARY Insider incidents continue to rise and damages resulting from insider attacks are increasing in severity. Consequently, the problem has been garnering considerable interest inside corporations and government agencies, as well as business and technology media. There have been numerous studies published on this growing concern by various government agencies, organizations, and analysts. Studies continue to conclude that insider threat detection and incident response processes are complex, costly, and entirely too reactive, but because most security teams are already overwhelmed with managing the perimeter, they cannot detect or react swiftly to targeted insider attacks. Only through proactive endpoint-deep threat detection and response can organizations effectively and efficiently contain insider attacks. Gartner recently classified this emerging approach as Endpoint Threat Detection and Response (ETDR), also referred to as EDR, and has recommended it be adopted as a way to help overcome this sensitive, elusive, and complex challenge. Gartner noted that most security teams cannot detect and react fast enough to targeted attacks with the tools they have. However, there is an emerging market of dedicated solutions that can enable security teams to more thoroughly prevent, detect and respond to sophisticated attacks. 1 This document addresses some of the complexities with insider threats facing information security (infosec) groups, defines EDR and illustrates how it is subtly applied through an insider use case. The user scenario demonstrates how EnCase Endpoint Security proactively detect and remediate a complex, hidden insider threat. INTRODUCTION Information security teams rely upon a set of foundational policies and procedures to curtail insider incidents. The FBI, CERT, and other public and private groups have published best practices to address insider threats. In this current environment, it is safe to assume that most organizations have already adopted and actively enforce these best practices in one form or another. SIEM, NAC and various perimeter-based tools are applied to help enforce practices, but such technologies and practices alone are insufficient. Insiders--with their intimate knowledge of and access to an organization s business practices, systems, and applications are increasingly presenting the greatest security risk to networks, applications, and data. There are three categories of insider threats. The first, and most prevalent, involves the unintentional mishandling of intellectual property (IP), the result of human error and often due to inexperience or insufficient security training. In the modern digital enterprise, security threats from insiders whether driven by malice or simple ineptitude are nothing new. However, the potential frequency and impact of insider threats have increased Gartner Report, Market Guide for Endpoint Detection and Response Solutions The second category is the insider that intentionally removes sensitive information but means no harm. Research has shown that 87 percent2 of senior managers regularly upload work files to a personal or cloud account, and 51 percent were reported to have files with them after leaving a job. While these acts seem innocuous, they still place data at risk. The third and most damaging threat is the insider with intent to do harm. This category includes acts of deliberate sabotage, through the introduction of malware, deletion of assets, or efforts to disrupt business operations, as well as intentional theft of intellectual property (IP). Organizations today have adopted numerous preventive measures, such as allowing only approved software, enforcing policies such as the use of strong passwords, separation of duties, policy of least privilege, no overarching access and granting 2

3 only highly granular access rights at specific levels. These are all necessary and valuable practices, but they are limited in the degree to which they can protect the organization. Since insiders are likely to know where high-value information is stored, are familiar with the organization s IT and physical systems, are likely to have authorized access to at least some systems, and have the trust of co-workers, they are well positioned to successfully execute an attack. The measures enforced simply aren t designed to encompass the breadth of possibilities for insider actions. Simply by virtue of gaining authorized access to data systems within the perimeter, insiders can extract or alter data not otherwise available. Using legitimate authorized access, an insider could: Copy electronic documents to removable media with intent to steal intellectual property (IP) Sabotage data systems Commit fraud by using personally identifiable information (PII) stored on the organization s systems. CURRENT SECURITY APPROACHES ARE FOCUSED OUTSIDE THE FIREWALL Current security approaches, including the deployment of signature-based security detection methods, are not designed to address situations within the perimeter. They are designed to detect and respond to external threats, but cannot predict or avert insider behaviors. Preventing insider threats requires a new approach that enables security teams to respectfully, but easily and unobtrusively, investigate insider activities, recognize abnormal behavior, understand the scope and impact, and act on incidents with appropriate response. The only way to accomplish this effectively is through endpoint security analytics and remediation, or endpoint detection and response (EDR). THE EMERGING NEED FOR EDR Gartner reported that endpoint detection and response (EDR) approaches are evolving to satisfy the need for continuous protection from advanced threats most notably significantly improved security monitoring, threat detection and incident response capabilities. These tools record numerous endpoint and network events and store this information in a centralized database. Analytics tools are then used to continually search the database to identify tasks that can improve the security state to deflect common attacks, to provide early identification of ongoing attacks (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide remediation capability. 3 ENCASE ENDPOINT DETECTION AND RESPONSE Guidance Software is a leader in endpoint security and EDR, having led the industry in its approach to security analytics based on vast amounts of collective endpoint data and activity. EnCase Endpoint Security is a powerful endpoint threat detection tool and EnCase Endpoint Security is a robust incident response application. Together they deliver a complete solution for detection, validation, investigation, remediation, and reporting. Here are the capabilities of EnCase Endpoint Security as they relate to endpoint detection and response. 3

4 Detection EnCase Endpoint Security is security intelligence technology designed to derive insights from the data generated by endpoint activity. EnCase Endpoint Security provides a bird s-eye view of endpoint risks through an interactive visual interface, allowing incident responders to quickly expose anomalous activity and signs of intrusion in their systems. Enterprise-wide scans collect endpoint data relevant to the detection of insider threats from across the entire enterprise. Enterprise-wide data is collected and stored in a data warehouse. Historical data is studied to build a baseline of endpoint activity through time, providing a basis for identifying anomalies that then appear in a visual dashboard. This enables analysts to easily determine anomalous activity indicative of a threat to organizational data. Provides the most comprehensive views of endpoint activity and deviations from normal system and server activity enterprise-wide. Response EnCase Endpoint Security is software that enables rapid, largely automated, context-based incident response and comprehensive sensitive-data discovery and leverages proven forensic workflows, reducing complexity and costs. Built on EnCase cyber forensic technology, EnCase Endpoint Security helps prioritize analysis of potentially infected systems, determine incident source and scope, identify data-loss scenarios, and minimize time to remediation. Collects endpoint data from systems that have been identified as possible targets of anomalous activity. Allows for real-time validation, scope assessment, sensitive data impact assessment, and remediation of threats identified by EnCase Endpoint Security and other detection tools. Facilitates data audits and enables recovery of data spillage through the removal of sensitive data from unauthorized locations. INSIDER THREAT USE CASE: UNAUTHORIZED USE OF PROPRIETARY INFORMATION A disgruntled insider obtained access to sensitive proprietary information from his current employer with intent to share that data with competitors. An information leak was suspected when proprietary information was discovered on the Internet, so the Information Security team was alerted to the issue and opened an investigation. ENCASE IN ACTION Security analysts use EnCase Endpoint Security to perform routine endpoint scans in search of anomalous behaviors such as users accessing machines, applications or ports, or running processes with unusual frequency or outside of normal working hours. Anomalies are determined by increases in the number of standard deviations from baselines over time. Analysts use EnCase Endpoint Security visualization application to simplify the process of scanning the network for process hashes and automatically measuring them against norms. It serves as a powerful tool for identifying anomalous process activities. Analysts find specific users and machines running a particular process within a defined period of time when the breach was suspected to have occurred. These visualizations are a powerful means for identifying process names, user names, machine names, scan dates, and other points of interest. Analysts view the statistics of all users in a given peer group and narrow down the list of suspects. Analysts review all users accessing Oracle s PeopleSoft financial management, from which the financial information was obtained. Investigators easily determine a date range in which the information was leaked so an analyst enters a search term and the visualization displays the dates (shown in Figure 1 with blue dots) that the process was seen to be running. They search by filename, path name and hash to confirm anomalous activities. EnCase Endpoint Security identifies an anomaly with John Day running peoplesoft.exe on 8/22, which is unusual given the typical set of applications he runs on a daily basis. The analyst clicks on the dots to see the transaction details, including machine name, file path, hash and user name. 4

5 Figure 1: Search by Process Name. Top pane displays processes running on date range, with each date represented by blue dot. Click on dot for details. Bottom pane provides process details. Having identified the perpetrator, Security analysts then use EnCase Endpoint Security Snapshot technology subtly and unobtrusively delving deeper into John Day s machine. The Snapshot module allows investigators to see all open files, processes, and ports on a remote system, effectively capturing volatile data with minimum preparation and invasiveness. EnCase Endpoint Security has the ability to capture volatile data from machines anywhere on the network without disrupting business operations and to preserve it in a logical evidence file. The examiner can view active processes, open ports and files, live Windows Registry, DLLs, cached NetBIOS name table, internal routing tables, and encrypted volumes or RAM drives. This data reveals valuable information both during and after the time that an incident has occurred. EnCase Endpoint Security enables security analysts to identify documents with sensitive information, and the date and time that the information was collected, as shown in Figure 2. Security analysts identify the user that leaked the information and also discover other proprietary information, including a customer list, thus thwarting any further damage. 5

6 Figure 2: Review in process. The red highlighted box on the top pane shows responsive files based on search. The box on the lower left pane shows the tagging feature, and the box on the lower right pane shows the hit review within the files. Security analysts schedule file-remediation jobs upon completion of the review process. For quick remediation jobs, EnCase Endpoint Security includes a streamlined one pass wipe-and-delete feature. This forensic-grade wipe capability significantly reduces risk and simplifies compliance with data policies. EnCase Endpoint Security securely wipes the files from the source by overwriting with zeroes and then deleting the file, rendering it undetectable and unrecoverable. SUMMARY Effectively dealing with advanced threats [including insider threats] that bypass traditional signature-based approaches [and policies] will require monitoring, detection and response capabilities at endpoints. 4 The use case in this paper illustrates how EnCase Endpoint Security work together to accelerate the detection and remediation of insider threats, including both accidental and intentional theft of intellectual property, altering data or sabotage. Endpoint detection and response (EDR) using EnCase products enables organizations with powerful and distinctive capabilities to proactively monitor, detect, and remediate insider threats at a comprehensive level unlike other methods. The EnCase solution provides end-to-end signature-less workflow, unrestricted visibility and control of endpoint data, and fills a critical gap leading to reduced time-to-detect, time-to-respond, and time-to-recover at an enterprise-wide level. 6

7 ABOUT GUIDANCE SOFTWARE (NASDAQ: GUID) At Guidance, we exist to turn chaos and the unknown into order and the known so that companies and their customers can go about their daily lives as usual without worry or disruption, knowing their most valuable information is safe and secure. Makers of EnCase, the gold standard in digital investigations and endpoint data security, Guidance provides a missioncritical foundation of applications that have been deployed on an estimated 25 million endpoints and work in concert with other leading enterprise technologies from companies such as Cisco, Intel, Box, Dropbox, Blue Coat Systems, and LogRhythm. Our field-tested and court-proven solutions are used with confidence by more than 70 of the Fortune 100 and hundreds of agencies worldwide. Get to know us at guidancesoftware.com. Guidance Software, EnCase, EnScript, EnCE, EnCEP, Linked Review, EnPoint and Tableau are trademarks owned by Guidance Software and may not be used without prior written permission. All other trademarks and copyrights are the property of their respective owners.