Insider Threat: HP ArcSight User Behavior Analytics
Application Misuse, Sensitive Data Access
Hakan Durgut, ArcSight Specialist Nordics/Baltics
The insider threat challenge
IT security focus is on the external cyber threats:
- Advanced Persistent Threats
- Denial of service attacks
- Web hacking
Attack lifecycle, from their ecosystem into our enterprise: Research, Infiltration, Discover, Capture, Exfiltration
However, this might be just the tip of the iceberg
Your VP of Sales just resigned and took a position at your biggest competitor.
Did you remember to examine his Salesforce.com activity to see whether he downloaded your entire customer database and purchase history?
And if you did, and found the obvious, how would it help you now?
And it is not just about sales. All of these have happened:
- Research scientist stealing design secrets: Yonggang "Gary" Min took thousands of design documents from DuPont after signing up with a competitor and before giving notice.
- Soldier leaking classified documents: PFC Bradley Manning (U.S. Army) leaked hundreds of thousands of classified documents to WikiLeaks.
- Marketing executive taking blueprints with him: Ross Klein took Starwood's W "lifestyle hotel" brand blueprint information when defecting to Hilton.
The challenge: the security landscape is evolving, and organizations must react
- In recent breaches (Sony, NSA, Target) a user was always involved or exploited
- Threats are evolving and becoming more complex
- Attacks are carried out with legitimate access; organizations lack the context to tell when an account is being used legitimately and when it is not
- Data volumes and scope are expanding
- It is hard to find and retain security analytics teams
Insider threat is a complex challenge
- Inherent trust in employees
- Abuse of granted privileges
- No hack to detect: the activity uses valid credentials over authorized access paths, so there is no exploit or malware signature to alert on
Introducing HP ArcSight User Behavior Analytics
HP ArcSight vision: multi-vector cyber defense across Network, User, Application and Data
- Use cases: risk & impact based
- Sources: internal & external security intelligence
- Automation: productivity multiplier
- Analytics = discovery; SIEM = active monitoring
- Analytics layers: Network Analytics, User Behavior Analytics, Application Analytics, Data Analytics
- World's premier correlation engine: powerful / flexible, use case library / Marketplace
Introducing HP User Behavior Analytics: User Intelligence, Delivered
Inputs: database queries, users & roles, USB files saved, events, directories, accounts, VPN logins, files accessed, emails sent, applications, screen prints, web surfing, hosted apps
Outcomes:
- Identify misuse of credentials
- Detect anomalous behavior versus peers
- Recognize risky users and resources
- Perform user-focused investigation
What threats is HP User Behavior Analytics targeting?
Insider Threat (misuse of legitimate credentials):
- Who: trusted entities (employees, contractors, partners) with (high-risk) access to internal data
- What: they misuse access and credentials, know the value of the data, and are aware of internal security controls
- UBA identifies emerging threats via anomalous behavior versus peers
Advanced Persistent Threat:
- Who: sophisticated attackers operating inside the network, fast-morphing, resident & resilient, having compromised valid accounts
- What: they target highly privileged access and confidential information
- UBA identifies complex threats via anomalous behavior versus the historical record and syndication of network, user & perimeter data
Insider threats and threats masquerading as insiders pose new challenges and drive the need for new capabilities:
- Identity context
- Behavior context
- Ability to detect the abnormal
- Risk scoring & prioritization
- Visualization & investigation
Insider threat detection techniques
- Peer analysis: peer group profiles -> peer group comparison
- Behavior analysis: behavior profiles -> frequency spike, amount spike, event rarity
- Each indicator that fires adds +1 to the entity's risk score
- Outputs: suspicious activities & transactions, suspicious account usage, suspicious system usage
Key techniques and approach
#1 Entity correlation & enrichment >> context
#2 Behavior & peer group profiling >> the normal
#3 Anomaly detection >> the abnormal
#4 Classify, score & visualize, investigate >> actionable
A couple of examples of behavior- and peer-based detection (unusual activity, inappropriate activity, unusual transaction)

Example A: Suspicious database access
1) Entity correlation & enrichment: poor HR review, upcoming termination; database username to identity correlation; multiple user names to identity correlation
2) Behavior & peer profiling: user profile of frequency and time of DB access; user/peer profile of common database commands; user/peer profile of normal volume of database files accessed and removed
3) Anomaly detection: behavior: monthly increase in DB access; peer: anomalous DB command (clear logs, wire transfer, select *), anomalous DB access activity
4) Classify, score & visualize, investigate: toxic combination, amplify risk score; trace user activity across separate systems and accounts

Example B: Anomalous peer-based HPA (high privileged account) activity
1) Entity correlation & enrichment: high privileged account to identity correlation; user name to identity correlation
2) Behavior & peer profiling: user profile of normal privileged account activities; peer profile of normal privileged account activities
3) Anomaly detection: peer: anomalous high privileged account entitlement & commands
4) Classify, score & visualize, investigate: prioritize privileged account violations, three-strike rules, multiple indicators; visualize user association with privileged accounts

Example C: Never-before-seen IP address
1) Entity correlation & enrichment: IP address to user mapping; user IP to threat intelligence feeds
2) Behavior & peer profiling: user profile of normal IP addresses accessed; user profile of normal VPN geo-locations and times
3) Anomaly detection: behavior: never-before-seen IP address, VPN geo-location
4) Classify, score & visualize, investigate: investigate compromised account and the IP's association with other users; identify activities associated with the account after compromise
Behavior anomaly detection: frequency spike example
1. Establish a behavior baseline using historical data
2. Detect anomalous behavior compared to the baseline profile
User behavior profile dimensions: amount of transactions, activity frequency, network sources, threats
Time slices: daily, weekly, monthly, day of the week, time of day, holidays, weekend
Example flagged activity: user john.doe (John Doe), 10/10/2014 12:03:20, IP address 10.12.132.1, activity "Reset password"
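The two steps above, plus the peer group comparison from the techniques slide, as an added example in Python. This is illustration code written for this page, not HP ArcSight UBA's implementation: the events, users, peer group, the 3-sigma threshold (k) and the minimum-stdev floor are all constructed assumptions. It builds a per-user, per-time-slice baseline from the days before the day under test, then scores that day against the user's own history and against the same-day counts of the user's peers, adding +1 per indicator as the deck's outline describes.

```python
"""Added example (not HP ArcSight UBA code): behavior baseline + frequency spike
+ peer-group comparison over constructed database-access events."""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample data. Three users in one peer group ("sales") each issue a
# steady number of database queries per day; on 2014-10-10 john.doe issues 25.
PEER_GROUP = {"john.doe": "sales", "jane.roe": "sales", "bob.fox": "sales"}
NORMAL_PER_DAY = {"john.doe": 3, "jane.roe": 4, "bob.fox": 3}
SAMPLE_EVENTS = []  # (user, timestamp, activity)
for day in range(1, 11):
    for user, n in NORMAL_PER_DAY.items():
        count = 25 if (user == "john.doe" and day == 10) else n
        for i in range(count):
            SAMPLE_EVENTS.append((user, datetime(2014, 10, day, 8 + i % 10, i), "db_query"))


def time_slice(d: date) -> str:
    """One of the deck's time slices: profile weekdays and weekends separately."""
    return "weekend" if d.weekday() >= 5 else "weekday"


def daily_counts(events, activity):
    """{user: {date: count}} of one activity type."""
    counts = defaultdict(lambda: defaultdict(int))
    for user, ts, act in events:
        if act == activity:
            counts[user][ts.date()] += 1
    return counts


def build_baseline(events, activity, before: date):
    """Step 1: per-user, per-slice (mean, stdev) of daily counts from history
    strictly before `before`, so the day under test never feeds its own baseline."""
    history = defaultdict(lambda: defaultdict(list))
    for user, per_day in daily_counts(events, activity).items():
        for d, n in per_day.items():
            if d < before:
                history[user][time_slice(d)].append(n)
    return {u: {s: (mean(v), pstdev(v)) for s, v in slices.items()}
            for u, slices in history.items()}


def detect(events, activity, target: date, k=3.0, floor=1.0):
    """Step 2: score each user's count on `target` against its own baseline and
    against its peers' counts the same day. +1 per indicator, as in the deck's
    outline. k (sigma multiplier) and floor (minimum stdev) are assumed values;
    the floor keeps a perfectly regular baseline (stdev 0) from flagging +1 changes."""
    baseline = build_baseline(events, activity, target)
    today = {u: per_day[target] for u, per_day in daily_counts(events, activity).items()
             if target in per_day}
    slc = time_slice(target)
    results = {}
    for user, n in today.items():
        indicators = []
        mu, sd = baseline.get(user, {}).get(slc, (0.0, 0.0))
        if n > mu + k * max(sd, floor):
            indicators.append("frequency_spike")       # versus own history
        peers = [m for u2, m in today.items()
                 if u2 != user and PEER_GROUP.get(u2) == PEER_GROUP.get(user)]
        if peers and n > mean(peers) + k * max(pstdev(peers), floor):
            indicators.append("peer_anomaly")          # versus peer group
        results[user] = {"count": n, "baseline": (mu, sd),
                         "indicators": indicators, "risk": len(indicators)}
    return results


def run_sample():
    return detect(SAMPLE_EVENTS, "db_query", date(2014, 10, 10))


if __name__ == "__main__":
    for user, r in run_sample().items():
        print(user, r)
```

Running it flags john.doe with both indicators (risk 2) while jane.roe and bob.fox score 0. Note why both comparisons matter: a user whose baseline is itself abnormal (a long-running insider) can look normal against his own history yet stand out against peers, and a whole peer group under the same seasonal load can spike together without any individual being anomalous against peers; the deck's "multiple indicators" prioritization is what separates the two cases.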
Event rarity: never seen before
- Detects suspicious accounts, transactions and IP addresses/host names observed on a system for the first time
- Assigns a confidence factor in the form of a risk score based on the aging factor of the system, its activities and its accounts
Chart: Jan-Aug timeline, system monitoring begins on the 10th; the risk score assigned to a new account, new activity or new NW address rises from 0% when monitoring starts toward 100% as the monitored system's profile matures, so a new NW address used months into monitoring scores far higher than one seen in the first days
(HP UBA, 2015)
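The aging-weighted never-seen-before scoring described on this slide, as an added example in Python. It is not HP ArcSight UBA's code, and the concrete scheme is an assumption made here for illustration: confidence ramps linearly from 0 on the first day of monitoring to 1 after MATURITY_DAYS (240 days, roughly the Jan-Aug span of the chart), and the three entity kinds carry fixed weights. The system name, accounts, activities, addresses and dates in the timeline are constructed.

```python
"""Added example (not HP ArcSight UBA code): never-seen-before detection with an
aging factor. The scoring scheme (linear ramp to full confidence over
MATURITY_DAYS, fixed weights per entity kind) is an assumption for illustration."""
from datetime import date

MATURITY_DAYS = 240   # assumed: profile is fully trusted after ~8 months of monitoring
WEIGHTS = {"account": 0.4, "activity": 0.3, "nw_address": 0.3}   # assumed per-kind weights


class RarityProfile:
    """First-seen registry for one monitored system."""

    def __init__(self, system: str, monitoring_start: date):
        self.system = system
        self.start = monitoring_start
        self.first_seen = {kind: {} for kind in WEIGHTS}   # kind -> {value: date}

    def aging_factor(self, today: date) -> float:
        """0.0 on the day monitoring begins, 1.0 once the profile has matured.
        A 'new' value seen on day 1 is almost certainly unlearned history, so it
        earns little confidence; the same observation months later earns full weight."""
        days = (today - self.start).days
        return max(0.0, min(1.0, days / MATURITY_DAYS))

    def observe(self, today: date, account: str, activity: str, nw_address: str):
        """Record one event and return (risk_score 0-100, kinds never seen before).
        Values are remembered after the first sighting, so each is new only once."""
        new_kinds = []
        for kind, value in (("account", account), ("activity", activity), ("nw_address", nw_address)):
            if value not in self.first_seen[kind]:
                self.first_seen[kind][value] = today
                new_kinds.append(kind)
        score = 100.0 * self.aging_factor(today) * sum(WEIGHTS[k] for k in new_kinds)
        return score, new_kinds


# Constructed timeline for one database host; monitoring starts on 10 Jan 2015.
SAMPLE_TIMELINE = [  # (date, account, activity, source address)
    (date(2015, 1, 10), "svc_backup", "login", "10.12.132.1"),           # day 0: all new, no confidence yet
    (date(2015, 1, 11), "john.doe", "login", "10.12.132.1"),             # new account, system barely aged
    (date(2015, 2, 10), "john.doe", "select", "10.12.132.1"),            # new activity for a known account
    (date(2015, 5, 10), "john.doe", "select", "203.0.113.7"),            # known account, never-seen address
    (date(2015, 9, 10), "tmp_admin", "reset_password", "198.51.100.9"),  # all three new on a mature profile
]


def run_sample():
    profile = RarityProfile("crm-db-01", date(2015, 1, 10))
    return [(d, profile.observe(d, acct, act, addr)) for d, acct, act, addr in SAMPLE_TIMELINE]


if __name__ == "__main__":
    for d, (score, new_kinds) in run_sample():
        print(d, f"{score:5.1f}", new_kinds)
```

The May event (a known account from a never-seen address, four months in) scores 15, and the September event (new account, new activity and new address on a mature profile) scores 100; the identical set of "new" observations on day 0 scores 0. That is the point of the aging factor: without it, the first weeks of monitoring would drown the analyst in "new" alerts that are really just the baseline being learned.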
Thank you! For more information: http://www.hp.com/enterprisesecurity