Combating the Insider Threat at the FBI: Real World Lessons Learned

Similar documents
The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Security and Privacy

The CERT Top 10 List for Winning the Battle Against Insider Threats

COUNTERINTELLIGENCE. Protecting Key Assets: A Corporate Counterintelligence Guide

Defending Against Data Beaches: Internal Controls for Cybersecurity

Identity Centric Security: Control Identity Sprawl to Remove a Growing Risk

Practical Steps To Securing Process Control Networks

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

SIEM is only as good as the data it consumes

The Cloud App Visibility Blindspot

Data Center security trends

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Getting real about cyber threats: where are you headed?

Enterprise Cybersecurity: Building an Effective Defense

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Cybersecurity and internal audit. August 15, 2014

Content Security: Protect Your Network with Five Must-Haves

Insider Threat: Focus on Suspicious Behaviours

Risk Mitigation Strategies: Lessons Learned from Actual Insider Attacks

After the Attack: RSA's Security Operations Transformed

Prevent Security Breaches by Protecting Information Proactively

Endpoint Threat Detection without the Pain

idata Improving Defences Against Targeted Attack

Defending against Cyber Attacks

Big Data and Security: At the Edge of Prediction

Scott Lucas: I m Scott Lucas. I m the Director of Product Marketing for the Branch Solutions Business Unit.

Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Software that provides secure access to technology, everywhere.

Into the cybersecurity breach

Small businesses: What you need to know about cyber security

After the Attack. The Transformation of EMC Security Operations

ITAR Compliance Best Practices Guide

Advanced Threat Protection with Dell SecureWorks Security Services

Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Why The Security You Bought Yesterday, Won t Save You Today

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Critical Controls for Cyber Security.

Federal Bureau of Investigation. Los Angeles Field Office Computer Crime Squad

Cyber Security Metrics Dashboards & Analytics

Stay ahead of insiderthreats with predictive,intelligent security

1. For each of the 25 questions, multiply each question response risk value (1-5) by the number of times it was chosen by the survey takers.

Using Big Data to Align IT Security with Business Risk Mark Seward, Senior Director, Security and Compliance

September 20, 2013 Senior IT Examiner Gene Lilienthal

Hunting for the Undefined Threat: Advanced Analytics & Visualization

FBI CHALLENGES IN A CYBER-BASED WORLD

Data Loss Prevention with Platfora Big Data Analytics

Cyber Watch. Written by Peter Buxbaum

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Small businesses: What you need to know about cyber security

Privileged Users: Superman or Superthreat? A Privileged User Risk Whitepaper.

Agenda , Palo Alto Networks. Confidential and Proprietary.

SPEAR PHISHING UNDERSTANDING THE THREAT

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

How to effectively respond to an information security incident

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

AB 1149 Compliance: Data Security Best Practices

Privilege Gone Wild: The State of Privileged Account Management in 2015

RSA Security Analytics

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Intrusion Along the Kill Chain

Security Business Intelligence Big Data for Faster Detection/Response

Bryan Hadzik Network Consulting Services, inc. Endpoint Security Data At Rest

Insider Threat Control: Using a SIEM signature to detect potential precursors to IT Sabotage. CERT Insider Threat Center

Dealing with Big Data in Cyber Intelligence

NATIONAL CYBER SECURITY AWARENESS MONTH

Malicious Network Traffic Analysis

End-user Security Analytics Strengthens Protection with ArcSight

The Future of the Advanced SOC

Using SIEM for Real- Time Threat Detection

Incident Response. Six Best Practices for Managing Cyber Breaches.

Evolution Of Cyber Threats & Defense Approaches

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

The Cyber OODA Loop: How Your Attacker Should Help You Design Your Defense. Tony Sager The Center for Internet Security

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Data Analytics for a Secure Smart Grid

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

An New Approach to Security. Chris Ellis McAfee Senior System Engineer

Security Analytics for Smart Grid

Advanced Threats: The New World Order

Resilience and Cyber Essentials


Privileged Users: Superman or Superthreat? A Privileged User Risk Whitepaper

Security Analytics The Beginning of the End(Point)

IT Security Risks & Trends

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Transcription:

FEDERAL BUREAU OF INVESTIGATION Fidelity, Bravery, and Integrity Combating the Insider Threat at the FBI: Real World Lessons Learned Patrick Reidy

Disclaimer and Introduction The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the Department of Justice, the Federal Bureau of Investigation, or the U.S. Government, nor does it represent an endorsement of any kind. 2

The 5 Lessons 1 Insider threats are not hackers 2 Insider threat is not a technical or cyber security issue alone 3 A good insider threat program should focus on deterrence, not detection 4 Avoid the data overload problem 1 Use behavioral analytics 3

Our IA Program & Evolution Threat focus: Computer intrusion Protection: N/W perimeter, firewalls, IDS, proxies, A/V, DHCP, DNS Detection technique: signature based Threat focus: APT Protection: + Internal N/W, host A/V, OS, application logs, email, net flow Detection technique: + N/W anomaly Threat focus: Insider Protection: + DLP, DRM, Personnel data, data object interaction, non-n/w data Detection technique: + data mining, behavioral 4

The Approach Known Bad Assumed Good vs. Test: 65 espionage cases and the activities of over 200 non-model employees Control: The rest of the user population 5

NOT hackers People who joined organizations with no malicious intent Most tools and techniques are designed with the hacker in mind Lesson #1: The Misunderstood Threat VS. + 6

Not The Knuckle Head Problem We lose most battles 2 feet from the computer screen 24% of incidents, 35% of our time The knuckle head problem Policy violations, data loss, lost equipment, etc. Address with user training campaigns & positive social engineering 7% drop incidents since last year 7

The Most Common Threat of Them All!?!? Not So Fast.. 8

Joe Says... Insider threat is not the most numerous type of threat 1900+ reported incidents in the last 10 years ~ 19% of incidents involve malicious insider threat actors Insider threats are the most costly and damaging Average cost $412K per incident Average victim loss: ~$15M / year Multiple incidents exceed $1 Billion Sources: Ponemon Data Breach Reports: 08, 09, 10, 11; IDC 2008; FBI / CSI Reports: 06, 07, 08, 09, 10/ 11; Verizon Business Data Breach Reports: 09, 10, 11, 12, 13; CSO Magazine / CERT Survey: 10, 11; Carnegie Mellon CERT 2011 IP Loss Report; Cisco Risk Report 08 9

FBI Case Statistics IEA 1996 - Present Data from convictions under the Industrial Espionage Act (IEA) Title18 U.S.C., Section 1831 Average loss per case: $472M 10

Solution: Define the Insider Authorized people using their trusted access to do unauthorized things Boils down to actors with some level of legitimate access, and with some level of organizational trust Misunderstanding example: The APT is not an insider threat because they steal credentials. 11

The Threat Tree Threats Environmental Human Internal External Malicious Malicious Nonmalicious Nonmalicious Espionage I/T Sabotage Fraud / abuse IP Theft CERT Threat Models 12

Sysadmins: Evil? Not So Fast 13

1.5% of espionage cases reviewed involved the use of system admin privileges.8% of internal FBI incidents involved system admin cases CMU Cert show different statistics for IT sabotage: Joe Says 90% of IT saboteurs were system admins http://www.cert.org/blogs/insider_ threat/2010/09/insider_threat_dee p_dive_it_sabotage.html 14

The Intrusion Kill Chain The Intrusion Kill Chain is excellent for attacks, but doesn t exactly work for insider threats Reference: Intelligence-Driven Computer Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chain. E.M. Hutchings, M.J. Cloppert, et. al. 15

The Insider Threat Cyber Kill Chain Recruitment / Tipping point - Recruitment or cohesion - Going from good to bad - Hiding communications with external parties Search / Recon Acquisition / Collection Exfiltration / Action - Find the data / target - Less time the more knowledgeable the threat - Grab the data - Data hording - Game over! - Egress via printing, DVDs / CDs, USBs, network transfer, emails Operational Security - Vague searching - Asking coworkers to find data for them - Use of crypto - Renaming file extensions - Off hour transfers - Spreading data downloads over multiple sessions 16

Beware the Silver Bullet Many want you to believe insider threats are hackers in order to sell you things IDS, Firewalls, AV, etc. do not work No rules are being broken! Question vendor claims Some great capabilities, but no out of the box solutions Data loss prevention, digital rights management, and IP theft protection products are maturing Click Here to Catch Spy 17

Lesson # 2: This is Not a Simple Cyber Security Problem We trust the threat Insider threat programs are not just policy compliance shops 90% of problems are not technical Programs do not just bolt into Security Operations Centers Dedicated staff with clear objectives are a must 18

Solution: The Multidisciplinary Approach Goal: Deter Identify: CI / Intel Detect Disrupt Personnel Cyber Security Focus: People Enemy Data 19

Do You Know Your People? Work schedule Badge# 2345 Serial #: 1234567 A A A A A 703-555-1212 A A A IP Addrs: 1.1.1.1 Patterns of activity Jdoe@ic.fbi.gov Works for Business Development 20

The Whole Person Approach Contextual Psychosocial Cyber 21

Know Your Enemy Who would be targeting your organization? Who would they target inside your organization? Who are the high risk individuals in your organization? 22

Know Your Data What are the crown jewels of your organization? What data / people would the enemy want to target? Action: Identify sensitive data Rate top 5 most important systems in terms of sensitive data 23

The Value Proposition of Insider Threat and Data Protection Programs It s complex It s expensive It may take years to achieve tangible results However This is about survival in a hostile market place If your data is secure you can penetrate risky markets Your enemy is your business partner, are you designed that way? 24

Lesson #3: Focus on Deterrence Not Detection Make environment where being an insider is not easy Deploy data-centric, not system-centric security Crowd-source security Use positive social engineering Risk Averse Risk Takers 25

Solution: Crowdsource Security! Francis Galton (1822-1911) Aren t security subject matter experts the best to make decisions? Nope! British scientist who wanted to show empirically that educated people are superior Asked commoners to guess the weight of an ox at a fair Results: No single villager correct, but average < 2 lbs. off No single SME correct, average SME > 6 lbs off 26

Crowdsourcing Security at the FBI 13,900 people come to work armed everyday Our people are trusted to enforce the law and keep the country safe VS. If we can train them to use guns, we can train them to use data 27

Solution: Positive Social Engineering Users will make good decisions given timely guidance Risk reduction with no impact to workflow, etc. 28

Positive Social Engineering: RESULTS! Source: Internal FBI Computer Security Logs 29

Lesson #4: The Data Overload Problem 2500 2000 Data Growth (TB) 2048 1500 1000 Data Growth 500 0 0.5 1 6 10 50 160 D+1 yr D+2 yr D+3 yr D+4 yr D+5 yr D+6 yr D+7 yr Individual Audits Critical App Logs Host Monitoring N/W Monitoring 30

FEDERAL BUREAU OF INVESTIGATION Fidelity, Bravery, and Integrity Every time Someone says BYOD, god kills a kitten

Solution: Focus on Two Sources You don t need everything HR data: To know your people Workplace/personnel issues System logs tracking data egress and ingress: Printing, USB, CD/DVD, etc. 32

Lesson #5: Detection of Insiders = Kinda Hard Prediction of rare events (i.e. insider threats) may not be possible Don t waste time and money on the impossible Look for red flag indicators as they happen 33

The Insider Threat Continuum Most people don t evolve into true threats ~5% of the 65 espionage cases came in bad There are observable red flags we call indicators Indicators must be observable and differentiating 34

The Problem with Prediction A rodent out-predicted our first generation systems 35

The Detection Problem: A Needle in a Stack of Needles 36

Solution: Use Behavioral Detection Behavioral based detection Think more like a marketer and less like an IDS analyst Build a baseline based on users volume, velocity, frequency, and amount based on hourly, weekly, and monthly normal patterns Cyber actions that differentiate possible insiders: data exfiltration volumetric anomalies 37

Looking at Averages All 5 egress points turned up nothing No statically relevant differences So what s going on? 38

The Problem with Assumptions 39

Findings in Data Movement Standard distributions (bell curves) are very rare >80% of data movement done by <2% of population Hint: Know your data or make huge analytic mistakes D a t a Per User Enterprise Data Egress Over 51 st Week of 2012 A m o u n t Users Source: Internal FBI Computer Security Logs 40

Focus on the Individual - 21% of test users showed a volumetric anomalies in a 90 day window more than once versus 12% of the control 41

The 5 Lessons & Solutions 1 Insider threats are not hackers. Frame and define the threat correctly and focus on the insider threat kill chain 2 Insider threat is not a technical or cyber security issue alone Adopt a multidisciplinary whole threat approach 3 A good insider threat program should focus on deterrence, not detection Create an environment that discourages insiders by crowd sourcing security and interacting with users 4 Avoid the data overload problem Gather HR data and data egress/ingress logs 5 Detection of insider threats has to use behavioral based techniques Base detection on user s personal cyber baselines 42

Questions? Or sit in uncomfortable silence. Your choice. 43

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information