INSIDER THREAT DETECTION RECOMMENDATIONS
www.alienvault.com
According to the second annual SANS survey on the security of the
financial services sector, the number one threat companies are concerned
about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’.
Rather, the main worry revolves around insider threats –
but what exactly are insider threat indicators, and what can be
done about insider threat detection and response?
Insiders, Moles & Compromises
A NEW OLD PROBLEM
The discussion around insider threat detection has increased recently in the financial
sector and in other areas as well. Part of this may be attributed to the spotlight Edward
Snowden shone on how much damage an employee can cause to an organisation -
even one as secretive as the NSA.
But insider threats are nothing new. During the height of the cold war, many spies
defected to opposing sides, taking with them national secrets and expertise right from
under the noses of their spy bosses. As a result, many counter techniques were developed
and deployed to keep an eye on insiders with valuable knowledge or skills, to prevent
would-be defectors from making an escape or passing over information.
WHAT ARE INDICATORS OF AN INSIDER THREAT?
When it comes to trading state secrets, insider threat detection is relatively
straightforward. But in today’s environments, the definitions start to blur somewhat.
We can define an insider as an individual with legitimate access within the
corporate perimeter - be it physical or virtual. This would include permanent
& temporary employees, 3rd party contractors as well as 3rd party support
companies and outsourced service providers.
Typically, a threat is defined as something or someone exploiting a vulnerability
in a target. In the case of insider threat detection, this can be reframed as someone
abusing their trust.
Therefore, we can summarize the insider threat as someone who misuses
the legitimate access granted to them for the purposes of self-interest that could
potentially harm the organization.
A QUESTION OF INTENT
Unfortunately, whenever humans are involved, no case is so straightforward,
particularly where the malicious behaviour emanates from within the circle of trust.
Differentiating malicious insider behaviour from user error, or even legitimate
activity can be a challenge.
For example, a user is seen to download a number of files onto their personal device.
It could be they are about to tender their resignation and want to take some information
with them to their next job. Alternatively, it could be a hard-working and loyal employee
wanting to catch up with some work over the weekend. Or, worse still, it could be that
the user's account has been compromised and is under the control of an attacker
masquerading as an insider.
Types of Insiders
With this in mind, we can break down insiders into three broad categories:
• Non-malicious insider
• Malicious insider
• Compromised insider
Non-malicious Insider
Non-malicious insiders are those users who perform actions
that have no ill intent but can nevertheless cause harm
to an organisation.
Such actions could include user error, such as
running commands against a production environment
believing it is development or losing a company
laptop. It can also cover users who are trying to fulfill
their job by using non-approved tools. Shadow
IT users fall into this scope, where users procure
or use a cloud application such as a file-sharing
app to increase productivity, but inadvertently
expose the company to threats.
Malicious Insider
Malicious users are aware of their actions and the negative
implications on the organisation, yet still pursue that course of action.
This grouping includes a broad set of users.
Users which are leaving the organisation may harvest information
they believe would be of use to them in future jobs. While they are often
aware their actions are in violation of company policy, actions are
often justified with a sense of entitlement.
This category also includes users who are disgruntled for one reason
or another and seek to vent by causing as much disruption or damage to
company assets as they can. Activists, or employees who feel whistleblower processes
are insufficient, may also react in a similar manner.
At the most serious end of this category are employees engaged in corporate
espionage, providing intellectual property or other sensitive information to
competitors, criminal gangs or nation-state sponsored actors.
Compromised Insider
The final, oft-overlooked category is that of
compromised insiders. Typically this is where
credentials have been guessed or captured
as part of a targeted attack. Although the actor
behind the account is not an employee,
the use of legitimate credentials makes the activity
show up as if it were an employee's.
These factors combined can be represented in the following
matrix where intent is measured against harm.
[Figure: The Insider Risk Matrix. Vertical axis: INTENT (Non-Malicious to Malicious); horizontal axis: HARM (Negligible to Severe).]
For example, a company may assess the risk of shadow IT, i.e. users procuring their
own SaaS applications and uploading sensitive company data to them, where that data could
be accessed by unauthorised persons or the SaaS provider itself could be breached.
In this case, the intent would be non-malicious in that the user was trying to perform
their job, yet the consequences could be significant.
[Figure: The Insider Risk Matrix with Shadow IT plotted: non-malicious intent, towards the severe end of the HARM axis.]
Other insider threat indicators could be plotted in the same way to visualise which
threats are more severe overall by how far they are positioned up and to the right.
From a risk perspective, this alone won’t tell the full story as we are still missing
the likelihood. The likelihood can be represented by the size of the bubble on the
chart as depicted.
[Figure: The Insider Risk Matrix as a bubble chart (INTENT vs HARM), with bubble size representing likelihood. Plotted: Shadow IT, Espionage, Disgruntled Employee, User Error (Account lockout), User Error (Clicking on Spearphishing).]
The size of the bubbles (likelihood) helps visualise that whereas espionage
can have the biggest impact and is undertaken with the most malicious intent,
the likelihood of it occurring is potentially less than that of a disgruntled
employee or even of shadow IT proliferating within the enterprise.
User error encompasses many activities – all of which are non-malicious in
nature; however, the harm caused could range from negligible, such as an account
lockout, through to severe, such as giving an attacker a foothold inside the network
by clicking on a phishing link.
DETECTING INSIDER THREATS
Perimeter and preventative controls are largely ineffective in insider threat detection
and response, as by their very nature these are threats from within.
As a result, different techniques should be deployed to address each type of specific
threat based upon the insider threat indicators. Like many security controls, the concept
of defense in depth can be applied whereby a collection of procedural, user and technical
controls can be applied to detect suspicious insider activity, as depicted in the following
controls pyramid.
Controls pyramid (top to bottom):
Procedural & User Controls
• Policies
• Exec Support
• User Awareness & Education
• Whistleblowing & Reporting Channels
Technical Controls
• Outbound Traffic Analysis
• Login Patterns
• Threat Intelligence
• East-West Traffic Analysis
• Heuristics & Algorithms
• Endpoint Activity Analytics
• Access Deviation from Past or Peer Group
• File Access Patterns
Emerging Techniques
• Sentiment Analysis
• Social Media Tracking
• Machine Learning
PROCEDURAL & USER CONTROLS
Procedural and user controls are important to secure management support and to ensure
that the policies implemented are acceptable from a legal as well as a cultural perspective.
Privacy is a discussion topic that comes up frequently, and transparency in how
a company uses the data it collects about its employees is required to retain trust. These controls also
provide a framework whereby aggrieved employees can escalate issues without
resorting to harmful acts against the company.
Finally, they raise awareness so that employees can potentially detect and report
suspicious activity.
TECHNICAL CONTROLS
Technical controls are an area which has seen a lot of development in recent years.
This primarily focuses on analytical techniques to identify suspicious user activity. Typically
these baseline a user's activity against their own past actions, in addition to baselining against
peer activity, to identify outliers. The baselines can be set against logins (times / locations),
file or system access, network traffic or even endpoint activity, amongst others.
Threat intelligence can also be a valuable asset in understanding whether outbound traffic
is communicating with known command and control or other suspicious transfers.
In addition to these techniques, traditional technologies can also be utilized as insider threat
detection tools that help identify suspicious activity that may point towards a rogue insider.
Endpoint or network DLP (data loss prevention) tools can monitor where excessive volumes of files are being
exfiltrated out of the organisation. SIEM rules can also be tuned to alert on certain events that
are indicative of malicious insider activity.
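The baselining described above, worked through as an added example (this is illustration code written for this page, not AlienVault USM's own detection logic). The log format, the SIGMA threshold and every event in the sample are constructed assumptions: ten days of routine activity for a small finance peer group establish each user's usual login hours, login locations and daily file-read volume, plus a department-level peer baseline; the following day is then evaluated against both. It flags a login at an unusual hour, a login from a previously unseen location, and a daily read volume that is an outlier against the user's own history or against the peer group, which is the kind of event a SIEM rule would be tuned to raise.

```python
"""Baseline-and-deviation checks for insider threat indicators.

Added illustration for this page; not AlienVault USM code. The log format and
every event in it are constructed for the example:
  "<ISO timestamp>,<user>,<dept>,<event>,<location>,<bytes>"
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SIGMA = 3  # assumed: flag a daily read volume more than 3 std devs above the baseline mean


def build_sample_log():
    """Constructed sample: ten routine days for a finance peer group, then one day to evaluate."""
    lines = []
    routine = {"alice": 900_000, "bob": 1_100_000, "carol": 1_000_000, "dave": 950_000}
    for day in range(1, 11):
        for user, size in routine.items():
            jitter = (day * 37_919) % 100_000  # deterministic day-to-day variation
            lines.append(f"2024-03-{day:02d}T09:05:00,{user},finance,login,office,0")
            lines.append(f"2024-03-{day:02d}T10:30:00,{user},finance,file_read,office,{size + jitter}")
    # Day under evaluation: bob logs in at 02:14 from an unseen location and reads
    # ~50x his usual volume; carol is marginally busier than usual but within range.
    lines += [
        "2024-03-11T02:14:00,bob,finance,login,home-vpn,0",
        "2024-03-11T02:20:00,bob,finance,file_read,home-vpn,52000000",
        "2024-03-11T09:02:00,carol,finance,login,office,0",
        "2024-03-11T11:00:00,carol,finance,file_read,office,1050000",
        "2024-03-11T09:10:00,alice,finance,login,office,0",
    ]
    return lines


def parse(lines):
    events = []
    for line in lines:
        ts, user, dept, event, location, nbytes = line.strip().split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "dept": dept,
                       "event": event, "location": location, "bytes": int(nbytes)})
    return events


def daily_read_volume(events):
    """user -> {date: total bytes read that day}"""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "file_read":
            daily[e["user"]][e["ts"].date()] += e["bytes"]
    return daily


def build_baselines(history):
    """Per-user login hours/locations, plus per-user and per-department daily volume stats."""
    hours, locations, dept_of = defaultdict(set), defaultdict(set), {}
    for e in history:
        dept_of[e["user"]] = e["dept"]
        if e["event"] == "login":
            hours[e["user"]].add(e["ts"].hour)
            locations[e["user"]].add(e["location"])
    daily = daily_read_volume(history)
    own = {u: (mean(d.values()), pstdev(d.values())) for u, d in daily.items()}
    by_dept = defaultdict(list)
    for u, d in daily.items():
        by_dept[dept_of[u]].extend(d.values())
    peer = {dept: (mean(v), pstdev(v)) for dept, v in by_dept.items()}
    return {"hours": hours, "locations": locations, "own": own, "peer": peer}


def detect(events, cutoff):
    """Evaluate events at/after cutoff against a baseline built from everything before it."""
    history = [e for e in events if e["ts"] < cutoff]
    window = [e for e in events if e["ts"] >= cutoff]
    dept_of = {e["user"]: e["dept"] for e in events}
    b = build_baselines(history)
    findings = []  # (user, rule, detail)
    for e in window:
        u = e["user"]
        if e["event"] != "login":
            continue
        # Login hour: flag if not within one hour of any hour previously seen for this user
        if b["hours"].get(u) and all(abs(e["ts"].hour - h) > 1 for h in b["hours"][u]):
            findings.append((u, "login_hour_deviation", f"{e['ts'].hour:02d}:00, usual {sorted(b['hours'][u])}"))
        if b["locations"].get(u) and e["location"] not in b["locations"][u]:
            findings.append((u, "new_login_location", e["location"]))
    for u, days in daily_read_volume(window).items():
        for day, total in days.items():
            if u in b["own"]:
                m, sd = b["own"][u]
                if total > m + SIGMA * sd:
                    findings.append((u, "volume_vs_own_baseline", f"{day}: {total} vs own mean {m:.0f}"))
            dept = dept_of[u]
            if dept in b["peer"]:
                m, sd = b["peer"][dept]
                if total > m + SIGMA * sd:
                    findings.append((u, "volume_vs_peer_group", f"{day}: {total} vs {dept} mean {m:.0f}"))
    return findings


def run_example():
    return detect(parse(build_sample_log()), datetime(2024, 3, 11))


if __name__ == "__main__":
    for user, rule, detail in run_example():
        print(f"{user:6} {rule:24} {detail}")
```

Only bob is flagged, on all four rules; carol's slightly higher volume stays inside both her own and the peer-group envelope, which is the point of comparing against a distribution rather than a fixed byte count. In practice the cutoff would be a rolling window and the baseline would be recomputed periodically, and a user with no history at all (a new joiner) needs a peer-only comparison, which the peer rule above already provides.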
EMERGING TECHNIQUES
Alongside threat intelligence, a number of newer approaches are being
developed which can directly or indirectly assist in finding insiders. Social media
channels play an ever-increasing role in both legitimate and not so legitimate
communications. Having the ability to monitor these channels, particularly where
enhanced by specific threat intelligence, greatly increases chances of isolating
activity on these typically out-of-band channels.
Sentiment analysis is another insider threat detection tool in the arsenal that is
garnering more interest. It seeks to identify where an employee may be disgruntled
or may hold activist tendencies which are contrary to the business values.
RESPONSE
One of the challenges with any form of detection technology is having adequate skills
and resources to investigate and respond to alerts. For this reason, some technologies and
businesses are moving to more of a reporting framework for insider threat detection as
opposed to raising alerts.
With reports, a broader picture is painted around a user and their activity, thus allowing
investigations to be conducted based on richer context versus merely a one-off alert.
Such mechanisms could include a risk score for each user based on a number of factors
such as grade, access to information, length of service, recent appraisal and so on.
Whichever method is adopted, it will still require manual effort to investigate
and validate any suspicions of wrongful behaviour.
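The report-oriented approach above, as an added worked example (illustration code written for this page, not AlienVault USM's scoring). It builds a ranked per-user risk report from the factors the text names (grade, access to information, length of service, recent appraisal) plus any detection indicators the tooling has raised, so an investigator sees one contextualised view rather than isolated alerts. The factor weights, the two-week half-life that lets old indicators fade, the indicator names and the sample profiles are all assumptions constructed for the example.

```python
"""Per-user insider risk report: context factors plus decayed detection indicators.

Added illustration for this page; not AlienVault USM's scoring model. Weights,
half-life and all sample data are assumed values constructed for the example.
"""
from datetime import date

# Assumed relative importance of each context factor; inputs are normalised to 0..1.
CONTEXT_WEIGHTS = {
    "access_level": 3.0,    # breadth of sensitive data the role can reach
    "grade": 1.0,           # seniority: senior staff usually hold more valuable knowledge
    "short_tenure": 1.0,    # recent joiners have had less time to be vetted by peers
    "poor_appraisal": 2.0,  # a recent negative appraisal is a disgruntlement precursor
    "notice_given": 3.0,    # leavers are the group most likely to harvest data
}
# Assumed weights for indicators produced by detection tooling (names are illustrative).
INDICATOR_WEIGHTS = {
    "login_hour_deviation": 1.0,
    "new_login_location": 1.0,
    "volume_vs_own_baseline": 2.0,
    "volume_vs_peer_group": 2.0,
    "dlp_block": 3.0,
}
HALF_LIFE_DAYS = 14  # an indicator's contribution halves every two weeks


def context_score(profile):
    """Weighted sum of the static factors; unknown factors contribute nothing."""
    return sum(w * float(profile.get(name, 0.0)) for name, w in CONTEXT_WEIGHTS.items())


def indicator_score(indicators, today):
    """Sum of indicator weights, each decayed exponentially by age in days."""
    total = 0.0
    for name, when in indicators:
        age_days = max(0, (today - when).days)
        total += INDICATOR_WEIGHTS.get(name, 1.0) * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return total


def drivers(profile, indicators):
    """Top contributors, so the report explains the score rather than just stating it."""
    contrib = {n: w * float(profile.get(n, 0.0)) for n, w in CONTEXT_WEIGHTS.items()}
    for name, _ in indicators:
        contrib[name] = contrib.get(name, 0.0) + INDICATOR_WEIGHTS.get(name, 1.0)
    return [n for n, v in sorted(contrib.items(), key=lambda kv: -kv[1]) if v > 0][:3]


def risk_report(profiles, indicators, today):
    """Return rows sorted by descending total score (context + decayed indicators)."""
    rows = []
    for user, profile in profiles.items():
        inds = indicators.get(user, [])
        ctx, ind = context_score(profile), indicator_score(inds, today)
        rows.append({"user": user, "context": round(ctx, 2), "indicators": round(ind, 2),
                     "score": round(ctx + ind, 2), "drivers": drivers(profile, inds)})
    return sorted(rows, key=lambda r: -r["score"])


def run_example():
    today = date(2024, 3, 11)
    # Constructed sample profiles (all factor values are assumed, normalised 0..1).
    profiles = {
        "alice": {"access_level": 0.9, "grade": 0.8},
        "bob": {"access_level": 0.6, "grade": 0.5, "poor_appraisal": 1.0, "notice_given": 1.0},
        "carol": {"access_level": 0.3, "grade": 0.2, "short_tenure": 1.0},
    }
    # Constructed indicators: (name, date raised).
    indicators = {
        "bob": [("volume_vs_own_baseline", date(2024, 3, 11)),
                ("new_login_location", date(2024, 3, 11)),
                ("login_hour_deviation", date(2024, 2, 10))],   # 30 days old, mostly faded
        "carol": [("dlp_block", date(2024, 3, 9))],
    }
    return risk_report(profiles, indicators, today)


if __name__ == "__main__":
    for r in run_example():
        print(f"{r['user']:6} score={r['score']:6.2f} ctx={r['context']:5.2f} "
              f"ind={r['indicators']:5.2f} drivers={r['drivers']}")
```

Bob tops the report even though two of his three indicators would individually be low-severity alerts, because the context (notice given, poor appraisal) multiplies their significance for an investigator; alice, with the highest access, ranks last because nothing recent has been observed. The decay keeps stale indicators from permanently inflating a score, which matters when, as the text says, manual effort is needed to validate every suspicion.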
BATTLE OF ATTRITION
While many new techniques have been developed and are continually being developed for
insider threat detection and response – dealing with humans, particularly trusted employees,
requires a different strategy and approach than dealing with malware.
Whereas any suspicious email or file can be relatively easily quarantined or blocked until proven
otherwise – employees cannot be suspended or fired based on a couple of indicators or mere
suspicion. Also, bear in mind that a large portion of suspicious activity can take place outside the
realm of IT systems. This means that companies will need to work with HR and legal departments
in advance to determine the best strategy to investigate suspicious activity and how to interact
with suspected employees.
It becomes a matter of balancing risk – a company may be able to recover far more easily
from an ex-employee taking a copy of the customer database than from an unfair dismissal
lawsuit. In the financial sector especially, the stakes are high all around.
AlienVault Unified Security Management
(USM) delivers essential Insider Threat
Detection and Management capabilities:
Behavioral Monitoring
• Network Intrusion Detection System (NIDS)
• Network flow analysis
• Network protocol analysis & packet capture
Privilege Escalation Detection
• Host Intrusion Detection System (HIDS)
• File Integrity Monitoring (FIM)
• Detect unauthorized user access attempts
Event Correlation
• Security Information and Event Management (SIEM)
• Detect communications with malicious hosts
• Centralized dashboard that prioritizes threats the way you want to see them
Next Steps: Play, share, enjoy!
www.alienvault.com
• Learn more about AlienVault USM
• Watch our 3-minute overview video
• Start detecting threats today with a free 30-day trial
• Join the Open Threat Exchange
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMAlienVault
 

Mais de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 

Último

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Insider Threat Detection Recommendations

  • 2. According to the second annual SANS survey on the security of the financial services sector, the number one threat companies are concerned about doesn’t relate to nation-states, organised criminal gangs or ‘APTs’. Rather, the main worry revolves around insider threats – but what exactly are insider threat indicators and what can be done around insider threat detection and response? Insiders, Moles & Compromises
  • 3. A NEW OLD PROBLEM The discussion around insider threat detection has increased recently in the financial sector and in other areas as well. Part of this may be attributed to the spotlight Edward Snowden shone on how much damage an employee can cause to an organisation - even one as secretive as the NSA. But insider threats are nothing new. During the height of the cold war, many spies defected to opposing sides, taking with them national secrets and expertise right from under the noses of their spy bosses. As a result, many counter techniques were developed and deployed to keep an eye on insiders with valuable knowledge or skills, to prevent would-be defectors from making an escape or passing over information.
  • 4. WHAT ARE INDICATORS OF AN INSIDER THREAT? When it comes to trading state secrets, insider threat detection is relatively straightforward. But in today’s environments, the definitions start to blur somewhat. We can define an insider as an individual with legitimate access within the corporate perimeter - be it physical or virtual. This would include permanent & temporary employees, 3rd party contractors as well as 3rd party support companies and outsourced service providers. Typically, a threat is defined as something or someone exploiting a vulnerability in a target. In the case of insider threat detection, this can be reframed as someone abusing their trust. Therefore, we can summarize the insider threat as someone who misuses the legitimate access granted to them for the purposes of self-interest that could potentially harm the organization.
  • 5. A QUESTION OF INTENT Unfortunately, whenever humans are involved, no case is so straightforward, particularly where the malicious behaviour emanates from within the circle of trust. Differentiating malicious insider behaviour from user error, or even legitimate activity, can be a challenge. For example, a user is seen to download a number of files onto their personal device. It could be they are about to tender their resignation and want to take some information with them to their next job. Alternatively, it could be a hard-working and loyal employee wanting to catch up with some work over the weekend. Or worse still, it could be that the user's account has been compromised and is under the control of an attacker masquerading as an insider.
  • 6. Types of Insiders With this in mind, we can break down insiders into three broad categories: • Non-malicious insider • Malicious insider • Compromised insider
  • 7. Non-malicious Insider Non-malicious insiders are users who perform actions with no ill intent that can nevertheless cause harm to an organisation. Such actions could include user error, such as running commands against a production environment believing it is development, or losing a company laptop. It can also cover users who are trying to fulfill their job by using non-approved tools. Shadow IT users fall into this scope, where users procure or use a cloud application such as a file-sharing app to increase productivity, but inadvertently expose the company to threats.
  • 8. Malicious Insider Malicious users are aware of their actions and the negative implications for the organisation, yet still pursue that course of action. This grouping includes a broad set of users. Users who are leaving the organisation may harvest information they believe would be of use to them in future jobs. While they are often aware their actions are in violation of company policy, those actions are often justified with a sense of entitlement. This category also includes users who are disgruntled for one reason or another and seek to vent by causing as much disruption or damage to company assets as they can. Activists or employees who feel whistleblower processes are insufficient will also react in a similar manner. At the highest level of this category, employees are engaged in corporate espionage, providing intellectual property or other sensitive information to competitors, criminal gangs or nation-state sponsored actors.
  • 9. Compromised Insider The final, oft-overlooked category is that of compromised insiders. Typically this is where credentials have been guessed or captured as part of a targeted attack. Although the actor behind the account is not an employee, the use of legitimate credentials makes the activity show up as if it came from one.
  • 10. These factors combined can be represented in the following matrix, where intent is measured against harm. [Figure: The Insider Risk Matrix; axes Intent (Non-Malicious to Malicious) and Harm (Negligible to Severe)]
  • 11. For example, a company may assess the risk of shadow IT, i.e. users procuring their own SaaS applications and uploading sensitive company data to them, where that data could be accessed by non-authorised persons or exposed if the SaaS provider is breached. In this case, the intent would be non-malicious in that the user was trying to perform their job, yet the consequences could be significant. [Figure: the Insider Risk Matrix with Shadow IT plotted at non-malicious intent and significant potential harm]
  • 12. Other insider threat indicators could be plotted in the same way to visualise which threats are more severe overall by how far they are positioned up and to the right. From a risk perspective, this alone won’t tell the full story as we are still missing the likelihood. The likelihood can be represented by the size of the bubble on the chart as depicted. [Figure: the same matrix with likelihood shown as bubble size for Shadow IT, Espionage, Disgruntled Employee, User Error (Account lockout) and User Error (Clicking on Spearphishing)]
  • 13. The size of the bubbles (likelihood) helps visualise that whereas espionage can have the biggest impact and is undertaken with the most malicious intent, the likelihood of it occurring is potentially less than that of a disgruntled employee or even shadow IT proliferating within the enterprise. User error encompasses many activities – all of which are non-malicious in nature; however, the harm caused could range from negligible, such as an account lockout, through to severe, by allowing an attacker a foothold inside the network after a phishing link is clicked.
  • 14. DETECTING INSIDER THREATS Perimeter and preventative controls are largely ineffective in insider threat detection and response, as by their very nature these are threats from within. As a result, different techniques should be deployed to address each specific type of threat based upon the insider threat indicators. Like many security controls, the concept of defense in depth can be applied, whereby a collection of procedural, user and technical controls is applied to detect suspicious insider activity, as depicted in the following controls pyramid. [Figure: controls pyramid in three tiers. Procedural & User Controls: Policies, Exec Support, User Awareness & Education, Whistleblowing & Reporting Channels. Technical Controls: Outbound Traffic Analysis, Login Patterns, Threat Intelligence, East-West Traffic Analysis, Heuristics Algorithms, Endpoint Activity Analytics, Access Deviation from Past or Peer Group, File Access Patterns. Emerging Techniques: Sentiment Analysis, Social Media Tracking, Machine Learning]
  • 15. PROCEDURAL & USER CONTROLS Procedural and user controls are important to secure management support and to ensure the policies implemented are acceptable from a legal as well as a cultural perspective. Privacy is a discussion topic that comes up frequently, and transparency in how a company uses the data it collects about its employees is required to retain trust. It also provides a framework whereby aggrieved employees can escalate issues without needing to resort to harmful acts against the company. Finally, it also raises awareness so that employees can potentially detect and report suspicious activity.
  • 16. TECHNICAL CONTROLS Technical controls are an area which has seen a lot of development in recent years. This primarily focuses on analytical techniques to identify suspicious user activity. Primarily these baseline a user's activity against their own past actions, in addition to baselining against peer activity, to identify outliers. The baselines can be set against logins (times / locations), file or system access, network traffic or even endpoint activity, amongst others. Threat intelligence can also be a valuable asset in understanding whether outbound traffic is communicating with known command and control infrastructure or represents other suspicious transfers. In addition to these techniques, traditional technologies can also be utilized as insider threat detection tools that help identify suspicious activity that may point towards a rogue insider. Endpoint or network DLP (data loss prevention) tools can monitor where excessive volumes of files are being exfiltrated out of the organisation. SIEM rules can also be tuned to alert on certain events that are indicative of malicious insider activity.
  • 17. EMERGING TECHNIQUES Alongside threat intelligence, a number of newer approaches are being developed which can directly or indirectly assist in finding insiders. Social media channels play an ever-increasing role in both legitimate and not so legitimate communications. Having the ability to monitor these channels, particularly where enhanced by specific threat intelligence, greatly increases the chances of isolating activity on these typically out-of-band channels. Sentiment analysis is another insider threat detection tool in the arsenal that is garnering more interest. It seeks to identify where an employee may be disgruntled or may hold activist tendencies which are contrary to the business values.
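The baselining and threat-intelligence matching described under Technical Controls, as an added example that is not part of the deck or of AlienVault USM: it parses a constructed auth log (the line format is an assumption), scores each successful login against the user's own prior logins and against their peer group (time of day and source country), and runs a SIEM-style rule matching constructed outbound flow records against a constructed indicator set. All function names, thresholds, users, addresses and indicators are assumptions.

```python
"""Baselining logins against a user's own history and their peer group, plus a
threat-intelligence match on outbound flows. Added example, not AlienVault code;
the log format, thresholds, indicator set and all sample values are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed auth log: three finance users with a regular ~09:00 GB pattern,
# then one out-of-hours login for bob from a country never seen before.
AUTH_LOG = """\
2024-03-04T08:55:10 auth user=alice result=success src=10.1.4.20 geo=GB group=finance
2024-03-04T09:02:41 auth user=bob result=success src=10.1.4.31 geo=GB group=finance
2024-03-04T09:10:05 auth user=carol result=success src=10.1.4.44 geo=GB group=finance
2024-03-05T08:49:33 auth user=alice result=success src=10.1.4.20 geo=GB group=finance
2024-03-05T09:00:12 auth user=bob result=success src=10.1.4.31 geo=GB group=finance
2024-03-05T09:15:27 auth user=carol result=success src=10.1.4.44 geo=GB group=finance
2024-03-06T08:58:02 auth user=alice result=success src=10.1.4.20 geo=GB group=finance
2024-03-06T09:05:50 auth user=bob result=success src=10.1.4.31 geo=GB group=finance
2024-03-06T09:12:14 auth user=carol result=success src=10.1.4.44 geo=GB group=finance
2024-03-09T02:13:45 auth user=bob result=success src=203.0.113.7 geo=RO group=finance
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) geo=(?P<geo>\S+) group=(?P<group>\S+)$"
)

def parse_auth_log(text):
    """Parse the constructed log format into dicts, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def hour_of(ev):
    return ev["ts"].hour + ev["ts"].minute / 60.0

def circular_hour_diff(a, b):
    """Distance between two times of day on a 24-hour circle (23:00 vs 01:00 is 2h)."""
    d = abs(a - b) % 24.0
    return min(d, 24.0 - d)

def summarise(events):
    """Baseline: typical login hour, its spread (floored at 1h so tiny samples
    do not yield absurd z-scores) and the set of source countries seen."""
    hours = [hour_of(e) for e in events]
    return {"mean_hour": statistics.fmean(hours),
            "stdev_hour": max(statistics.pstdev(hours), 1.0),
            "geos": {e["geo"] for e in events}}

def deviations(ev, base, label):
    """Findings for one event against one baseline (own history or peer group)."""
    found = []
    z = circular_hour_diff(hour_of(ev), base["mean_hour"]) / base["stdev_hour"]
    if z > 3.0:
        found.append((f"login_time_deviates_from_{label}", round(z, 1)))
    if ev["geo"] not in base["geos"]:
        found.append((f"geo_new_for_{label}", ev["geo"]))
    return found

def detect_anomalous_logins(text):
    """Stream events in time order; each successful login is scored only against
    baselines built from the events that preceded it, then added to them."""
    own_hist, peer_hist, results = defaultdict(list), defaultdict(list), []
    for ev in parse_auth_log(text):
        if ev["result"] != "success":
            continue
        findings = []
        if own_hist[ev["user"]]:
            findings += deviations(ev, summarise(own_hist[ev["user"]]), "own_history")
        if peer_hist[ev["group"]]:
            findings += deviations(ev, summarise(peer_hist[ev["group"]]), "peer_group")
        if findings:
            results.append((ev["user"], ev["ts"].isoformat(), findings))
        own_hist[ev["user"]].append(ev)
        peer_hist[ev["group"]].append(ev)
    return results

# Constructed outbound flow records (user, src, dst, dport) and a constructed
# indicator set standing in for a threat-intelligence feed; these are not real IoCs.
FLOWS = [
    ("alice", "10.1.4.20", "198.51.100.10", 443),
    ("bob", "10.1.4.31", "203.0.113.99", 4444),
    ("carol", "10.1.4.44", "198.51.100.22", 443),
]
KNOWN_C2 = {"203.0.113.99"}

def match_threat_intel(flows, indicators):
    """SIEM-style rule: flag any outbound flow whose destination is on the indicator list."""
    return [(user, dst, dport) for user, _src, dst, dport in flows if dst in indicators]
```

Running `detect_anomalous_logins(AUTH_LOG)` flags only bob's final login, with four findings: its time of day deviates from both his own history and the peer group, and the source country is new for both. The stdev floor matters in practice: with only a handful of prior logins the spread is near zero, and without a floor every slightly late login would become an outlier.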
  • 18. RESPONSE One of the challenges with any form of detection technology is having adequate skills and resources to investigate and respond to alerts. For this reason, some technologies and businesses are moving to more of a reporting framework for insider threat detection as opposed to raising alerts. With reports, a broader picture is painted around a user and their activity, thus allowing investigations to be conducted based on richer context versus merely a one-off alert. Such mechanisms could include a risk-score against each user based on a number of factors such as grade, access to information, length of service, recent appraisal and so on. Whichever method is adopted, it will still require manual effort to investigate and validate any suspicions of wrongful behaviour.
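The per-user risk report described above, as an added example that is not part of the deck or of AlienVault USM: it rolls constructed detections from the last 30 days into one context-weighted score per user and ranks users, listing the contributing indicators so an investigation starts from the broader picture rather than a single alert. The context factors (grade, access level, length of service, last appraisal, notice given), the indicator weights and all sample data are assumptions.

```python
"""Per-user insider risk report: rolls detections from a 30-day window into a
context-weighted score per user instead of raising one alert per event.
Added example, not AlienVault code; factors, weights and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR/context attributes of the kind the deck lists
# (grade, access to information, length of service, recent appraisal).
USER_CONTEXT = {
    "alice": {"grade": 2, "access": "standard", "service_years": 6.0,
              "last_appraisal": "meets", "notice_given": False},
    "bob": {"grade": 4, "access": "privileged", "service_years": 0.8,
            "last_appraisal": "below", "notice_given": True},
    "carol": {"grade": 3, "access": "standard", "service_years": 3.0,
              "last_appraisal": "exceeds", "notice_given": False},
}

# Constructed detections as they might arrive from SIEM, DLP or HIDS rules:
# (timestamp, user, indicator). One of bob's is old enough to fall outside the window.
DETECTIONS = [
    ("2024-03-01T10:00:00", "alice", "account_lockout"),
    ("2023-12-01T09:00:00", "bob", "large_upload_personal_cloud"),
    ("2024-03-08T16:20:00", "bob", "large_upload_personal_cloud"),
    ("2024-03-09T02:13:45", "bob", "login_time_deviates_from_own_history"),
    ("2024-03-09T02:14:02", "bob", "geo_new_for_user"),
    ("2024-03-09T02:30:00", "bob", "bulk_file_access_outside_role"),
    ("2024-03-07T11:00:00", "carol", "account_lockout"),
]

# Assumed weights, harm-oriented: negligible user error scores low,
# exfiltration-like indicators score high. Unknown indicators default to 1.
INDICATOR_WEIGHTS = {
    "account_lockout": 1,
    "login_time_deviates_from_own_history": 3,
    "geo_new_for_user": 4,
    "large_upload_personal_cloud": 6,
    "bulk_file_access_outside_role": 6,
}
WINDOW = timedelta(days=30)
MAX_SCORE = 100.0

def context_multiplier(ctx):
    """Assumed context factors: privileged access and a resignation in progress
    raise the score; a poor recent appraisal raises it a little."""
    m = 1.0
    if ctx.get("access") == "privileged":
        m *= 1.5
    if ctx.get("notice_given"):
        m *= 1.5
    if ctx.get("last_appraisal") == "below":
        m *= 1.25
    return m

def build_risk_report(detections, context, as_of_iso):
    """Return users ranked by score (ties broken by name), each with the
    in-window indicators that contributed and the multiplier applied."""
    as_of = datetime.fromisoformat(as_of_iso)
    in_window = defaultdict(list)
    for ts, user, indicator in detections:
        when = datetime.fromisoformat(ts)
        if as_of - WINDOW <= when <= as_of:
            in_window[user].append((when.isoformat(), indicator))
    report = []
    for user, ctx in context.items():
        hits = sorted(in_window.get(user, []))
        raw = sum(INDICATOR_WEIGHTS.get(ind, 1) for _ts, ind in hits)
        mult = context_multiplier(ctx)
        report.append({"user": user, "score": min(raw * mult, MAX_SCORE),
                       "raw": raw, "multiplier": mult, "indicators": hits})
    return sorted(report, key=lambda r: (-r["score"], r["user"]))

def format_report(report):
    """Analyst-facing text: one header line per user, then the contributing events."""
    lines = []
    for r in report:
        lines.append(f"{r['user']:<8} score={r['score']:6.1f} (raw {r['raw']} x {r['multiplier']})")
        for ts, ind in r["indicators"]:
            lines.append(f"    {ts}  {ind}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(build_risk_report(DETECTIONS, USER_CONTEXT, "2024-03-10T00:00:00")))
```

With the constructed data, bob ranks first (raw 19 from four in-window indicators, multiplied by 2.8125 for privileged access, notice given and a poor appraisal), while alice and carol each carry a single account lockout scoring 1.0. The report still only prioritises: as the deck says, a human must investigate and validate before anything is concluded about the user.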
  • 19. BATTLE OF ATTRITION While many new techniques have been developed and are continually being developed for insider threat detection and response – dealing with humans, particularly trusted employees, requires a different strategy and approach than dealing with malware. Whereas any suspicious email or file can be relatively easily quarantined or blocked until proven otherwise – employees cannot be suspended or fired based on a couple of indicators or mere suspicion. Also, bear in mind that a large portion of suspicious activity can take place outside the realm of IT systems. This means that companies will need to work with HR and legal departments in advance to determine the best strategy to investigate suspicious activity and how to interact with suspected employees. It becomes a matter of balancing risk – a company may be able to recover far more easily from an ex-employee taking a copy of the customer database than from an unfair dismissal lawsuit. In the financial sector especially, the stakes are high all around.
  • 20. AlienVault Unified Security Management (USM) delivers essential Insider Threat Detection and Management capabilities: Behavioral Monitoring • Network Intrusion Detection System (NIDS) • Network flow analysis • Network protocol analysis & packet capture Privilege Escalation Detection • Host Intrusion Detection System (HIDS) • File Integrity Monitoring (FIM) • Detect unauthorized user access attempts Event Correlation • Security Information and Event Management (SIEM) • Detect communications with malicious hosts • Centralized dashboard that prioritizes threats the way you want to see them
  • 21. Next Steps: Play, share, enjoy! www.alienvault.com • Learn more about AlienVault USM • Watch our 3-minute overview video • Start detecting threats today with a free 30-day trial • Join the Open Threat Exchange