Tackling the Insider Threat


INFORMATION SECURITY PRODUCT OVERVIEW, APRIL 2016

Insider risk within the enterprise is a significant and persistent challenge for security teams. A recent Intel/McAfee study indicates 43% of data breaches were directly caused by internal employees and contractors [1]. This supports a finding from the 2015 Verizon Data Breach report, which aggregates the top causes of breaches: 90% have some tie to an internal human action [2]. In response, we recommend Chief Information Security Officers (CISOs) and key security leaders establish a comprehensive insider threat program rooted in security analytics to increase organizational capacity to proactively monitor, detect, and respond to malicious, compromised, and negligent insider activities. This type of approach delivers deep context and analytic flexibility, critical to effectively and responsibly identifying, discouraging, and stopping unwanted activities including intellectual property theft, corporate espionage, and client data loss, while also providing early warning of potentially compromised accounts. The key is to build a program integrated with a holistic, configurable, and contextual technology platform.

RedOwl delivers unparalleled visibility into employee activities, behaviors, and relationships by fusing together unstructured, context-rich data streams (email metadata and content, chat, voice, web and print content) with structured data (server logs, SIEM, DLP, alerting feeds, endpoints, proxy, physical security and print logs) to provide a comprehensive view of enterprise risk. Our analytic models allow entities and events to be scored and prioritized through multiple lenses across all of these data streams, a capability previously unavailable to security teams.

Our integrations with Active Directory and corporate human resources systems play a key role as well, and our analytic visualizations and workflow are second to none. As a result, we offer true situational awareness of the human layer of the enterprise, and a rich, powerful forensic platform that radically enhances internal investigations and follow-ups. The alternatives, including some of the more traditional, black-box User and Entity Behavior Analytics (UEBA) tools, are built on narrow views of human activity. They are also limited to structured data sources analyzed in disparate systems, while conforming to a fixed configuration of analytics. Such an approach may let a buyer check the "insider threat monitoring" box, but these tools fail to deliver a holistic picture of risk because they present a disjointed analysis of human behavior, and in the end they miss the entirety of why it is crucial to establish a comprehensive, platform-based insider threat risk management strategy.

[1] Intel-McAfee: Grand Theft Data
[2] Verizon: 2015 Data Breach Investigations Report

RedOwl's customers include Fortune 2000 companies in financial services, energy, aerospace and defense, and hospitality. We are backed by leading investors at the Blackstone Group, Allegis Capital, and Conversion Capital. With headquarters in Baltimore, MD and offices in London, New York and San Francisco, we have built the most comprehensive platform to tackle insider risk.

What Are You Trying to Accomplish With an Insider Threat Program?

At the most basic level, your organization is attempting to protect against significant problems that can cripple leading companies:

1 Intellectual Property & Sensitive Data Theft: Stealing data from the organization, often for monetary gain or personal benefit
2 Corporate Espionage: Coerced theft for third-party gain (national, strategic, or competitive advantage)
3 Fraud: Unauthorized access to or modification of an organization's data for personal gain
4 Information Technology Sabotage: Taking advantage of corporate information technology to harm or undermine the organization

Without a clear plan and adequate technological capabilities, damage from insider activities is likely to be quite severe. Examples of recent insider events of significance include:

Major Financial Institution: An employee leaked data corresponding to 10% of the firm's Private Wealth Management clients, allegedly in order to sell the information on the black market. 900 files were posted online; the stock dropped 3%.
Film Studio: Executive emails, films, and intellectual property were leaked with suspected insider involvement; this led to the resignation of the head of the studio.
Energy Producer: A disgruntled employee reset all network equipment to default, disabled security, and shut down operations for 30 days.
Telecommunications Provider: An employee accessed 1600 customer accounts as part of a plan to jailbreak unlocked phones.
Major Financial Institution: 27,000 customer files were threatened to be sold on the black market, allegedly by an internal employee group.
National Security Agency: Millions of sensitive files were leaked by a planted insider, Edward Snowden, fundamentally affecting the reputation of the U.S., its allies, and his employer, a top U.S. consulting firm.
U.S. Army: Simple web scraping enabled the theft of hundreds of thousands of cables, leaked by Chelsea Manning to an external organization.

When the risk comes from the inside, it represents either malicious individuals (those intending to do the organization harm), negligent individuals (those violating policies, often for convenience or perceived short-term needs), or compromised accounts (i.e. credential theft).

POTENTIAL THREAT LANDSCAPE = THE EXTENDED ENTERPRISE

EMPLOYEES: Business, IT Admin, Developer, Security, Operational, Management, Administrative
CONTRACTORS: IT Staff, Business Consultants, Building Maintenance, Logistical
PARTNERS: Shared Systems, Guests, Deal Collaborators, Traditional Vendors, Cloud Vendors

For all of these use cases and for all user persona types, the consistent analytic requirement is to effectively aggregate, analyze, and monitor all the data sources that expose evolving human activity, relationships, intent, behaviors, and context with respect to their interactions with other individuals, content, devices, applications, and even locations. Properly doing so allows the organization to be aware of when unwanted scenarios and unexplainable anomalies develop and occur, ideally at the indicator stage.

Do You Have Visibility Into All Your Data?

Most security teams are experienced in assessing log data (network flow, endpoint logs, firewall logs, identity and access management logs), all feeding into a SIEM platform. Accessing and integrating such information feeds in support of insider threat programs is important, but this approach to data management creates a significant vulnerability for complex organizations. Looking at SIEM-friendly machine metadata alone exposes two fundamental gaps: content and context. By expanding your focus through the use of a comprehensive platform, your team will be able to use human metadata, human content, and context to better assess risk across the organization. Both of these categories of data sources are critical in making inferences, judgments, and decisions about the most sensitive entities within the organization: employees and contractors.

In our experience, the most critical observable data points relevant to most insider incidents, whether they are the actual events pertinent to a policy violation or breach, or the indicator events that ought to have provided early warning, tie back to streams of data that most security teams today have no visibility into:

1 Communications data
2 Enhanced endpoint/proxy data (e.g. content)
3 Enrichment data (e.g. human resources, Active Directory, public records)
4 Physical security data
5 Alert feeds

In its recent market overview of security analytics, Gartner noted that security teams require "...semistructured and contextual unstructured information that informs organizations on employee behavior and potential insider threats. For example, this behavioral information may be found in various user communication channels, such as email and messaging." [3]

Ensuring these types of data streams are fully aggregated, indexed, and analyzed as part of an insider program is key. Content must be preservable (to the extent permitted by law), with appropriate back-end and front-end capabilities within a security platform to make analysis and exploration feasible, effective, and efficient.

Can You Assess Behaviors, Not Just Anomalies?

Traditional black-box User and Entity Behavioral Analytics (UEBA) vendors detect anomalies while exposing organizations to three major security vulnerabilities:

1 Anomalies without context are highly noisy
2 Investigation (often through external tools) is costly and frustrating
3 Not every relevant scenario involves anomalies; statistical patterns still matter

RedOwl's unique approach leverages anomaly detection along with robust pattern analysis and a built-in forensic platform. Beyond anomaly detection, RedOwl's software was created to deliver three critical benefits to security teams:

1 Holistic visibility into internal employee activity, behaviors, and relationships across all forms of critical data in a rapidly evolving data environment
2 A proactive, not reactive, risk posture to detect and mitigate high-risk individuals, relationships, and events
3 Enhanced investigative response to alerts and reports through improved context, reduction of false positives, quicker decision making, and greater exposure to previously unknown risk scenarios

By ingesting a comprehensive set of data sources and layering analytic techniques in order to fully understand the nuanced interactions that indicate changes in sentiment and behavior, RedOwl's platform delivers detailed risk narratives enabling analysts to assess high-risk user activity holistically.

[3] Gartner: Market Guide for User and Entity Behavior Analytics, 22 September

Furthermore, analysts can quickly pivot from alert to investigation within a single application, instead of having to move from one user interface to another. The built-in workflow is designed for both large and small enterprises. Analysts and platform users are able to track their actions, form and collaborate on cases, enrich events and individuals with notes and attributes, and build dashboards, which improves the overall process.

Is Your Analytic Approach Configurable and Extensible?

RedOwl provides insight into high-risk behaviors and individuals, not just high-risk events. By evaluating nuanced interactions between people, data, devices, and applications over time, RedOwl prioritizes context-rich timelines for security teams. Our software approach is built upon four key technical pillars:

1 Fusing disparate employee data sources into one platform, including content
2 Applying multiple types of rigorous behavior-based analytics focused on change, pattern, and anomaly detection
3 Exposing powerful forensic search and discovery tools through a powerful user interface
4 Delivering proactive reporting that fully integrates with human workflow and existing client information architecture

This is further enhanced by our key analytic building blocks:

Feature Extraction: Enrich events of interest based on analysis of both content and metadata patterns, incorporating domain expertise and advanced probabilistic models.
Behavioral Models: Apply advanced statistical methods to analyze entities over time and proactively detect deviations from normal baselines (individual and global).
Content Analytics: Incorporate a variety of natural language processing and sentiment analysis techniques to feature-tag events and score sentiment.
Powerful Visualizations: Use visualization techniques to enhance the human role within the analytic process: make analysts smarter, and include their brains in the platform.
Extensible Data Model: Flexible enough to handle all structured and unstructured data sources within an extensible core, an opinionated data model.
Machine Learning: Classify, group, and isolate statistically relevant features in order to discover similar events or behaviors related to other individuals within the organization.

Our user interface is built to enable analysts, not just data scientists, to easily implement and refine the analytics to meet unique use cases and evolving security needs without custom software development. RedOwl layers analytic techniques because each available analytical strategy, such as descriptive statistics or sentiment analysis, answers a unique question pattern. Depending on the use cases you are tackling, you may want to use each analytic capability individually or in combination.

We fundamentally believe that a one-size-fits-all approach to analytics is not appropriate for large organizations. A lack of configurability leads to major long-term weakness. Black-box analytic platforms do not provide enough flexibility for organizations which face different types of threats and use cases that evolve over time. Instead, configurable analytics allow the platform to adapt to your use cases, learn as you learn, and even enable you to tackle new problems and use cases within one application.

Sample Question 1: Which of my employees are exhibiting negative sentiment that may be a precursor to malicious behavior?
Analytic Technique(s): Content analytics plays a key role.

Sample Question 2: Which of my employees are exhibiting behavior indicative of reconnaissance activities on the network that is completely strange relative to their own history?
Analytic Technique(s): Requires a combination of feature-based extraction, behavioral modeling, and machine learning.

How We Do It: Data, Features, and Models Lead to Narratives

The combining of enriched, tagged, and modeled unstructured and structured data sources is precisely what enables security teams and management to detect early signs of high-risk behavior within the company. At scale, these interactions also indicate the relative and evolving risk of human activity across the firm. RedOwl understands a wide range of structured and unstructured data sources, including:

Communications: email, chat, voice, SMS, phone logs
Network and endpoint activity: SIEM and EDR
Physical activity: Badge access, print logs
Employee transactions: Trades, changes in benefits
Enrichment data: Human resource records, expense reports

At the core of everything we do is the exposure of extensible event-level features. Features enable analysts to track events (micro-policies or indicators that warrant further attention), but they do not necessarily trigger unwanted and noisy alerts throughout your Security Operations Center. This approach allows the RedOwl platform to make early judgments about which groups of events matter initially. Over time, the platform ties in deeper entity-level temporal aggregations and flags events in the user interface for the analyst.

Note that there are a variety of examples of features:

Direct/Self-Contained Features
Lexicon-based: Racial slurs, profanity, restricted stocks, competitors, deal terms
Metadata-based: Number of attachments, size of event, number of recipients
Directional: Output to a particular domain or set of domains, or input from such
Time grouping: Emails that are sent late at night, badging into a building outside of business hours

Contextual Features
Sequential: Does a particular event follow another event within a given time frame?
Global Statistical: Does a recent aggregation of similar events represent a statistical spike compared to the organizational normal?
Actor Statistical: Does a recent aggregation of similar events represent a statistical spike compared to the individual's own normal?
Contextual: Does any field within the metadata represent an abnormal quantity for the individual's own history?

The platform also takes advantage of attributes ingested from existing knowledge stores such as Active Directory or Workday, which plays a key role in our entitlements capabilities. This allows us to apply features only to events by certain types of actors, or to weight the events differently depending on the attributes of the individuals involved.

Next, our platform is based on the important concept of a model. A model is a weighted collection of features that allows us to aggregate individual events over time and drives us towards a very flexible, extensible way of deriving risk scores for individuals tied to configurable use cases within the application.

Data Gathering Recon Model: This sample model looks at abnormal user activity around file access, SSH server access, IT policy violations, and even internal communication wall crossings.
Negative Behavior Model: This example, focused on general negative behavior, examines granular elements of sentiment-related content features.

Over time, the aggregation of data models tied to individuals enables us to do several key things:

1 Develop a sense of what is normal for a given individual
2 Expose which individuals are displaying characteristics of a given model at a higher level than others in the organization for a given time period
3 Expose which individuals are displaying characteristics of a given model at a higher level than their own normal

The platform gives you the ability to build collections around multiple models. In this particular case, risk narratives are tracked within the platform within our insider risk chain so you can leverage previously unknown insights and quickly take action. The risk chain report depicted below is comprised of five analytic models. Each model consists of several different behaviors, queries, and analytics. Together, they provide a holistic and contextual view of the profiled individual's behavior over time. Analysts can move from the high-level risk chain visualization directly into significant events and the underlying data sets in order to fully understand risk narratives.
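The feature catalogue above, the "model as a weighted collection of features" definition, and the three aggregation goals (individual baseline, comparison to the organization, comparison to one's own normal) can be made concrete with a small worked example. The code below is an added illustration, not RedOwl's code and not part of this overview: it evaluates direct features (lexicon-based, metadata-based, directional, time grouping) over constructed email and badge events, derives actor-statistical and global-statistical spike features from per-day counts, and scores each actor against a hypothetical weighted model. The internal mail domain, lexicon, thresholds, weights, feature names and sample events are all assumptions made for the example; the sequential feature type is not covered.

```python
"""Features -> weighted model -> per-actor risk score (added example, not RedOwl code)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

INTERNAL_DOMAIN = "corp.example"                 # assumed internal mail domain
LEXICON = {"restricted stock", "deal terms"}     # constructed lexicon, in the page's style


def email(actor, ts, to, text, attachments=0):
    """Build a constructed email event record."""
    return {"actor": actor, "kind": "email", "ts": ts, "to": to,
            "attachments": attachments, "text": text}


# Constructed sample events for one working week (Mon 2016-04-04 .. Fri 2016-04-08).
EVENTS = [
    # alice: quiet internal baseline Monday-Thursday, then an after-hours burst on Friday
    email("alice", "2016-04-04T10:15", ["bob@corp.example"], "status update"),
    email("alice", "2016-04-05T11:00", ["bob@corp.example"], "status update"),
    email("alice", "2016-04-06T09:30", ["bob@corp.example"], "lunch"),
    email("alice", "2016-04-07T14:00", ["bob@corp.example"], "notes"),
    email("alice", "2016-04-08T22:30", ["me@personal.example"],
          "attached deal terms for the acquisition", attachments=4),
    email("alice", "2016-04-08T22:45", ["me@personal.example"], "personal backup", attachments=6),
    email("alice", "2016-04-08T23:10", ["me@personal.example"], "more files", attachments=3),
    {"actor": "alice", "kind": "badge", "ts": "2016-04-08T23:05", "site": "HQ"},
    # bob: one proposal to an external client every working day, so that is his own normal
    *[email("bob", f"2016-04-0{d}T10:00", ["customer@client.example"], "proposal")
      for d in range(4, 9)],
]


# --- Direct / self-contained features: each looks at one event only -------------------
def lexicon_hit(e):            # lexicon-based
    return any(term in e.get("text", "").lower() for term in LEXICON)

def bulk_attachments(e):       # metadata-based (assumed threshold: 3 or more attachments)
    return e.get("attachments", 0) >= 3

def external_output(e):        # directional: output to a domain outside the enterprise
    return any(not addr.endswith("@" + INTERNAL_DOMAIN) for addr in e.get("to", []))

def after_hours(e):            # time grouping: applies to email and badge events alike
    hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M").hour
    return hour < 7 or hour >= 20

DIRECT_FEATURES = {"lexicon": lexicon_hit, "bulk_attachments": bulk_attachments,
                   "external_output": external_output, "after_hours": after_hours}

# Hypothetical model: a weighted collection of features, plus bonus weights for the
# contextual (statistical spike) features derived from the per-day counts.
MODEL = {"lexicon": 2.0, "bulk_attachments": 1.0, "external_output": 1.0, "after_hours": 1.0}
ACTOR_SPIKE_WEIGHT = 3.0   # current count far above the individual's own normal
GLOBAL_SPIKE_WEIGHT = 2.0  # current count far above the organizational normal


def day_of(e):
    return e["ts"][:10]


def feature_counts(events):
    """actor -> day -> feature -> number of events on which the feature fired."""
    counts = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for e in events:
        for name, fn in DIRECT_FEATURES.items():
            if fn(e):
                counts[e["actor"]][day_of(e)][name] += 1
    return counts


def is_spike(current, history, min_sigma=1.0):
    """Statistical spike: current exceeds the history mean by more than two sigma.
    The sigma floor keeps a single event over a flat, all-zero history from being a
    spike, and an empty history (no baseline yet) can never be a spike."""
    if not history:
        return False
    sigma = max(pstdev(history), min_sigma)
    return current > mean(history) + 2 * sigma


def actor_scores(events, model=MODEL):
    """Score every actor for the most recent day; earlier days form the baselines."""
    counts = feature_counts(events)
    days = sorted({day_of(e) for e in events})
    current, history = days[-1], days[:-1]
    actors = sorted({e["actor"] for e in events})
    scores, spikes = {}, {}
    for actor in actors:
        score, flagged = 0.0, []
        for feat, weight in model.items():
            cur = counts[actor][current][feat]
            own_hist = [counts[actor][d][feat] for d in history]            # actor normal
            org_hist = [counts[a][d][feat] for a in actors for d in history]  # org normal
            score += weight * cur
            if is_spike(cur, own_hist):
                score += ACTOR_SPIKE_WEIGHT
                flagged.append(f"actor_spike:{feat}")
            if is_spike(cur, org_hist):
                score += GLOBAL_SPIKE_WEIGHT
                flagged.append(f"global_spike:{feat}")
        scores[actor], spikes[actor] = score, flagged
    return scores, spikes


if __name__ == "__main__":
    scores, spikes = actor_scores(EVENTS)
    for actor in sorted(scores, key=scores.get, reverse=True):
        print(f"{actor}: score={scores[actor]:.1f} spikes={spikes[actor]}")
```

Bob's daily external email never spikes against his own history, so his routine keeps a low score, while Alice's Friday burst fires the lexicon, attachment, directional and after-hours features and registers as a spike against both her own normal and the organization's. This is the point of weighting models over features rather than alerting per feature: a single feature hit is a trackable indicator, while the aggregate over a window and against a baseline is what should reach an analyst.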

The final piece of the analytic puzzle is tying this into a configurable dashboard to build multiple real-time lenses with which to view the organization.

Deployment Options

Our platform is a distributed, fault-tolerant, full-stack application that gives you unprecedented visibility into your critical data streams. The only software required to use RedOwl is a current web browser. RedOwl is designed to be horizontally scalable, allowing us to add capacity as data needs grow, and to provide redundancy. RedOwl designed our security analytics platform with multiple deployment models in mind: it can be deployed either in a customer's preferred cloud environment as a virtual private cloud or directly within the data center. The platform can also be deployed in a fully redundant fashion; it does not have any runtime dependencies on client data stores or any external resources.

What You Get: Risk Use Cases

Build an integrated program designed to deter, prevent, detect, and respond to insider threats:

DEPLOY A TRULY COMPREHENSIVE INSIDER THREAT PROGRAM
Data sources include SIEM, identity, Active Directory, endpoint agents, unstructured data including email/chat, and telemetry data including badge or shift information.

DETECT INTELLECTUAL PROPERTY LOSS
Pinpoint the theft or premature disclosure of sensitive corporate information including ideas, plans, methods, or technologies. This could include SaaS usage for transferring content or evidence of corporate espionage.

PERFORM FASTER, CONTEXT-RICH INCIDENT RESPONSE & DISCOVERY
Better gauge the size, scope and business impact of a security incident with additional context, helping responders to quickly and accurately assemble a narrative. In cases where attacks are successful and data is stolen or systems compromised, an enterprise may be able to learn how to block future attacks through forensics. For example, forensic analysis may reveal behavioral and technical clues that security teams can monitor in the future.

SITUATIONAL AWARENESS ABOUT EMPLOYEE, DEPARTMENT OR ORGANIZATION RISK
Leverage advanced analytic techniques to fully understand the inner workings of your organization and to manage risk comprehensively.

DETECT ROGUE, NEGLIGENT OR COMPROMISED EMPLOYEES
Spot potentially damaging aberrant and unwanted behavior to identify and distinguish rogue, negligent or compromised employees, including monitoring privileged users.

Conclusion: Secure the Human Layer to Reduce Risk

In 2015, Gartner named RedOwl a Vendor to Watch, explaining that RedOwl "...positions its platform as a means to help with issues ranging from risk and compliance to legal, investigative and organizational. Through the use of additional contextual information and analysis, it is able to show issues that may have otherwise gone overlooked, such as noncompliance, rogue insiders or employees showing behavioral patterns that indicate they are about to leave an organization." [4]

Today's technology-enabled employees pose an asymmetric risk to enterprises unprepared to identify and disrupt unwanted behavior. The cost of being unprepared is high. The FBI recently warned, "Victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees." [5]

A holistic platform that understands human activity is the cornerstone of a comprehensive insider threat program, providing insights into high-risk behavior and evolving threats within your company. Information security teams have at least some visibility into network traffic patterns and perimeter threats, but little into the human layer. With RedOwl, security teams can incorporate important signals buried within unstructured data, gaining real visibility into the human behaviors, activities, and relationships of the employees, contractors, and partners with routine access to internal networks. RedOwl's platform enables unparalleled situational awareness of people within the extended enterprise, continuous monitoring for threats such as fraud, intellectual property loss, and reputational risk, and effective incident response.

Security teams have two choices: look at log data and add a traditional black-box UBA solution to a SIEM, or use a holistic platform built on configurable analytics to comprehensively tackle insider risk.

[4] Gartner: Market Trends: Security Analytics: A New Hope for Security, or Just Hype?, March