Post on 07-Aug-2020
transcript
Insider Threat Protection
Dr Jamie Graves, VP Security Analytics
© Fortinet Inc. All Rights Reserved.
Robert Hanssen
Psychology & Motivation
• Psychology
  • Entitled Independent Model
  • Ambitious Leader Model
• Motivation
  • Ego
  • Monetary Problems
  • Alienation
  • Groomed
  • Anger/revenge
  • Ideology/Identification
  • Adventure/Thrill
  • Vulnerability to Blackmail
  • Compulsive/Addictive Behaviour
  • Family Problems
Behaviour – Some Examples
• Behaviour
  • Technical
    • Attempts to circumvent auditing and logging functions
    • Copying, deleting, moving and printing sensitive files
    • Network interface or system hardware manipulation
  • Non-Technical
    • Without need or authorisation, takes proprietary material or other materials home
    • Interest in matter outside the scope of their duties
    • Unnecessarily copies material
How Data Is Stolen (chart)
• Email: 25%
• Removable Media: 25%
• Network Access: 23%
• Laptops: 16%
• Printed Docs: 6%
• File Xfer: 5%
Insider Lessons
• The Insider Threat is not related to ‘Hackers’
• The insider threat is not just a technical or cyber security issue
• A good insider threat program should focus on deterrence, not detection
• Detection of insider threats should involve behavioural based techniques
A Blind Spot in Security Analytics: Insider Risk
• Malware analytics is taken care of through the following:
  • A ‘hard-shell’ and network monitoring provides some perimeter visibility
  • EPP solutions mostly focus on malware
• A blind spot exists within the perimeter
• 30% of breaches were due to those within the organization acting negligently or maliciously
(Diagram: Network Security)
Achieving UEBA: Market Landscape
Network-Based
• Unable to monitor off-network
• Unable to decrypt traffic if no key is present
Log-Based
• Incomplete picture
• Log files are not designed to give necessary user insights
Endpoint-Based
• Visibility of user and data behavior on and off the network
• Provides the best granularity of telemetry to detect insiders
System Architecture: Agent/Server
Windows Endpoint Agent
• Lightweight, zero-configuration agent
• Encrypted connection (TLS 1.2)
• Push deployment
AWS Hosted: Storage, Presentation and Analytics
• Rule Matching
• Machine Learning
• Threat Hunting
Unique 5-Factor Telemetry Model: Engineered to detect insider threats
FortiInsight: wherever a machine is located and whatever network it is connected to, FortiInsight captures the key information from 5 anchors, delivering insights built on the key metadata and behaviour analysis around:
• Users
• Processes
• Devices
• Behaviours
• Resources
(Diagram: Data Analysis)
Policies: Detecting Predictable Threats
• Real-time inspection of incoming events against defined criteria
• Encode compliance
• Generate alerts on violation
• Create New Policy
  • Search based
  • Raw EPL
• Policy attributes
  • Enable/Disable
  • Severity
  • Frameworks
  • Labels
  • Email notifications
FortiInsight UEBA ML: AI Scoring
• Using Naïve Bayes
• Severity Score = Risk as Anomaly
• Goal: determine risky activity
• Deviation from normal behavior
• Risk = static score (low 0-29, medium 30-59, high 60-100)
• E.g. cloud backup program = medium risk
• Two weeks to learn normal behavior, then switch on alert mode
Visualisation: Alerts
• Use visualization and the summary table to find what’s important to you
• Users, Entities, Tags for scoping
• Feedback mechanism
• Pivot on Threat Hunting for context
FortiInsight UEBA ML - Feedback: Feedback Mechanism
• User input to system:
  • Thumbs up = positive feedback
  • Thumbs down = negative feedback
• System output:
  • Searchable tags, e.g. “potential leaver” = user writing a CV file, “Sensitive data”, etc.
• Settings – allow defining file types, folders, and users that are high risk
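The AI Scoring slide (two-week baseline, Naïve Bayes, anomaly as severity, low/medium/high bands) and the Feedback slide (thumbs down folding an event back into "normal") are illustrated together below. This is an added example, not FortiInsight code: the user "alice", the per-factor Laplace-smoothed scoring formula, the event fields and all sample values are constructed assumptions chosen to show the concepts.

```python
# Illustrative UEBA scoring over the page's 5-factor telemetry (user, process, device,
# resource, behaviour). Constructed events; the scoring formula is an assumption, not FortiInsight's.
from collections import Counter, defaultdict
SCORED = ("process", "device", "resource", "behaviour")  # factors scored per user

def risk_band(score):
    """Map a 0-100 severity score to the page's static bands."""
    return "low" if score < 30 else "medium" if score < 60 else "high"

class UserBaseline:
    """Learns each user's normal values for two weeks, then switches to alert mode and
    scores events naive-Bayes style: factors are treated as independent given the user."""
    def __init__(self, learning_days=14):
        self.learning_days = learning_days
        self.counts = defaultdict(Counter)  # (user, factor) -> value counts
        self.totals = Counter()             # user -> events learned
        self.first_day = {}                 # user -> day of first event
    def learn(self, event):  # also used for 'thumbs down' (false positive) feedback
        for f in SCORED:
            self.counts[(event["user"], f)][event[f]] += 1
        self.totals[event["user"]] += 1
    def score(self, event):
        """Severity 0-100: mean over factors of 1 - Laplace-smoothed P(value | user)."""
        user, n = event["user"], self.totals[event["user"]]
        anomaly = sum(1 - (self.counts[(user, f)][event[f]] + 1) / (n + 2) for f in SCORED)
        return int(round(100 * anomaly / len(SCORED)))
    def process(self, event):
        """Learning period: absorb the event, return None. Alert mode: return its score."""
        start = self.first_day.setdefault(event["user"], event["day"])
        if event["day"] - start < self.learning_days:
            self.learn(event)
            return None
        return self.score(event)

def make_event(day, process, device="LAPTOP-A", resource=r"\\share\reports", behaviour="read"):
    return {"user": "alice", "day": day, "process": process,
            "device": device, "resource": resource, "behaviour": behaviour}

def demo():
    """Constructed: 14 ordinary days for 'alice', then day-14 events of increasing novelty."""
    base = UserBaseline()
    for d in range(14):                                   # learning period, nothing scored
        base.process(make_event(d, "outlook.exe" if d < 9 else "winword.exe"))
    normal = base.process(make_event(14, "outlook.exe"))  # familiar values -> low
    partial = base.process(make_event(14, "backup.exe", resource=r"\\share\archive"))  # medium
    usb_copy = make_event(14, "robocopy.exe", "USB-1", r"\\share\hr", "copy")
    first = base.process(usb_copy)                        # everything novel -> high
    base.learn(usb_copy)                                  # analyst thumbs down: treat as normal
    second = base.process(usb_copy)                       # same event now scores lower
    return normal, partial, first, second
```

A real deployment would also persist the baseline and keep learning after alert mode is on; the example keeps the two phases separate so the band transitions are easy to follow.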
Feedback Tags (screenshot)
Sources
• FBI Insider Threat Lessons
• CERT: Spotlight On: Insider Theft of Intellectual Property inside the United States Involving Foreign Governments or Organisations
• CERT: Insider theft of intellectual property for business advantage: a preliminary model
• CERT: Common sense guide to mitigating insider threats, 4th edition