Date post: 27-Jul-2020
Theft of Trade Secrets – Assessing and Responding to the Internal and External Threat

Mark Mermelstein, Mark Camillo, Jim Jaeger, Kurt Bertone, Nathaniel Weiner

December 4, 2013

Symantec 2013 Study

• Surveyed 3,317 employees in 6 countries
• 1 in 3 employees move work files to file sharing apps
• Half of employees who left/lost their jobs kept confidential information
• 40% plan to use confidential information at new job
• Top reasons employees believe data theft acceptable:
  • Does not harm the company
  • Company does not strictly enforce its policies
  • Information is not secured and generally available
  • Employee would not receive any economic gain

Cyber Risk Top Concern

Clients' Top Concern is Cyber Risk

The Landscape is Evolving Quickly

80% of clients believe that it is difficult to keep up with cyber threats because they are evolving so quickly.

Other “Hot Button” Topics in Cyber

• IT departments cannot be the sole source for defending against cyber risk.

• Cloud computing and mobile technology are growing areas of concern when it comes to potential sources of cyber risk.

• Clients are increasingly aware of network downtime as a potential loss from a cyber issue.

• Awareness of potential losses related to reputation is also increasing, leading to more C-suite involvement on strategic cyber initiatives.

Fortune 1000 SEC Risk Disclosure underweights IP risk.

Source: Willis Fortune 1000 Cyber Disclosure Report, Aug 2013.

$55 Million theft of trade secrets

What this may mean for a victim company

• Beyond the loss of the data, costs from a theft can include:
  • Public Embarrassment, Shareholder and Public Outcry
  • Loss of Customers/Revenue
  • Damaged Reputation/Brand
  • Computer forensics, PR consulting, Legal Assistance + Call Center Services
  • If PII,
    • Notification and identity monitoring
    • Liability from class action lawsuits, regulatory actions and fines/penalties
• Potential D&O suits:
  • Allegations of Negligence By Board – Lack of Oversight
  • Allegations Directors Should Have Known that Information Assets Were Vulnerable
  • Allegations Directors Failed to Purchase Sufficient Insurance Despite Clear And Prevalent Exposure

What to do if it happens to you?

• Litigation Options for Victims of Theft of Trade Secrets

Investigation

Investigative Approach

Critical First Step: Forensically preserve evidence

• Provides the foundation for all subsequent actions -- investigation, damage assessment, and possible disciplinary/legal action
• Retain forensic firm and investigators under outside counsel to retain attorney client privilege
• Preserve and analyze log data to determine what the insider/hacker has accessed

Inside jobs – additional considerations

• Corporate email/smartphones a trove of potentially useful data, even if deletion attempted
• Think broadly about who may be involved or if a FOIA request appropriate
• Don’t assume what you are looking for is all you will find – prepare to connect the dots

Insurance Considerations

• 57% of respondents in a Carnegie Mellon survey of Fortune 1000 executives indicated that their boards are not reviewing insurance coverage for cyber related risks*
• Traditional insurance policies frequently exclude intangible exposures, such as data loss due to virus, web attacks, and lost laptops
• Traditional policies confined to physical perils such as fire, flood, fraud and theft
• Crime/Fidelity policies cover the theft of physical assets (money and securities) and exclude intangible assets
• Cyber insurance can fill some of the gaps in property and general liability policies

* Governance of Enterprise Security: CyLab 2012 Report. Jody R. Westby.

Cyber Insurance Options

Security & Privacy Liability (3rd Party)

• Legal Defense/Damages
• Regulatory Actions/Fines Penalties
• PCI Assessments

Network Interruption, Cyber Extortion and Information Asset (1st party)

Event/Crisis Management

• Legal Assistance / Breach Coach
• Forensic Investigation
• Public Relations
• Notification Costs
• Credit Monitoring/Consumer Education
• Credit Restoration
• Call Center Services

Civil Litigation

Investigatory techniques

GOVERNMENT PRIVATE

Voluntary Disclosure

Via False Identity

Ability to Threaten Criminal Sanction

Subpoenas

§ 2703 Orders (For ISPs)

Search Warrants

Electronic monitoring/ Wiretaps

MLATs

Limited

• Collection mechanisms

Reasons not to pursue a public option

• Where to make the referral?

How Companies Can Prevent or Mitigate Loss?

Trade Secret Confidentiality – Best Practice

• Identify sensitive corporate data and critical processes. Using a risk-based approach, enhance protection through defense in depth
• If possible, tag/label sensitive data and segregate it on the network
• Use file integrity monitoring system
• Use network and terminal data loss prevention (DLP) systems
• Consider encryption of sensitive data
• Consider breach indicator assessment (BIA)

Life Cycle of a Threat

[Diagram. Actors and systems: External Threat, External Cmd & Ctrl System, External Site, Insider Threat, Network A, Network B. Phases: Infiltration, Cmd & Ctrl Communication, Lateral Propagation, Data Exfiltration.]

“Broad Spectrum” Approach to the Problem

[Diagram labels: External Threat, External Cmd & Ctrl System, External Site, Insider Threat. Phases: Infiltration, Cmd & Ctrl Communication, Lateral Propagation, Data Exfiltration.]

• Phishing threat intelligence and rules
• Malware detection stack
• Exploit kit rules
• C2 threat intelligence and rules
• Protocol, application and content decoders and analyzers
• Data exfiltration policies and rules
• Fidelis XPS Internal
• SMB/CIFS decoder
• Propagation rules

The Threat Timeline

[Timeline figure. Events: Initial Attack, Initial Compromise, Initial Data Exfiltration, Discovery, Containment / Remediation.]

Attacker Timeline:

• Time-to-Compromise: Milliseconds to Minutes
• Time-to-Exfiltration: Minutes to Days
• Data Exfiltration Window: Months to Years

Defender Timeline:

• Time-to-Prevention: Milliseconds to Minutes
• Time-to-Discovery: Months to Years
• Time-to-Containment: Days to Weeks

Defense Options:

1. Prevent the Initial Compromise
2. Compress or Eliminate the Data Exfiltration Window by reducing the Time-to-Discovery and Time-to-Containment

Speed Matters – you are in a race with the attacker!

Recommendations

• Take a broad spectrum approach to the problem
• Make sure your network security infrastructure gives you visibility over all phases of the Threat Life Cycle
• Don’t get fixated on any one particular phase of the Threat Life Cycle or any one particular threat vector
• Speed matters – you are in a race with the attacker – if you can react quickly you can minimize the damage

Suspicious Indicators

• Undue curiosity for information beyond job scope
• Unusual use of company equipment
• Taking information home or on trips without authorization
• Keeping odd hours
• Bringing cameras or recording devices into areas storing protected material
• Notice company’s ideas/information in the marketplace
• One or more employees rumored to be leaving to competitor

Off-Boarding Employees – Best Practice

• Exit interview
• Return all company property and disable employee’s access
• Remind the employee of any continuing obligations to the company
• Certification
• If suspicious indicators:
  • Interview co-workers
  • Inspect office
  • Review recent activity: email, cell phone records . .
  • Follow up with customers
  • Preserve employee’s computer for forensic analysis

On-Boarding New Employees – Best Practice

• The interview
• New hire training
• New hire agreements
• Check if the employee has any existing agreements with former employers before making offer
• Consider placing the employee in a different position or territory (even consider a garden leave) if you expect a fight
• Follow up with key employees

Underwriting Considerations

• Revenue / # of Records
• Industry
• Security & Privacy Culture
• Network Operations
• Organization Controls
• Administrative Controls
• Electronic Controls
• Physical Controls
• Regulatory Compliance
• Vendor Management
• Loss Experience
• Crisis Management Preparedness

Trade Secret Confidentiality - Summary

• Segregate and identify trade secret information – limit access
• Consistently use enforceable confidentiality and trade secret agreements
• Communicate & secure annual acknowledgement of HR policies
• Information security
• Communicate ownership of trade secrets on company IT
• Keep facilities secure
• Act immediately if you suspect an employee is utilizing/disclosing trade secrets without authorization or leaving to join a competitor
• Conduct exit interviews to ensure the return of all company property, ask about any suspicious activities and document responses

For More Information

• Mark Camillo, AIG, 212-458-1355
• Mark Mermelstein, Orrick Herrington & Sutcliffe, (213) 612-2204
• Kurt Bertone, General Dynamics Fidelis Cybersecurity, (617) 391-5510
• Jim Jaeger, General Dynamics Fidelis Cybersecurity, (443) 926-1159
• Nathaniel/Tani Weiner, CRC Health Group, 408-216-1198

