#RSAC SESSION ID: HUM-R02 A FRAMEWORK TO EFFECTIVELY DEVELOP INSIDER THREAT CONTROLS Randy Trzeciak Dan Costa Director Technical Solutions Team Lead CERT National Insider Threat Center CERT National Insider Threat Center Software Engineering Institute Software Engineering Institute Carnegie Mellon University Carnegie Mellon University
Can This Happen to Your Organization? #RSAC Former Information Security Recently Demoted Software Director at Lottery Association Engineer Steals Over $1B Worth Uses Rootkit To Alter Random Of Technology, Goes to Work for Number Generator, Allowing Foreign Competitor Accomplices to Win $14M Disgruntled Contract Employee At Wastewater Facility Accesses SCADA Systems After Termination, Releases 800,000 Litres of Sewage
How Pervasive is the Issue? #RSAC Source: U.S. State of Cybercrime Surveys, 2005-2017, CSO Magazine, USSS, Carnegie Mellon Software Engineering Institute, Price Waterhouse Cooper, ForcePoint
What Can You Do? #RSAC
Presentation Objectives #RSAC Help you: identify, select, develop, and implement insider threat controls navigate the insider threat control landscape measure the effectiveness of your insider threat controls
A Process for Insider Threat Control Implementation and Operation #RSAC Identify insider threats to critical Assets Refine and Establish an refresh insider threat insider threat control controls baseline Measure Fill critical effectiveness gaps in of insider control threat baseline controls
#RSAC IDENTIFYING INSIDER THREATS TO CRITICAL ASSETS 7
Insider Threats to Critical Assets #RSAC Organization’s Intentionally or Negatively Affect Individuals Assets Unintentionally the Organization who have or had to act in a way that use that access authorized access to could Fraud Harm to Organization’s Current or Former People Employees Theft of Intellectual Property Degradation to CIA of Full-Time Employees Information or Information Cyber Sabotage Systems Information Part-Time Employees Espionage Disruption of Organization’s Ability to Meet its Mission Workplace Violence Temporary Employees Technology Damage to Organization’s Social Engineering Reputation Contractors Accidental Disclosure Harm to Organization’s Facilities Accidental Loss or Disposal of Trusted Business Partners Customers Equipment or Documents
Identifying Insider Threats Within Your Organization - 1 #RSAC
Identifying Insider Threats Within Your Organization - 2 #RSAC Don’t guess! Get the right people involved Enterprise risk management Business process owners Executive leadership team Board of directors Prioritize threats relative to potential impacts / priorities of your organization What’s more important: your organization’s reputation, or its intellectual property? — Who makes this call?
#RSAC ESTABLISHING AN INSIDER THREAT CONTROL BASELINE
Insider Threat Controls #RSAC Steps to Success Control Areas by Stakeholder Data Owners Human Information Legal Physical Software Figure out what you need Resources Technology Security Engineering Access Recruitment Access Agreements Facility Technical Standards can help Control Control to Protect Security Policies and Sensitive Agreements Information Figure out what you already have Modification Policies and Modification Restrictions Physical Modification of Data, Practices of Data or on Outside Asset of Data or Traditional cybersecurity controls Systems, Logs Disruption of Employment Security Systems Services / provide a solid foundation of Systems Unauthorized Training, Unauthorized Employee Asset capability Access, Education, Access, Behaviors in Management Download, or and Download, or the Consider technical, physical, and Transfer of Evaluation Transfer of Workplace administrative controls Assets Assets Incident Policy and Incident Contractor / Response Practice Response Trusted Engage other key parts of your Monitoring Business organization! and Partner Enforcement Agreements Termination Termination Termination
Different Control Functions #RSAC • prevent intentional or unintentional harm • examples: prohibit unauthorized network connections via policy, technical (firewall), and physical (locks) controls Prevent • identify and report unauthorized or suspicious activity • examples: log monitoring, system audits, file integrity checkers, motion detection Detect • respond to and fix a security concern, and limit or reduce further damage • examples: virus removal procedures, updating firewall rules to block attacking IP addresses Correct • restore operations after an incident • examples: stolen data recovery procedures, restoring data from backup after disk failure Recover • discourage security violations • examples: security cameras, “unauthorized access prohibited” signs, monitoring policies Deter • alternatives to recommended or normal controls that cannot be used Compen • examples: enhanced monitoring on a server that cannot have antivirus software installed due to interference with a critical application sate 13
NIST SP 800-53 Revision 4 Insider Threat Controls - 1 #RSAC IR-4 (7) INCIDENT IR-4 (6) INCIDENT HANDLING | INSIDER HANDLING | INSIDER PE-2 PHYSICAL ACCESS PS-3 PERSONNEL MP-7 MEDIA USE THREATS – INTRA- THREATS – SPECIFIC AUTHORIZATIONS SCREENING ORGANIZATION CAPABILITIES COORDINATION SC-5 (1) DENIAL OF PS-4 PERSONNEL PS-5 PERSONNEL PS-8 PERSONNEL SERVICE PROTECTION | SC-7 BOUNDARY TERMINATION TRANSFER SANCTIONS RESTRICT INTERNAL PROTECTION USERS SC-7 (9) BOUNDARY PROTECTION | RESTRICT SC-7 (10) BOUNDARY SI-4 (12) INFORMATION THREATENING PROTECTION | PREVENT SC-38 OPERATIONS SYSTEM MONITORING | OUTGOING UNAUTHORIZED SECURITY AUTOMATED ALERTS COMMUNICATIONS EXFILTRATION TRAFFIC
NIST SP 800-53 Revision 4 Insider Threat Controls - 2 #RSAC PM-1 INFORMATION PM-14 TESTING, AC-6 (9) LEAST PRIVILEGE AT-2 (2) SECURITY PM-12 (0) INSIDER SECURITY PROGRAM TRAINING, AND | AUDITING USE OF AWARENESS | INSIDER THREAT PROGRAM PLAN MONITORING PRIVILEGED FUNCTIONS THREAT AU-6 (9) AUDIT REVIEW, ANALYSIS, AND AU-7 AUDIT REDUCTION AU-13 MONITORING FOR REPORTING | AU-10 NON- AU-12 AUDIT AND REPORT INFORMATION CORRELATION WITH REPUDIATION GENERATION GENERATION DISCLOSURE INPUT FROM NON- TECHNICAL SOURCES CA-2 (2) SECURITY CP-2 (1) CONTINGENCY CA-7 CONTINUOUS IA-4 IDENTIFIER ASSESSMENTS | TYPES OF PLAN | COORDINATE MONITORING MANAGEMENT ASSESSMENTS WITH RELATED PLANS
Tools for Detecting, Preventing, and Responding to Insider Incidents #RSAC User Activity Monitoring (UAM) • Provide host-based audit, monitoring, and preventative controls Observe and record host-based activities of (applications executed, file access and modification, clipboard activity) • Key capabilities: rule-based alerting, screen capture / video recording, analyst interface Data Loss Prevention (DLP) • Detect and prevent sensitive information from leaving authorized locations • Key capabilities: data tagging, content inspection, active monitoring of print jobs, removable media, file systems, and networks Security Information Event Management (SIEM) • Log aggregation and analysis capability typically found in security operations centers (SOC’s) • Key capabilities: data visualization, rule-based alerting, reporting, data normalization Analytics • Broad range of tools that perform advanced analytics for insider threat prevention and detection • Key capabilities: anomaly detection, risk scoring, predictive analytics, text analytics, analyst interface Forensics • Tools that provide incident responders with detailed low-level views of user activity • Key capabilities: storage medium acquisition, forensic artifact extraction, forensic artifact management and analysis
Policies and Procedures for Insider Threat Mitigation #RSAC Reminder Exemplars IT Acceptable Use Policy Don’t forget your administrative Intellectual Property Policy controls! Data Handling and Classification Policy Policies, procedures, documentation Change Control and Configuration Management Policy codify “normal” behavior - important for anomaly detection Employee Onboarding Procedures Incident Response Plan Disciplinary Action Procedures Employee Separation Handling Trusted Business Partner Agreements
#RSAC SELECTING AND IMPLEMENTING ADDITIONAL INSIDER THREAT CONTROLS
Selecting Security Controls #RSAC Consider your possible threat scenarios (fraud, theft of IP, sabotage, etc.) Decompose the threat scenarios into their component parts Models can help here Map threat scenario components to observables Map observables to controls Select controls of varying functions (preventative, detective, corrective, deterrent, etc.) for a defense-in-depth strategy
Example – IT Systems Sabotage Model #RSAC Actual Risk of Insider Attack Technical Behavioral Precursor Precursor Discovery of Disgruntlement Precursors Ability to Conceal Unknown Activity Access Paths Technical Sanctions Monitoring Behavioral Insider‘s Unmet Expectation Monitoring Perceived Risk of Insider Attack Insider‘s Expectation Expectation Fulfillment Organization‘s Personal Precipitating Trust of Insider Predisposition Event
Recommend
More recommend
