3 tips for managing risky user activity in 2015
DESCRIPTION
The single biggest security risk in 2015 will be your users. Whether it’s malicious or negligent activity, 69 percent of reported security incidents involve a trusted insider. What’s more, 84 percent of insider security incidents involve everyday business users - those with no admin rights. You have not one but hundreds—perhaps thousands—of these users who need access to critical applications and data every day. Check out these slides from a webinar with David Monahan, Research Director at Enterprise Management Associates (EMA), to learn helpful tips on how to make your organization more secure from the fastest growing security threat: User Based Risks. David is a senior Information Security Executive with nearly 20 years of experience. He has diverse experience with security, audit and compliance, and user risk in a wide range of industries.
TRANSCRIPT
David Monahan
Research Director, Risk & Security Management, EMA
Dimitri Vlachos
VP of Marketing, ObserveIT
3 Tips for Managing Risky User Activity in 2015
November 19, 2014
Today’s EMA Presenter
Slide 2
David Monahan
Research Director, Risk & Security Management
David has over 20 years of IT security experience and has organized and managed both physical and information security programs, including Security and Network Operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies.
He has diverse Audit and Compliance and Risk and Privacy experience – providing strategic and tactical leadership, developing, architecting and deploying assurance controls, delivering process and policy documentation and training, as well as other aspects associated with educational and technical solutions.
Agenda
The Threat Landscape is Expanding
Users are the beachhead for attacks
3 Tips for Managing User Risks in 2015
1. Identify different types of user risks
2. Adopt a user-centric security strategy
3. Simplify compliance, focus on the user
Slide 3 © 2014 Enterprise Management Associates, Inc.
Slide 4
Relative Risk From Users
User Risks
3 Types of Users:
Business User – 84% of insider-based breaches (no admin rights)
Contractor/Partner/Vendor – 1% of breaches but significantly higher data loss per incident
Privileged User (IT Admin) – 16% of breaches
Slide 5
Key Findings
Outsiders want to become Insiders
69% of breaches involved an insider identity in 2013
100% of breaches involved an insider identity in 2014
Identities captured in hours but detection an average of 8 months
Monitoring is traditionally infrastructure (system) and admin based
62% of admin breaches involved human error
Compromise of an administrator often raised the red flag for a breach
Use of trusted 3rd-party identities to access data is growing (e.g. Target, Home Depot)
Security Needs Better/More Context
10% of threat actors were unidentifiable using Infrastructure Monitoring
Much successful malware impersonates real users
Better Context Protects Users
Slide 6
Tip #1: Identify different types of user risks
Ensure that you’re covered for each of these user risk scenarios:
5 Types of User Risk
• Scenario 1: Malicious Insider
• Scenario 2: Insider Accident
• Scenario 3: Duped User
• Scenario 4: Malware
• Scenario 5: Direct Hacker Attack
Ask yourself: Even if detected, how does security identify and compare these different types of user risks with infrastructure logging?
Slide 7
Infrastructure vs. User-based Monitoring
Traditional logging is system/application based
Most system and application logging has gaps
Only 29% of data breaches resulted from system glitches
These gaps propagate into centralized logging
To determine fault and scope, large-scale investigations are mounted
With infrastructure logging, determining intent is difficult, maybe impossible
A user-focused monitoring system can reduce this work
IAM solutions apply identity to a user throughout the environment but still require forensic work post-incident
Putting all of the user's activity together provides the big picture
Slide 8
Tip #2: Adopt a user-centric strategy for 2015
Adding a visual record of activities provides new user context
A picture is worth a thousand words
Quality comparison: telegraph vs. Skype
Shows intent
Protects users from malicious activity using their identity
Move context from reactive to proactive
Combined with alerting, it becomes highly context-based and proactive
Reduces time and cost of breach investigation
Helps protect Employees and Company
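The two slides above (infrastructure vs. user-based monitoring, and the user-centric strategy with alerting) describe the idea but not the mechanics. The script below is an added example, not code from the deck, EMA or ObserveIT: it stitches log lines from three separate systems into one activity timeline per person, then runs alert rules that only make sense on that whole-user view, and finally prints the kind of per-user textual report Tip #3 asks for. Every log line, account name, address, path and the IAM-style identity mapping is constructed for the example; the three log formats are invented stand-ins for whatever your VPN, file server and host logs actually emit.

```python
"""
Added example, not taken from the EMA/ObserveIT deck: stitch per-system log
lines into one activity timeline per person and run alert rules over that
timeline. Every log line, account name, address and the identity mapping
below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed IAM-style mapping: each local account seen in any log resolves
# to one person. Infrastructure logs on their own never carry this link.
IDENTITY_MAP = {
    "jdoe": "jane.doe", "j.doe": "jane.doe",
    "bob.admin": "bob.smith", "bsmith": "bob.smith",
}
ADMIN_USERS = {"bob.smith"}                     # the deck's "privileged user" type
SENSITIVE_PREFIX = "/srv/finance/cardholder/"  # cardholder data (PCI Requirement 10)
PRIV_COMMANDS = ("usermod", "sudo")             # commands a business user should not run

# Three constructed log formats, one per source system (hypothetical layouts).
LOG_FORMATS = {
    "vpn": re.compile(r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)$"),
    "fileserver": re.compile(r"^(?P<ts>\S+) fileserver: user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>\S+)$"),
    "host": re.compile(r'^(?P<ts>\S+) host: user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$'),
}

SAMPLE_LOGS = [  # constructed, deliberately out of order and mixed-source
    "2014-11-19T09:00:00 vpn: user=jdoe ip=10.0.0.15 event=login",
    "2014-11-19T10:00:00 vpn: user=bob.admin ip=10.0.0.20 event=login",
    "2014-11-19T09:05:10 fileserver: user=j.doe op=read path=/srv/finance/reports/q3.xlsx",
    "2014-11-19T10:02:00 host: user=bsmith cmd=\"usermod -aG wheel svc_backup\"",
    "2014-11-19T09:30:00 vpn: user=jdoe ip=10.0.0.15 event=logout",
    "2014-11-19T13:45:02 fileserver: user=j.doe op=read path=/srv/finance/cardholder/batch.csv",
    "2014-11-19T13:46:30 host: user=jdoe cmd=\"usermod -aG wheel jdoe\"",
    "2014-11-19T14:00:00 host: user=svc_tmp cmd=\"id\"",
    "malformed line that no parser accepts",
]


def parse_line(line):
    """Normalize one raw line into (timestamp, person, source, fields), or None."""
    for source, rx in LOG_FORMATS.items():
        m = rx.match(line)
        if m:
            fields = m.groupdict()
            ts = datetime.fromisoformat(fields.pop("ts"))
            person = IDENTITY_MAP.get(fields.pop("user"), "unknown")
            return ts, person, source, fields
    return None


def build_timelines(lines):
    """Group parsed events by person and order each person's events by time."""
    timelines = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ts, person, source, fields = parsed
            timelines[person].append((ts, source, fields))
    for events in timelines.values():
        events.sort(key=lambda e: e[0])
    return dict(timelines)


def alerts_for(timelines):
    """Rules that need the whole-user view; each alert is (time, person, reason)."""
    alerts = []
    for person, events in timelines.items():
        vpn_active = False
        for ts, source, fields in events:
            if person == "unknown":
                alerts.append((ts, person, "activity by an account not mapped to any person"))
                continue
            if source == "vpn":
                vpn_active = fields["event"] == "login"
            elif source == "fileserver" and fields["path"].startswith(SENSITIVE_PREFIX) and not vpn_active:
                alerts.append((ts, person, "cardholder data read with no active VPN session: " + fields["path"]))
            elif source == "host" and person not in ADMIN_USERS and fields["cmd"].startswith(PRIV_COMMANDS):
                alerts.append((ts, person, "privileged command by business user: " + fields["cmd"]))
    return alerts


def user_report(timelines, person):
    """Plain-text activity report for one person, the kind an auditor is handed."""
    lines = [f"Activity report for {person}"]
    for ts, source, fields in timelines.get(person, []):
        detail = " ".join(f"{k}={v}" for k, v in fields.items())
        lines.append(f"{ts.isoformat()} [{source}] {detail}")
    return lines


if __name__ == "__main__":
    tl = build_timelines(SAMPLE_LOGS)
    for alert in alerts_for(tl):
        print("ALERT", *alert)
    print("\n".join(user_report(tl, "jane.doe")))
```

Run on the constructed lines, the file server alone sees an ordinary `read`, and the VPN alone sees an ordinary `logout`; only after both are attributed to the same person does the cardholder-data read with no active session stand out, together with the business user running `usermod`. The unmapped `svc_tmp` account is flagged simply because no identity owns it, which is the practical meaning of "differentiate between the real user and impersonators".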
Slide 9
Today’s Burden and Pressures of Compliance
PCI 3.0
Requirement 10 – Track and monitor all access to resources and cardholder data
HIPAA-HITECH
Section §164.308(a)(1)(ii)(D) mandates covered entities to implement procedures and regularly review records of information system activity, such as audit logs, access reports and security incidents
FFIEC
Assigning privileges to a unique user ID apart from the one used for normal business use…
Logging and auditing the use of privileged access…
Many others…
Every compliance statute or directive requires some form of user monitoring
Slide 10
Tip #3: Simplify compliance, focus on the user
Provide your auditor not only the list of users who have access to systems but also all activities on systems and applications – both visual replay and one-click textual reports
Slide 11
Summary
Attackers want to impersonate business users first
Traditional Administrator Monitoring won’t see this
Traditional Logging Is Table Stakes Only
Benefits of User Focused Monitoring
Help differentiate between the real user and impersonators
Protect the Business and Users
Provide Richer Context for Incident Response and Forensics
Identify Intent
Improve Security and Compliance
Slide 12
[Closing diagram] Identify and Manage User-based Risk: User Context across Systems, Apps, Information and Users, alongside SIEM, IAM and ITSM