Evolution of Technical Insider Threat at the FBI and Lessons Learned Kevin Nesbitt Federal Bureau of Investigation

Post on 18-Jan-2016


TRANSCRIPT


Disclaimer
The views expressed in this presentation are those of the presenter and do not reflect the official policy or position of the Department of Justice, the Federal Bureau of Investigation, or the U.S. Government, nor does it represent an endorsement of any kind.

Agenda
The nature of Insider Threat
Where we came from . . .
Where we are . . .
Where we are going . . .
Lessons learned . . . About Insider Threat
Lessons learned . . . Programmatics

The nature of Insider Threat . . .
It's hard. It's very, very hard . . .

The problem set . . .
Nothing is really new
There has always been data . . .
There have always been security requirements
(It's just that everything else is constantly changing)

Where we came from . . .
In the beginning there was audit data . . . but no one looked at it
Then there was Robert Hanssen and the Webster Commission
Then we started trying to look at audit data

Where we came from . . .
The flight recorder: this is the minimum expectation
Damage assessment
Then came Leandro Aragoncillo
Then we started looking at predictive analytics

Where we are . . .
An interesting time . . .
Insider threat is reaching a level of maturity
Technology/solutions are evolving: predictive, proactive, psycho/social, diagnostic
Society/social media is evolving
The threat is evolving

Where we are going . . .
Ubiquitous surveillance
Big data solutions
The Cloud (a whole buncha servers)
Mobile
Internet of Things
Insider threat

Lessons Learned . . . Insider Threat
Insider threats are not hackers
Insider threat is not solely a technical or "cyber security issue"
A good insider threat program should focus on deterrence, not detection
Avoid the data overload problem

Insider threats are not hackers
Individuals who joined the organization with no malicious intent
Not the knucklehead problem
Not the most common problem
Just the most costly and the most damaging problem

Insider threat is not solely a technical or "cyber security issue"
A multi-disciplinary problem requires a multi-disciplinary solution
Do you know your people?
Do you know your enemy?
Do you know your processes/data?

A good insider threat program should focus on deterrence, not detection
Make it difficult to be an "insider threat"
Data-centric, not security-centric solutions
Crowd-source security
Positive social engineering

Avoid the data overload problem
You don't need everything
You don't want everything
You need HR data
You need system logs tracking data egress and ingress

Lessons Learned . . . Programmatics
The basics
Start where you are
Governance, people, tools and process
Don't waste a good crisis
Basic hygiene
Positive social re-engineering
Enterprise perspective

The Basics (Risk)
What's really important?
Where is it?
Who can get at it?
How bad is it gonna hurt?
A word about FUD

Start where you are
Even if you are in good shape
Security compromises come from exceptions
Be able to recover
Trust but verify: your people, your data, your assets

Governance, people, tools and process
Sponsorship
Analysts and . . .
Push Button A for Spy, push Button B for Malicious User
Kill chain

Basic hygiene
Don't be in a big hurry to go out and buy something
Computer/Networking/Storage 101
Authorized/unauthorized software list
Secure configurations
Continuous vulnerability assessments and . . .
Administrative privileges under control/separation of duties
Know your connections
Be a hard target

Don't waste a good crisis
Have a wish list . . .
Reasonable capabilities expansion
Reqs in hand
Ideally . . .

Positive social re-engineering
Make it easy to do good
Make it hard to do bad
Make it easy to tell if something has changed
Let people know what you are doing . . . within reason

Enterprise perspective
Data protection and awareness
Application security
Federation of response

Questions
You can ask questions or we can maintain an uncomfortable silence.
Your call . . .
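The "Avoid the data overload problem" slide names exactly two feeds an insider threat program needs: HR data and logs of data egress/ingress. The following is an added example (not from the presentation or the FBI) showing how those two feeds combine into a small detector: each user's daily egress is compared against that user's own prior median, and an anomaly is ranked higher when HR says the person is in a risk window such as a resignation notice period. The HR events, the egress log lines, the channel names and the 5x threshold are all constructed for illustration.

```python
"""Added example: correlate HR events with data-egress logs, flagging only
anomalous egress and ranking it by HR context. All sample data is constructed."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed HR feed: (user, event, date). Only the events below count as risk context.
HR_EVENTS = [
    ("alice", "resignation_notice", date(2016, 1, 10)),
    ("bob", "hired", date(2015, 6, 1)),
]
RISK_EVENTS = {"resignation_notice", "termination_pending", "adverse_action"}

# Constructed egress log, one line per transfer: date user channel megabytes
EGRESS_LOG = """\
2016-01-05 alice usb_write 120
2016-01-06 alice usb_write 90
2016-01-07 alice email_attach 150
2016-01-11 alice usb_write 4200
2016-01-12 alice cloud_upload 3900
2016-01-05 bob email_attach 300
2016-01-06 bob email_attach 250
2016-01-07 bob usb_write 280
2016-01-13 bob cloud_upload 2900
"""


def parse_egress(log_text):
    """Aggregate egress volume per (user, day). Returns {user: {day: MB}}."""
    per_user = defaultdict(lambda: defaultdict(float))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day_s, user, _channel, mb = line.split()
        per_user[user][date.fromisoformat(day_s)] += float(mb)
    return per_user


def hr_risk_window(user, day, events, lookback_days=30):
    """True if the user had a risk-relevant HR event on or within lookback_days before day."""
    for u, event, when in events:
        if u == user and event in RISK_EVENTS and when <= day <= when + timedelta(days=lookback_days):
            return True
    return False


def detect(log_text, events=HR_EVENTS, factor=5.0, min_history=2):
    """Flag days whose egress exceeds factor x the user's own prior daily median.

    Flagged days are kept out of the baseline so a burst cannot normalise itself.
    Severity is 'high' when HR context puts the user in a risk window, else 'medium'.
    """
    alerts = []
    for user, days in parse_egress(log_text).items():
        baseline = []  # daily MB values accepted as normal for this user
        for day in sorted(days):
            mb = days[day]
            if len(baseline) >= min_history and mb > factor * median(baseline):
                severity = "high" if hr_risk_window(user, day, events) else "medium"
                alerts.append({
                    "user": user,
                    "day": day.isoformat(),
                    "mb": mb,
                    "baseline_mb": median(baseline),
                    "severity": severity,
                })
            else:
                baseline.append(mb)
    return alerts


if __name__ == "__main__":
    for alert in detect(EGRESS_LOG):
        print(alert)
```

On the constructed data, alice's two post-notice days are flagged "high" against a 120 MB baseline, and bob's single burst is flagged "medium" because HR holds no risk event for him. The point is the slide's: neither feed alone is enough, and nothing beyond these two feeds was needed to rank the alerts.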