insider threats: out of sight, out of mind?


Upload: observeit

Post on 17-Aug-2015


TRANSCRIPT

Prevent Insider Threats With User Activity Monitoring

Presented by Matt Zanderigo

Product Marketing Manager, ObserveIT

INSIDER THREATS: OUT OF SIGHT, OUT OF MIND?

WHO IS OBSERVEIT?

HQ: Boston, MA / R&D: Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital

The Leading Provider Of User Activity Monitoring To Prevent Insider Threats

RECENT BREACHES INVOLVING INSIDERS

Employee exposes rich clients' information online
Call-center workers sold customer data; fined $25M
Employee charged with stealing customer data
DBA account compromised leaves 78.8M affected
Third-party credentials stolen leaves 56M affected
Admin account compromised exposed 11M medical records

CHALLENGE WITH ADDRESSING INSIDER THREATS

3 out of 4 InfoSec professionals say: “It’s Hard to Distinguish Abuse from Legitimate Use”

260,000+ members

IT’S NOT AN INFRASTRUCTURE PROBLEM

“We realized that infrastructure monitoring alone was only giving us half the picture.”

Snir Hoffman, InfoSec Architect

SCOPE OF INSIDER THREATS

Employees: Data Extraction and Fraud (Application Access, Call Centers, and Watchlists)
Third-parties: IP Theft and Service Availability (Contractors, Remote Vendors, Outsourced IT)
Privileged Users: Access Abuse and Data Leaks (Help Desk, DBAs, HPAs, SoD and Sys Admins)
Audit and Compliance: Audit Controls for PCI / PII / PHI Data, Monitoring Privileged and 3rd Party Access, Alerting for Access to Sensitive Systems

EMPLOYEE MONITORING

Call Centers
Remote Users
HR Platforms
Data Extraction
Snooping
Shadow IT

Viewing Information They Shouldn’t Be, User Error, Unauthorized Apps

PRIVILEGED USER MONITORING

UNIX / Linux
Windows
DBAs
Network
Help Desk
Programmers

Tools in scope: WireShark, PuTTY, Toad, RDP, WinSCP, Reg Editor, CMD, PowerShell, DR Java, SSH, AD, SQL PLUS

Unauthorized Changes / Access, Abusing Privileges, Local / Service Accounts

3RD PARTY MONITORING

Contractors
Consultants
Vendors
Outsourced IT
Offshore Dev
MSPs

Unauthorized Changes, Abnormal Remote Access, Unscheduled Tasks

AUDIT AND COMPLIANCE

Findings related to Audit Controls for PCI / PII / PHI Data, Monitoring Privileged and 3rd Party Access, Alerting for Access to Sensitive Systems

Internal Audits / Security Controls (Annual, Quarterly or Monthly)
Regulatory Compliance
Security Frameworks

PREVENTING INSIDER THREATS WITH OBSERVEIT

Collect: Visual Recording, User Activity Logs (clear picture of the risk users present)
Detect: User Behavior Analytics, Activity Alerting (detect insider risk before it becomes a threat)
Respond: Live Session Replay, Shutdown Sessions (stop users from putting your business at risk)

INSIDER THREAT INTELLIGENCE DASHBOARD

Alert indication per screenshot on the timeline
Alert indication per activity

Collect Contextual Insider Threat Information
Real-time Alerts: Who Did What? When? And Why?

Live Response | User Interaction | Session Shutdown
Message suspicious users, and terminate sessions

ADD INSIDER THREAT INTELLIGENCE TO SECURITY POSTURE

Users -> Insider Threat Intelligence -> SIEM, IAM, ITSM

CUSTOMER EXAMPLES

Monitoring Privileged Users for PCI/SOX
- Monitoring privileged users with access to over 60 PCI/SOX applications
- Real-time monitoring of unauthorized account creation and firewall changes
- Integrated with Lieberman Password Vault

Remove Vendor Access to ERP
- Audit third-party ERP solution provider
- Monitor internal IT administrators' activities
- Deter negligent third-party activities

EHR System (EPIC) & PHI Servers
- If an employee views the patient record of another hospital employee
- If a doctor, nurse, pharmacist, etc. views the record of a patient not under their care
- If a doctor, nurse, pharmacist, etc. views the record of a high profile patient (VIP)

Policy Quoting & Claims Handling
- App data extraction (exporting reports, large copy operations)
- Unnecessarily accessing sensitive files (view/open/save/export)
- Business claims employees viewing personal claims information
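The EHR/PHI and claims-handling conditions above are plain alerting rules over user activity records. The following is an added example, not ObserveIT's code and not part of the presentation: a small rule engine that evaluates those conditions (employee viewing a colleague's record, clinician viewing a patient not under their care, VIP record access, large exports or copies, unexpected sensitive-file access, business-claims staff viewing personal claims) against constructed activity-log events. The Event fields, rule names, threshold, and all reference data (care-team assignments, VIP list, sensitive files) are assumptions made for the example.

```python
# Added example, not ObserveIT's code. A small rule engine that applies the
# alert conditions listed in the customer examples (EHR/PHI access and
# claims-handling data extraction) to constructed activity-log events.
# All names, fields, thresholds and reference data below are assumptions.
from dataclasses import dataclass


@dataclass
class Event:
    user: str            # account that performed the action
    role: str            # e.g. "doctor", "nurse", "pharmacist", "employee", "business_claims"
    action: str          # "view", "open", "save", "export", "copy"
    target: str          # record id, claim id or file path
    target_kind: str     # "patient_record", "claim" or "file"
    claim_type: str = ""     # "personal" or "business" when target_kind == "claim"
    bytes_moved: int = 0     # size of an export/copy, when the application reports it


# Constructed reference data standing in for the EHR, HR and file systems.
CLINICAL_ROLES = {"doctor", "nurse", "pharmacist"}
EMPLOYEE_PATIENTS = {"p-1001": "bob"}                 # patient id -> hospital employee it belongs to
CARE_TEAM = {"p-2001": {"carol"}, "p-2002": {"dan"}, "p-3000": {"dan"}}  # patient id -> assigned clinicians
VIP_PATIENTS = {"p-3000"}
SENSITIVE_FILES = {"/finance/payroll.xlsx"}
SENSITIVE_FILE_USERS = {"grace"}                      # users expected to touch those files
BULK_BYTES = 50_000_000                               # export/copy size that counts as "large"


def evaluate(e: Event) -> list:
    """Return the names of every alert rule the event matches (empty list if none)."""
    hits = []
    if e.target_kind == "patient_record":
        # Employee views the patient record of another hospital employee.
        if e.target in EMPLOYEE_PATIENTS and EMPLOYEE_PATIENTS[e.target] != e.user:
            hits.append("employee-record-view")
        # Clinician views the record of a patient not under their care.
        if e.role in CLINICAL_ROLES and e.user not in CARE_TEAM.get(e.target, set()):
            hits.append("not-under-care")
        # Any access to a high-profile (VIP) patient record.
        if e.target in VIP_PATIENTS:
            hits.append("vip-record-view")
    if e.target_kind == "claim":
        # Business-claims staff viewing personal claims information.
        if e.role == "business_claims" and e.claim_type == "personal":
            hits.append("personal-claim-view")
    if e.target_kind == "file":
        # Sensitive file touched by someone outside the expected group.
        if e.target in SENSITIVE_FILES and e.user not in SENSITIVE_FILE_USERS:
            hits.append("sensitive-file-access")
    # Application data extraction: exported reports or large copy operations.
    if e.action in ("export", "copy") and e.bytes_moved >= BULK_BYTES:
        hits.append("bulk-extraction")
    return hits


def run(events) -> list:
    """Evaluate a batch of events; return (user, target, rules) for each one that alerted."""
    results = []
    for e in events:
        rules = evaluate(e)
        if rules:
            results.append((e.user, e.target, rules))
    return results


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    Event("alice", "employee", "view", "p-1001", "patient_record"),
    Event("carol", "nurse", "view", "p-2001", "patient_record"),
    Event("carol", "nurse", "view", "p-2002", "patient_record"),
    Event("dan", "doctor", "view", "p-3000", "patient_record"),
    Event("erin", "business_claims", "view", "c-55", "claim", claim_type="personal"),
    Event("erin", "business_claims", "export", "claims-report-q2", "file", bytes_moved=120_000_000),
    Event("frank", "employee", "open", "/finance/payroll.xlsx", "file"),
    Event("grace", "employee", "open", "/finance/payroll.xlsx", "file"),
]

if __name__ == "__main__":
    for user, target, rules in run(SAMPLE_EVENTS):
        print(f"ALERT {user} -> {target}: {', '.join(rules)}")
```

Each rule is deliberately a function of the event plus reference data the organisation already holds (care-team assignments, an employee roster, a sensitive-file list); the hard part in practice is keeping that reference data current, since a stale care-team table turns the "not under care" rule into a stream of false positives for legitimate access.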

1,200+ CUSTOMERS

THANK YOU