Insider Threats: Out of Sight, Out of Mind?
TRANSCRIPT
Prevent Insider Threats With User Activity Monitoring
Presented by Matt Zanderigo
Product Marketing Manager, ObserveIT
WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The Leading Provider Of User Activity Monitoring To Prevent Insider Threats
RECENT BREACHES INVOLVING INSIDERS
• Employee exposes rich clients' information online
• Call-center workers sold customer data; $25M fine
• Employee charged with stealing customer data
• DBA account compromised, leaving 78.8M affected
• Third-party credentials stolen, leaving 56M affected
• Admin account compromised, exposing 11M medical records
CHALLENGE WITH ADDRESSING INSIDER THREATS
3 out of 4 InfoSec professionals say:
“It’s Hard to Distinguish Abuse from Legitimate Use”
260,000+ members
IT’S NOT AN INFRASTRUCTURE PROBLEM
“We realized that infrastructure monitoring alone was only giving us half the picture.”
Snir Hoffman, InfoSec Architect
SCOPE OF INSIDER THREATS
• Employees: Data Extraction and Fraud (Application Access, Call Centers, and Watchlists)
• Third-parties: IP Theft and Service Availability (Contractors, Remote Vendors, Outsourced IT)
• Privileged Users: Access Abuse and Data Leaks (Help Desk, DBAs, HPAs, SoD and Sys Admins)
• Audit and Compliance: Audit Controls for PCI / PII / PHI Data, Monitoring Privileged and 3rd Party Access, Alerting for Access to Sensitive Systems
EMPLOYEE MONITORING
Viewing Information They Shouldn’t Be, User Error, Unauthorized Apps
• Call Centers
• Remote Users
• HR Platforms
• Data Extraction
• Snooping
• Shadow IT
PRIVILEGED USER MONITORING
Unauthorized Changes / Access, Abusing Privileges, Local / Service Accounts
• UNIX / Linux
• Windows
• DBAs
• Network
• Help Desk
• Programmers
Tools seen in privileged sessions: Wireshark, PuTTY, Toad, RDP, WinSCP, Reg Editor, CMD, PowerShell, DR, Java, SSH, AD, SQL Plus
3RD PARTY MONITORING
Unauthorized Changes, Abnormal Remote Access, Unscheduled Tasks
• Contractors
• Consultants
• Vendors
• Outsourced IT
• Offshore Dev
• MSPs
AUDIT AND COMPLIANCE
Findings related to Audit Controls for PCI / PII / PHI Data, Monitoring Privileged and 3rd Party Access, Alerting for Access to Sensitive Systems
• Internal Audits / Security Controls (Annual, Quarterly or Monthly)
• Regulatory Compliance
• Security Frameworks
PREVENTING INSIDER THREATS WITH OBSERVEIT
Collect
• Visual Recording
• User Activity Logs
CLEAR PICTURE OF THE RISK USERS PRESENT
Detect
• User Behavior Analytics
• Activity Alerting
DETECT INSIDER RISK BEFORE IT BECOMES A THREAT
Respond
• Live Session Replay
• Shutdown Sessions
STOP USERS FROM PUTTING YOUR BUSINESS AT RISK
Collect Contextual Insider Threat Information
Alert indication per screenshot on the timeline
Alert indication per activity
Live Response | User Interaction | Session Shutdown
Message suspicious users, and terminate sessions
CUSTOMER EXAMPLES
Monitoring Privileged Users for PCI/SOX
• Monitoring privileged users with access to over 60 PCI/SOX applications
• Real-time monitoring of unauthorized account creation and firewall changes
• Integrated with Lieberman Password Vault
Remove Vendor Access to ERP
• Audit third-party ERP solution provider
• Monitor internal IT administrators' activities
• Deter negligent third-party activities
EHR System (EPIC) & PHI Servers
• Alert if an employee views the patient record of another hospital employee
• Alert if a doctor, nurse, pharmacist, etc. views the record of a patient not under their care
• Alert if a doctor, nurse, pharmacist, etc. views the record of a high-profile patient (VIP)
Policy Quoting & Claims Handling
• Alert on app data extraction (exporting reports, large copy operations)
• Alert on unnecessary access to sensitive files (view/open/save/export)
• Alert when business claims employees view personal claims information
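The EHR and claims-handling conditions above are rule checks over record-access logs joined with reference data (who is on a patient's care team, which department handles a claim, which employees are also patients, which patients are VIPs). The block below is an added illustration in Python, not ObserveIT's code or any customer's configuration, of how those rules can be written and run over a few constructed log events. It generalizes slightly: care-team membership and department assignment are handled by one "who may open this record" lookup, so the same rule covers "patient not under their care" and "business claims employee viewing a personal-lines claim". Every user ID, record ID, department name, the 500-row export threshold and the reference tables are assumptions.

```python
# Added example (not ObserveIT code): rule-based alerts for the EHR and
# claims-handling conditions described in the customer examples, run over a
# constructed access log. All identifiers and reference data are assumptions.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str        # employee ID (assumed)
    dept: str        # department or role, e.g. "nursing", "business_claims"
    subject: str     # patient or claim record that was touched
    action: str      # "view", "export" or "copy"
    rows: int = 1    # rows returned or copied (1 for a single-record view)


# Constructed reference data. In a real deployment this is joined in from HR,
# scheduling and the claims system; only the joined view is needed here.
EMPLOYEE_RECORDS = {            # employees who are also patients / policyholders
    "nurse01": "pt-200",
    "adj03": "cl-302",
}
ASSIGNED = {                    # principals allowed to open each record
    "pt-100": {"dr02", "nurse01"},          # care team (individual clinicians)
    "pt-101": {"dr02"},
    "pt-200": {"dr05"},
    "cl-300": {"dept:personal_claims"},     # claim handled by a department
    "cl-301": {"dept:business_claims"},
    "cl-302": {"dept:personal_claims"},
}
VIP = {"pt-101"}                # high-profile patients: alert on any access
BULK_ROWS = 500                 # export/copy at or above this is "large" (assumed)


def principals(ev: AccessEvent) -> set[str]:
    """Identities an event can be authorised under: the user and their department."""
    return {ev.user, f"dept:{ev.dept}"}


def evaluate(ev: AccessEvent) -> list[str]:
    """Return the name of every rule the event trips; an empty list means clean."""
    hits: list[str] = []
    own = EMPLOYEE_RECORDS.get(ev.user)
    if ev.subject in EMPLOYEE_RECORDS.values() and ev.subject != own:
        hits.append("colleague_record")   # viewed another employee's record
    if ev.subject == own:
        hits.append("own_record")         # self-lookup, flagged for review
    if not principals(ev) & ASSIGNED.get(ev.subject, set()):
        hits.append("not_assigned")       # not on care team / other line of business
    if ev.subject in VIP:
        hits.append("vip_record")         # VIP patient: alert even for the care team
    if ev.action in ("export", "copy") and ev.rows >= BULK_ROWS:
        hits.append("bulk_extraction")    # exported report / large copy operation
    return hits


def detect(events: list[AccessEvent]) -> list[tuple[AccessEvent, str]]:
    """Run every event through the rules and return (event, rule) pairs for review."""
    return [(ev, rule) for ev in events for rule in evaluate(ev)]


# Constructed sample log: one clean event, then events that trip each rule.
SAMPLE_LOG = [
    AccessEvent("dr02", "physicians", "pt-100", "view"),                     # on care team: clean
    AccessEvent("dr05", "physicians", "pt-200", "view"),                     # a colleague's record
    AccessEvent("nurse01", "nursing", "pt-200", "view"),                     # own record
    AccessEvent("nurse01", "nursing", "pt-101", "view"),                     # not on care team, VIP
    AccessEvent("adj04", "business_claims", "cl-300", "view"),               # personal-lines claim
    AccessEvent("adj04", "business_claims", "cl-301", "export", rows=5000),  # bulk export
]

if __name__ == "__main__":
    for ev, rule in detect(SAMPLE_LOG):
        print(f"{rule:17} {ev.user:8} {ev.action:6} {ev.subject} rows={ev.rows}")
```

The rules are only as good as the reference tables: a stale care-team roster or department mapping turns legitimate clinical work into a stream of `not_assigned` alerts, so the join should be refreshed from the scheduling and HR systems on every run, and the `vip_record` rule is deliberately unconditional because VIP access is normally reviewed even when it is authorized.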