Source PDF: client.blueskybroadcast.com/ISC2/PDF/ISC2_Part_2_09202016.pdf
© 2016 Imperva, Inc. All rights reserved.
Part 2: How to Detect Insider Threats
Amichai Shulman, Chief Technology Officer, Imperva
Amichai Shulman – CTO, Imperva
• Speaker at industry events – RSA, AppSec, Info Security UK, Black Hat
• Lecturer on information security – Technion, Israel Institute of Technology
• Former security consultant to banks and financial services firms
• Leads the Imperva Defense Center
• Discovered over 20 commercial application vulnerabilities
  – Credited by Oracle, MSSQL, IBM and others
• Named one of InfoWorld's "Top 25 CTOs"
Direct EXTERNAL attacks and persistent INTERNAL attacks
• Attacks are inevitable
• Users get compromised
• Data is the target
[Figure: chart – Crowd Research Partners, Insider Threat Spotlight Report, 2015]
Why Detection is Difficult: Information Overload, Hiding Abuse in Plain Sight
• More legitimate data access
• Volumes of disparate logs
• Security alert overload
Layered Detection Strategy
Attack Lifecycle – Data is the Target
1. Initial compromise – endpoints and BYOD
2. Lateral movement – internal network
3. Data access and theft – data
[Figure: chart – Crowd Research Partners, Insider Threat Spotlight Report, 2015]
Layered Detection Strategy
Assuming that a compromise is inevitable, advanced technologies should be focused on finding the attack past the initial foothold.
1. Deception
2. Behavior Analytics
1: Deception
What is Deception Technology?
• Deception technologies are defined by the use of deceit and/or feints designed to thwart or throw off an attacker's cognitive processes, disrupt an attacker's automation tools, delay an attacker's activities or disrupt breach progression.
Source: Gartner, Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities, 16 July, 2015
Why Use Deception?
• Compromise is inevitable
  – No perimeter: BYOD, cloud apps, VPN
  – Legitimate apps (TeamViewer, Dropbox)
  – Zero days
  – Social engineering
• Find the data breach within the compromises
  – Compromises happen all the time… few of them may turn into a breach!
  – Response teams need to prioritize
  – 100 alerts << 1 alert
• Detect a breach ASAP
  – Reconnaissance and lateral movement
Deception Tokens
• Tokens deployed across the enterprise
• Point the attacker towards a trap
  – Internal web app, file server, database, etc.
  – Local / domain account
  – Passwords, cookies, authentication tokens
• Detection = token harvested + token used
  – A deliberate attempt at the data center, or to gain more privileges
Patent: Compromised Insider Honey Pots Using Reverse Honey Tokens
Compromised Users: Deceiving Attackers with Deception Tokens
• Trojan penetrates endpoint via phishing
• Tokens used: planted Windows Vault and Internet Explorer credentials
• Determine the source and scope of the attack without tipping off the bad actor
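The "harvest + use" detection the deception-token slides describe, written out as an added example in Python; this is not Imperva's or CounterBreach's code. Everything in it is constructed for illustration: the decoy registry, the event field names (ts, user, src_host, target, outcome), the host and account names, and the sample authentication log. The point it makes concrete is that a decoy credential has no legitimate user, so one event is enough evidence, and the record of where each decoy was planted is what turns that event into the source-and-scope picture the slide mentions.

```python
"""Reverse honey-token detection logic (added example; not Imperva's or
CounterBreach's code). Everything here is constructed for illustration: the
registry of planted decoy credentials, the event field names ('ts', 'user',
'src_host', 'target', 'outcome') and the sample authentication events."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HoneyToken:
    username: str    # decoy account name; no legitimate process ever logs in with it
    planted_on: str  # endpoint where the credential was seeded (vault, browser store, ...)
    trap: str        # resource the decoy points at (internal app, file server, database)


@dataclass
class Alert:
    severity: str
    decoy_user: str
    harvested_from: str  # the token's planted_on host: this endpoint is compromised
    used_from: str       # host the login came from: the attacker's current position
    target: str
    ts: str


class HoneyTokenDetector:
    """Emit one alert per use of a planted credential.

    A decoy credential has no legitimate use, so a single event is sufficient
    evidence that it was harvested (from the endpoint it was planted on) and
    then used. Success or failure of the login is irrelevant to the verdict:
    the attempt itself is the signal, which is what keeps this at one alert
    per real intrusion rather than a flood of generic alerts.
    """

    def __init__(self, tokens: List[HoneyToken]) -> None:
        self._by_user: Dict[str, HoneyToken] = {t.username: t for t in tokens}
        self.alerts: List[Alert] = []

    def observe(self, event: dict) -> Optional[Alert]:
        token = self._by_user.get(event["user"])
        if token is None:
            return None  # ordinary account; this detector has nothing to say
        # A login from a host other than the one the token was planted on means
        # the attacker has already moved laterally, so rank it above a use from
        # the harvesting endpoint itself.
        moved = event["src_host"] != token.planted_on
        alert = Alert(
            severity="critical" if moved else "high",
            decoy_user=token.username,
            harvested_from=token.planted_on,
            used_from=event["src_host"],
            target=event["target"],
            ts=event["ts"],
        )
        self.alerts.append(alert)
        return alert

    def scope(self) -> List[str]:
        """Hosts implicated so far: every endpoint a decoy was harvested from,
        plus every host a decoy was used from. This is the 'source and scope'
        picture, assembled without interacting with the attacker's session."""
        hosts = {a.harvested_from for a in self.alerts}
        hosts |= {a.used_from for a in self.alerts}
        return sorted(hosts)


# Constructed sample data: two decoys seeded on two workstations, and an
# authentication log in which one decoy is first used locally, then reused from
# a second workstation, whose own decoy is then used as well.
PLANTED = [
    HoneyToken("svc_backup_ro", planted_on="WS-0142", trap="db-crm"),
    HoneyToken("dba_legacy", planted_on="WS-0377", trap="db-pci"),
]
SAMPLE_EVENTS = [
    {"ts": "2016-09-20T09:02:11", "user": "jsmith", "src_host": "WS-0142",
     "target": "fileshare01", "outcome": "success"},
    {"ts": "2016-09-20T09:15:40", "user": "svc_backup_ro", "src_host": "WS-0142",
     "target": "db-crm", "outcome": "failure"},
    {"ts": "2016-09-20T11:48:03", "user": "svc_backup_ro", "src_host": "WS-0377",
     "target": "db-crm", "outcome": "failure"},
    {"ts": "2016-09-20T12:01:19", "user": "dba_legacy", "src_host": "WS-0377",
     "target": "db-pci", "outcome": "success"},
]


def run(events=SAMPLE_EVENTS, tokens=PLANTED) -> HoneyTokenDetector:
    det = HoneyTokenDetector(tokens)
    for e in events:
        det.observe(e)
    return det


if __name__ == "__main__":
    d = run()
    for a in d.alerts:
        print(a)
    print("implicated hosts:", d.scope())
```

On the constructed log the ordinary login produces nothing, the two uses of the first decoy produce a "high" alert (used on the workstation it was planted on) and then a "critical" one (reused from a second workstation), and the second workstation's own decoy adds a third alert; `scope()` then names both workstations as implicated. The registry keeps only decoy usernames and plant locations, never the decoy secrets, since the detector does not need them.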
2: Behavior Analytics
Truly Detecting and Containing Breaches Requires Addressing All of These:
• Exactly WHO is accessing my data?
• Is the access OK?
• How do I respond QUICKLY if not?
Detecting and Containing Breaches
[Figure: cycle diagram – stages MONITOR, LEARN AND DETECT, BLOCK / QUARANTINE]
CounterBreach User Interface
[Figure: product screenshot – stages MONITOR, LEARN AND DETECT (behavior analytics, machine learning), BLOCK / QUARANTINE; labels: Visibility, Contain and Investigate, Deception Tokens, Monitor access to databases, file servers and cloud apps]
Behavioral Baseline: Good Data Access vs. Bad Data Access
Example: a PCI database
• Who is connecting to the database?
• How do they connect to the database?
• Do their peers access data in the same way?
• When do they usually work?
• What data are they accessing?
• How much data do they query?
Learning Data Access Patterns
• Leverage machine learning to understand the environment
  1. Identify user and connection types – Service Account, Interactive User (DBA), Individual DB Account, Application
  2. Understand data – Typical purpose of the data: Sensitive Application Data vs. Metadata
  3. Understand data access patterns – Amount of data, comparison to peer groups, typical working hours
1 – Suspicious Application Table Access
• Identify compromised, careless and malicious users – Application table access
[Figure: access diagram – accounts: Service Account, Interactive User (DBA), DB Account, Application; data: Sensitive Application Data, Metadata]
2 – Service Account Abuse
• Identify compromised, careless and malicious users – Application table access – Service account abuse
[Figure: access diagram – accounts: Service Account, Interactive User; data: Sensitive Application Data, Metadata]
3 – Excessive Data Access
• Identify compromised, careless and malicious users – Application table access – Service account abuse – Unusual data retrieval
[Figure: DB Account "Support Analyst" in peer group Customer Support, accessing Sensitive Application Data / Metadata – Typical: maintenance on 5 records; Anomaly: retrieves 1,000 records out of working hours]
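The learn-then-detect flow of the behavior analytics slides (learn account types, data classes and access patterns; then flag application table access, service account abuse and unusual data retrieval), as an added example in Python that is not CounterBreach code. The account-type and peer-group labels, the sensitive-table list, the audit event fields (ts, db_user, src_host, table, rows), the 10x volume ratio and all sample events are constructed assumptions. The new events include the slide's own anomaly: a support analyst whose peer group normally maintains 5 records pulling 1,000 records outside working hours.

```python
"""Behavioral baseline plus the three detections the deck lists (added example;
not CounterBreach code). Everything is constructed: the account-type and
peer-group labels, the sensitive-table list, the audit event fields ('ts',
'db_user', 'src_host', 'table', 'rows') and the sample events."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import Dict, List, Set

# Learn step 1: user and connection types (labels assumed here, not learned).
ACCOUNT_TYPE = {"app_crm": "application", "svc_etl": "service_account",
                "dba_mara": "interactive_dba", "supp_lee": "individual",
                "supp_kim": "individual"}
PEER_GROUP = {"supp_lee": "customer_support", "supp_kim": "customer_support"}
# Learn step 2: which tables hold sensitive application data (the rest is metadata).
SENSITIVE_TABLES = {"customers", "cards"}


@dataclass
class Baseline:
    hosts: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    tables: Dict[str, Set[str]] = field(default_factory=lambda: defaultdict(set))
    hours: Dict[str, Set[int]] = field(default_factory=lambda: defaultdict(set))
    rows: Dict[str, List[int]] = field(default_factory=lambda: defaultdict(list))


def _group(user: str) -> str:
    # Peer group used for volume comparison; accounts without peers form their own.
    return PEER_GROUP.get(user, user)


def learn(events: List[dict]) -> Baseline:
    """Learn step 3: per-account hosts, tables and hours; per-peer-group volumes."""
    b = Baseline()
    for e in events:
        u = e["db_user"]
        b.hosts[u].add(e["src_host"])
        b.tables[u].add(e["table"])
        b.hours[u].add(datetime.fromisoformat(e["ts"]).hour)
        b.rows[_group(u)].append(e["rows"])
    return b


def detect(b: Baseline, e: dict, ratio: int = 10) -> List[str]:
    """Return the findings (from the deck's three categories) for one new event."""
    u, kind = e["db_user"], ACCOUNT_TYPE.get(e["db_user"], "individual")
    findings = []
    # 1 - suspicious application table access: a human account (DBA or individual)
    #     reading sensitive application data it never touched during learning.
    if (e["table"] in SENSITIVE_TABLES and e["table"] not in b.tables[u]
            and kind in ("interactive_dba", "individual")):
        findings.append("application_table_access")
    # 2 - service account abuse: a service or application account connecting from
    #     a host outside its learned, normally fixed, set of sources.
    if kind in ("service_account", "application") and e["src_host"] not in b.hosts[u]:
        findings.append("service_account_abuse")
    # 3 - unusual data retrieval: volume far above the peer group's typical query,
    #     or activity outside the account's learned working hours.
    typical = median(b.rows[_group(u)]) if b.rows[_group(u)] else 0
    if typical and e["rows"] > ratio * typical:
        findings.append("excessive_rows")
    if b.hours[u] and datetime.fromisoformat(e["ts"]).hour not in b.hours[u]:
        findings.append("outside_working_hours")
    return findings


def _ev(ts, user, host, table, rows):
    return {"ts": ts, "db_user": user, "src_host": host, "table": table, "rows": rows}


# Constructed learning period: support analysts maintain ~5 customer records in
# office hours, the DBA reads only metadata, the ETL job pulls the customers
# table from etl01 at 02:00.
BASELINE_EVENTS = (
    [_ev(f"2016-09-{d:02d}T{h:02d}:15:00", "supp_lee", "ws-lee", "customers", r)
     for d, h, r in [(1, 9, 4), (2, 11, 5), (5, 14, 6), (6, 16, 5)]]
    + [_ev(f"2016-09-{d:02d}T{h:02d}:40:00", "supp_kim", "ws-kim", "customers", r)
       for d, h, r in [(1, 10, 5), (2, 13, 3), (5, 15, 7)]]
    + [_ev(f"2016-09-{d:02d}T{h:02d}:05:00", "dba_mara", "ws-dba",
           "information_schema.tables", 120) for d, h in [(1, 9), (3, 12), (7, 17)]]
    + [_ev(f"2016-09-{d:02d}T02:00:00", "svc_etl", "etl01", "customers", 50000)
       for d in (1, 2, 3)]
)
# Constructed new events, including the deck's anomaly (1,000 records at 23:10).
NEW_EVENTS = [
    _ev("2016-09-20T23:10:00", "supp_kim", "ws-kim", "customers", 1000),
    _ev("2016-09-20T12:30:00", "dba_mara", "ws-dba", "customers", 80),
    _ev("2016-09-20T14:00:00", "svc_etl", "ws-dba", "customers", 50000),
    _ev("2016-09-20T11:00:00", "supp_lee", "ws-lee", "customers", 6),
]


def run(baseline=BASELINE_EVENTS, new=NEW_EVENTS) -> Dict[str, List[str]]:
    b = learn(baseline)
    return {e["db_user"]: detect(b, e) for e in new}


if __name__ == "__main__":
    for user, findings in run().items():
        print(user, findings or "ok")
```

On the constructed data the analyst's 1,000-row query at 23:10 is flagged for both volume (against a peer-group median of 5) and time; the DBA's read of the customers table is flagged as application table access because that account only ever touched metadata during learning; the ETL account used from a workstation is flagged as service account abuse; and the second analyst's routine 6-record query raises nothing. The volume baseline is taken per peer group and the hours baseline per account, matching the slide's "comparison to peer groups" and "typical working hours"; with a learning window as short as this one the hour sets are narrow, so a production baseline would need weeks of data before the working-hours rule is trustworthy.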
The Power of a Layered Approach
Q & A
5 Minute Break