Proactive Intellectual Property Protection: Stay Ahead of Emerging Threats!

Proactive Intellectual Property Protection. Stay Ahead of Emerging Threats! February 13, 2014. Bob West, Intelligent ID, Chief Information Security Officer; Dr. John Johnson, John Deere, Global Security Strategist.

Upload: john-johnson

Post on 28-Nov-2014


Page 1: Proactive Intellectual Property Protection: Stay Ahead of Emerging Threats!

Proactive Intellectual Property Protection. Stay Ahead of Emerging Threats!

February 13, 2014

Bob West Intelligent ID Chief Information Security Officer

Dr. John Johnson John Deere Global Security Strategist

Page 2

About the Speakers

Dr. John Johnson is the Global Security Strategist for John Deere, where he defines information assurance, risk management and governance strategy. Dr. John Johnson has been responsible for architecting solutions that have been critical to maintaining global network security at John Deere since 1999 across 130 business units in 30 countries and 5000 dealerships operating in 160 countries. With 30 years of IT experience and 17 years of information security experience, his career includes working as a staff physicist and network security manager at Los Alamos National Laboratory, as well as working as a contractor and small business owner, prior to his work at John Deere. He is a frequent speaker, serves on various boards and committees, and writes and teaches college courses on information assurance.

Robert West is Chief Security Officer at Intelligent ID and has over 25 years of experience in corporate and startup environments. Bob is a frequent speaker on the subject of information security and risk, intellectual property theft, cloud computing, mobility, and on global policy issues such as payment fraud and critical infrastructure. He is on the advisory boards for Agiliance, Air Patrol, CipherCloud, the Hispanic Information Technology Executive Council (HITEC) and Trusteer. He has also been on the board of management for the Jericho Forum, the University of Detroit Mercy’s College of Liberal Arts and Education advisory board, Securent’s advisory board, TriCipher’s advisory board, a member of RSA Security’s Customer Advisory Council, and the ISS Customer Advisory Council.

Page 3

Proactive Intellectual Property Protection

Stay Ahead of Emerging Threats!

Page 4

Agenda

Insider Threat
- Define ‘Insider’
- Review the Threat
- Identify the Problem
- Ask the Right Questions
- Look at an Example
- Discuss Possible Solutions & Innovative Possibilities
- Summarize

Page 5

What is an Insider?

- The insider has privileged access to your organization’s network resources and intellectual property
- The insider may be motivated to steal intellectual property or may be an unaware target with access that acts as a proxy for a criminal on the outside
- Many things can motivate an insider to steal IP
  - Money
  - Ideology
  - Coercion
  - Ego

Page 6

What is an Insider?

Insider Threat Data
- 70% of cases involving unauthorized access of information are committed by insiders (Gartner)
- 60% of all security breaches are committed by internal sources (IDC)
- US companies lose an estimated $652 billion to fraud annually (ACFE)
- Insider attacks are happening all the time, even if companies do not realize it (Cole and Ring)

Nation State Issues
- 1985 – Larry Wu-Tai Chin
- 2009 – Joint Strikefighter plans stolen
- 2010 Aurora – China can tap into more than 30 companies
- 2010 ZeUS discovered, running in more than 2400 companies
- 2011 – RSA Lockheed security breaches
- 2013 – Mandiant APT1 Report

Economic Data
- 20% of all jobs are in IP-intensive industries
- 1/3 of GDP generated by IP-intensive industries (Joint Economic Commission, U.S. Senate)

Page 7

Snowden

- Edward Snowden was a Booz Allen contractor with low-level systems admin access at NSA Hawaii post
- Used social engineering to gain credentials of co-workers
- He may have coerced as many as 25 staffers to share their usernames and passwords under false pretense
- (According to Venafi) Snowden fabricated SSH keys and self-signed certs, leveraging his admin access and CAC card, so NSA could not detect his actions (many enterprises change passwords, but don’t manage the keys and key vault well); he also knew which systems were monitored less
- Oversight is difficult, even with good technology and processes, if someone is smart and convincing

Page 8

Target

- Target suffered a major breach before Christmas 2013, exposing 40 million credit card accounts & 70 million customer records
- Malware that targeted POS devices was implicated (written by a 17-year-old Russian)
- Target’s network model and third-party IT services may be to blame for allowing the breach to become so widespread
- Other major brick-and-mortar and online retailers have suffered major breaches: Neiman Marcus, ADP, Facebook, Gmail, LinkedIn, Yahoo, JPMorgan Chase, SnapChat, YouTube, Twitter
- Mom and Pop businesses aren’t immune
- Motivated insiders can overcome good security (Target was PCI compliant)

Page 9

The Problem

- Technology is advancing
  - Everything is connected
  - It is hard for security controls to keep up with technology
  - SMAC: Social, Mobile, Analytics/Big Data, Cloud
- Aggressive New Threats
  - Criminal Organizations
  - Corporate Espionage
  - Nation States
- Employment Challenges
  - Outsourcing/Off-shoring
  - Economic Downturn
  - Hiring Tactics
  - Ethical Challenges

Page 10

It’s Going to Happen

- Most organizations are behind the curve
- Advanced threats (APT, Insider Threat…) are usually caught after the fact (often months too late!)
- Can you answer the following, if it happens to you?
  - What was exposed? What did they take?
  - Who had access to that data? Who did it?
  - How did they get away with it?
  - When did it happen?
  - Where did it happen?

Most organizations stand there like a deer in the headlights! They have no answer… Attribution is difficult!

Page 11

Example

Engineering Contractors
- High Access / High Value IP

Security Requirements
- Keep control of the data = keep the data on the “inside”
- Prevent or quickly identify suspicious behaviors
- Restrict access on a “need to know” basis

Problems
- Contractors need anytime/anywhere access; short deadlines
- Laptops vs. VDI?
- Contractors need broad access to repository
- Existing security controls are lacking

Page 12

Solution

Layered Security Approach Using VDI
- Each use case is unique
- Understand what data you want to protect most
- Multiple security controls = more effective and flexible solutions
- Can be more complex to manage
- Security controls may be immature; not keep up with technology
- It may not be possible to anticipate all bad behaviors

Layers and their controls:
- Harden OS: GPO; No local admin; Patch Mgmt; Log
- Network Restrictions: Proxy; VLAN, ACL; Access Ctrls, MFA; Log
- Endpoint Security SW: DLP/DRM; HIPS/FW; EPP; APT Detection
- Process, Training, Contract: Contract; Appropriate Use; Training; Supervision
- Monitor, Log, Audit: Local & App Logs; SIEM; Anomaly Detection; Behavior “FW”

Page 13

Behavior-Based “Firewall”

Gives you the ability to look at what the user is doing (unencrypted because it is client-based) and to customize rules for different groups/use cases:

- Look at what data they access
  - Marked? Pattern? Source?
- Look at applications they are using
  - Approved/Banned?
- Look at what they do with the data
  - Upload? FTP? Email? Post to Facebook?
- Look at how they spend their time
- Look at where they go on intranet/Internet
- Look at what they type (content, special commands (RDP?))
- Compare their actions with a group to look for variance

A very interesting concept
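
As an added illustration (not from the presentation or from any product), the sketch below applies two of the checks listed on this slide to constructed client-agent events: per-group rules on applications and on what is done with marked data, and a comparison of each user against their peer group. The event schema, the rule keys and the 3.5 modified z-score threshold are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events (hypothetical schema): user, group, app, action, marked data?, MB
EVENTS = [
    ("c1", "contractor", "cad", "open", True, 40),
    ("c2", "contractor", "cad", "open", True, 55),
    ("c3", "contractor", "cad", "open", True, 50),
    ("c4", "contractor", "cad", "open", True, 45),
    ("c5", "contractor", "cad", "open", True, 880),
    ("c5", "contractor", "ftp", "upload", True, 20),
    ("e1", "engineer", "cad", "open", True, 200),
    ("e2", "engineer", "cad", "open", True, 220),
    ("e3", "engineer", "cad", "open", True, 210),
    ("e3", "engineer", "mail", "email", False, 1),
]
# Hypothetical per-group rules: banned apps, and actions marked data may not be used with.
RULES = {
    "contractor": {"banned_apps": {"ftp"}, "no_marked_via": {"upload", "email"}},
    "engineer": {"banned_apps": set(), "no_marked_via": {"upload"}},
}

def rule_hits(events, rules):
    """Return (user, reason) pairs for banned apps and marked data leaving by a blocked action."""
    hits = []
    for user, group, app, action, marked, _mb in events:
        rule = rules.get(group, {})
        if app in rule.get("banned_apps", ()):
            hits.append((user, f"banned app: {app}"))
        if marked and action in rule.get("no_marked_via", ()):
            hits.append((user, f"marked data via {action}"))
    return hits

def peer_outliers(events, threshold=3.5):
    """Flag users whose marked-data volume is far above their group's median (modified z-score)."""
    volume = defaultdict(lambda: defaultdict(float))
    for user, group, _app, _action, marked, mb in events:
        if marked:
            volume[group][user] += mb
    flagged = {}
    for per_user in volume.values():
        med = median(per_user.values())
        mad = median(abs(v - med) for v in per_user.values())
        for user, v in per_user.items():
            # MAD of 0 means identical peers: anything above the median stands out.
            score = 0.6745 * (v - med) / mad if mad else (float("inf") if v > med else 0.0)
            if score > threshold:
                flagged[user] = round(score, 1)
    return flagged
```

The median and median absolute deviation are used instead of mean and standard deviation so that one heavy user does not inflate the baseline they are being compared against.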

Page 14

Summary

- Insider abuse happens
- Be proactive; enabling business cases means addressing risk in innovative ways
- Identify new technologies that help mitigate SMAC risk
- Use preventative and reactive measures
- Collect logs that identify user behavior
- Set rules based on use cases → risk-based
- Roles and Responsibilities: Who monitors? Who responds?
- Define incident response processes & test
- Collect evidence you can use in court (logs/processes)
- Layer security; one size does not fit all; be creative

Page 15

Q&A

Page 16

Thank You!

John Johnson, Global Security Strategist, John Deere, [email protected], Twitter: @johndjohnson

Bob West, CISO, Intelligent ID, [email protected]

Alberto Ortiz, Global Director, ISV, Luxoft, [email protected]