Combating Insider Threats – Protecting Your Agency from the Inside Out
Charles Herring, Cyber Security Specialist, @charlesherring
Introduction
© 2014 Lancope, Inc. All rights reserved.
Crown Jewels
• Card holder data (PCI)
• Patient records (HIPAA)
• Trade secrets
• Competitive information (M&A)
• Employee data (PII)
• State secrets
• Customer data
Data that is valuable to attackers
Why do attackers care?

| Attacker | Jewel | Motivation |
|---|---|---|
| Criminals | PCI data | $4-$12/card |
| Criminals | Patient records | $30-$50/record |
| Activists | Anything | Shaming |
| State sponsored | Trade secrets | Geopolitical |
| State sponsored | Patient records | ?!?!!!! |
| Insiders | IP and customer data | Professional advantage |
Where to Look?
[Network diagram: WAN, Data Center, Access and Core tiers across Atlanta, New York and San Jose; devices shown include a Catalyst 3560-X, 3850 stack(s), Cat4k, Cat6k, an ASA at the Internet edge, a 3925 ISR, an ASR-1000, a Nexus 7000, and UCS with Nexus 1000v hosting the VPC servers]
North, South, East and West = every communication
How to Look
Signature = object checked against a blacklist
• IPS, Antivirus, Content Filter
Behavior = inspect victim behavior against a blacklist
• Malware Sandbox, NBAD, HIPS, SIEM
Anomaly = inspect victim behavior against a whitelist
• NBAD; quantity/metric based, not signature based

| | Signature | Behavior | Anomaly |
|---|---|---|---|
| Known exploits | BEST | Good | Limited |
| 0-day exploits | Limited | BEST | Good |
| Credential abuse | Limited | Limited | BEST |
Find your jewels
By Data Grouping – Data Inventory
• Find your data
• "Pull the thread" with Top Peers / Flow Tables
• Host Group policies with lower tolerance
Data Anomaly Alarms
Counting access:
• Suspect Data Hoarding
• Target Data Hoarding
• Total Traffic
• Suspect Data Loss
Data Hoarding
Data Loss
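The anomaly approach described under "How to Look" (measure a host's own traffic against a learned baseline rather than a blacklist) is what the Suspect Data Hoarding, Target Data Hoarding, Total Traffic and Suspect Data Loss alarms amount to, and the Data Hoarding and Data Loss screens are those counters crossing a threshold. The following Python is an added example, not the presenter's or Lancope's code: it builds a per-host daily baseline from constructed flow records, applies a per-host-group tolerance (lower for the crown-jewel group, as the data-inventory slide suggests), and raises the four alarm types for a day on which one workstation pulls bulk data from two internal servers and then uploads it to an outside host. The record layout, the 10.0.0.0/8 "inside" rule, the host groups, the policy numbers and the sample flows are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MB = 1_000_000


@dataclass(frozen=True)
class Flow:
    """One client->server conversation as a flow exporter would summarise it
    (constructed record layout for this example, not a product schema)."""
    day: int
    client: str
    server: str
    bytes_to_client: int   # server -> client: what the client pulled
    bytes_to_server: int   # client -> server: what the client pushed


def is_internal(ip: str) -> bool:
    """Assumption: 10.0.0.0/8 is the inside; everything else is the Internet."""
    return ip.startswith("10.")


# Host-group policy = (k standard deviations, minimum margin above the baseline mean).
# The crown-jewel group gets a lower tolerance so it alarms sooner (assumed values).
POLICIES = {"default": (3.0, 100 * MB), "pci-servers": (2.0, 20 * MB)}
HOST_GROUPS = {"10.2.0.5": "pci-servers", "10.2.0.6": "pci-servers"}

METRICS = ("suspect_data_hoarding", "target_data_hoarding",
           "suspect_data_loss", "total_traffic")


def daily_metrics(flows):
    """Per (day, inside host) byte counters that back each alarm type."""
    m = defaultdict(lambda: defaultdict(int))

    def add(day, host, metric, n):
        if is_internal(host):            # outside hosts are never the subject
            m[(day, host)][metric] += n

    for f in flows:
        total = f.bytes_to_client + f.bytes_to_server
        add(f.day, f.client, "total_traffic", total)
        add(f.day, f.server, "total_traffic", total)
        if is_internal(f.client) and is_internal(f.server):
            # east-west: who is pulling data, and which server it is pulled from
            add(f.day, f.client, "suspect_data_hoarding", f.bytes_to_client)
            add(f.day, f.server, "target_data_hoarding", f.bytes_to_client)
        elif is_internal(f.client):
            # north-south: data an inside host pushes out to the Internet
            add(f.day, f.client, "suspect_data_loss", f.bytes_to_server)
    return m


def threshold(host, metric, metrics, baseline_days):
    """Baseline mean + max(k * stdev, margin). The margin matters: a flat
    baseline has stdev 0, and without it any increase at all would alarm."""
    k, margin = POLICIES[HOST_GROUPS.get(host, "default")]
    series = [metrics.get((d, host), {}).get(metric, 0) for d in baseline_days] or [0]
    return mean(series) + max(k * pstdev(series), margin)


def alarms(flows, baseline_days, day):
    """(host, metric, observed, threshold) for every counter over its limit on `day`."""
    m = daily_metrics(flows)
    found = []
    for (d, host), counters in list(m.items()):
        if d != day:
            continue
        for metric in METRICS:
            observed = counters.get(metric, 0)
            limit = threshold(host, metric, m, baseline_days)
            if observed > limit:
                found.append((host, metric, observed, limit))
    return sorted(found)


def sample_flows():
    """Constructed records: five quiet days, then a day on which workstation
    10.1.1.10 pulls 900 MB from two PCI servers and uploads 600 MB to an
    external host it has never talked to before."""
    flows = []
    for day, jitter in zip(range(1, 6), (-2, 2, 0, -1, 1)):
        flows += [
            Flow(day, "10.1.1.10", "10.2.0.5", (50 + jitter) * MB, 1 * MB),
            Flow(day, "10.1.1.10", "203.0.113.7", 1 * MB, (5 + jitter) * MB),
            Flow(day, "10.1.1.11", "10.2.0.5", 30 * MB, 1 * MB),
            Flow(day, "10.1.1.11", "10.2.0.6", 20 * MB, 1 * MB),
            Flow(day, "10.1.1.11", "203.0.113.7", 1 * MB, 2 * MB),
        ]
    flows += [
        Flow(6, "10.1.1.10", "10.2.0.5", 500 * MB, 1 * MB),      # bulk pull
        Flow(6, "10.1.1.10", "10.2.0.6", 400 * MB, 1 * MB),      # and from a second server
        Flow(6, "10.1.1.10", "198.51.100.9", 1 * MB, 600 * MB),  # upload to an unknown host
        Flow(6, "10.1.1.11", "10.2.0.5", 30 * MB, 1 * MB),
        Flow(6, "10.1.1.11", "10.2.0.6", 20 * MB, 1 * MB),
        Flow(6, "10.1.1.11", "203.0.113.7", 1 * MB, 2 * MB),
    ]
    return flows


if __name__ == "__main__":
    for host, metric, seen, limit in alarms(sample_flows(), range(1, 6), 6):
        print(f"{host:<10} {metric:<22} {seen / MB:7.0f} MB  (limit {limit / MB:.0f} MB)")
```

Run as is, the sixth day produces Suspect Data Hoarding, Suspect Data Loss and Total Traffic alarms for 10.1.1.10 and Target Data Hoarding and Total Traffic alarms for both PCI servers, while the neighbouring workstation 10.1.1.11 stays quiet. Two design points carry over to any real deployment: the absolute margin is what stops a host with a perfectly flat history (10.2.0.6 here) from alarming on a few extra bytes, and the Total Traffic alarm fires on both the hoarder and its targets, which is exactly the "pull the thread" pivot from one alarm to the peers behind it. A five-day daily baseline is only for illustration; a production baseline is longer and usually broken down by time of day.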
Map the Segmentation
• Logical vs. physical
• Map segmentation
• Watch the logical roadways
Custom Events
• Evolution of HLV
• Alert when segmentation fails
• Allows for NOR logic
• Alert on zero tolerance
Segmentation Violations
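Mapping segmentation logically and alarming on zero-tolerance custom events, as the Map the Segmentation and Custom Events slides describe, comes down to three steps: define host groups by address rather than by switch port, state which peer groups each group may talk to, and fire on any single flow whose peer is in none of them (the NOR logic, with no baseline to learn first). The following Python is an added example, not code from the deck or from the product; the host groups, CIDRs, event definitions and flow records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One conversation from a flow record (constructed layout for this example)."""
    client: str
    server: str
    port: int
    proto: str


# Logical host groups, keyed by address rather than by switch port or site.
# Assumption: this example's own addressing, not the network on the slide.
HOST_GROUPS = {
    "pci-db":   ["10.20.30.0/24"],
    "pci-app":  ["10.20.20.0/24"],
    "mgmt":     ["10.99.0.0/24"],
    "user-lan": ["10.1.0.0/16"],
}
_NETS = {g: [ipaddress.ip_network(c) for c in cidrs] for g, cidrs in HOST_GROUPS.items()}


def groups_of(ip: str) -> set:
    """Every host group an address belongs to; an empty set means 'outside'."""
    addr = ipaddress.ip_address(ip)
    return {g for g, nets in _NETS.items() if any(addr in n for n in nets)}


@dataclass(frozen=True)
class CustomEvent:
    """Zero-tolerance segmentation rule: the subject group, which side of the
    conversation it is on, and the only peer groups it may talk to."""
    name: str
    subject: str
    role: str              # "server": watch who reaches the subject; "client": watch whom it reaches
    allowed_peers: frozenset


# NOR logic: an event fires when the peer is in none of the allowed groups.
EVENTS = [
    CustomEvent("PCI DB reached from outside the app tier", "pci-db", "server",
                frozenset({"pci-app", "mgmt"})),
    CustomEvent("PCI DB initiating to a non-management host", "pci-db", "client",
                frozenset({"mgmt"})),            # DBs only ever initiate backups/syslog
    CustomEvent("Management network reached from a non-management host", "mgmt", "server",
                frozenset({"mgmt", "pci-db"})),  # pci-db allowed for that syslog/backup traffic
]


def evaluate(flow: Flow) -> list:
    """Names of every custom event a single flow violates (one flow is enough: zero tolerance)."""
    hits = []
    for ev in EVENTS:
        if ev.role == "server":
            subject_ip, peer_ip = flow.server, flow.client
        else:
            subject_ip, peer_ip = flow.client, flow.server
        if ev.subject not in groups_of(subject_ip):
            continue
        peer_groups = groups_of(peer_ip) or {"outside"}
        if not (peer_groups & ev.allowed_peers):      # NOR over the allowed set
            hits.append(ev.name)
    return hits


def violations(flows) -> list:
    """(flow, event name) pairs, in flow order."""
    return [(f, name) for f in flows for name in evaluate(f)]


def sample_flows() -> list:
    """Constructed flow records; three of them are segmentation failures."""
    return [
        Flow("10.20.20.5", "10.20.30.10", 3306, "tcp"),    # app tier -> DB: expected
        Flow("10.1.4.22", "10.20.30.10", 3306, "tcp"),     # user workstation -> DB: violation
        Flow("10.20.30.10", "203.0.113.9", 443, "tcp"),    # DB -> Internet: violation (possible exfil)
        Flow("10.99.0.5", "10.20.30.10", 22, "tcp"),       # admin jump host -> DB: expected
        Flow("10.1.4.22", "10.99.0.5", 22, "tcp"),         # workstation -> jump host: violation
        Flow("10.20.30.10", "10.99.0.5", 514, "udp"),      # DB -> syslog collector: expected
    ]


if __name__ == "__main__":
    for f, name in violations(sample_flows()):
        print(f"{f.client} -> {f.server}:{f.port}/{f.proto}  {name}")
```

The point of the "server"/"client" role is that segmentation is violated in both directions: a workstation reaching the database is the obvious case, but the database reaching out to the Internet is the one that matters for data loss, and a rule written only from the client's side would miss it. Because the rules key on address groups, they hold regardless of which switch, site or VLAN the flow crossed, which is what watching the logical rather than the physical roadways means in practice.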