TRANSCRIPT
Mark Mermelstein, Mark Camillo, Jim Jaeger, Kurt Bertone, Nathaniel Weiner
Theft of Trade Secrets – Assessing and Responding to the Internal and External Threat
December 4, 2013
Symantec 2013 Study
• Surveyed 3,317 employees in 6 countries
• 1 in 3 employees move work files to file sharing apps
• Half of employees who left/lost their jobs kept confidential information
• 40% plan to use confidential information at new job
• Top reasons employees believe data theft acceptable:
  • Does not harm the company
  • Company does not strictly enforce its policies
  • Information is not secured and generally available
  • Employee would not receive any economic gain
Cyber Risk Top Concern
Clients’ Top Concern is Cyber Risk
The Landscape is Evolving Quickly
80% of clients believe that it is difficult to keep up with cyber threats because they are evolving so quickly.
Other “Hot Button” Topics in Cyber
• IT departments cannot be the sole source for defending against cyber risk.
• Cloud computing and mobile technology are growing areas of concern when it comes to potential sources of cyber risk.
• Clients are increasingly aware of network downtime as a potential loss from a cyber issue.
• Awareness of potential losses related to reputation is also increasing, leading to more C-suite involvement in strategic cyber initiatives.
Fortune 1000 SEC Risk Disclosure underweights IP risk.
Source: Willis Fortune 1000 Cyber Disclosure Report, Aug 2013.
$55 Million theft of trade secrets
What this may mean for a victim company
• Beyond the loss of the data, costs from a theft can include:
  • Public Embarrassment, Shareholder and Public Outcry
  • Loss of Customers/Revenue
  • Damaged Reputation/Brand
  • Computer forensics, PR consulting, Legal Assistance + Call Center Services
  • If PII:
    • Notification and identity monitoring
    • Liability from class action lawsuits, regulatory actions and fines/penalties
• Potential D&O suits:
  • Allegations of Negligence By Board – Lack of Oversight
  • Allegations Directors Should Have Known that Information Assets Were Vulnerable
  • Allegations Directors Failed to Purchase Sufficient Insurance Despite Clear and Prevalent Exposure
What to do if it happens to you?
• Litigation Options for Victims of Theft of Trade Secrets
Investigation
Investigative Approach
Critical First Step: Forensically preserve evidence
• Provides the foundation for all subsequent actions – investigation, damage assessment, and possible disciplinary/legal action
• Retain the forensic firm and investigators under outside counsel to retain attorney-client privilege
• Preserve and analyze log data to determine what the insider/hacker has accessed
Inside jobs – additional considerations
• Corporate email/smartphones are a trove of potentially useful data, even if deletion was attempted
• Think broadly about who may be involved or whether a FOIA request is appropriate
• Don’t assume what you are looking for is all you will find – prepare to connect the dots
Insurance Considerations
• 57% of respondents in a Carnegie Mellon survey of Fortune 1000 executives indicated that their boards are not reviewing insurance coverage for cyber related risks*
• Traditional insurance policies frequently exclude intangible exposures, such as data loss due to virus, web attacks, and lost laptops; traditional policies are confined to physical perils such as fire, flood, fraud and theft
• Crime/Fidelity policies cover the theft of physical assets (money and securities) and exclude intangible assets
• Cyber insurance can fill some of the gaps in property and general liability policies
* Governance of Enterprise Security: CyLab 2012 Report. Jody R. Westby.
Cyber Insurance Options
Security & Privacy Liability (3rd Party)
• Legal Defense/Damages
• Regulatory Actions/Fines/Penalties
• PCI Assessments
Network Interruption, Cyber Extortion and Information Asset (1st Party)
Event/Crisis Management
• Legal Assistance / Breach Coach
• Forensic Investigation
• Public Relations
• Notification Costs
• Credit Monitoring/Consumer Education
• Credit Restoration
• Call Center Services
Civil Litigation
Investigatory techniques (GOVERNMENT vs. PRIVATE)
• Voluntary Disclosure
• Via False Identity
• Ability to Threaten Criminal Sanction
• Subpoenas
• § 2703 Orders (For ISPs)
• Search Warrants
• Electronic monitoring / Wiretaps
• MLATs
• Limited
• Collection mechanisms
• Reasons not to pursue a public option
• Where to make the referral?
How Companies Can Prevent or Mitigate Loss?
Trade Secret Confidentiality – Best Practice
• Identify sensitive corporate data and critical processes. Using a risk-based approach, enhance protection through defense in depth
• If possible, tag/label sensitive data and segregate it on the network
• Use a file integrity monitoring system
• Use network and endpoint (terminal) data loss prevention (DLP) systems
• Consider encryption of sensitive data
• Consider a breach indicator assessment (BIA)
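The file integrity monitoring recommendation above, shown as a minimal baseline-and-compare monitor. This is an added example written for this page, not code from the presenters or from any product they mention; it assumes the files to watch live under one directory tree, and the demo builds a small constructed tree in a temporary directory so it runs offline.

```python
"""Baseline-and-compare file integrity monitoring (FIM), added as an example.
Assumption: the protected trade-secret documents live under one root directory."""
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 and size.
    Symlinks are skipped so a planted link cannot point the monitor elsewhere."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue
            rel = str(full.relative_to(root))
            baseline[rel] = {"sha256": hash_file(full), "size": full.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between two snapshots as added, removed and modified paths.
    'Modified' is decided by the hash; size alone is not trusted, since a file
    can be rewritten with the same length."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline three files, then alter one, delete one and
    plant one; returns the drift a monitor would alert on."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "formula.txt").write_text("secret blend v1\n")
        (root / "pricing.csv").write_text("sku,price\n1,9.99\n")
        (root / "readme.txt").write_text("public notes\n")
        baseline = build_baseline(root)

        (root / "formula.txt").write_text("secret blend v1 -- edited\n")  # tampered
        (root / "pricing.csv").unlink()                                    # deleted
        (root / "export.zip").write_bytes(b"PK\x03\x04")                   # planted
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A production monitor would store the baseline outside the monitored host (otherwise the same insider who edits a document can re-baseline it) and run the comparison on a schedule or on file-system change events; the comparison logic itself is what is shown here.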
Life Cycle of a Threat
(Diagram: the actors are an External Threat, an External Cmd & Ctrl System, an External Site and an Insider Threat; the victim environment is Network A and Network B; the phases shown are Infiltration, Cmd & Ctrl Communication, Lateral Propagation and Data Exfiltration.)
“Broad Spectrum” Approach to the Problem
(Same threat life cycle diagram: External Threat, External Cmd & Ctrl System, External Site, Insider Threat; Infiltration, Cmd & Ctrl Communication, Lateral Propagation, Data Exfiltration.)
• Phishing threat intelligence and rules
• Malware detection stack
• Exploit kit rules
• C2 threat intelligence and rules
• Protocol, application and content decoders and analyzers
• Data exfiltration policies and rules
• Fidelis XPS Internal
• SMB/CIFS decoder
• Propagation rules
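The “data exfiltration policies and rules” item above, combined with the earlier recommendation to tag/label sensitive data, can be made concrete as a small policy engine that reads a classification label out of outbound content and decides whether a transfer is allowed, alerted on or blocked. This is an added example for this page, not code from the presenters or from Fidelis XPS; the label scheme (`Classification: PUBLIC|INTERNAL|CONFIDENTIAL|TRADE-SECRET`), the internal domain `.example.com`, the approved partner destination and the transfer records are all assumptions constructed for the demo.

```python
"""Label-driven data exfiltration policy, added as an example.
Assumptions: documents carry a 'Classification: <LABEL>' line, and each outbound
transfer is seen with its user, channel, destination and content."""
import re
from dataclasses import dataclass

# Labels in ascending order of sensitivity (assumed scheme, not the page's).
LABEL_RANK = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "TRADE-SECRET": 3}
LABEL_RE = re.compile(r"^Classification:\s*([A-Z-]+)\s*$", re.MULTILINE)

INTERNAL_DOMAIN = ".example.com"                     # assumed corporate domain
# External destinations allowed to receive a label (assumed policy; trade
# secrets have no approved external destination at all).
ALLOWED_EXTERNAL = {"CONFIDENTIAL": {"partner.example.net"}, "TRADE-SECRET": set()}


@dataclass
class Transfer:
    user: str
    channel: str        # "email", "https", "usb", ...
    destination: str    # domain, or "removable-media" for USB
    content: str


def classify(content: str) -> str:
    """Return the most sensitive label found in the content. Unlabelled content
    is treated as INTERNAL rather than PUBLIC: a missing tag is the common
    failure mode and must not silently downgrade the data."""
    labels = [m.group(1) for m in LABEL_RE.finditer(content) if m.group(1) in LABEL_RANK]
    if not labels:
        return "INTERNAL"
    return max(labels, key=LABEL_RANK.__getitem__)


def evaluate(t: Transfer) -> tuple:
    """Apply the policy to one transfer: ('allow' | 'alert' | 'block', reason)."""
    label = classify(t.content)
    if label == "PUBLIC":
        return "allow", "public content"
    if t.channel == "usb":
        return "block", f"{label} content to removable media"
    if t.destination.endswith(INTERNAL_DOMAIN):
        return "allow", f"{label} content stays internal"
    if t.destination in ALLOWED_EXTERNAL.get(label, set()):
        return "allow", f"{label} content to approved destination {t.destination}"
    if label == "TRADE-SECRET":
        return "block", f"{label} content to unapproved destination {t.destination}"
    return "alert", f"{label} content to unapproved destination {t.destination}"


def demo() -> dict:
    """Constructed transfers run through the policy; returns user -> action."""
    transfers = [
        Transfer("alice", "email", "press.example.org", "Classification: PUBLIC\nQ4 press release"),
        Transfer("bob", "https", "drive.example.org", "Classification: TRADE-SECRET\nBlend formula v2"),
        Transfer("carol", "usb", "removable-media", "Classification: CONFIDENTIAL\nCustomer list"),
        Transfer("dave", "email", "partner.example.net", "Classification: CONFIDENTIAL\nJoint roadmap"),
        Transfer("erin", "https", "paste.example.org", "meeting notes, no label"),
        Transfer("frank", "email", "hr.example.com", "Classification: INTERNAL\nPolicy draft"),
    ]
    return {t.user: evaluate(t)[0] for t in transfers}


if __name__ == "__main__":
    for user, action in demo().items():
        print(user, action)
```

The design choice worth noting is the default: content with no label is treated as INTERNAL, so the policy still alerts when untagged material leaves the network, and a document carrying two labels is judged by the more sensitive one. Labelling only works as a control if the label travels with the content, which is why the slide pairs tagging with segregation on the network.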
The Threat Timeline
Events in order: Initial Compromise → Initial Data Exfiltration → Attack Discovery → Containment / Remediation
Attacker Timeline:
• Time-to-Compromise: Milliseconds to Minutes
• Time-to-Exfiltration: Minutes to Days
• Data Exfiltration Window: Months to Years
Defender Timeline:
• Time-to-Discovery: Months to Years
• Time-to-Containment: Days to Weeks
• Time-to-Prevention: Milliseconds to Minutes
Defense Options:
1. Prevent the Initial Compromise
2. Compress or Eliminate the Data Exfiltration Window by reducing the Time-to-Discovery and Time-to-Containment
Speed Matters – you are in a race with the attacker!
Recommendations
• Take a broad spectrum approach to the problem
• Make sure your network security infrastructure gives you visibility over all phases of the Threat Life Cycle
• Don’t get fixated on any one particular phase of the Threat Life Cycle or any one particular threat vector
• Speed matters – you are in a race with the attacker – if you can react quickly you can minimize the damage
Suspicious Indicators
• Undue curiosity for information beyond job scope
• Unusual use of company equipment
• Taking information home or on trips without authorization
• Keeping odd hours
• Bringing cameras or recording devices into areas storing protected material
• Notice company’s ideas/information in the marketplace
• One or more employees rumored to be leaving to competitor
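Two of the points on this deck come together in log review: the Investigative Approach slide says to preserve and analyze log data to determine what the insider accessed (noting that evidence survives even when deletion was attempted), and the indicator list above names curiosity beyond job scope and odd hours. The following added example, written for this page and not code from the presenters, does both over a file-access audit log: it reconstructs one account's access timeline and scores each account against those indicators. The log format, the department-to-share mapping, the working-hours window, the bulk threshold and the log lines themselves are all constructed assumptions.

```python
"""Access-log review for an insider investigation, added as an example.
Assumptions: one audit line per file operation in the key=value form below;
each department is expected to work within one top-level share."""
from collections import defaultdict
from datetime import datetime, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dept=(?P<dept>\S+) "
    r"action=(?P<action>\S+) object=(?P<object>\S+) bytes=(?P<bytes>\d+)$"
)

DEPT_SCOPE = {"sales": "/sales", "eng": "/eng", "legal": "/legal"}  # assumed
WORK_HOURS = range(7, 20)          # 07:00-19:59 UTC is "normal" (assumed)
BULK_BYTES = 50 * 1024 * 1024      # 50 MiB read/copied per user (assumed)

# Constructed sample log: a sales user reading engineering formulas at night,
# copying one, then deleting a file; an engineer doing ordinary daytime work.
SAMPLE_LOG = """\
2013-11-18T09:12:41Z user=jdoe dept=sales action=READ object=/sales/q4-forecast.xlsx bytes=204800
2013-11-18T22:47:03Z user=jdoe dept=sales action=READ object=/eng/formulas/blend-v1.docx bytes=1048576
2013-11-18T22:51:10Z user=jdoe dept=sales action=COPY object=/eng/formulas/blend-v1.docx bytes=1048576
2013-11-18T22:53:30Z user=jdoe dept=sales action=READ object=/eng/formulas/blend-v2.docx bytes=60817408
2013-11-18T23:01:55Z user=jdoe dept=sales action=DELETE object=/sales/notes-to-self.txt bytes=0
2013-11-18T10:05:00Z user=asmith dept=eng action=READ object=/eng/formulas/blend-v1.docx bytes=1048576
2013-11-18T10:06:00Z user=asmith dept=eng action=WRITE object=/eng/formulas/blend-v1.docx bytes=1050000
"""


def parse_log(text):
    """Parse audit lines into dicts; malformed lines are skipped (a real tool
    would count and report them, since gaps in a log are themselves findings)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def access_timeline(events, user):
    """Chronological record of what one account touched, deletes included:
    the DELETE entry is itself evidence that removal was attempted."""
    return [(e["ts"].isoformat(), e["action"], e["object"])
            for e in sorted(events, key=lambda e: e["ts"]) if e["user"] == user]


def suspicious_indicators(events):
    """Per-user indicators: odd hours, access beyond the department's share,
    bulk reads, and a delete that follows a copy."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    report = {}
    for user, evs in per_user.items():
        flags, total, copied = set(), 0, False
        for e in sorted(evs, key=lambda e: e["ts"]):
            if e["ts"].hour not in WORK_HOURS:
                flags.add("odd-hours")
            scope = DEPT_SCOPE.get(e["dept"])
            if scope and not e["object"].startswith(scope + "/"):
                flags.add("beyond-job-scope")
            if e["action"] in ("READ", "COPY"):
                total += e["bytes"]
            if e["action"] == "COPY":
                copied = True
            if e["action"] == "DELETE" and copied:
                flags.add("delete-after-copy")
        if total >= BULK_BYTES:
            flags.add("bulk-access")
        report[user] = sorted(flags)
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for entry in access_timeline(evs, "jdoe"):
        print(*entry)
    print(suspicious_indicators(evs))
```

The indicators are only leads: an engineer working late on a release trips "odd-hours" just as an insider does, so the output belongs in the hands of the investigator and counsel described on the Investigative Approach slide, not in an automatic sanction. The timeline function is the forensic half, reading from a preserved copy of the log, while the indicator scoring is the detection half that can run continuously.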
Off-Boarding Employees – Best Practice
• Exit interview
• Return all company property and disable employee’s access
• Remind the employee of any continuing obligations to the company
• Certification
• If suspicious indicators:
  • Interview co-workers
  • Inspect office
  • Review recent activity: email, cell phone records, etc.
  • Follow up with customers
  • Preserve employee’s computer for forensic analysis
On-Boarding New Employees – Best Practice
• The interview
• New hire training
• New hire agreements
• Check if the employee has any existing agreements with former employers before making an offer
• Consider placing the employee in a different position or territory (even consider a garden leave) if you expect a fight
• Follow up with key employees
Underwriting Considerations
• Revenue / # of Records
• Industry
• Security & Privacy Culture
• Network Operations
• Organization Controls
• Administrative Controls
• Electronic Controls
• Physical Controls
• Regulatory Compliance
• Vendor Management
• Loss Experience
• Crisis Management Preparedness
Trade Secret Confidentiality – Summary
• Segregate and identify trade secret information – limit access
• Consistently use enforceable confidentiality and trade secret agreements
• Communicate & secure annual acknowledgement of HR policies
• Information security
• Communicate ownership of trade secrets on company IT
• Keep facilities secure
• Act immediately if you suspect an employee is utilizing/disclosing trade secrets without authorization or leaving to join a competitor
• Conduct exit interviews to ensure the return of all company property, ask about any suspicious activities and document responses
For More Information
• Mark Camillo, AIG, 212-458-1355
• Mark Mermelstein, Orrick Herrington & Sutcliffe, (213) 612-2204
• Kurt Bertone, General Dynamics Fidelis Cybersecurity, (617) 391-5510
• Jim Jaeger, General Dynamics Fidelis Cybersecurity, (443) 926-1159
• Nathaniel / Tani Weiner, CRC Health Group, 408-216-1198