US National Security Agency
Experts from the US National Security Agency and government labs said America had to change the way it thought about protecting Department of Defense (DoD) computer networks. "We've got the wrong mental model here," said Dr James Peery, head of the Information Systems Analysis Center at Sandia National Laboratories. "I think we have to go to a model where we assume that the adversary is in our networks." That change would mean spending less time shoring up firewalls and gateways and more time ensuring data was safe, he said. Dr Kaigham Gabriel, then head of the Defense Advanced Research Projects Agency (DARPA), likened the DoD's cybersecurity efforts to treading water in the middle of the ocean: all that did was slightly delay the day the DoD drowned under the weight of maintaining its network defences, he said. The DoD oversees 15,000 networks connecting about seven million devices.
Federal Bureau of Investigation
The FBI's top cyber cop, Shawn Henry, offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said. In one case, an unidentified company had 10 years' worth of research and development, valued at more than $1 billion, stolen by hackers. Companies need to do more than just react to intrusions.
Source: Mar. 28, 2012, The Wall Street Journal, page B1, headline "U.S. Outgunned in Hacker War".
Insider Threat
- Privileged user data management is the last mile of data security
- Insiders are trusted with IP, but it is difficult to hold them accountable for its use
- When incidents occur, investigations are costly, time-consuming, and don't necessarily provide smoking guns to prosecute
- So far, WikiLeaks has not been a game-changer for privileged user management in banks or insurers, but APT has taken the insider threat to another level
- Solution value depends on the potential damage caused if an insider steals IP
Defining Insider Threat Types
Malicious
- Motivation: anger, dissatisfaction
- Threat: attack systems and network
Theft
- Motivation: money, economic gain
- Includes corporate and state espionage
- Threat: data theft
Hacktivists (e.g. Anonymous)
- Motivation: anger and dissatisfaction, or belief
- Threat: data theft
What Happens When Cyber Espionage Succeeds: the vicious cycle of compromise
1. Data compromise occurs in the market leader
2. Competitor launches a new product or service
   - Time to market is equal or ahead
   - Competitive product is offered at a lower price
   - Greatly reduced R&D costs
3. Company or business unit financials turn negative
   - Margins on sales and volume of sales begin to drop
4. Company can no longer compete and exits the market where it was once a leader
   - Sale of the business loses money for the company and its investors
5. The bad guys use the profits to define and enter new markets
Insider Threat Incident: LG
Jeong (only known name) copied 1,182 top-secret plasma display design files onto his personal drive and went to Changhong-Orion PDP
- Changhong reportedly paid Jeong $300,000 per year, an apartment and a car (while he was still collecting his LG salary)
- LG was unaware Jeong had left, leaving his network access open
- Stolen files: plasma display panel production
- Stolen files: plant power system and construction blueprints
- LG was made aware of the thefts by a distributor in SE Asia
- Jeong was extradited; prosecutors in Seoul indicted him for spying
- Cost to LG: estimated at more than $1 billion
- Changhong has not returned any of the stolen secrets
Lessons Learned
How was Jeong caught?
- A third-party distributor recognized that technical manuals had been copied and alerted LG
Lessons learned:
- Data monitoring: the location, access and movement of sensitive data must be understood
- De-provisioning at the network, application and data levels must be in place and effective
- Business managers and HR must work with Security
- USB device usage monitoring and controls, as well as controls on other exfiltration channels, need to be in place
Insider Threat Mitigation: Best Practices
1. Create integrated processes across Business, HR and Security
   - Create standard on-boarding and off-boarding processes
   - Increase data usage monitoring around incidents and departures
2. Distribute trust amongst multiple parties so that theft requires collusion
   - Most insiders act alone
3. Link policy training with risk and compliance analysis
   - Real-time education, alerting and justification prompts
   - Allow self-compliance; create clear deterrence
Insider Threat Mitigation: Best Practices (continued)
4. Assess insider risks by content and context
   - Not just what, but who, where, when and how
   - Use a sliding response scale: a risk-based approach
5. Create data identification and classification
   - Automatic or manual tagging (with auditing)
   - Files that use previously tagged content inherit the classification
6. Use identity-based data controls
   - Based on user rights, file sensitivity, source and destination, etc.
   - Use encryption for data access; this closes super-user loopholes
Insider Threat Mitigation: Best Practices (continued)
7. Implement integrated physical and logical (technical) security controls to cover more risks effectively
   - Camera monitoring linked with data usage and movement controls
8. Put data usage monitoring and control in place
   - Host-based monitoring is a requirement
   - Establish data usage norms and watch for behavioral changes
9. Forensically log events
   - Ensure all data transactions are user-attributable
   - Logs must be evidentiary grade and tamper-evident: any edit, deletion or reordering after the fact must be detectable
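The two requirements in points 8 and 9 (usage norms, and user-attributable, tamper-evident logs) are concrete enough to show in code. The following is an added example written for this page; it is not Digital Guardian's or any other vendor's implementation. Each record names the acting user and carries an HMAC over the previous record's tag plus its own content, so an insider who can reach the log file can edit, drop or reorder records but cannot do so undetected; a small usage-norm check then runs over the same records. The key, user names, paths and event volumes are constructed for illustration.

```python
"""Added example (not from the slides or any vendor): a user-attributable,
tamper-evident event log, plus a simple usage-norm check over it.
Key, users, paths and event volumes are constructed for illustration."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # chain anchor for the first record


def canonical(event):
    """Deterministic serialization so a record always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_event(log, key, user, action, obj, **context):
    """Append one record. Every record names the user (no anonymous or shared
    identities) and carries an HMAC over the previous record's tag plus its own
    content, so edits, deletions, insertions and reordering are all detectable."""
    # Constructed deny-list of identities that cannot be tied to a person.
    if not user or user in {"SYSTEM", "shared-admin"}:
        raise ValueError("every data transaction must be attributable to a named user")
    event = {"seq": len(log), "user": user, "action": action, "object": obj, **context}
    prev = bytes.fromhex(log[-1]["tag"]) if log else GENESIS
    tag = hmac.new(key, prev + canonical(event), hashlib.sha256).hexdigest()
    log.append({**event, "tag": tag})
    return tag


def verify_log(log, key):
    """Walk the chain; return (True, None) or (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        event = {k: v for k, v in rec.items() if k != "tag"}
        if event.get("seq") != i:          # a removed or reordered record breaks the sequence
            return False, i
        expected = hmac.new(key, prev + canonical(event), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):   # edited content or forged tag
            return False, i
        prev = bytes.fromhex(rec["tag"])
    return True, None


def flag_deviations(log, baselines, factor=10):
    """Usage norms: users whose copy/export volume exceeds factor x their baseline."""
    counts = {}
    for rec in log:
        if rec["action"] in ("copy", "export"):
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n > factor * baselines.get(u, 1))


if __name__ == "__main__":
    # In practice the key is held by the log collector or an HSM, never by the endpoint being logged.
    key = b"constructed-demo-key"
    log = []
    for i in range(12):   # constructed: one engineer bulk-copies design files to removable media
        append_event(log, key, "jdoe", "copy", f"//fileserver/rd/pdp/design-{i:04d}.dwg", destination="usb")
    append_event(log, key, "asmith", "copy", "//fileserver/rd/pdp/readme.txt", destination="usb")
    print("intact:", verify_log(log, key))
    print("over baseline:", flag_deviations(log, {"jdoe": 1, "asmith": 1}))
    log[3]["object"] = "//fileserver/pub/press.txt"   # an insider tries to rewrite history
    print("after edit:", verify_log(log, key))
```

The chain only tells you that the log was altered, not who altered it; the evidentiary value comes from keeping the HMAC key off the monitored host and forwarding records to a collector the user cannot reach.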
EIP: The Balance of Enablement and Security
Implement both technology and process to maximize the enablement side while minimizing the friction of the security side.
Enablement: Productivity, Flexibility, Mobility, Creativity, Simplicity, Ease of Use, Transparency, Value, Return, Cost
Security: Information Security, Operational Security, Data Loss Prevention, Regulatory Compliance, User Education & Awareness, Trust but Verify
Balance: build a unified and collaborative information governance program
Not all DLP solutions are the same. Beware!
Digital Guardian System Architecture
[Diagram. Digital Guardian Management Server: reporting, policy definition, configuration, alert management; content and control policies; data usage and alerts. Agents: desktop/laptop agents, server agents, VDI agents on virtualization infrastructure (Citrix, VMware), network agents, mobile users via a BES or EAS server, eDiscovery agent. Repository remote scanning: file shares, SharePoint.]
Actionable Data Classification: increased flexibility, adoption and accuracy
Three levels of data definition: context, content, user
Classification travels with the data
- Meta tag
- NTFS tag
- Tags are automatic, tamper-proof, inherited and persistent, and drive policy
Multi-level and multifaceted classification
- Sensitivity level and data type tags
- Tag verification and propagation
- Data movement audit and tracking
The Context of Data-Centric Security
DISCOVER / MONITOR: What and where is sensitive data?
- Classification: persistent, inheritance
- Context: application, location, type
- Content: expression, similarity, keyword, dictionary
IDENTITY: Who is using the data?
- IT admin, DBA, desktop, network, privileged, executives, hi-value
- Rights, access, usage
- Context: location, wireless, LAN, VPN
ACTIVITY: What is the user doing with it?
- Files: move, copy/paste, burn/print, upload/IM, attach
- Email: copy/paste, compose/send
- Application data: view, delete, modify, export
DESTINATION: Where is the data going?
- Servers, devices, networks, applications, printers, IP addresses, recipients
CONTROL: What action is appropriate?
- Incident alert (detection)
- Prompt user (intent / educate)
- Warn users (awareness)
- Encrypt data (protection)
- Access control / block action (prevention)
- Mask data (need to know)
Continuous logging and auditing: summary, inventory, trending and forensic reporting
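Best practices 4 to 6 (content and context, classification inheritance, identity-based controls with a sliding response scale) and the five questions above describe one decision: given who, what, where and how sensitive, pick the least disruptive control that still contains the risk. The following is an added example written for this page, not Digital Guardian's policy engine. Classification is the highest level found by content rules, by location (a hypothetical R&D share) and by inheritance from the documents a file was built from; the response then ranges from allow, through alert, prompt and warn, to encrypt, mask or block. The level names, regexes, role and destination weights, thresholds and paths are all constructed for illustration.

```python
"""Added example (not Digital Guardian's code): classification by content,
context and inheritance, then a risk-scored, identity-aware response.
All rule values, paths and identifiers are constructed for illustration."""
import re
from dataclasses import dataclass, field

LEVELS = ["public", "internal", "confidential", "restricted"]

# Content rules: pattern -> (sensitivity level, data-type tag). Constructed.
CONTENT_RULES = [
    (re.compile(r"\bPDP-\d{4}-[A-Z]{2}\b"), "restricted", "type:design"),  # hypothetical design-file ID
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "confidential", "type:pii"),   # SSN-shaped value
    (re.compile(r"\bINTERNAL ONLY\b", re.I), "internal", "type:memo"),
]
# Context rule: anything that lives on the R&D share is at least confidential. Constructed path.
RD_SHARE = "//fileserver/rd/"


@dataclass
class Document:
    path: str
    text: str
    level: str = "public"                  # sensitivity tag that travels with the file
    tags: set = field(default_factory=set)


def higher(a, b):
    return a if LEVELS.index(a) >= LEVELS.index(b) else b


def classify(doc, derived_from=()):
    """Assign the highest level found by content, location, and inheritance
    from the documents this one was built from (copy/paste, save-as, export)."""
    level = "public"
    for rx, lvl, tag in CONTENT_RULES:
        if rx.search(doc.text):
            level = higher(level, lvl)
            doc.tags.add(tag)
    if doc.path.startswith(RD_SHARE):
        level = higher(level, "confidential")
        doc.tags.add("source:rd-share")
    for parent in derived_from:            # inheritance: the new file keeps its parents' tags
        level = higher(level, parent.level)
        doc.tags |= parent.tags
    doc.level = level
    return doc


# Risk weights (constructed). Privileged users and executives are high-value, as on the slide.
LEVEL_RISK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ROLE_RISK = {"staff": 0, "engineer": 1, "executive": 2, "privileged": 2, "contractor": 2}
ACTION_RISK = {"view": 0, "copy": 1, "print": 2, "attach": 2, "upload": 3, "burn": 3}
DEST_RISK = {"local": 0, "corporate_share": 0, "corporate_email": 1, "print": 2, "usb": 2,
             "webmail": 3, "cloud_upload": 3, "optical": 3}
UNTRUSTED = {"webmail", "cloud_upload", "optical"}
NEED_TO_KNOW = {"engineer", "executive"}   # roles cleared to read restricted design data


def decide(doc, role, action, destination, off_network=False):
    """Sliding-scale response: allow < alert < prompt < warn < encrypt/mask < block.
    Returns (control, risk score)."""
    risk = (LEVEL_RISK[doc.level] * (ACTION_RISK[action] + DEST_RISK[destination])
            + ROLE_RISK[role] + (2 if off_network else 0))
    if doc.level == "public":
        return "allow", risk
    if doc.level == "restricted" and action == "view" and role not in NEED_TO_KNOW:
        return "mask", risk      # need to know: admins can run the box but not read the IP
    if doc.level == "restricted" and destination in UNTRUSTED:
        return "block", risk     # prevention: restricted data does not leave by these channels
    if doc.level == "restricted" and destination == "usb":
        return "encrypt", risk   # protection: removable media only in encrypted form
    if risk >= 12:
        return "block", risk
    if risk >= 8:
        return "warn", risk
    if risk >= 4:
        return "prompt", risk    # ask for a business justification, educate in real time
    if risk >= 2:
        return "alert", risk     # detection only: log an incident, no user friction
    return "allow", risk


if __name__ == "__main__":
    design = classify(Document("//fileserver/rd/pdp/cell-layout.txt",
                               "Cell structure for PDP-2011-AX, plant power 3 MVA"))
    notes = classify(Document("C:/Users/jdoe/Desktop/notes.txt", "discharge timings"),
                     derived_from=[design])
    for who, act, dest in [("engineer", "view", "local"), ("privileged", "view", "local"),
                           ("engineer", "copy", "usb"), ("engineer", "upload", "webmail"),
                           ("contractor", "copy", "corporate_share")]:
        print(notes.level, who, act, dest, "->", decide(notes, who, act, dest))
```

The inheritance step is what makes the "notes" file restricted even though nothing in its own text matches a rule; without it, a user can launder sensitive content by retyping or pasting it into a fresh document, which is exactly the gap the slide's "files using previously tagged content inherit classification" closes.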
Digital Guardian Enforces a Virtual Information Protection Perimeter
[Diagram. A Digital Guardian server with trust-verification agents extends the protection perimeter beyond the corporate web and file servers and the Citrix server to password-protected access from partner sites and from Outsourcer A and Outsourcer B.]
Data-Centric Questions
- How do you know where your sensitive data is right now?
- How do you know how data moves within your business processes, and what your employees are actually doing with the data they access to do their jobs?
- What are your employees doing with your data when they are off or outside the network?
- How do you manage data on mobile devices and BYOPC?
More Data-Centric Questions
- What is the 3rd line of your corporate security policy? How many of your employees actually know it?
- How do you effectively train your employees on data security policies and ensure they are in compliance, in real time?
- What would the benefit be to the organization if security enabled the business instead of security controls or policies hindering business processes?
The Four Seminal Ideas of Data Security
1. Data is the correct unit of measurement
   - The requirement is data-centric, not network- or device-centric
   - Visibility, monitoring, control
2. Operate close to the user
   - The desktop is today's data router
   - Understand the full context of data type, content and user action
3. Take a risk-based approach to protection
   - Automated, persistent discovery and classification of data
   - Classification-driven information monitoring and policy enforcement
4. Flexibility to support and enhance business processes
   - No one response or control is appropriate to all risks
   - Shaping user behavior through warnings and prompts is of greatest value
   - Encryption as an integrated control safeguards data and establishes trust