7 US National Security Agency
Experts from the US National Security Agency and government labs said America had to change the way it thought about protecting Department of Defense (DoD) computer networks.
"We've got the wrong mental model here," said Dr James Peery, head of the Information Systems Analysis Centre at the Sandia National Laboratories. "I think we have to go to a model where we assume that the adversary is in our networks." That change would mean spending less time shoring up firewalls and gateways and more time ensuring data was safe, he said.
Dr Kaigham Gabriel, current head of the Defense Advanced Research Projects Agency, likened the current cybersecurity efforts of the US DoD to treading water in the middle of the ocean. All that did was slightly delay the day when the DoD drowned under the weight of maintaining its network defences, he said. The DoD oversees 15,000 networks that connect about seven million devices.
8 Federal Bureau of Investigation
Shawn Henry, "Top Cyber Cop"
The Federal Bureau of Investigation's top cyber cop offered a grim appraisal of the nation's efforts to keep computer hackers from plundering corporate data networks: "We're not winning," he said.
Ten years' worth of research and development, valued at more than $1 billion, was stolen by hackers from a company that was not identified.
Companies need to do more than just react to intrusions.
Source: The Wall Street Journal, Mar. 28, 2012, page B1, under the headline "U.S. Outgunned in Hacker War".
10 Insider Threat
Privileged user data management is the "last mile" of data security.
Insiders are trusted with IP, but it is difficult to hold them accountable for its use.
When incidents occur, investigations are costly and time-consuming, and don't necessarily provide the smoking gun needed to prosecute.
So far, WikiLeaks has not been a game-changer for privileged user management in banks or insurers, but APT has taken the insider threat to another level.
The value of a solution depends on the potential damage caused if an insider steals IP.
11 Defining Insider Threat Types
Malicious: motivation = anger, dissatisfaction; threat = attacks on systems and the network.
Theft: motivation = money, economic gain (includes corporate and state espionage); threat = data theft.
Hacktivists (e.g. Anonymous): motivation = anger and dissatisfaction, or belief.
12 What Happens When Cyber Espionage Succeeds
The vicious cycle of compromise:
1. Data compromise occurs in the market leader.
2. A competitor launches a new product or service; its time to market is equal or ahead.
3. The competing product is offered at a lower price, thanks to greatly reduced R&D costs.
4. The company's or business unit's financials turn negative: margins on sales and sales volume begin to drop.
5. The company can no longer compete and exits a market where it was once the leader; the sale of the business loses money for the company and its investors.
6. The bad guys use the profits to define and enter new markets.
13 Insider Threat Incident: LG
Jeong (the only name made public) copied 1,182 top-secret plasma display design files onto his personal drive and went to Changhong-Orion PDP.
Changhong reportedly paid Jeong $300,000 per year, an apartment and a car, while he was still collecting his LG salary.
LG was unaware Jeong had left, leaving his access to the network open.
Stolen files: plasma display panel production; the plant's power system and construction blueprints.
LG was made aware of the thefts by a distributor in SE Asia.
Jeong was extradited, and prosecutors in Seoul indicted him for spying.
Cost to LG: estimated at more than $1 billion.
Changhong has not returned any of the stolen secrets.
14 Lessons Learned
How was Jeong caught? A third-party distributor recognized that technical manuals had been copied and alerted LG.
Lessons learned:
Data monitoring: the location, access and movement of sensitive data must be understood.
A de-provisioning process at the network, application and data levels needs to be in place and effective.
Business managers and HR must work with Security.
USB device usage monitoring and controls, as well as controls over other channels, need to be in place.
15 Insider Threat Mitigation: Best Practices
1. Create integrated processes across Business, HR and Security: create standard on-boarding and off-boarding processes; increase data usage monitoring around incidents and departures.
2. Distribute trust amongst multiple parties to force collusion (most insiders act alone).
3. Link policy training with risk and compliance analysis: real-time education, alerting and justification prompts; allow self-compliance; create clear deterrence.
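The de-provisioning lesson from the LG case and the off-boarding process above come down to one check that is easy to automate: compare HR's departure list with the accounts the directory still has enabled, and rank by whether the access was actually used after the last day. This is an added example (not part of the deck and not Digital Guardian code); the users, dates and account fields are constructed, and in practice the two inputs would come from an HR export and an LDAP/AD query.

```python
"""Added example: reconcile HR departures against still-enabled directory
accounts to catch the LG-style gap where a departed insider keeps access.
All users, dates and attributes below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    last_logon: date            # last successful logon recorded by the directory
    privileged: bool = False    # member of an admin / "super user" group

@dataclass(frozen=True)
class Departure:
    user: str
    last_day: date              # last working day per HR

# Constructed sample data (hypothetical users and dates).
DEPARTURES = [
    Departure("jlee", date(2012, 1, 15)),
    Departure("mkim", date(2012, 2, 1)),
    Departure("rpark", date(2012, 2, 20)),
]
ACCOUNTS = [
    Account("jlee", enabled=True, last_logon=date(2012, 3, 2), privileged=True),
    Account("mkim", enabled=False, last_logon=date(2012, 1, 30)),
    Account("rpark", enabled=True, last_logon=date(2012, 2, 19)),
    Account("schoi", enabled=True, last_logon=date(2012, 3, 1)),
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}

def find_deprovisioning_gaps(accounts, departures, as_of, grace_days=1):
    """Return (user, severity, days_overdue) for departed users whose accounts
    are still enabled once the off-boarding grace period has passed.

    critical: the account authenticated after the last working day, so the
              open access was actually used (the LG situation);
    high:     still enabled and privileged;
    medium:   still enabled, unprivileged, no logon since departure.
    Accounts disabled on time, and departures still inside the grace period,
    are not reported.
    """
    by_user = {a.user: a for a in accounts}
    findings = []
    for d in departures:
        deadline = d.last_day + timedelta(days=grace_days)
        if as_of < deadline:
            continue                    # still inside the off-boarding window
        acct = by_user.get(d.user)
        if acct is None or not acct.enabled:
            continue                    # de-provisioned correctly
        if acct.last_logon > d.last_day:
            severity = "critical"
        elif acct.privileged:
            severity = "high"
        else:
            severity = "medium"
        findings.append((d.user, severity, (as_of - deadline).days))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])

def gaps_as_of(iso_date):
    """Convenience wrapper over the sample data for a given ISO date string."""
    return find_deprovisioning_gaps(ACCOUNTS, DEPARTURES, date.fromisoformat(iso_date))

if __name__ == "__main__":
    for user, severity, overdue in gaps_as_of("2012-03-05"):
        print(f"{severity:8} {user}: enabled {overdue} days past the de-provisioning deadline")
```

The "critical" tier is the one worth paging on: it is exactly the signal LG lacked, a departed engineer's credentials still authenticating weeks after his last day. Running this daily against HR and directory exports is a low-cost way to make the de-provisioning process measurable rather than assumed.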
16 Insider Threat Mitigation: Best Practices (continued)
4. Assess insider risks by content and context: not just "what", but "who, where, when and how"; use a sliding response scale (a risk-based approach).
5. Create data identification and classification: automatic or manual tagging (with auditing); files that reuse previously tagged content inherit its classification.
6. Use identity-based data controls: based on user rights, file sensitivity, source and destination, etc.; use encryption for data access, which closes "super user" loopholes.
17 Insider Threat Mitigation: Best Practices (continued)
7. Implement integrated physical and logical (technical) security controls to cover more risks effectively: camera monitoring linked with data usage and movement controls.
8. Put data usage monitoring and control in place: host-based monitoring is a requirement; establish data usage norms and watch for behavioral changes.
9. Forensically log events: ensure all data transactions are user-attributable; logs must be evidentiary-grade and tamper-proof.
18 EIP: The Balance of Enablement and Security
Implement both technology and process to maximize the "left" while minimizing the "right".
Left (enablement): productivity, flexibility, mobility, creativity, simplicity, ease of use, transparency, value return.
Right (security burden): cost, information security, operational security, data loss prevention, regulatory compliance, user education and awareness, trust but verify.
Balance: build a unified and collaborative information governance program.
19 Not all DLP solutions are the same. Beware!
23 Digital Guardian System Architecture
[Architecture diagram] Management Server: reporting, policy definition, configuration, alert management. Data usage and alerts flow from the agents to the server; content and control policies flow from the server to the agents.
Agents: desktop/laptop agents, server agents, network agents, VDI agents on the virtualization infrastructure (Citrix, VMware), mobile users via a BES or EAS server agent, an eDiscovery agent, and repository remote scanning of file shares and SharePoint.
Claimed properties: ubiquitous, object-level monitoring; pervasive, enveloping control; ensures the security and confidentiality of regulated data; proves the integrity of audit and compliance controls; associates people with actions; traces incidents to their source; real-time; autonomous.
24 Actionable Data Classification
Increased flexibility, adoption and accuracy.
Three levels of data definition: context, content, user.
Classification travels with the data, as a meta tag and an NTFS tag.
Multi-level and multifaceted classification: sensitivity level and data type tags; tag verification and propagation; data movement audit and tracking.
Tag properties: automatic, tamper-proof, inheritance, persistence; the tag drives policy.
25 The Context of Data-Centric Security
[Diagram] Five questions, with the attributes evaluated for each:
Discover / Monitor (what and where is sensitive data?): classification (persistent, inheritance); context (application, location, type); content (expression, similarity, keyword, dictionary).
Identity (who is using the data?): IT admin, DBA, desktop, network, privileged, executives, high-value; rights, access, usage.
Activity (what is the user doing with it?): context (location, wireless, LAN, VPN); files (move, copy/paste, burn/print, upload/IM, attach, compose/send); application data (view, delete, modify, export).
Destination (where is the data going?): servers, devices, networks, applications, printers, IP addresses, recipients.
Control (what action is appropriate?): incident alert (detection); prompt user (intent/educate); warn users (awareness); encrypt data (protection); access control; block action (prevention); mask data (need to know).
Underpinning all of it: continuous logging and auditing, with summary, inventory, trending and forensic reporting.
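Slides 16 and 25 describe the same mechanism from two angles: classify by content, let files that reuse tagged content inherit the tag, then pick a response on a sliding scale from the identity, activity and destination context rather than from the content alone. The following is an added example, not Digital Guardian code; the content expressions, the sentence-fingerprint inheritance scheme, the role/action/location weights and the response ladder are all assumptions chosen to make the idea concrete.

```python
"""Added example (not Digital Guardian code): a minimal data-centric policy
evaluator.  Content expressions classify a file, derived files inherit the
tag through shared content, and the response slides from log to prompt to
encrypt to block according to who is acting, how and from where.
Rules, roles and weights are assumed for illustration."""
import hashlib
import re
from dataclasses import dataclass

# Discover: content expressions (constructed; a real dictionary would be larger).
CONTENT_RULES = {                       # tag: (sensitivity 1..3, expressions)
    "PCI": (3, [r"\b(?:\d{4}[ -]?){3}\d{4}\b"]),
    "ENG": (2, [r"\bplasma\b", r"\bblueprint\b", r"\bdesign file\b"]),
}

def _fingerprints(text):
    """Hashes of normalised sentences, so a file that reuses tagged content is
    recognised even when it contains none of the trigger expressions."""
    parts = (s.strip().lower() for s in re.split(r"[.\n]", text))
    return {hashlib.sha256(s.encode()).hexdigest()[:16] for s in parts if len(s) > 20}

class Classifier:
    def __init__(self):
        self.registry = {}              # fingerprint -> (tag, sensitivity)

    def classify(self, text):
        """Return (tag, sensitivity); ('PUBLIC', 0) when nothing matches.
        An inherited tag wins over content expressions when it is higher."""
        tag, sens = "PUBLIC", 0
        for name, (level, exprs) in CONTENT_RULES.items():
            if level > sens and any(re.search(e, text, re.I) for e in exprs):
                tag, sens = name, level
        fps = _fingerprints(text)
        for fp in fps:
            if fp in self.registry and self.registry[fp][1] > sens:
                tag, sens = self.registry[fp]
        if sens:
            for fp in fps:              # propagate: future copies inherit this tag
                self.registry[fp] = (tag, sens)
        return tag, sens

# Identity / activity / destination weights and the response ladder (assumed).
USER_RISK = {"standard": 0, "privileged": 1, "departing": 2}
ACTION_RISK = {"view": 0, "print": 1, "copy_usb": 2, "upload_web": 2, "email_external": 3}
LOCATION_RISK = {"LAN": 0, "VPN": 1, "wireless": 1, "off_network": 2}
LADDER = [(3, "log"), (5, "prompt_justify"), (6, "encrypt")]    # above 6: block

@dataclass
class Event:
    user_role: str
    action: str
    location: str
    text: str

def decide(clf, ev):
    """Sliding-scale response: the same content is logged, prompted, encrypted
    or blocked depending on who is acting, from where, and how."""
    tag, sens = clf.classify(ev.text)
    if sens == 0:
        return tag, "allow"
    score = sens + USER_RISK[ev.user_role] + ACTION_RISK[ev.action] + LOCATION_RISK[ev.location]
    for ceiling, response in LADDER:
        if score <= ceiling:
            return tag, response
    return tag, "block"

if __name__ == "__main__":
    clf = Classifier()
    src = "Plasma line notes. Cell pitch for the 42 inch line is 270 microns with a 2 mm barrier rib height"
    copy = "Notes for the supplier. Cell pitch for the 42 inch line is 270 microns with a 2 mm barrier rib height"
    print(decide(clf, Event("standard", "view", "LAN", src)))          # same content, logged
    print(decide(clf, Event("departing", "copy_usb", "VPN", copy)))    # inherited tag, blocked
```

Two things to note. The "copy" document never mentions plasma or blueprints, so a keyword-only classifier would let it leave on USB; it is caught only because it shares a sentence with a file that was tagged earlier, which is the inheritance property slide 24 calls persistence. And the fingerprint scheme is deliberately crude: any sentence over 20 characters in a tagged file becomes a trigger, so common boilerplate in a sensitive document would propagate the tag to unrelated files. A production classifier would fingerprint longer shingles and exclude a stop-list of boilerplate.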
26 Digital Guardian Enforces a Virtual Information Protection Perimeter
[Diagram: a Digital Guardian server and a DG Citrix server alongside the corporate file server; a web trust verification agent; partner sites, Outsourcer A and Outsourcer B reach the protected data through password-authenticated sessions inside the perimeter.]
32 Typical APT Attack Lifecycle: Example
[Diagram: spear phishing crosses the secure perimeter to a user's machine; the attack moves through the network, application and memory layers to the server holding the target IP, and the IP leaves over the network to the Internet.]
APT Attack Lifecycle:
The key to a successful APT attack is complete stealth. An attack discovered at any point before achieving its objective(s) can imperil its mission.
Attacks typically begin with social engineering (i.e. "spear phishing") to trick a user into opening an attachment or URL link that installs malicious software on the user's machine, effectively circumventing any perimeter web or security system.
Typically, the most skilled APT designers are tasked with gaining entry into the network. A common attack vector is spear phishing, a social engineering technique in which an authentic-looking e-mail is sent to a specific user and appears to come from a trusted source; some spear-phishing examples go so far as to reference personal information (taken from social media profiles) to further the ruse. The e-mail then carries a legitimate-looking but malicious attachment or web link from which malicious code is downloaded onto the user's machine.
The malware uses unknown "zero day" exploits in applications and/or the OS to embed itself in system memory, where signature-based antivirus technology can't detect it.
Once the first machine is infected, the malware hides itself by creating a "super user" account that allows it to operate on the machine without detection by normal means. Once the attack has gained privileged user status, it behaves like an "invisible" insider threat.
It then begins spreading across the network, infecting new machines without detection, in search of the location of, and the access credentials to, the IP the mission was designed to steal.
Simultaneously, the APT sets up a stealth "command and control" (C&C) channel from which to send and receive updated intelligence and instructions that facilitate the search for and acquisition of its target data.
The APT uses a variety of new and old malware techniques, including keyloggers and "sniffers", to identify words, applications or sources that point to the target's location and access credentials.
Using another set of privileged user credentials (most likely different from the credentials initially used to gain access to the network), the APT may use a sensitive application to extract IP from a server or database. At any point the APT may use its C&C platform to update its "masters", for example by listing the files on a server or mapping a database schema. Its masters might then send new commands specifying which files to copy, or SQL queries to run, to get the correct data.
Once the IP is extracted, the APT typically encrypts the data and transfers it to another infected machine used as a "staging" platform until it receives instructions to exfiltrate it from the network. The process from entry to final extraction may take days, weeks or months to complete.
The level of sophistication of APT attacks is beyond what most companies are prepared to address, and many companies are unable or unwilling to take even basic policy steps (e.g. stripping attachments) to help mitigate their exposure. Often it takes a visit from the FBI to convince a company it has a serious problem, and at that point it is probably too late to stop the attack.
33 DG APT Defense in Depth: Many Opportunities to Detect, Alert and Stop
[Diagram: the attacker's path crosses the network agent, the core agent (application control), the APT module, the DG server's core agent and the endpoint core agent again; each crossing is a point at which the attack can be stopped.]
Stopping APT requires several layers of detection/prevention in a "defense in breadth", where each security layer is focused on a different APT mission stage (application, memory, user, network, etc.). The security model is predicated on three assumptions:
1. All APTs follow a similar mission path: entry; initial infection; secondary infections; command and control communication; privileged user spoofing; data extraction; staging; and exfiltration.
2. Any given APT defensive layer has some assumed rate of failure; the model succeeds so long as every layer does not fail at once.
3. Stopping the APT at any mission stage stops the mission; you do not necessarily need to stop the initial infection to stop an attack.
DG's APT defense in breadth differs from the "defense in depth" strategy used for signature-based antivirus, where each "layer" (desktop, web, server, etc.) uses a different AV engine to look for the same threat characteristics, in the hope that one vendor will be fastest to create a signature for any given threat.
Many network-based APT solutions take an "all or nothing" approach using virtual machines: if they don't detect the initial infection, there is no plan B.
Other APT solutions require an external source to provide a "clue" (e.g. a malicious IP address) from which to begin investigating an attack.
Most next-gen anti-malware solutions are extremely powerful but have not been proven at enterprise scale.
DG can provide several APT defensive layers from a single policy framework: application control; anomaly detection (memory, system, user and network); privileged user management; file-level access controls; and continuous forensic auditing across multiple attack vectors (kernel, application, user, network, data).
DG policies can be used to alert, prompt and block common APT tactics:
DG Core can prevent users from opening attachments from unknown sources, or prevent malware code from executing from an application.
The APT Module (HBGary) forensically scans a computer's memory to detect suspicious activity, and can be used to trigger other DG policies.
DG Core can track suspicious system events, such as increased activity from a privileged account not normally associated with that machine's user (where the user/machine combination is otherwise consistent).
The DG network agent can deconstruct the entire network session to detect suspicious applications, payloads or network activity that may identify an APT attack. If correlated in a SIEM tool, the combination of network and core agent telemetry may pick up larger traffic patterns across an enterprise.
The User Classification module (TITUS) is part of the larger classification suite, which DG can use to identify and apply controls to IP at the point of creation or discovery.
DG server agents can enact identity-based policies for controlling privileged user access both to the system and to the data within it. This includes blocking non-approved users and applications from extracting data, and policy-based file encryption.
The DG network agent can identify suspicious traffic to and from sensitive servers and detect unauthorized payloads (e.g. encrypted or embedded). The network agent can also identify and apply policies to IP carrying user-generated classification tags.
DG Core can also ensure no data leaves a machine through an unauthorized port/protocol, require justification (which an APT attacker could not supply), or dynamically encrypt data as it leaves the system.
DG Network can use intelligence gathered from multiple internal or external sources to detect command or data traffic to suspicious or malicious IP addresses across all 65k ports.
With the use of rule variables it is possible to create relational policies that associate suspicious APT-like events across all layers of detection, in context. This could detect attacks with greater accuracy by treating a string of likely APT tactics as a single "event", without generating too many false positives from single suspicious events (e.g. an elevated HBGary risk score, or abnormal privileged account activity) analyzed in isolation.
For instance, you could create policy alerts (but no blocking) to detect a series of activities which, analyzed individually, may or may not be obviously suspicious, but which are very suspicious if all the alerts trigger in a specific sequence over time. At that point the last policy in a master "APT policy" may block the action. This is a very advanced use of DG, but it is possible.
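The relational "master APT policy" idea above (alert on each stage individually, block only when a host has walked the mission path in order) is easier to reason about as code than as a description of rule variables. The following is an added example in plain Python, not Digital Guardian rule syntax and not vendor code; the stage names follow the mission path on this slide, while the 30-day window, the three-prior-stages threshold and the telemetry lines are constructed assumptions. It takes the per-layer alerts (core, APT module, server agent, network agent) as already-normalised events and does only the cross-layer correlation.

```python
"""Added example, not Digital Guardian rule syntax: the relational "master
APT policy" described above, implemented over constructed telemetry.  Any
single event is only an alert; a host that walks through several mission
stages in order inside a time window has its final action blocked.
Stage names, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Mission path from the slide, in order; later stages may only follow earlier ones.
STAGES = ["initial_infection", "memory_anomaly", "privileged_spoofing",
          "data_extraction", "staging", "exfiltration"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}
WINDOW = timedelta(days=30)      # missions run days to months; 30 days is assumed
MIN_PRIOR_STAGES = 3             # earlier stages required before exfiltration is blocked

# Constructed telemetry, one normalised alert per line:
# "timestamp host detecting_layer stage detail..."
LOGS = """\
2012-03-01T09:12:00 ws-eng-17 core initial_infection attachment=invoice.pdf.exe parent=outlook.exe
2012-03-01T09:15:00 ws-eng-17 apt_module memory_anomaly risk_score=87
2012-03-02T22:40:00 ws-eng-17 core privileged_spoofing account=svc_backup unusual_for_host=true
2012-03-03T01:05:00 ws-eng-17 server_agent data_extraction share=fs01/plasma_r_and_d files=1182
2012-03-03T01:30:00 ws-eng-17 network_agent exfiltration dst=203.0.113.7 port=443 payload=encrypted
2012-03-04T10:00:00 ws-fin-02 core privileged_spoofing account=svc_backup unusual_for_host=true
2012-03-04T10:20:00 ws-fin-02 network_agent exfiltration dst=198.51.100.9 port=8443 payload=encrypted
"""

def correlate(lines):
    """Return one decision per event as (action, host, stage, prior_stages).

    Per host, keep the chain of distinct stages seen in mission order within
    WINDOW; an event that repeats or precedes the chain's last stage does not
    extend it.  Exfiltration is blocked only when enough earlier stages were
    observed on the same host; everything else stays an alert for the analyst.
    """
    chains = defaultdict(list)           # host -> [(stage_index, timestamp)]
    decisions = []
    for line in lines:
        ts_text, host, _layer, stage, _detail = line.split(" ", 4)
        ts = datetime.fromisoformat(ts_text)
        idx = STAGE_INDEX[stage]
        chain = [(i, t) for i, t in chains[host] if ts - t <= WINDOW]   # drop stale
        if not chain or idx > chain[-1][0]:
            chain.append((idx, ts))
        chains[host] = chain
        prior = len(chain) - 1
        if stage == STAGES[-1] and prior >= MIN_PRIOR_STAGES:
            decisions.append(("block", host, stage, prior))
        else:
            decisions.append(("alert", host, stage, prior))
    return decisions

if __name__ == "__main__":
    for action, host, stage, prior in correlate(LOGS.splitlines()):
        print(f"{action:5} {host:10} {stage:20} prior_stages={prior}")
```

In the constructed data, ws-eng-17 shows four stages before its encrypted outbound session and is blocked, while ws-fin-02 shows the same two events (an unusual privileged account, then encrypted traffic to an unknown host) that a single-event rule would have to either block everywhere or ignore; here they remain alerts. The price of this design is the window: an adversary who stretches the mission past it, or who reaches the data from a second host the chain does not know about, resets the count, which is why the correlation should run over a SIEM's view across hosts rather than per endpoint alone.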
37 Data-Centric Questions
How do you know where your sensitive data is right now?
How do you know how data moves within your business processes, and what your employees are actually doing with the data they access to do their jobs?
What are your employees doing with your data when they are off or outside the network?
How do you manage data on mobile devices and BYOPC?
38 More Data-Centric Questions
What is the third line of your corporate security policy? How many of your employees actually know it?
How do you effectively train your employees on data security policies and ensure they are in compliance, in real time?
What would the benefit be to the organization if security enabled the business, instead of security controls or policies hindering business processes?
41 The Four Seminal Ideas of Data Security
1. Data is the correct unit of measurement: the requirement is data-centric, not network- or device-centric; visibility, monitoring, control.
2. Operate close to the user: the desktop is today's data router; understand the full context of data type, content and user action.
3. Take a risk-based approach to protection: automated, persistent discovery and classification of data; classification-driven information monitoring and policy enforcement.
4. Flexibility to support and enhance business processes: no one response/control is appropriate to all risks; shaping user behavior through warnings and prompts is of the greatest value; encryption as an integrated control safeguards data and establishes trust.