Insider Threat: Are you looking at the right attack vector? Presentation for Cyber Workshop 2014, (ISC)2 Norfolk and Peninsula Chapters. Bob Turner, CISSP and CBCP



Page 2: Insider Threat_BAH_Turner

This document contains Booz Allen Hamilton Inc. proprietary and confidential business information – Intended Only for the Recipient

The focus on external threats allows trusted insiders to conduct data breaches with relative impunity…creating greater liability for an enterprise…

No. of Financial Institutions Reporting Repeated Occurrences of Internal Data Breaches in Last 12 Months1

Type of internal breach                                              Institutions
Accidental breach of data originating from inside the org                      39
Malicious software originating from inside the org                             35
Breach of data originating from inside the org by an employee                  28
Internal financial fraud involving corporate systems                           14
Breach of data originating from inside the org by a non-employee               11
Breach of data originating from a third-party vendor                            7
Mobile network breach originating from inside the org                           7
Other forms of internal breaches                                                4

1. Financial Services Global Security Study: The Faceless Threat, 2010

Only 34% of survey respondents said they were “very confident” about being protected against internal attacks1

The Insider Threat

Case Study: Julian Assange’s WikiLeaks is an enabler for insiders to anonymously expose your firm’s most sensitive intellectual capital, trade secrets, and proprietary & confidential data
– Ex: Bank of America, US State Dept. (Diplomatic Cables)
– 33% of 900 data breaches in a six-year study were in the financial services industry; the industry also accounted for a staggering 94% of compromised records2

2. Data Breach Investigations Report by Verizon Business and US Secret Service, 2010

Presentation to (ISC)2 Cyber Workshop 2014 2

Page 3: Insider Threat_BAH_Turner


Insider Misuse - any unapproved or malicious use of organizational resources (Verizon – 2014 Data Breach Investigations Report)

Privilege abuse — taking advantage of the system access privileges granted by an employer and using them to commit nefarious acts

Unapproved hardware and email misuse/data mishandling — a function of how the data is exfiltrated rather than how it’s acquired

Page 4: Insider Threat_BAH_Turner


The Challenge…

Current audit tools are focused on protecting networks from malicious outsiders, rather than detecting insider behaviors as indicators of intent to do harm

Sufficient Data – Audit tools are integrated across the enterprise allowing for comprehensive data collection, aggregation, and meaningful analysis. Trigger development is based on a solid understanding of daily operations, organization and corporate policies.

Behavioral Context – Alerts are handled using an automated workflow process that provides clear audit trails and chain of custody. Alerts are analyzed against expected role behaviors and other disparate data sources (e.g., HR records, social media profiles, financial background, etc.) to determine disposition of the alert. Analysts use analytic tools and techniques to put the alert in context and to evaluate an insider’s motivation and intent. The analyst follows established policy and process to mitigate or escalate the alert.

Key Variables – Role-Driven Detection (figure: vertical axis Data Sufficiency, Low to High; horizontal axis Behavioral Context, Low to High)

– Low Data Sufficiency, Low Behavioral Context: Post Mortem Response. Lots of data but not the right type or quality and no way to link the data to expected human behaviors. (Current Audit Tools – Protecting from Malicious Outsiders)

– High Data Sufficiency, Low Behavioral Context: Information Overload. Drowning in data with thousands of false positive alerts and no way to link the alerts to human behaviors in a given role. (Machine-Based Detection = Lots of Anomalies)

– Low Data Sufficiency, High Behavioral Context: Needles in the Haystack. Well understood role behaviors that cannot be detected in a sea of irrelevant data. (High Risk Roles Well Understood – No Meaningful Data)

– High Data Sufficiency, High Behavioral Context: Role-Driven Detection. Highly targeted data filtering in the context of expected human behaviors in a given role produces highly actionable alerts. (Insider Threat Detection – Indicators of Intent to do Harm)

Page 5: Insider Threat_BAH_Turner


Approach…

Organization Risk Assessment: Our comprehensive risk assessment examines an organization’s business operations and processes to identify the most critical areas of concern. We develop baselines of expected behavioral norms for the various roles within an organization, rooted in the context of the organization’s policies, geographic locations, IT, and communication infrastructure.

Trigger Development: Building on the organizational risk assessment, we use our library of already-developed and proven triggers as a starting point. Behavioral “fingerprints” are developed that detail the typical interactions between each role and its respective aspects of the organization (i.e., data, applications, communication channels, business processes, cross-functional individuals or teams, and travel locations).

Technical Detection: Actions and events occurring outside the pre-defined behavioral baseline are identified and flagged for further analysis and classification based on contextual evidence.

Data Analytics: We use a variety of structured analytic models (pattern recognition, regression, clustering, nearest-neighbor, text analysis, and social-network analysis) over large and disparate data sources to build contextual evidence around the observed anomaly.

Mitigation and Escalation: Once an alert occurs, our Project BEACON provides an automated workflow process that shapes and manages the response. BEACON documents actions and ultimately provides a chain of custody for administrative or legal action. BEACON can be tailored to specific stakeholders in the process and organizes the response to triggers to reduce confusion, saving time and money. BEACON also provides substantial enterprise behavior metrics and insights. This information can help quantify policy adherence, training effectiveness and workforce habits, dramatically increasing the program ROI and creating objective metrics for program success, thus protecting the corporate bottom line.

Mature Detection Efforts: By providing continuous feedback on the value and quality of the technical and non-technical triggers (policy violations), reassessing the risk profile, and modifying user profiles, the number of false positives falls, minimizing unnecessary expenditure of resources and time.

This evolutionary process leverages industry experience to address organization-specific business operations, technical, and personnel needs.
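The role-driven detection idea from the Key Variables slide and the Trigger Development / Technical Detection / Mitigation and Escalation steps above can be shown end to end on a few constructed audit events. The following is an added example written for this page; it is not BEACON or any other tool from the deck. The event fields (user, role, action, resource, hour, bytes), the HR flag names, the scoring weights and the triage thresholds are all assumptions chosen for illustration, and every sample record is constructed.

```python
"""Role-driven anomaly scoring over constructed audit events.

Added illustration only: not Booz Allen's BEACON or any tool named in the
deck. Event fields (user, role, action, resource, hour, bytes), HR flags,
and the scoring thresholds are all assumptions chosen for the example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field


@dataclass
class RoleBaseline:
    """Behavioral fingerprint of one role: what it touches, how, and when."""
    pairs: Counter = field(default_factory=Counter)  # (action, resource) -> count
    hours: Counter = field(default_factory=Counter)  # hour of day -> count
    max_bytes: int = 0                               # largest transfer observed


def build_baselines(history):
    """Trigger development: learn one RoleBaseline per role from assumed-benign history."""
    baselines = defaultdict(RoleBaseline)
    for e in history:
        b = baselines[e["role"]]
        b.pairs[(e["action"], e["resource"])] += 1
        b.hours[e["hour"]] += 1
        b.max_bytes = max(b.max_bytes, e["bytes"])
    return dict(baselines)


def score_event(e, baselines, hr_context):
    """Technical detection plus behavioral context for one event.

    Returns (score, reasons); 0 means the event is consistent with the role.
    """
    b = baselines.get(e["role"])
    if b is None:
        return 3, ["no baseline exists for role %s" % e["role"]]
    score, reasons = 0, []
    if b.pairs[(e["action"], e["resource"])] == 0:
        score += 2
        reasons.append("%s on %s is outside the %s baseline"
                       % (e["action"], e["resource"], e["role"]))
    if b.hours[e["hour"]] == 0:
        score += 1
        reasons.append("hour %02d is unusual for role %s" % (e["hour"], e["role"]))
    if e["bytes"] > 2 * b.max_bytes:
        score += 1
        reasons.append("%d bytes exceeds twice the role maximum of %d"
                       % (e["bytes"], b.max_bytes))
    # HR context raises the priority of an existing technical anomaly only;
    # on its own it never creates an alert (assumed policy for this example).
    if score:
        for flag in hr_context.get(e["user"], []):
            score += 1
            reasons.append("HR context: %s" % flag)
    return score, reasons


def triage(score):
    """Mitigation/escalation step; thresholds are assumed, tune per organization."""
    if score >= 4:
        return "escalate"
    if score >= 2:
        return "analyst_review"
    return "close"


# --- constructed sample data; no real institution, user or log source ---
def _repeat(role, action, resource, hour, nbytes, n):
    return [dict(user="hist", role=role, action=action, resource=resource,
                 hour=hour, bytes=nbytes) for _ in range(n)]


HISTORY = (
    _repeat("teller", "read", "customer_accounts", 9, 4_000, 40)
    + _repeat("teller", "read", "customer_accounts", 14, 4_000, 40)
    + _repeat("teller", "update", "customer_accounts", 11, 2_000, 20)
    + _repeat("dba", "backup", "customer_accounts", 2, 800_000_000, 30)
    + _repeat("dba", "query", "customer_accounts", 10, 50_000, 30)
)
HR_CONTEXT = {"alice": ["resignation_notice_filed"]}
TEST_EVENTS = [
    dict(user="bob", role="teller", action="read", resource="customer_accounts",
         hour=9, bytes=3_500),
    dict(user="carol", role="dba", action="backup", resource="customer_accounts",
         hour=2, bytes=790_000_000),
    dict(user="alice", role="teller", action="export", resource="customer_accounts",
         hour=22, bytes=500_000_000),
]


def run(events=TEST_EVENTS, history=HISTORY, hr_context=HR_CONTEXT):
    """Score every event against the learned baselines and return dispositions."""
    baselines = build_baselines(history)
    results = []
    for e in events:
        score, reasons = score_event(e, baselines, hr_context)
        results.append((e["user"], score, triage(score), reasons))
    return results


if __name__ == "__main__":
    for user, score, disposition, reasons in run():
        print("%-6s score=%d %-14s %s" % (user, score, disposition, "; ".join(reasons)))
```

The point of the three test events is the quadrant difference. Carol's 790 MB backup at 02:00 scores 0 because backups at that hour and size are the dba role's baseline; a single global byte or after-hours threshold (the "machine-based detection" case) would raise it as one more false positive. Bob's daytime read is closed for the same reason. Alice's export of customer account data at 22:00 fails three role checks, and the HR record raises its priority to escalation; the reasons list is what an analyst would carry into the workflow as the audit trail.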


Page 6: Insider Threat_BAH_Turner


Our thought leadership in the insider threat domain is solid and growing, from influencing the national agenda to developing holistic insider threat program approaches…

Intellectual Capital and Delivery

Authored The Insider Threat SOAR under an IATAC TAT

DoD Defense CI and HUMINT Center (DCHC) CONOPS for Insider Threat Technology solutions

Author of Cyber Fusion Center CONOPS, developed analytics TTP, introduced behavioral analysis and integrated data aggregator at NGA

Participated in the National Insider Threat Working Group

DoD Enterprise-wide Solutions Steering Group (ESSG) Insider Threat Gap Analysis

Key architect in standing up DHS and USCG CI and Insider Threat programs – to include the pillars

Intellectual capital behind the Army’s TARP

Key architect in data aggregation, storage and analytics at DISA for 59 Use Cases defined by CYBERCOM

Developed analytic TTP around alerts generated from Raytheon tool

Capabilities with CI, IA, and Security
