© 2016 Imperva, Inc. All rights reserved.

Part 2: How to Detect Insider Threats

Amichai Shulman, Chief Technology Officer, Imperva

Source: client.blueskybroadcast.com/ISC2/PDF/ISC2_Part_2_09202016.pdf

Behavior Analytics . machine learning . LEARN AND DETECT . BLOCK / QUARANTINE . MONITOR



Page 2:

Amichai Shulman – CTO, Imperva

• Speaker at Industry Events – RSA, Appsec, Info Security UK, Black Hat

• Lecturer on information security – Technion - Israel Institute of Technology

• Former security consultant to banks and financial services firms

• Leads the Imperva Defense Center

• Discovered over 20 commercial application vulnerabilities

– Credited by Oracle, MSSQL, IBM and Others

• Amichai Shulman – one of InfoWorld’s “Top 25 CTOs”

Page 3:

• Direct EXTERNAL Attacks

• Persistent INTERNAL Attacks

• Attacks are inevitable

• Users get compromised

• Data is the target

Page 5:

Why Detection is Difficult: Information Overload Hiding Abuse in Plain Sight

• More legitimate data access

• Volumes of disparate logs

• Security alert overload

Page 6:

Layered Detection Strategy

Page 7:

Attack Lifecycle – Data is the Target

1. Initial compromise – Endpoints and BYOD

2. Lateral movement – Internal Network

3. Data access and theft – Data

Page 9:

Layered Detection Strategy

Assuming that a compromise is inevitable, advanced technologies should be focused on finding the attack past the initial foothold.

1. Deception

2. Behavior Analytics

Page 10:

1: Deception

Page 11:

What is Deception Technology?

• Deception technologies are defined by the use of deceit and/or feints designed to thwart or throw off an attacker's cognitive processes, disrupt an attacker's automation tools, delay an attacker's activities or disrupt breach progression.

Source: Gartner, Emerging Technology Analysis: Deception Techniques and Technologies Create Security Technology Business Opportunities, 16 July, 2015


Page 14:

Why Use Deception?

• Compromise is inevitable

– No perimeter: BYOD, cloud apps, VPN

– Legitimate apps (TeamViewer, DropBox)

– Zero days

– Social engineering

• Find data breach within compromises

– Compromises happen all the time… few of them may turn into a breach!

– Response teams need to prioritize

– 100 alerts << 1 alert

• Detect a breach ASAP

– Reconnaissance and lateral movement


Page 17:

Deception Tokens

• Tokens deployed across the enterprise

• Point the attacker towards a trap

– Internal web app, file server, database, etc.

– Local / Domain Account

– Passwords, Cookies, Authentication Tokens

• Detection = harvest + used token

– Deliberate attempt at the data center / gain more privileges

Patent: Compromised Insider Honey Pots Using Reverse Honey Tokens

Page 18:

Compromised Users: Deceiving Attackers with Deception Tokens

• Trojan penetrates endpoint via phishing

• Tokens used: planted Windows Vault and Internet Explorer credentials

• Determine the source and scope of the attack without tipping off the bad actor
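The detection rule on the Deception Tokens slide, "harvest + used token", reduces to checking every authentication event against a registry of credentials that were deliberately planted, and the "source and scope" question on this slide is answered by grouping the hits by the endpoint each decoy was planted on. The Python below is an added example, not code from the deck or from Imperva's product; the account names, host names, trap names and audit events are constructed for illustration, and a real deployment would read the events from a domain controller, database or file-server audit log.

```python
"""Deception-token detection: alert when a planted credential is used.

Added example, not code from the deck. The registry, host names and
authentication events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class PlantedToken:
    username: str    # decoy account name left on the endpoint
    planted_on: str  # endpoint where the decoy credential was stored
    trap: str        # the resource the decoy appears to unlock


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    username: str
    src_host: str    # where the login attempt came from
    target: str      # system that received the login attempt
    outcome: str     # "success" or "failure"


# Constructed registry: each decoy is stored on exactly one endpoint, so any
# use of it tells us which endpoint was rummaged through.
TOKEN_REGISTRY = [
    PlantedToken("svc_backup_ro", "WS-FIN-017", "filesrv-trap.corp.example"),
    PlantedToken("dba_maint", "WS-HR-004", "db-trap.corp.example"),
]

# Constructed audit events: one legitimate login and two uses of a decoy.
SAMPLE_EVENTS = [
    AuthEvent("2016-09-20T09:02:11Z", "alice", "WS-FIN-017", "mail.corp.example", "success"),
    AuthEvent("2016-09-20T09:40:03Z", "svc_backup_ro", "WS-FIN-017", "filesrv-trap.corp.example", "success"),
    AuthEvent("2016-09-20T09:41:27Z", "SVC_BACKUP_RO", "WS-FIN-017", "filesrv01.corp.example", "failure"),
]


def detect_token_use(events: Iterable[AuthEvent], registry: Iterable[PlantedToken]) -> List[dict]:
    """Return one alert per event that presents a planted credential.

    No legitimate process ever uses a decoy, so a failed attempt is as
    significant as a successful one: the name alone proves harvesting.
    """
    by_name = {t.username.lower(): t for t in registry}
    alerts = []
    for ev in events:
        token = by_name.get(ev.username.lower())
        if token is None:
            continue
        alerts.append({
            "ts": ev.ts,
            "token": token.username,
            "harvested_from": token.planted_on,   # the compromised endpoint
            "used_from": ev.src_host,
            "target": ev.target,
            "outcome": ev.outcome,
            # A login aimed at something other than the trap is the
            # "deliberate attempt at the data center" the slide describes.
            "hit_trap": ev.target == token.trap,
        })
    return alerts


def summarize_scope(alerts: Iterable[dict]) -> Dict[str, Dict[str, Set[str]]]:
    """Group alerts by the endpoint the decoy was harvested from.

    The result answers the 'source and scope' question: which endpoint is
    compromised, from where the stolen credential was replayed, and which
    systems the intruder reached for.
    """
    scope: Dict[str, Dict[str, Set[str]]] = {}
    for a in alerts:
        entry = scope.setdefault(a["harvested_from"], {"used_from": set(), "targets": set()})
        entry["used_from"].add(a["used_from"])
        entry["targets"].add(a["target"])
    return scope


if __name__ == "__main__":
    found = detect_token_use(SAMPLE_EVENTS, TOKEN_REGISTRY)
    for alert in found:
        print(alert)
    print(summarize_scope(found))
```

Matching is case-insensitive because Windows account names are, and the summary keeps failed attempts: an intruder who tries the decoy against a production file server and is refused has still revealed both the compromised endpoint and the system they were reaching for, which is what the response team needs to prioritize without alerting the bad actor.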

Page 19:

2: Behavior Analytics

Page 20:

Truly Detecting and Containing Breaches Requires Addressing All:

• Exactly WHO is accessing my data?

• Is the access OK?

• How do I respond QUICKLY if not?

Page 21:

Detecting and Containing Breaches

Figure labels: MONITOR; LEARN AND DETECT; BLOCK / QUARANTINE

Page 22:

CounterBreach User Interface

Figure labels: Behavior Analytics (machine learning); LEARN AND DETECT; BLOCK / QUARANTINE; MONITOR; Visibility; Contain and Investigate; Deception Tokens; Monitor access to databases, file servers and cloud apps

Page 23:

Behavioral Baseline: Good Data Access vs. Bad Data Access

Figure label: PCI Database

• Who is connecting to the database?

• How do they connect to the database?

• Do their peers access data in the same way?

• When do they usually work?

• What data are they accessing?

• How much data do they query?


Page 27:

Learning Data Access Patterns

• Leverage machine learning to understand the environment

1. Identify user and connection types

2. Understand data

• Typical purpose of data

3. Understand data access patterns

• Amount of data

• Comparison to peer groups

• Typical working hours

Figure labels (Learn): Sensitive Application Data; Metadata; Service Account; Interactive User (DBA); Individual DB Account; Application

Page 28:

1 – Suspicious Application Table Access

• Identify compromised, careless and malicious users

– Application Table Access

Figure labels (Detect): Sensitive Application Data; Metadata; Service Account; Interactive User (DBA); DB Account; Application


Page 30:

2 – Service Account Abuse

• Identify compromised, careless and malicious users

– Application Table Access

– Service Account Abuse

Figure labels (Detect): Sensitive Application Data; Metadata; Service Account; Interactive User


Page 32:

3 – Excessive Data Access

• Identify compromised, careless and malicious users

– Application Table Access

– Service Account Abuse

– Unusual Data Retrieval

Figure labels (Detect): Sensitive Application Data; Metadata; DB Account; Support Analyst; Customer Support (Peer Group)

Typical: Maintenance on 5 records

Anomaly: Retrieves 1,000 records out of working hours
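The Learn phase (user and connection types, data purpose, amount of data, peer groups, working hours) and the three Detect cases above fit in one small learn-then-score loop. The Python below is an added example, not Imperva's code: it builds a baseline from a constructed set of database audit events and then scores new events, reproducing the support-analyst case (peer group typically touches 5 records; 1,000 records retrieved out of hours). The event fields, account and host names, the "10x the peer median" threshold, and the rule that an interactive DBA session reading application tables directly counts as suspicious are all assumptions made for the example.

```python
"""Learn a data-access baseline, then detect the three anomaly types.

Added example, not Imperva's code. Events, names and thresholds are
constructed assumptions for illustration.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, Iterable, List, NamedTuple


class Event(NamedTuple):
    user: str
    account_type: str  # application | service | interactive | individual
    peer_group: str
    src_host: str
    hour: int          # local hour of the query, 0-23
    table_class: str   # sensitive_app | metadata
    rows: int          # rows returned by the query


# Constructed learning-period events (the "Learn" phase).
LEARNING_EVENTS = [
    Event("app_pool", "application", "app", "APP01", 10, "sensitive_app", 20),
    Event("app_pool", "application", "app", "APP01", 14, "sensitive_app", 25),
    Event("svc_etl", "service", "etl", "ETL01", 2, "sensitive_app", 5000),
    Event("svc_etl", "service", "etl", "ETL01", 3, "sensitive_app", 5200),
    Event("bob", "interactive", "dba", "WS-DBA-1", 9, "metadata", 50),
    Event("bob", "interactive", "dba", "WS-DBA-1", 16, "metadata", 40),
    Event("carol", "individual", "customer_support", "WS-CS-2", 9, "sensitive_app", 5),
    Event("carol", "individual", "customer_support", "WS-CS-2", 13, "sensitive_app", 4),
    Event("dan", "individual", "customer_support", "WS-CS-3", 10, "sensitive_app", 6),
    Event("dan", "individual", "customer_support", "WS-CS-3", 17, "sensitive_app", 5),
]

EXCESS_FACTOR = 10  # assumption: 10x the peer group's median rows is "excessive"


def learn(events: Iterable[Event]) -> dict:
    """Build the baseline: peer-group typical rows and hours, service-account hosts."""
    rows: Dict[str, List[int]] = defaultdict(list)
    hours: Dict[str, set] = defaultdict(set)
    service_hosts: Dict[str, set] = defaultdict(set)
    for e in events:
        rows[e.peer_group].append(e.rows)
        hours[e.peer_group].add(e.hour)
        if e.account_type == "service":
            service_hosts[e.user].add(e.src_host)
    return {
        "typical_rows": {g: median(r) for g, r in rows.items()},
        "working_hours": {g: (min(h), max(h)) for g, h in hours.items()},
        "service_hosts": dict(service_hosts),
    }


def detect(e: Event, baseline: dict) -> List[str]:
    """Return the anomaly descriptions that apply to one new event."""
    findings = []
    # 1. Suspicious application table access: a human DBA session reading
    #    application data directly rather than through the application.
    if e.account_type == "interactive" and e.table_class == "sensitive_app":
        findings.append("application table access by interactive account")
    # 2. Service account abuse: the account is replayed from a host it was
    #    never seen on during learning (for example, a user's workstation).
    if e.account_type == "service":
        known = baseline["service_hosts"].get(e.user, set())
        if e.src_host not in known:
            findings.append(f"service account used from unexpected host {e.src_host}")
    # 3. Excessive / unusual data retrieval compared with the peer group.
    typical = baseline["typical_rows"].get(e.peer_group)
    if typical is not None and e.rows > EXCESS_FACTOR * typical:
        findings.append(f"excessive data access: {e.rows} rows vs peer typical {typical:g}")
    window = baseline["working_hours"].get(e.peer_group)
    if window is not None and not window[0] <= e.hour <= window[1]:
        findings.append(f"outside peer working hours {window[0]:02d}:00-{window[1]:02d}:00")
    return findings


# Constructed events to score (the "Detect" phase).
NEW_EVENTS = [
    Event("carol", "individual", "customer_support", "WS-CS-2", 11, "sensitive_app", 5),
    Event("carol", "individual", "customer_support", "WS-CS-2", 2, "sensitive_app", 1000),
    Event("bob", "interactive", "dba", "WS-DBA-1", 10, "sensitive_app", 30),
    Event("svc_etl", "service", "etl", "WS-DBA-1", 2, "sensitive_app", 5000),
]


def score_all(events: Iterable[Event], baseline: dict) -> Dict[int, List[str]]:
    """Map each event's index to its findings; empty lists are normal traffic."""
    return {i: detect(e, baseline) for i, e in enumerate(events)}


if __name__ == "__main__":
    base = learn(LEARNING_EVENTS)
    for i, f in score_all(NEW_EVENTS, base).items():
        print(NEW_EVENTS[i].user, f or "normal")
```

The peer-group comparison is what keeps the volume rule from flagging the ETL service account, whose normal job is to pull thousands of rows at night: each account is judged against what its own peers do, so the same 1,000-row query is normal for one group and an anomaly for another. Real baselines would be learned over weeks rather than ten events, and the working-hours window would be per user as well as per group.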

Page 33:

The Power of a Layered Approach

Page 34:

Q & A

Page 35:

5 Minute Break