RedOwl | Information Security Product Overview | April 2016 | Tackling the Insider Threat

Insider risk within the enterprise is a significant and persistent challenge for security teams. A recent Intel/McAfee study indicates that 43% of data breaches were directly caused by internal employees and contractors [1]. This supports a finding from the 2015 Verizon Data Breach Investigations Report, which aggregates the top causes of breaches: 90% have some tie to an internal human action [2].

In response, we recommend that Chief Information Security Officers (CISOs) and key security leaders establish a comprehensive insider threat program rooted in security analytics, to increase the organization's capacity to proactively monitor, detect, and respond to malicious, compromised, and negligent insider activity. This approach delivers the deep context and analytic flexibility that are critical to effectively and responsibly identifying, discouraging, and stopping unwanted activities such as intellectual property theft, corporate espionage, and client data loss, while also providing early warning of potentially compromised accounts. The key is to build a program integrated with a holistic, configurable, and contextual technology platform.

RedOwl delivers unparalleled visibility into employee activities, behaviors, and relationships by fusing unstructured, context-rich data streams (email metadata and content, chat, voice, web and print content) with structured data (server logs, SIEM, DLP, alerting feeds, endpoints, proxy, physical security and print logs) to provide a comprehensive view of enterprise risk. Our analytic models allow entities and events to be scored and prioritized through multiple lenses across all of these data streams, a view previously unavailable to security teams. Our integrations with Active Directory and corporate human resources systems play a key role as well, and our analytic visualizations and workflow are second to none. As a result, we offer true situational awareness of the human layer of the enterprise, and a rich, powerful forensic platform that radically enhances internal investigations and follow-ups.

The alternatives, including some of the more traditional black-box User and Entity Behavior Analytics (UEBA) tools, are built on narrow views of human activity. They are also limited to structured data sources analyzed in disparate systems, and they conform to a fixed configuration of analytics. Such an approach may allow a buyer to check the "insider threat monitoring" box, but these tools fail to deliver a holistic picture of risk because they present a disjointed analysis of human behavior, and in the end miss the point of establishing a comprehensive, platform-based insider risk management strategy.


[1] Intel-McAfee: Grand Theft Data, 2015
[2] Verizon: 2015 Data Breach Investigations Report


RedOwl's customers include Fortune 2000 companies in financial services, energy, aerospace and defense, and hospitality. We are backed by leading investors at the Blackstone Group, Allegis Capital, and Conversion Capital. With headquarters in Baltimore, MD and offices in London, New York and San Francisco, we have built the most comprehensive platform to tackle insider risk.

What Are You Trying to Accomplish With An Insider Threat Program?

At the most basic level, your organization is attempting to protect against four significant problems that can cripple leading companies:

• Fraud – Unauthorized access to or modification of an organization's data for personal gain
• Information Technology Sabotage – Taking advantage of corporate information technology to harm or undermine the organization
• Intellectual Property & Sensitive Data Theft – Stealing data from the organization, often for monetary gain or personal benefit
• Corporate Espionage – Theft, often coerced, on behalf of a third party seeking national, strategic, or competitive advantage


Without a clear plan and adequate technological capabilities, damage from insider activities is likely to be severe. Examples of recent insider events of significance include:

• Major Financial Institution – An employee leaked data on 10% of the firm's Private Wealth Management clients, allegedly in order to sell the information on the black market. 900 files were posted online; the stock dropped 3%.
• Film Studio – Executive emails, films, and intellectual property were leaked with suspected insider involvement, leading to the resignation of the head of the studio.
• Energy Producer – A disgruntled employee reset all network equipment to defaults, disabled security controls, and shut down operations for 30 days.
• Telecommunications Provider – An employee accessed 1,600 customer accounts as part of a plan to "jailbreak" unlocked phones.
• Major Financial Institution – 27,000 customer files were threatened to be sold on the black market, allegedly by an internal employee group.
• National Security Agency – Millions of sensitive files were leaked by contractor Edward Snowden, fundamentally affecting the reputation of the U.S., its allies, and his employer, a top U.S. consulting firm.
• U.S. Army – Simple web scraping enabled the theft of hundreds of thousands of cables, leaked by Chelsea Manning to an external organization.

When the risk comes from the inside, it represents malicious individuals (those intending to do the organization harm), negligent individuals (those violating policies, often for convenience or perceived short-term needs), or compromised accounts (i.e. credential theft).

POTENTIAL THREAT LANDSCAPE = THE EXTENDED ENTERPRISE

EMPLOYEES
• Business
• IT Admin
• Developer
• Security
• Operational
• Management
• Administrative

CONTRACTORS
• IT Staff
• Business Consultants
• Building Maintenance
• Logistical

PARTNERS
• Shared Systems
• Guests
• Deal Collaborators
• Traditional Vendors
• Cloud Vendors


For all of these use cases and for all user persona types, the consistent analytic requirement is to effectively aggregate, analyze, and monitor all the data sources that expose evolving human activity, relationships, intent, behaviors, and context with respect to people's interactions with other individuals, content, devices, applications, and even locations. Doing so properly allows the organization to be aware of when unwanted scenarios and unexplained anomalies develop and occur, ideally at the indicator stage.

Do You Have Visibility Into All Your Data?

Most security teams are experienced in assessing log data (network flow, endpoint logs, firewall logs, identity and access management logs), all feeding into a SIEM platform. Accessing and integrating such information feeds in support of insider threat programs is important, but relying on them alone leaves a significant blind spot for complex organizations.

Looking at SIEM-friendly "machine metadata" alone exposes two fundamental gaps: content and context. By expanding your focus through the use of a comprehensive platform, your team will be able to use "human metadata" and "human content and context" to better assess risk across the organization. Both categories of data source are critical in making inferences, judgments, and decisions about the most sensitive entities within the organization: employees and contractors.


In our experience, the most critical observable data points relevant to most insider incidents, whether they are the actual events pertinent to a policy violation or breach, or indicator events that ought to have provided early warning, tie back to streams of data that most security teams today have no visibility into:

1. Communications data
2. Enhanced endpoint/proxy data (e.g. content)
3. Enrichment data (e.g. human resources, Active Directory, public records)
4. Physical security data
5. Alert feeds

In its recent market guide for user and entity behavior analytics, Gartner noted that security teams require:

"...semistructured and contextual unstructured information that informs organizations on employee behavior and potential insider threats. For example, this behavioral information may be found in various user communication channels, such as email and messaging." [3]

Ensuring that these types of data streams are fully aggregated, indexed, and analyzed as part of an insider program is key. Content must be preservable (to the extent permitted by law), with appropriate back-end and front-end capabilities within a security platform to make analysis and exploration feasible, effective, and efficient.

Can You Assess Behaviors, Not Just Anomalies?

Traditional black-box User and Entity Behavior Analytics (UEBA) vendors detect anomalies while leaving organizations exposed to three major weaknesses:

1. Anomalies without context are highly noisy
2. Investigation (often through external tools) is costly and frustrating
3. Not every relevant scenario involves an anomaly; statistical patterns still matter

RedOwl's approach combines anomaly detection with robust pattern analysis and a built-in forensic platform. Beyond anomaly detection, RedOwl's software was created to deliver three critical benefits to security teams:

1. Holistic visibility into internal employee activity, behaviors, and relationships across all forms of critical data in a rapidly evolving data environment
2. A proactive, not reactive, risk posture to detect and mitigate high-risk individuals, relationships, and events
3. Enhanced investigative response to alerts and reports through improved context, reduction of false positives, quicker decision making, and greater exposure to previously unknown risk scenarios

By ingesting a comprehensive set of data sources and layering analytic techniques in order to fully understand the nuanced interactions that indicate changes in sentiment and behavior, RedOwl's platform delivers detailed risk narratives that enable analysts to assess high-risk user activity holistically.

[3] Gartner: Market Guide for User and Entity Behavior Analytics, 22 September 2015


Furthermore, analysts can quickly pivot from alert to investigation within a single application, instead of having to move from one user interface to another. The built-in workflow is designed for both large and small enterprises. Analysts and platform users can track their actions, form and collaborate on cases, enrich events and individuals with notes and attributes, and build dashboards, which improves the overall process.

Is Your Analytic Approach Configurable and Extensible?

RedOwl provides insight into high-risk behaviors and individuals, not just high-risk events. By evaluating nuanced interactions between people, data, devices, and applications over time, RedOwl prioritizes context-rich timelines for security teams.

Our software approach is built upon four key technical pillars:

1. Fusing disparate employee data sources, including content, into one platform
2. Applying multiple types of rigorous behavior-based analytics focused on change, pattern, and anomaly detection
3. Exposing powerful forensic search and discovery tools through a powerful user interface
4. Delivering proactive reporting that fully integrates with human workflow and existing client information architecture


This is further enhanced by our key analytic building blocks:

• Feature Extraction: Enrich events of interest based on analysis of both content and metadata patterns, incorporating domain expertise and advanced probabilistic models.
• Behavioral Models: Apply advanced statistical methods to analyze entities over time and proactively detect deviations from normal baselines (individual and global).
• Content Analytics: Incorporate a variety of natural language processing and sentiment analysis techniques to feature-tag events and score sentiment.
• Powerful Visualizations: Use visualization techniques to enhance the human role within the analytic process: make analysts smarter and bring their judgment into the platform.
• Extensible Data Model: Flexible enough to handle all structured and unstructured data sources within an extensible, opinionated core data model.
• Machine Learning: Classify, group, and isolate statistically relevant features in order to discover similar events or behaviors related to other individuals within the organization.

Our user interface is built to enable analysts, not just data scientists, to easily implement and refine the analytics to meet unique use cases and evolving security needs without custom software development. RedOwl layers analytic techniques because each available analytical strategy, such as descriptive statistics or sentiment analysis, answers a unique question pattern. Depending on the use cases you are tackling, you may want to use each analytic capability individually or in combination.

We fundamentally believe that a one-size-fits-all approach to analytics is not appropriate for large organizations. A lack of configurability leads to major long-term weakness. "Black box" analytic platforms do not provide enough flexibility for organizations that face different types of threats and use cases that evolve over time. Instead, configurable analytics allow the platform to adapt to your use cases, learn as you learn, and even enable you to tackle new problems and use cases within one application.

Sample Question 1: "Which of my employees are exhibiting negative sentiment that may be a precursor to malicious behavior?"
Analytic Technique(s): Content analytics plays the key role.

Sample Question 2: "Which of my employees are exhibiting behavior indicative of reconnaissance activities on the network that is completely unlike their own history?"
Analytic Technique(s): Requires a combination of feature-based extraction, behavioral modeling, and machine learning.


How We Do It: Data, Features, and Models Lead to Narratives

Combining enriched, tagged, and modeled unstructured and structured data sources is precisely what enables security teams and management to detect early signs of high-risk behavior within the company. At scale, these interactions also indicate the relative and evolving risk of human activity across the firm.

RedOwl understands a wide range of structured and unstructured data sources, including:

• Communications: Email, chat, voice, SMS, phone logs
• Network and endpoint activity: SIEM and EDR
• Physical activity: Badge access, print logs
• Employee transactions: Trades, changes in benefits
• Enrichment data: Human resource records, expense reports

At the core of everything we do is the exposure of extensible event-level features. Features enable analysts to track events ("micro-policies" or indicators that warrant further attention) without necessarily triggering unwanted and noisy alerts throughout your Security Operations Center. This approach allows the RedOwl platform to make early judgments about which groups of events matter initially. Over time, the platform ties in deeper entity-level temporal aggregations and flags events in the user interface for the analyst.


Note that there are a variety of examples of features:

Direct/Self-Contained Features
• Lexicon-based: Racial slurs, profanity, restricted stocks, competitors, deal terms
• Metadata-based: Number of attachments, size of event, number of recipients
• Directional: Output to a particular domain or set of domains, or input from such
• Time grouping: Emails that are sent late at night, badging into a building outside of business hours

Contextual Features
• Sequential: Does a particular event follow another event within a given time frame?
• Global Statistical: Does a recent aggregation of similar events represent a statistical spike compared to the organizational "normal"?
• Actor Statistical: Does a recent aggregation of similar events represent a statistical spike compared to the individual's own "normal"?
• Contextual: Does any field within the metadata represent an abnormal quantity for the individual's own history?

The platform also takes advantage of attributes ingested from existing knowledge stores such as Active Directory or Workday, which play a key role in our entitlements capabilities. This allows us to apply features only to events by certain types of actors, or to weight events differently depending on the attributes of the individuals involved.


Next, our platform is based on the important concept of a "model." A model is a weighted collection of features that allows us to aggregate individual events over time, and drives us towards a very flexible, extensible way of deriving risk scores for individuals tied to configurable use cases within the application.

Data Gathering Recon Model: This sample model looks at abnormal user activity around file access, SSH server access, IT policy violations, and even internal communication wall crossings.

Negative Behavior Model: This example, focused on general negative behavior, examines granular elements of sentiment-related content features.


Over time, the aggregation of data models tied to individuals enables us to do several key things:

1. Develop a sense of what is normal for a given individual
2. Expose which individuals are displaying characteristics of a given model at a higher level than others in the organization for a given time period
3. Expose which individuals are displaying characteristics of a given model at a higher level than their own normal
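The following is an added example in Python, not RedOwl's code, showing how the feature and model vocabulary of the preceding pages fits together: direct features (lexicon, metadata, directional, time grouping) and contextual features (sequential, actor-statistical, global-statistical) are computed over a constructed week of events, then rolled up by a weighted model, one recon-style and one negative-behavior, into per-actor scores that can be compared against the actor's own baseline and against the rest of the organization. The competitor list, sentiment lexicon, business hours, events, and weights are all assumptions made for the illustration, and the actors and their activity are constructed, not real data.

```python
"""Feature extraction and weighted risk models over constructed insider events.
Added example, not RedOwl code: lexicons, hours, events and weights are assumed."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

COMPETITOR_DOMAINS = {"rivalco.example"}                 # assumed competitor list
NEGATIVE_LEXICON = {"unfair", "sick of this", "resign"}  # assumed sentiment terms
BUSINESS_HOURS = range(7, 19)                            # assumed 07:00-18:59

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def make_events():
    """Constructed data: a Mon-Fri week of routine file access for three actors, plus a
    Friday on which 'alice' reads far more than usual, vents, and mails a competitor."""
    evs = []
    for day in range(4, 9):                              # 2016-04-04 .. 2016-04-08
        for actor, n in (("alice", 2), ("bob", 3), ("carol", 2)):
            for k in range(n):
                evs.append({"actor": actor, "type": "file_access",
                            "ts": parse_ts(f"2016-04-{day:02d}T{9 + k:02d}:00")})
    for k in range(8):                                   # Friday bulk read by alice
        evs.append({"actor": "alice", "type": "file_access",
                    "ts": parse_ts(f"2016-04-08T{11 + k:02d}:30")})
    evs.append({"actor": "alice", "type": "email", "ts": parse_ts("2016-04-08T17:10"),
                "recipients": ["bob@corp.example"], "attachments": 0,
                "text": "I am sick of this place, the review was unfair."})
    evs.append({"actor": "alice", "type": "email", "ts": parse_ts("2016-04-08T23:05"),
                "recipients": ["contact@rivalco.example"], "attachments": 4,
                "text": "As discussed, the design docs."})
    return sorted(evs, key=lambda e: e["ts"])

# Direct / self-contained features: each needs only the event itself.
def lexicon_hit(ev):                    # lexicon-based
    return any(t in ev.get("text", "").lower() for t in NEGATIVE_LEXICON)

def after_hours(ev):                    # time grouping
    return ev["ts"].hour not in BUSINESS_HOURS

def competitor_outbound(ev):            # directional: output to a set of domains
    return any(r.split("@")[-1] in COMPETITOR_DOMAINS for r in ev.get("recipients", []))

def bulk_attachments(ev, threshold=3):  # metadata-based
    return ev.get("attachments", 0) >= threshold

# Contextual features: each needs the actor's or the organization's history.
def follows_within(ev, events, earlier, window):
    """Sequential: same actor had an event matching `earlier` within `window` before `ev`."""
    return any(e["actor"] == ev["actor"] and earlier(e)
               and timedelta(0) < ev["ts"] - e["ts"] <= window for e in events)

def daily_counts(events, kind):
    """Events of `kind` per (actor, day), zero-filled so quiet days count as 0."""
    actors, days = {e["actor"] for e in events}, {e["ts"].date() for e in events}
    counts = {(a, d): 0 for a in actors for d in days}
    for e in events:
        if e["type"] == kind:
            counts[(e["actor"], e["ts"].date())] += 1
    return counts

def spike_score(value, baseline):
    """z-score vs. baseline; deviation floored at 1.0 so a flat history stays finite."""
    return (value - mean(baseline)) / max(pstdev(baseline), 1.0) if baseline else 0.0

def actor_spike(counts, actor, day):    # actor statistical: vs. own "normal"
    return spike_score(counts[(actor, day)], [c for (a, d), c in counts.items() if a == actor and d != day])

def global_spike(counts, actor, day):   # global statistical: vs. org "normal"
    return spike_score(counts[(actor, day)], [c for (a, d), c in counts.items() if (a, d) != (actor, day)])

# A model is a weighted collection of features: two use cases, same plumbing (assumed weights).
RECON_MODEL = {"after_hours": 1.0, "competitor_outbound": 3.0, "bulk_attachments": 2.0,
               "send_after_file_access": 4.0, "file_access_actor_spike": 1.0, "file_access_global_spike": 0.5}
NEGATIVE_MODEL = {"lexicon_hit": 2.0}

def score_actor(actor, day, events, model):
    """Sum weight x feature over the actor's events on `day`, plus weight x positive z for spikes."""
    total = 0.0
    for ev in (e for e in events if e["actor"] == actor and e["ts"].date() == day):
        fired = {"after_hours": after_hours(ev),
                 "competitor_outbound": competitor_outbound(ev),
                 "bulk_attachments": bulk_attachments(ev),
                 "lexicon_hit": lexicon_hit(ev),
                 "send_after_file_access": competitor_outbound(ev) and follows_within(
                     ev, events, lambda e: e["type"] == "file_access", timedelta(hours=24))}
        total += sum(model.get(name, 0.0) for name, hit in fired.items() if hit)
    counts = daily_counts(events, "file_access")
    for name, fn in (("file_access_actor_spike", actor_spike), ("file_access_global_spike", global_spike)):
        total += model.get(name, 0.0) * max(fn(counts, actor, day), 0.0)
    return total

def rank(events, model, day):           # who stands out against the others on `day`
    actors = sorted({e["actor"] for e in events})
    return sorted(((score_actor(a, day, events, model), a) for a in actors), reverse=True)

def demo():                             # run both models over the constructed week
    events = make_events()
    friday = max(e["ts"] for e in events).date()
    counts = daily_counts(events, "file_access")
    return {"actor_spike": actor_spike(counts, "alice", friday), "global_spike": global_spike(counts, "alice", friday),
            "recon_rank": rank(events, RECON_MODEL, friday), "negative_rank": rank(events, NEGATIVE_MODEL, friday)}
```

On the constructed week, `demo()` puts alice far ahead of bob and carol under the recon model (a late-night send to a competitor domain with several attachments, following a bulk read the same day, on top of a file-access count eight deviations above her own baseline), while under the negative-behavior model only her venting email scores. The deviation is floored at 1.0 so that a perfectly flat baseline, the common case for a quiet user with only a few days of history, yields a large but finite z-score rather than a division by zero; the global spike is weighted lower than the actor spike because a departure from the organization's norm says less about intent than a departure from the person's own history. Both models share the same feature functions, which is the point of the design: use cases differ in their weights, not in their plumbing.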

The platform gives you the ability to build collections around multiple models. In this case, risk narratives are tracked within the platform in our insider risk chain, so you can act on previously unknown insights quickly.

The risk chain report in this example is composed of five analytic models. Each model consists of several different behaviors, queries, and analytics. Together, they provide a holistic and contextual view of the profiled individual's behavior over time. Analysts can move from the high-level risk chain visualization directly into significant events and the underlying data sets in order to fully understand risk narratives.

The final piece of the analytic puzzle is tying this into a configurable dashboard to build multiple real-time lenses through which to view the organization.


Deployment Options

Our platform is a distributed, fault-tolerant, full-stack application that gives you unprecedented visibility into your critical data streams. The only software required to use RedOwl is a current web browser. RedOwl is designed to be horizontally scalable, allowing us to add capacity as data needs grow and to provide redundancy.

RedOwl designed our security analytics platform with multiple deployment models in mind: it can be deployed either in a customer's preferred cloud environment as a virtual private cloud, or directly within the data center. The platform can also be deployed in a fully redundant fashion; it has no runtime dependencies on client data stores or any external resources.

What You Get: Risk Use Cases

Build an integrated program designed to deter, prevent, detect, and respond to insider threats:

DEPLOY A TRULY COMPREHENSIVE INSIDER THREAT PROGRAM
Data sources include SIEM, identity, Active Directory, endpoint agents, unstructured data including email/chat, and telemetry data including badge or shift information.

DETECT INTELLECTUAL PROPERTY LOSS
Pinpoint the theft or premature disclosure of sensitive corporate information including ideas, plans, methods, or technologies. This could include SaaS usage for transferring content or evidence of corporate espionage.

PERFORM FASTER, CONTEXT-RICH INCIDENT RESPONSE & DISCOVERY
Better gauge the size, scope and business impact of a security incident with additional context, helping responders quickly and accurately assemble a narrative. In cases where attacks succeed and data is stolen or systems are compromised, an enterprise may be able to learn how to block future attacks through forensics. For example, forensic analysis may reveal behavioral and technical clues that security teams can monitor for in the future.

SITUATIONAL AWARENESS ABOUT EMPLOYEE, DEPARTMENT OR ORGANIZATION RISK
Leverage advanced analytic techniques to fully understand the inner workings of your organization and to manage risk comprehensively.

DETECT ROGUE, NEGLIGENT OR COMPROMISED EMPLOYEES
Spot potentially damaging aberrant and unwanted behavior to identify and distinguish rogue, negligent or compromised employees, including monitoring privileged users.

Conclusion: Secure the Human Layer to Reduce Risk

In 2015, Gartner named RedOwl a Vendor to Watch, explaining that RedOwl:

"... positions its platform as a means to help with issues ranging from risk and compliance to legal, investigative and organizational. Through the use of additional contextual information and analysis, it is able to show issues that may have otherwise gone overlooked, such as noncompliance, rogue insiders or employees showing behavioral patterns that indicate they are about to leave an organization." [4]

Today's technology-enabled employees pose an asymmetric risk to enterprises unprepared to identify and disrupt unwanted behavior. The cost of being unprepared is high. The FBI recently warned, "Victim businesses incur significant costs ranging from $5,000 to $3 million due to cyber incidents involving disgruntled or former employees." [5]

A holistic platform that understands human activity is the cornerstone of a comprehensive insider threat program, providing insight into high-risk behavior and evolving threats within your company.

Information security teams have visibility into network traffic patterns and perimeter threats, but little visibility into the human layer. With RedOwl, security teams can incorporate important signals buried within unstructured data, gaining real visibility into the human behaviors, activities, and relationships of the employees, contractors, and partners with routine access to internal networks.

RedOwl's platform enables unparalleled situational awareness of people within the extended enterprise, continuous monitoring for threats such as fraud, intellectual property loss, and reputational risk, and effective incident response.

Security teams have two choices: look at log data and add a traditional black-box UBA solution to a SIEM, or use a holistic platform built on configurable analytics to comprehensively tackle insider risk.

[4] Gartner: Market Trends: Security Analytics — A New Hope for Security, or Just Hype?, March 2015
[5] http://www.ic3.gov/media/2014/140923.aspx