Protect Your Data from Insider Attacks

Carrie McDaniel, Imperva Product Team

February 23, 2016

© 2016 Imperva, Inc. All rights reserved.

Defend Against Attacks from the Inside


Introduction

Welcome


About the Speaker

• Carrie McDaniel – Product Marketing Manager, Imperva Emerging Products

• Passionate about information security

• Prior to Imperva: Moody’s Analytics, Wells Fargo and NetApp

• Degrees in Marketing and French from Santa Clara University.


Topics

• The insider threat problem

• Why detection is difficult

• What to look for in a solution

• Imperva CounterBreach


About Imperva


The Insider Threat


People are the WEAK LINK

• Malicious

• Careless

• Compromised


Major Data Breaches Resulting from Insiders


Source: time.com

Sources: http://gizmodo.com/security-hell-private-medical-data-of-over-1-5-million-1731548110

http://www.systemasoft.com/


Why Detection is Difficult


• Legitimate Data Access

• Distinguish Good from Bad

• Security Alert Overload


Solving the Insider Threat Problem


Truly Detecting and Containing Breaches Requires Addressing All

• Exactly WHO is accessing my data?

• Is the access OK?

• How do I respond QUICKLY if not?

Machine Learning Must-Haves to Address Insider Threats

• Full contextual baseline

• Does not cry wolf

• Discern “normal” from “normal but not right”

Data Access Expertise

All are required to detect compromised, malicious and careless insiders

Imperva CounterBreach

Breach Detection Solution

[Diagram. Stages: MONITOR, LEARN AND DETECT, BLOCK / QUARANTINE]

• MONITOR: Databases, Files, Cloud-based Apps

• CounterBreach: User Interface, Behavior machine learning, Visibility, Contain and Investigate

Behavioral Baseline: Good Data Access vs. Bad Data Access

PCI Database

• Who is connecting to the database?

• How do they connect to the database?

• Do their peers access data in the same way?

• When do they usually work?

• What data are they accessing?

• How much data do they query?

Example 1 – Suspicious Application Table Access

• Identify compromised, careless and malicious users

– Application Table Access

[Diagram labels: Detect, Sensitive, Application Data, Metadata, Service Account, Interactive User (DBA), DB Account, Application]


Example 2 – Service Account Abuse

• Identify compromised, careless and malicious users

– Application Table Access

– Service Account Abuse

[Diagram labels: Detect, Sensitive, Application Data, Metadata, Service Account, Interactive User]


Example 3 – Excessive Data Access

• Identify compromised, careless and malicious users

– Application Table Access

– Service Account Abuse

– Unusual Data Retrieval

[Diagram labels: Detect, Sensitive, Application Data, Metadata, DB Account, Support Analyst, Customer Support (Peer Group)]

• Typical: Maintenance on 5 records

• Anomaly: Retrieves 1,000 records out of working hours


Q & A
