© 2016 Imperva, Inc. All rights reserved.
Protect Your Data from Insider Attacks
Carrie McDaniel – Imperva Product Team
February 23, 2016
About the Speaker
• Carrie McDaniel – Product Marketing Manager, Imperva Emerging Products
• Passionate about information security
• Prior to Imperva: Moody’s Analytics, Wells Fargo and NetApp
• Degrees in Marketing and French from Santa Clara University.
Topics
• The insider threat problem
• Why detection is difficult
• What to look for in a solution
• Imperva CounterBreach
Source for the survey statistics: Crowd Research Partners, Insider Threat Spotlight Report, 2015
Major Data Breaches Resulting from Insiders
Sources: http://gizmodo.com/security-hell-private-medical-data-of-over-1-5-million-1731548110 and http://www.systemasoft.com/
Crowd Research Partners, Insider Threat Spotlight Report, 2015
Why Detection is Difficult
• Legitimate data access – insiders use credentials and privileges they were legitimately given
• Distinguishing good from bad – misuse of that access looks like ordinary work
• Security alert overload – too many alerts to investigate each one
Truly detecting and containing breaches requires addressing all three questions:
• Exactly WHO is accessing my data?
• Is the access OK?
• If not, how do I respond QUICKLY?
Machine Learning Must-Haves to Address Insider Threats
• Full contextual baseline
• Does not cry wolf
• Discerns “normal” from “normal but not right”
• Data access expertise
All are required to detect compromised, malicious and careless insiders
Breach Detection Solution
CounterBreach pipeline:
• MONITOR – databases, files, cloud-based apps
• LEARN AND DETECT – behavior machine learning
• BLOCK / QUARANTINE – contain and investigate
• User interface – visibility
Behavioral Baseline: Good Data Access vs. Bad Data Access
Questions the baseline answers for a database (the slide's example is a PCI database):
• Who is connecting to the database?
• How do they connect to the database?
• Do their peers access data in the same way?
• When do they usually work?
• What data are they accessing?
• How much data do they query?
Example 1 – Suspicious Application Table Access
• Identify compromised, careless and malicious users
– Application Table Access
Diagram: the Application reaches Sensitive Application Data through its Service Account; an Interactive User (DBA) with a DB Account normally works with Metadata.
Detect: the DBA's interactive DB account reading the sensitive application tables directly, bypassing the application.
Example 2 – Service Account Abuse
• Identify compromised, careless and malicious users
– Application Table Access
– Service Account Abuse
Diagram: the Service Account normally carries only application traffic to Sensitive Application Data (and Metadata).
Detect: an Interactive User connecting with the service account's credentials.
Example 3 – Excessive Data Access
• Identify compromised, careless and malicious users
– Application Table Access
– Service Account Abuse
– Unusual Data Retrieval
Diagram: a Support Analyst uses a DB Account to reach Sensitive Application Data and Metadata; the baseline is the Customer Support peer group.
Typical: maintenance on 5 records
Anomaly: retrieves 1,000 records out of working hours
Detect: the retrieval that is far above the peer group's typical volume and outside the analyst's usual hours.
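The three detections above, and the baseline questions (who, how, peers, when, what, how much), as an added toy example in Python. This is not CounterBreach code and does not reflect how Imperva's product implements its models; it only shows the shape of the logic the deck describes. The audit-event layout, account and table names, the "app" vs "interactive" channel labels and the 10x-of-peer-median threshold are constructed assumptions, and the set-of-hours-seen test for working hours is a deliberately crude stand-in for a real time-of-day model.

```python
"""Toy behavioral baseline for database access events.

Added example, not CounterBreach code. Learns a profile of "normal" access
from a window of audit events, then scores new events against it for the
three patterns in the deck: interactive access to application tables,
service-account abuse, and excessive (and off-hours) data retrieval.
Event layout, names, tables and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed: flag a query that returns more than 10x the peer group's median row count.
EXCESS_FACTOR = 10

# Constructed learning window. Fields: timestamp, db account, peer group,
# channel ("app" = through the application tier, "interactive" = a direct
# client/DBA session), table, rows returned.
BASELINE_EVENTS = [
    ("2016-02-01T10:05:00", "app_svc", "application", "app", "CARDHOLDER", 1),
    ("2016-02-01T10:06:00", "app_svc", "application", "app", "CARDHOLDER", 1),
    ("2016-02-01T11:00:00", "app_svc", "application", "app", "ORDERS", 3),
    ("2016-02-02T09:30:00", "app_svc", "application", "app", "CARDHOLDER", 2),
    ("2016-02-01T09:15:00", "jdoe", "customer_support", "interactive", "TICKETS", 5),
    ("2016-02-02T14:20:00", "jdoe", "customer_support", "interactive", "TICKETS", 4),
    ("2016-02-03T16:45:00", "jdoe", "customer_support", "interactive", "TICKETS", 6),
    ("2016-02-01T10:00:00", "asmith", "customer_support", "interactive", "TICKETS", 5),
    ("2016-02-02T13:10:00", "asmith", "customer_support", "interactive", "TICKETS", 3),
    ("2016-02-01T08:50:00", "dba1", "dba", "interactive", "SYS_STATS", 20),
    ("2016-02-02T09:10:00", "dba1", "dba", "interactive", "SYS_STATS", 30),
]

# Constructed events to score: one normal, then one per example from the deck.
NEW_EVENTS = [
    ("2016-02-23T11:00:00", "app_svc", "application", "app", "CARDHOLDER", 1),
    ("2016-02-23T11:05:00", "dba1", "dba", "interactive", "CARDHOLDER", 200),
    ("2016-02-23T02:10:00", "app_svc", "application", "interactive", "CARDHOLDER", 5),
    ("2016-02-23T23:30:00", "jdoe", "customer_support", "interactive", "TICKETS", 1000),
]


def learn_baseline(events):
    """Answer the baseline questions: who touches each table and how, which
    channels and hours each account uses, and how much a peer group usually reads."""
    b = {
        "table_accessors": defaultdict(set),   # table -> {(account, channel)}
        "account_channels": defaultdict(set),  # account -> {channel}
        "account_hours": defaultdict(set),     # account -> {hour of day seen}
        "peer_rows": defaultdict(list),        # peer group -> [rows per query]
    }
    for ts, account, group, channel, table, rows in events:
        hour = datetime.fromisoformat(ts).hour
        b["table_accessors"][table].add((account, channel))
        b["account_channels"][account].add(channel)
        b["account_hours"][account].add(hour)
        b["peer_rows"][group].append(rows)
    b["peer_typical"] = {g: median(r) for g, r in b["peer_rows"].items()}
    return b


def detect(event, baseline):
    """Return [(rule, reason), ...] for one event; an empty list means 'normal'."""
    ts, account, group, channel, table, rows = event
    hour = datetime.fromisoformat(ts).hour
    alerts = []

    # Example 1: a table reached only through the application tier in the
    # baseline is now read by someone else on an interactive session (e.g. a DBA).
    accessors = baseline["table_accessors"].get(table, set())
    if (accessors and channel == "interactive"
            and all(ch == "app" for _, ch in accessors)
            and account not in {a for a, _ in accessors}):
        alerts.append(("application_table_access",
                       f"{account} read application table {table} on an interactive session"))

    # Example 2: an account that only ever carried application traffic shows up on
    # an interactive session: a human is using the service account's credentials.
    if baseline["account_channels"].get(account) == {"app"} and channel == "interactive":
        alerts.append(("service_account_abuse",
                       f"service account {account} used interactively on {table}"))

    # Example 3: volume judged against the peer group, with the account's usual
    # working hours as added context (a set of hours seen is a crude stand-in).
    typical = baseline["peer_typical"].get(group)
    if typical is not None and rows > EXCESS_FACTOR * max(typical, 1):
        hours = baseline["account_hours"].get(account, set())
        when = "outside" if hours and hour not in hours else "within"
        alerts.append(("excessive_data_access",
                       f"{account} retrieved {rows} rows from {table} {when} usual hours; "
                       f"peer group {group} typically reads {typical:g}"))
    return alerts


def scan(events, baseline):
    """Rule names fired per event, in input order."""
    return [[rule for rule, _ in detect(e, baseline)] for e in events]


if __name__ == "__main__":
    b = learn_baseline(BASELINE_EVENTS)
    for e in NEW_EVENTS:
        for rule, reason in detect(e, b):
            print(f"{e[0]} {rule}: {reason}")
```

Run it as a script and each of the three constructed anomalies fires exactly one rule while the normal event fires none. The peer-group comparison is what keeps the "does not cry wolf" property from the must-haves slide: a DBA reading 200 rows is unremarkable next to other DBAs, while 1,000 rows from a support analyst whose peers touch 5 at a time stands out, and the hour-of-day context is attached to that alert rather than raised as a separate, noisier one.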