It’s Coming from Inside the Building: Defending against internal threats

Defending Against Internal Threats - Interop 2015



Introductions

Troy Moreland - Founder & CTO
Josh Orum - Marketing
James Orrange - Enterprise Sales
Eric Capistran - Enterprise Sales

Security Threat Risk Sources

Hacker

Computer Criminal

Terrorist

Industrial Espionage

Insiders

Mitigating Risk Best Practices

Mitigation Steps

● Define risks
● Prioritize risks
● Recommend controls
● Prioritize control actions
● Select controls
● Implement control actions
● Review and refine control actions

Identify Threats and Define Controls

Columns: (1) Risk; (2) Risk Level; (3) Recommended Controls; (4) Action Priority; (5) Selected Controls; (6) Required Resources; (7) Responsible Team/Person; (8) Start Date/End Date; (9) Maintenance Requirement/Comments

Example row:

(1) Risk: Unauthorized users can telnet to XYZ server and browse sensitive data
(2) Risk Level: High
(3) Recommended Controls:
- Disallow inbound telnet
- Disallow world access to sensitive company files
- Disallow the guest account or assign it a hard-to-guess password
(4) Action Priority: High
(5) Selected Controls:
- Disallow inbound telnet
- Disallow world access
- Disallow guest
(6) Required Resources: 10 hours to reconfigure and test the system
(7) Responsible Team/Person: John Doe, XYZ server admin; Jim Smith, firewall admin
(8) Start Date/End Date: 9-1-2010 to 9-2-2010
(9) Maintenance Requirement/Comments: Perform periodic system review and testing to ensure adequate security
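As an added example that is not part of the Interop deck, the following Python script turns the three selected controls from the row above into a repeatable check, which is what the maintenance column's "periodic system review and testing" amounts to in practice. The snapshot layout, the file paths, the guest-password check and the before/after data are all constructed for illustration; on a real server the snapshot would be filled from the socket table, file modes and the account database.

```python
"""Periodic check for the risk row above (unauthorized telnet access to XYZ server).

Added example, not from the Interop deck: it tests the three selected controls
(no inbound telnet, no world access to sensitive files, guest disabled or given
a hard-to-guess password) against a snapshot of host state. The snapshot
layout and the sample before/after data are constructed for illustration.
"""
import stat
from dataclasses import dataclass, field
from typing import List

TELNET_PORT = 23


@dataclass
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # bind address; "127.0.0.1" is loopback only, "0.0.0.0" is any interface
    port: int


@dataclass
class FileEntry:
    path: str
    mode: int    # POSIX permission bits, e.g. 0o644
    sensitive: bool = False


@dataclass
class Account:
    name: str
    locked: bool           # disabled account / no interactive login
    password_set: bool     # a non-empty password hash exists
    weak_password: bool    # hash matched a guessable-password check (assumed to exist)


@dataclass
class HostSnapshot:
    listeners: List[Listener] = field(default_factory=list)
    files: List[FileEntry] = field(default_factory=list)
    accounts: List[Account] = field(default_factory=list)


def audit_host(snap: HostSnapshot) -> List[str]:
    """Return one finding per selected control that is not met; an empty list means all pass."""
    findings = []
    # Control (5a) Disallow inbound telnet: a daemon bound only to loopback is not
    # reachable from the network; anything else on tcp/23 is.
    for l in snap.listeners:
        if l.proto == "tcp" and l.port == TELNET_PORT and not l.addr.startswith("127."):
            findings.append(f"inbound telnet listening on {l.addr}:{l.port}")
    # Control (5b) Disallow world access: sensitive files must carry neither o+r nor o+w.
    for f in snap.files:
        if f.sensitive and f.mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append(f"world access to sensitive file {f.path} (mode {oct(f.mode)})")
    # Control (5c) Disallow guest, or at least give it a hard-to-guess password.
    for a in snap.accounts:
        if a.name == "guest" and not a.locked and (not a.password_set or a.weak_password):
            findings.append("guest account enabled without a hard-to-guess password")
    return findings


# Constructed state before the controls were applied.
BEFORE = HostSnapshot(
    listeners=[Listener("tcp", "0.0.0.0", 22), Listener("tcp", "0.0.0.0", 23)],
    files=[FileEntry("/srv/finance/q3-forecast.xls", 0o644, sensitive=True),
           FileEntry("/srv/public/readme.txt", 0o644)],
    accounts=[Account("guest", locked=False, password_set=False, weak_password=False)],
)

# Constructed state after the reconfiguration scheduled for 9-1-2010 to 9-2-2010.
AFTER = HostSnapshot(
    listeners=[Listener("tcp", "0.0.0.0", 22)],
    files=[FileEntry("/srv/finance/q3-forecast.xls", 0o640, sensitive=True),
           FileEntry("/srv/public/readme.txt", 0o644)],
    accounts=[Account("guest", locked=True, password_set=False, weak_password=False)],
)

if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_host(snap) or ["all selected controls in place"])
```

Running the check on the "before" snapshot reports all three gaps; on the "after" snapshot it reports nothing, and the non-sensitive world-readable readme is deliberately left alone because the control only covers sensitive company files.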

Myth vs. Reality

Myth: Reality:

“According to a report from the Identity Theft Resource Center the number of data breaches in 2014 increased 27.5 percent over the previous year.”

“In a recent USA Today article, Michael Bruemmer, vice president of consumer protection at credit information company Experian Consumer Services, pointed to a relatively unknown breach in Korea where a worker at the Korea Credit Bureau hacked into a database and stole 27 million records containing personal and credit card information.”

“JPMorgan Chase & Co., which has racked up more than $36 billion in legal bills since the financial crisis, is rolling out a program to identify rogue employees before they go astray, according to Sally Dewar, head of regulatory affairs for Europe, who’s overseeing the effort. Dozens of inputs, including whether workers skip compliance classes, violate personal trading rules or breach market-risk limits, will be fed into the software.”

Verizon 2014 Data Breach Investigations Report:

"61% of breaches were direct hacking - Targeting individual accounts (Passwords hacked, privileges gained for authorized access)"

“18% of incidents were insider misuse:- Inappropriate or malicious use of privileges”

“89% of employees retained access to at least one app from a former employer”

“66% had access to corporate data via cloud apps after they left the company”

“45% retained access to ‘confidential’ or ‘highly confidential’ data”

“49% logged into an account after leaving the company”

Employees are Human and That’s a Risk

Insider Threat Actors

The Hoarder

The Lazy

The Curious

The Ignorant

The Rebel

The Jerk

The Vengeful

Defining Insider Threat Risks

Insider Threat Risks
● Lack of access governance
● Manual identity provisioning/de-provisioning
● Existing access never removed
● Access campaigns too cumbersome
● Too many passwords and complex policies
● Limited use of multi-factor authentication
● Too many back door accounts
● ...

Columns: (1) Risk; (2) Risk Level; (3) Recommended Controls; (4) Action Priority; (5) Selected Controls; (6) Required Resources; (7) Responsible Team/Person; (8) Start Date/End Date; (9) Maintenance Requirement/Comments

Row 1
(1) Risk: Manual identity provisioning/de-provisioning
(2) Risk Level: High

Row 2
(1) Risk: Existing access never removed
(2) Risk Level: High

Mitigating Controls for Insider Threats

Columns: (1) Risk; (2) Risk Level; (3) Recommended Controls; (4) Action Priority; (5) Selected Controls; (6) Required Resources; (7) Responsible Team/Person; (8) Start Date/End Date; (9) Maintenance Requirement/Comments

Row 1
(1) Risk: Manual identity provisioning/de-provisioning
(2) Risk Level: High
(3) Recommended Controls:
- Implement automated identity lifecycle management solution
(4) Action Priority: High

Row 2
(1) Risk: Existing access never removed
(2) Risk Level: High
(3) Recommended Controls:
- Implement access certification campaigns
- Implement time-based access certification
(4) Action Priority: High

...
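The two High-priority rows above come down to two routines an identity system has to run continuously rather than as a manual afterthought: reconciling every application account against the HR system of record (so that termination actually removes access, and ownerless accounts surface), and putting entitlements that have not been re-approved within a fixed window on a certification queue. The following Python is an added example written for this page, not code from the deck or from RapidIdentity; its record layouts, system names, employee IDs, the 90-day window and all sample roster and account data are constructed.

```python
"""Reconciliation and time-based access certification over constructed data.

Added example, not code from the deck or from RapidIdentity. It shows the
logic behind the two High-priority rows above: reconcile application accounts
against the HR system of record, and queue stale entitlements for time-based
certification. Record layouts, system names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    emp_id: str
    manager_id: Optional[str]
    status: str                        # "active" or "terminated"
    term_date: Optional[date] = None

@dataclass(frozen=True)
class Account:
    system: str                        # application the account lives in
    username: str
    emp_id: Optional[str]              # None: no owner on record
    enabled: bool
    entitlements: FrozenSet[str]
    last_certified: Optional[date]     # None: never certified
    last_login: Optional[date]

@dataclass(frozen=True)
class Finding:
    kind: str        # orphan | terminated_active | post_termination_login
    system: str
    username: str
    detail: str


def reconcile(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Compare application accounts with HR and report what de-provisioning missed."""
    by_id = {e.emp_id: e for e in roster}
    findings = []
    for a in accounts:
        emp = by_id.get(a.emp_id) if a.emp_id else None
        if emp is None:
            # Nobody in HR owns it: back-door or forgotten service account.
            findings.append(Finding("orphan", a.system, a.username, "no HR owner"))
            continue
        if emp.status != "terminated" or emp.term_date is None:
            continue
        if a.enabled:
            age = (today - emp.term_date).days
            findings.append(Finding("terminated_active", a.system, a.username,
                                    f"still enabled {age} days after termination"))
        if a.last_login and a.last_login > emp.term_date:
            # The "logged into an account after leaving the company" case.
            findings.append(Finding("post_termination_login", a.system, a.username,
                                    f"login {a.last_login} after termination {emp.term_date}"))
    return findings


def certification_queue(roster: List[Employee], accounts: List[Account], today: date,
                        max_age_days: int = 90) -> List[Tuple[str, str, str, List[str]]]:
    """Time-based certification: (reviewer, system, username, entitlements) due for re-approval."""
    by_id = {e.emp_id: e for e in roster}
    queue = []
    for a in accounts:
        if not a.enabled or not a.entitlements:
            continue
        stale = a.last_certified is None or (today - a.last_certified).days > max_age_days
        if not stale:
            continue
        emp = by_id.get(a.emp_id) if a.emp_id else None
        # The manager reviews a report's access; ownerless access goes to the security team.
        reviewer = emp.manager_id if emp and emp.manager_id else "security-team"
        queue.append((reviewer, a.system, a.username, sorted(a.entitlements)))
    return queue


TODAY = date(2015, 4, 30)

# Constructed HR roster: e102 was terminated on 2015-03-15.
ROSTER = [
    Employee("e100", None, "active"),
    Employee("e101", "e100", "active"),
    Employee("e102", "e101", "terminated", date(2015, 3, 15)),
]

# Constructed account inventory pulled from three systems.
ACCOUNTS = [
    Account("ad", "jdoe", "e101", True, frozenset({"Domain Users"}), date(2015, 4, 1), date(2015, 4, 29)),
    Account("crm", "jdoe", "e101", True, frozenset({"export-all-contacts"}), date(2014, 12, 1), date(2015, 4, 28)),
    Account("crm", "asmith", "e102", True, frozenset({"sales-rep"}), date(2015, 2, 1), date(2015, 3, 20)),
    Account("payroll", "asmith", "e102", False, frozenset({"view-own"}), date(2015, 2, 1), date(2015, 3, 10)),
    Account("ad", "svc_backup", None, True, frozenset({"Backup Operators"}), None, date(2015, 4, 30)),
]

if __name__ == "__main__":
    for f in reconcile(ROSTER, ACCOUNTS, TODAY):
        print(f"{f.kind:24} {f.system}/{f.username}: {f.detail}")
    for reviewer, system, user, ents in certification_queue(ROSTER, ACCOUNTS, TODAY):
        print(f"certify  {reviewer:14} {system}/{user}: {ents}")
```

On the constructed data, reconcile() reports the CRM account of the terminated employee as still enabled 46 days after departure and as used after the termination date, and reports the ownerless backup account in AD; the disabled payroll account produces nothing because de-provisioning worked there. certification_queue() sends the 150-day-old CRM export entitlement to the employee's manager and the never-certified service account to the security team, while the AD account certified 29 days ago and the CRM account certified 88 days ago stay inside the 90-day window.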

Controls for Insider Threats

1. Identity Administration
2. Identity Governance

Introducing RAPIDIDENTITY

Product component diagram (layout lost in extraction). Labels shown: Identity Administration; Identity Governance; Profiles; Groups; Accounts; Self Service; Passwords; Integration; Authentication; Federation; Single Sign-On; Entitlements; Requests; Roles; Certification; Policy; Delegation; Access; Privileged; Intelligence; Compliance; Text Files; Database; Directory; Email; Cloud App APIs; Endpoints; Elevated; Linked; Shared; Reconciliation; Analytics; Correlation; Events; Tracking; Reporting; Risk.


Columns: (1) Risk; (2) Risk Level; (3) Recommended Controls; (4) Action Priority; (5) Selected Controls; (6) Required Resources; (7) Responsible Team/Person; (8) Start Date/End Date; (9) Maintenance Requirement/Comments

Row 1
(1) Risk: Manual identity provisioning/de-provisioning
(2) Risk Level: High
(3) Recommended Controls:
- Implement automated identity lifecycle management solution
(4) Action Priority: High
(5) Selected Controls:
- Implement automated identity lifecycle management solution
(6) Required Resources:
- RapidIdentity
- Sysadmins
- Identity Specialists
(7) Responsible Team/Person: CSO, CIO

Row 2
(1) Risk: Existing access never removed
(2) Risk Level: High
(3) Recommended Controls:
- Implement access certification campaigns
- Implement time-based access certification
(4) Action Priority: High
(5) Selected Controls:
- Implement time-based access certification
(6) Required Resources:
- RapidIdentity
- Sysadmins
- Identity Specialists
(7) Responsible Team/Person: CSO, CIO

...

http://www.identityautomation.com/rogue-employees

Rogue Employees eBook

Action Items

Next 30 Days
❏ Download this presentation
❏ Identify Insider Threats

Next 60 Days
❏ Define Controls to Mitigate Insider Threats

Within 6 Months
❏ Implement Control Actions (RapidIdentity)

Q & A