Part 4 - Using Automated Processes to Look for Indicators of Insider Threats


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson discusses automated applications that can be used to pinpoint employee behavior that might indicate an insider threat. These include:
· Net Spy Pro
· Veriato
· ObserveIT
· Securonix
· Splunk
In addition, companies can take preventative measures such as having employees sign Non-Disclosure Agreements (NDAs) and performing background checks (these are only two examples).

Video Transcription
00:04
>> A lot of the stuff that we talked about, it's great,
00:04
but you may not have time to look at
00:04
20,000 people in your organization looking,
00:04
checking all of these sensors
00:04
for all of those indicators.
00:04
But you're in luck.
00:04
There are tons of
00:04
automated programs out there now that can help
00:04
you start looking and automating these processes.
00:04
I've listed just a few of the common ones.
00:04
There are obviously others out there.
00:04
The first one that I've listed is Net Spy Pro.
00:04
It's monitoring software
00:04
works across multiple computers,
00:04
but does not permit
00:04
external devices from connecting to the computers,
00:04
but you can again buy that DLP technology separately.
00:04
But that is one type of technology to use.
00:04
Veriato or formerly known as SpectorSoft,
00:04
it includes Investigator, Recon and 360.
00:04
That's going to be a behavior analytics
00:04
and activity monitoring type of software.
00:04
It's going to start aggregating a lot of that data and
00:04
looking for those anomalies within that behavior.
00:04
The next one is going to be ObserveIT,
00:04
and it's a complete visibility and
00:04
all employee activity stack rank
00:04
where you look at your riskiest users.
00:04
Then you can begin to
00:04
enforce company policies with certain notifications.
00:04
Securonix is another one.
00:04
Then lastly, you have Splunk.
00:04
A lot of people are familiar with it.
00:04
Splunk, you can correlate
00:04
multiple data sources to identify
00:04
high-risk behaviors by employees and contractors.
00:04
Again, those are just some automation tools
00:04
that are going to go in and start
00:04
looking at a lot of
00:04
those indicators and sensors that we talked about.
00:04
Again, if you don't have a large organization,
00:04
you can do all of this by hand.
00:04
Just note that it will take time.
00:04
Then some of these things that you would
00:04
be able to go in and look after the fact,
00:04
if you have found out that someone is an insider threat,
00:04
you can go back and start looking for
00:04
those indicators and the evidence that you have.
00:04
That would be how you would do that investigation.
00:04
But like we said,
00:04
we want to essentially prevent
00:04
the insider threat activity before it happens.
00:04
Going back and looking at
00:04
the material after it's happened,
00:04
it's already there, it's evidence.
00:04
You can go back and you can check those sensors.
00:04
You can check for that indicative behavior,
00:04
of, was this person an insider threat?
00:04
You can check their computer logs,
00:04
and you can figure out who they were talking to.
00:04
That's all well and good,
00:04
but your data's still gone.
00:04
Preventing that is what we hope to
00:04
accomplish through this course.
00:04
First and foremost, you want to have
00:04
all your employees, contractors,
00:04
and trusted business partners sign NDAs upon
00:04
hiring and termination of employment contracts.
00:04
Again, that's just a piece of paper.
00:04
It will not guarantee that someone does that.
00:04
However, it does provide some type of
00:04
legal recourse if you do
00:04
find out someone has absconded with your data.
00:04
The next one is to ensure
00:04
trusted business partner has performed
00:04
background investigations on all of its employees
00:04
that will have access to
00:04
your organization system or information.
00:04
They should be commensurate with
00:04
your organization's own background investigations and
00:04
required as a contractual obligation.
00:04
Obviously, you're doing
00:04
background checks on your employees,
00:04
so a certain standard.
00:04
You would not want someone else
00:04
to bring in their employees into
00:04
your own organization with
00:04
a lower standard of background checks.
00:04
You would want to be equal,
00:04
especially if you're dealing with
00:04
the same type of data.
00:04
>> Moving on, for acquiring companies
00:04
during the merger or acquisition,
00:04
perform background checks,
00:04
investigations on all employees to be
00:04
acquired at a level commensurate with its own policies.
00:04
Again, when you're acquiring these companies,
00:04
you're going to bring in folks to your organization.
00:04
You want to know who you're bringing on and you
00:04
want everyone to be cleared at the same level.
00:04
Next, you'll want to prevent
00:04
sensitive documents from being
00:04
printed if they are not required for business purposes.
00:04
Insiders could take a printout of their own or
00:04
someone else's sensitive document from
00:04
a printer, garbage, desk, or
00:04
office. Electronic documents can be easier to track.
00:04
You can also definitely watermark those documents.
00:04
But again, if you are dealing
00:04
with massive amounts of sensitive information,
00:04
leaving things on the printer or the garbage dumpster,
00:04
memory holds, someone could go by and
00:04
pick up that information and walk out the door with it.
00:04
Ideally, you want to have
00:04
certain policies in place to limit
00:04
the amount of printing and the amount of
00:04
paperwork that is thrown in the garbage.
00:04
Next, you want to avoid direct connections with
00:04
information systems of
00:04
trusted business partners, if possible.
00:04
Provide partners with task-related data without
00:04
providing access
00:04
to your organization's internal network.
00:04
>> Again, that goes to that principle of least privilege.
00:04
If they don't need access to certain information,
00:04
don't provide it to them.
00:04
Give them the least amount of information possible.
00:04
The next, restrict access to
00:04
the system backup process to
00:04
only administrators responsible
00:04
for backup and restoration.
00:04
That makes sense because if you
00:04
don't limit that access and anybody can
00:04
get a copy of
00:04
that backup process or access to that backup process,
00:04
when or if an incident does
00:04
occur and you're trying to do your backup,
00:04
and you find out your backup is destroyed or corrupted,
00:04
it doesn't do you a lot of good.
00:04
Protecting access to that backup is very important.
00:04
[NOISE] More prevention tips continued,
00:04
prohibit personal items in
00:04
secured areas because they may be
00:04
used to conceal company property
00:04
or to copy and store company data.
00:04
If your organization doesn't have any security
00:04
policies and people can just
00:04
bring in whatever they want,
00:04
you may want to take a look at that.
00:04
Because people could be
00:04
walking out the door with the data,
00:04
and there's no way you would ever know.
00:04
In the government world, especially
00:04
with information security
00:04
and the level of classifying information,
00:04
in a lot of instances,
00:04
you're not able to bring in
00:04
certain items to your work location.
00:04
Next, conduct a risk assessment of
00:04
all systems to identify critical data,
00:04
business processes, and mission critical systems.
00:04
Then for more information,
00:04
you can see the NIST Publication 800-30.
00:04
But be sure to include insiders and
00:04
trusted business partners as part of the assessment.
00:04
Essentially, looking at
00:04
everything to identify weaknesses and then trying
00:04
to remediate those weaknesses will
00:04
help you stave off disaster, hopefully.
00:04
The next one is to implement
00:04
data encryption solutions that encrypt data seamlessly,
00:04
and that restrict encryption tools
00:04
to authorized users as well as
00:04
restrict decryption on the organization's
00:04
encrypted data to authorized users.
00:04
Basically, you want to secure your data in some type of
00:04
manner that allows only people to
00:04
access that data who you want to access it.
00:04
Next is implement a clear separation of duties between
00:04
regular administrators and those
00:04
responsible for backup and restoration.
00:04
It doesn't allow someone to
00:04
have too much power and too much authority.
00:04
The next, forbid regular administrators
00:04
access to system backup media
00:04
or the electronic backup process,
00:04
which we talked about earlier.
00:04
If one of those people is compromised,
00:04
they already have very high levels
00:04
of rights to begin with,
00:04
they could damage your system on
00:04
one side that they had access to that backups,
00:04
and they can damage it on the other,
00:04
and that would be a complete ruining
00:04
of your information systems.