Time
8 hours 6 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson discusses automated applications which can be used to pinpoint employee behavior which might indicate they're an inside threat. These include: · Net Spy Pro · Veriato · ObserveIT · Securonix · Splunk In addition, companies can also take preventative measures by having employees sign Non Disclosure Agreements (NDA) and performing background checks (these are only two examples).

Video Transcription

00:04
so
00:05
a lot of the stuff that we talked about It's great, but you may not have time to look a tw 20,000 people and your organization looking checking all of these centers for all of those indicators. But
00:18
you're in luck. There are tons of automated programs out there now that can help you start looking and automating these processes. I listed just a few of the common ones. They're obviously out others out there,
00:35
the 1st 1 that I've listed his Nets by pro. It's monitoring software works across multiple computers but does not prevent external devices from connecting to the computers. But you can again, by that deal, Pete Technology separately.
00:49
But that that is one type of technology to use.
00:53
Uh, Barato are formally known as SPECTRE soffits, investigator re Kon and 360 and that's going to be a behavior analytics and activity monitoring type of software. So it's going to start aggregating a lot of that data and looking for those anomalies within that behavior.
01:10
The next one is going to be observed. I t on. It's a complete visibility. All employees activity kind of stacked rank. That way. You could look at your riskiest users. And then you can begin to
01:23
enforced company policies with certain notifications
01:27
secure. Onyx is another one, Lastly, have Splunk. A lot of people are familiar with this plump. You could correlate multiple data sources to identify high risk behaviors by employees and contractors. So again, those were just some automation tools that are going to go in and start looking at a lot of those
01:48
indicators and sensors that we talked about again. If you don't have a large organization, you could do all of this by hand. Just note that it will take time on some of these things that you would be able to go in and look after the fact. If you have found out that someone is an insider threat,
02:06
you can go back and start looking
02:07
for those indicators in the evidence that you have.
02:12
So that would be how you would do that investigation.
02:16
But like we said, we want to essentially prevent the insider threat activity before it happens. Going back and looking at the material after it's happened, it's already there. It's evidence you can go back, and you can check those sensors. You can check for the indicative behavior of
02:35
was this person insider threat.
02:38
Check their computer logs. You could figure out where they were talking to. That's all well and good, but your dad is still gone.
02:45
Uh, so preventing. That is what we hope to accomplish through this course. So, first and foremost, you want to have all of your employees contractors in trusted business partner signed in D. A's upon hiring in termination of employment contracts.
03:00
Again that just a piece of paper. It will not guarantee that someone does that. However, it does provide some type of legal recourse. If you do find out someone has absconded with your dad,
03:15
the next one is to ensure trusted business partner as perform background investigations
03:21
on all of its employees that will have access to your organization system or information.
03:25
And he should be committed commensurate with your organization's own background investigations and required as a contractual obligation. So obviously you're doing background checks on your employees to a certain standard. You would not want someone else to bring in their employees into your own organization
03:45
with a lower standard
03:46
of background checks, so you would want to be equal, especially if you're dealing with the same type of data
03:54
moving on for acquiring companies during the merger acquisition, performed background check investigations on all employees to be acquired at a level commensurate with its policy. So again, what? You're acquiring these cos you're gonna bring in folks to your organization. You want to know who you're bringing on, and you want everyone to be cleared at the same level.
04:15
Next, you want to prevent sensitive documents from being printed. If they're not required for business purposes, insiders could take a print out
04:23
of their own or someone else's sensitive document from Predator garbage desk officer. Electronic documents could be easier to track. You can also digitally watermark those documents. But again,
04:32
uh, if you are dealing with massive amounts of sensitive information, leaving things on the printer or in a garbage dumpster memory hole, someone could go by, pick up that information, walk out the door with,
04:47
uh
04:49
so ideally, you want to have certain policies in place that limit the amount of printing in the amount of paperwork that is thrown in the garbage.
04:58
Next, you want to avoid direct connections with information system of trusted business partners. If possible,
05:04
provide partners with task related data about providing access to your organization's internal network.
05:11
So again, that kind of goes to them that, uh,
05:14
principle of leaks privilege. If they don't need access to certain information, don't provide it to them.
05:19
Give them the least amount of information possible
05:24
and the next. Restrict access to the system Backup process. Toe only administrator responsible for backup in restoration.
05:30
And that makes sense because if you don't limit that access and anybody could get a copy of that backup process or access to the backup process, whether if an incident does occur on you're trying to do your back up and you find out your back up, Mister Shorter corrupted. It doesn't do you a lot of good. So,
05:50
uh,
05:50
protecting and access to that backup is very important.
05:57
More prevention tips continued. Prohibit personal items in secure areas because they may be used to conceal company property or a copy and store company data.
06:06
If your organization doesn't have any security policies that people could just bring in, whatever they want,
06:14
may want to take a look at that
06:15
because people could be walking out the door of the data and there's there's no way you would ever know
06:20
us so in the government world, especially with information security and
06:28
the level of classifying information on a lot of instances, you're not able to bring in certain items to that. You won't location
06:38
next conductor risk assessment all systems to identify critical data, business processes and mission critical systems. And then, you know, for more information. You can see that this publication 830
06:50
but be sure to include insiders encrusted business partners as part of the assessment. So essentially looking at everything to identify weaknesses and then trying to
07:01
remediate these weaknesses will help you stave off disaster. Hopefully,
07:08
the next one is to implement data encryption solutions that crypt dad out seamlessly and that restrict encryption tools to authorized users as well as restrict decryption of the organization's encrypted data authorized users. So, basically,
07:23
you want to secure your data and some type of manner that allows only people to access that data. You want to access it
07:30
next, it's implement a clear separation of duties between regular administrators and those responsible for backup and restoration. So doesn't allow someone to have too much power, too much authority,
07:44
and the next forbid regular administrators access to system. Back up media are the Elektronik backup process, which we talked about earlier. One of those people was compromised. They already have three high levels
07:59
rights to begin. Well, they could damage her system on one side that they had access to the backups. They condemned it on the other, and that would be complete ruining of your information systems.

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Instructor Profile Image
Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan
Instructor