Insider Threat Protection - ETSI
TRANSCRIPT
Insider Threat Protection
Dr Jamie Graves, VP Security Analytics
© Fortinet Inc. All Rights Reserved.
Robert Hanssen
Psychology & Motivation
• Psychology
  • Entitled Independent Model
  • Ambitious Leader Model
• Motivation
  • Ego
  • Monetary Problems
  • Alienation
  • Groomed
  • Anger/revenge
  • Ideology/Identification
  • Adventure/Thrill
  • Vulnerability to Blackmail
  • Compulsive/Addictive Behaviour
  • Family Problems
Behaviour – Some Examples
• Behaviour
  • Technical
    • Attempts to circumvent auditing and logging functions
    • Copying, deleting, moving and printing sensitive files
    • Network interface or system hardware manipulation
  • Non-Technical
    • Without need or authorisation, takes proprietary material or other materials home
    • Interest in matter outside the scope of their duties
    • Unnecessarily copies material
How Data Is Stolen
• Email: 25%
• Removable Media: 25%
• Network Access: 23%
• Laptops: 16%
• Printed Docs: 6%
• File Xfer: 5%
Insider Lessons
• The Insider Threat is not related to ‘Hackers’
• The insider threat is not just a technical or cyber security issue
• A good insider threat program should focus on deterrence, not detection
• Detection of insider threats should involve behavioural based techniques
Insider Risk – A Blind Spot in Security Analytics
• Malware analytics is taken care of through the following:
  • A ‘hard-shell’ and network monitoring provides some perimeter visibility
  • EPP solutions mostly focus on malware
• A blind spot exists within the perimeter
• 30% of breaches were due to those within the organization acting negligently or maliciously
[Diagram label: Network Security]
Achieving UEBA – Market Landscape
Network-Based
• Unable to monitor off-network
• Unable to decrypt traffic if no key is present
Log-Based
• Incomplete picture
• Log files are not designed to give necessary user insights
Endpoint-Based
• Visibility of user and data behavior on and off the network
• Provides the best granularity of telemetry to detect insiders
System Architecture – Agent/Server
Windows Endpoint Agent
• Lightweight, zero-configuration agent
• Encrypted connection (TLS 1.2)
• Push deployment
AWS Hosted
Storage, Presentation and Analytics
• Rule Matching
• Machine Learning
• Threat Hunting
Unique 5-Factor Telemetry Model – Engineered to detect insider threats
FortiInsight: Wherever a machine is located and whatever network the machine is connected to, FortiInsight captures the key information from 5 anchors and delivers insights built upon the key metadata and behaviour analysis around:
• Users
• Processes
• Devices
• Behaviours
• Resources
[Diagram label: Data Analysis]
Policies – Detecting Predictable Threats
• Real-time inspection of incoming events against defined criteria
• Encode compliance
• Generate alerts on violation
• Create new policy
  • Search based
  • Raw EPL
• Policy attributes
  • Enable/Disable
  • Severity
  • Frameworks
  • Labels
  • Email notifications
FortiInsight UEBA ML – AI Scoring
• Using Naïve Bayes
• Severity Score = Risk as Anomaly
• Goal: determine risky activity
• Deviation from normal behaviour
• Risk = static score (low 0-29, medium 30-59, high 60-100)
• E.g. cloud backup program = medium risk
• Two weeks to learn normal behaviour, then switch on alert mode
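As an added illustration of the scoring model this slide describes, not FortiInsight's own code, the following builds a Naïve Bayes baseline over the deck's five telemetry anchors, refuses to score until a learning window has closed, and maps "risk as anomaly" onto the slide's 0-29 / 30-59 / 60-100 severity bands. The normalisation of surprise, the smoothing, the event-count learning window and all sample telemetry are assumptions constructed for the example.

```python
import math
from collections import Counter, defaultdict
ANCHORS = ("user", "process", "device", "resource", "behaviour")  # the deck's five anchors
LEARN_EVENTS = 6  # stand-in for "two weeks to learn normal": counted in events here (assumption)

def severity_band(score):
    """Map a 0-100 severity score onto the deck's bands: low 0-29, medium 30-59, high 60-100."""
    return "low" if score < 30 else "medium" if score < 60 else "high"

class NaiveBayesBaseline:
    """'Normal' as one smoothed frequency table per anchor (anchors treated as independent)."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha                  # Laplace smoothing: unseen values are rare, not impossible
        self.counts = defaultdict(Counter)  # anchor -> value -> observed count
        self.n = 0
        self.learning = True                # no scores are emitted until the learning window closes
    def observe(self, event):
        for a in ANCHORS:
            self.counts[a][event[a]] += 1
        self.n += 1
        self.learning = self.n < LEARN_EVENTS  # switch to alert mode once the window closes
    def _surprise(self, anchor, value):
        """Normalised surprise in [0, 1]: 0 for the most common value, 1 for a never-seen one."""
        c = self.counts[anchor]
        denom = self.n + self.alpha * (len(c) + 1)  # +1 bucket reserved for unseen values
        s = -math.log((c[value] + self.alpha) / denom)
        s_min = -math.log((max(c.values()) + self.alpha) / denom)
        s_max = -math.log(self.alpha / denom)
        return (s - s_min) / (s_max - s_min)
    def score(self, event):
        """Severity 0-100 as 'risk as anomaly' (mean surprise over anchors); None while learning."""
        if self.learning:
            return None
        return round(100 * sum(self._surprise(a, event[a]) for a in ANCHORS) / len(ANCHORS))

# Constructed baseline telemetry (not real data), one tuple per event in ANCHORS order.
BASELINE = [
    ("alice", "winword.exe", "laptop-01", r"C:\docs\report.docx", "file_write"),
    ("alice", "outlook.exe", "laptop-01", "mailbox", "send"),
    ("alice", "winword.exe", "laptop-01", r"C:\docs\report.docx", "file_write"),
    ("bob", "winword.exe", "laptop-02", r"C:\docs\memo.docx", "file_write"),
    ("alice", "chrome.exe", "laptop-01", "https://intranet", "http_get"),
    ("bob", "outlook.exe", "laptop-02", "mailbox", "send"),
]

def build_model():
    model = NaiveBayesBaseline()
    for t in BASELINE:
        model.observe(dict(zip(ANCHORS, t)))
    return model
```

With this baseline, a routine Word edit scores 0 (low), alice browsing the intranet from bob's laptop scores 34 (medium), and an unseen process copying an unseen file to removable media scores 80 (high).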
Alerts – Visualisation
• Use Visualization and summary table to find what’s important to you
• Users, Entities, Tags for scoping
• Feedback mechanism
• Pivot on Threat Hunting for context
FortiInsight UEBA ML – Feedback Mechanism
• User input to system:
  • Thumbs up = positive feedback
  • Thumbs down = negative feedback
• System output:
  • Searchable tags, e.g. “potential leaver” = user writing a CV file, “sensitive data”, etc.
• Settings – allow defining file types, folders and users that are high risk
Feedback Tags
Sources
• FBI Insider Threat Lessons
• CERT: Spotlight On: Insider Theft of Intellectual Property inside the United States Involving Foreign Governments or Organisations
• CERT: Insider Theft of Intellectual Property for Business Advantage: A Preliminary Model
• CERT: Common Sense Guide to Mitigating Insider Threats, 4th edition