INSIDER THREAT KILL CHAIN

Slide 0

INSIDER THREAT KILL CHAIN DETECTING HUMAN INDICATORS OF COMPROMISE


Slide 1

INSIDER THREAT KILL CHAIN: DETECTING HUMAN INDICATORS OF COMPROMISE
Ken Westin, Product Marketing Manager
kwestin@tripwire.com


Slide 2

Your organization’s greatest asset is also its greatest threat. People.


Slide 3

MY FIRST EXPERIENCE WITH TRIPWIRE
Administrator breaking bad


Slide 4

INSIDER THREAT INTENTIONS
THREAT = CAPABILITY * INTENT
Source: CERT Breakdown of Insider Crimes in the United States


Slide 5

ADMINS GONE WILD: Rajendrasinh Babubhai Makwana
IT contractor fired, but allowed to finish working the day
Had admin access to the company’s 4K servers
Wrote a logic bomb to disable logins and wipe logs on Jan 1, 2009
Another engineer found the code before it could execute
Sentenced to 41 months in prison
Before being caught, had gone on to work for Bank of America, Amtrak and GE as Sr. Systems Administrator


Slide 6

INSIDER THREAT KILL CHAIN Insider Timeline


Slide 7

INSIDER THREAT KILL CHAIN Insider Timeline


Slide 8

INSIDER THREAT KILL CHAIN Insider Timeline


Slide 9

PREVENT: HUMAN INDICATORS OF COMPROMISE


Slide 10

PREVENT: AWARENESS & TRAINING
Consider threats from insiders and partners in risk assessments
Background checks
Clearly document and enforce policies and controls
Periodic security awareness training for all employees
Monitor and respond to suspicious or disruptive behavior
Anticipate and manage negative workplace issues
Track and secure the physical environment
Establish clear lines of communication and procedures between HR, Legal and IT


Slide 11

PREVENT: HUMAN TO MACHINE INDICATORS


Slide 12

PREVENT & DETECT: POLICY & TECHNOLOGY
Implement strict password and account policies
Enforce separation of duties and least privilege
Extra caution with system administrators and technical or privileged users
Implement system change controls
Deactivate computer access following termination
Log, monitor, and audit employee network activities


Slide 13

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA


Slide 14

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA


Slide 15

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA


Slide 16

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA


Slide 17

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA


Slide 18

LOG INTELLIGENCE & ANALYTICS REAL-TIME CORRELATION MEETS BIG DATA


Slide 19

INSIDER THREAT CORRELATION
Tripwire Log Center example rules


Slide 20

WHAT TO LOG? BARE MINIMUM TO START
Firewall logs
Unsuccessful login attempts
Intrusion Detection Systems (IDS/IPS) logs
Web proxies
Antivirus alerts
Change management


Slide 21

ALL LOGS CONSIDERED: CHALLENGES WITH LOG INTELLIGENCE & SIEM
Determine log volume: identify the number of events per second before selecting a log management tool
Establish log management policies and procedures: ensure this includes log retention policies (work with legal counsel for requirements), what is collected and who manages the logging systems
False positives: security devices make a lot of noise; tune the system to reduce false positives and focus on the events that matter
Establish a baseline: what is normal behavior? Set baselines to distinguish anomalies from true threats
Accessing information: multiple departments need to access data to determine what information will be collected and who has permission to view it…not just the SOC


Slide 22

LOGGING REAL PROBLEMS
Employee behavior shows potential risk to the business
Let’s monitor to see if he connects to servers outside the network
Set rules to watch and alert on outgoing connections after hours to ports 22 (SSH), 23 (Telnet) and 3389 (Terminal Services/RDP)


Slide 23

LOGGING REAL PROBLEMS
Employee behavior shows potential risk to the business
Let’s monitor to see if he connects to servers outside the network
Set rules to watch and alert on outgoing connections after hours to ports 22 (SSH), 23 (Telnet) and 3389 (Terminal Services/RDP)

Example rule event:

    <event name="Suspicious connection by risky employee">
      <logTime>2014-04-07T12:17:32</logTime>
      <suser>maliciousinsider</suser>
      <src>10.0.0.1</src>
      <shost>insider_system</shost>
      <prot>TCP</prot>
      <dpt>{22,23,3389}</dpt>
      <start>17:00:00</start>
      <end>08:00:00</end>
    </event>
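The correlation rule on this slide, written out as an added Python example (not Tripwire Log Center's own code or part of the deck): it parses constructed connection log lines and flags TCP connections from a watchlisted user to hosts outside the network on ports 22, 23 or 3389 during the 17:00 to 08:00 window, handling the fact that the window wraps past midnight. The key=value log layout, the 10.0.0.0/8 internal range, the destination addresses and the user watchlist are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, time

# Rule parameters taken from the slide's example event: watched ports, after-hours window, watched user
WATCHED_PORTS = {22, 23, 3389}  # SSH, Telnet, Terminal Services/RDP
AFTER_HOURS_START = time(17, 0)  # <start>17:00:00</start>
AFTER_HOURS_END = time(8, 0)  # <end>08:00:00</end>: the window wraps past midnight
RISKY_USERS = {"maliciousinsider"}  # watchlist fed by HR/management (assumed)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address range

# Constructed connection log lines in a simple key=value layout (not real data)
SAMPLE_LOGS = """\
2014-04-07T12:17:32 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=198.51.100.5 dpt=22
2014-04-07T23:45:10 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=203.0.113.7 dpt=3389
2014-04-08T02:10:00 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=10.0.5.9 dpt=22
2014-04-08T03:30:00 suser=jsmith src=10.0.0.42 shost=desk42 prot=TCP dst=198.51.100.5 dpt=22
2014-04-08T07:59:59 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=192.0.2.20 dpt=23
2014-04-08T08:00:00 suser=maliciousinsider src=10.0.0.1 shost=insider_system prot=TCP dst=192.0.2.20 dpt=23
""".splitlines()

def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict, or None if the line is malformed."""
    ts, sep, rest = line.partition(" ")
    if not sep:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["dpt"] = int(fields.get("dpt", -1))
    except ValueError:
        return None
    return fields

def is_after_hours(t):
    """True inside [17:00, 08:00); because it crosses midnight it is the union of two ranges."""
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END

def suspicious_connections(lines):
    """Return (timestamp, user, dst, port) for every event that matches the slide's rule."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.get("prot") != "TCP" or ev.get("suser") not in RISKY_USERS:
            continue
        if (ev["dpt"] in WATCHED_PORTS
                and ipaddress.ip_address(ev["dst"]) not in INTERNAL_NET
                and is_after_hours(ev["ts"].time())):
            alerts.append((ev["ts"].isoformat(), ev["suser"], ev["dst"], ev["dpt"]))
    return alerts
```

Run `suspicious_connections(SAMPLE_LOGS)`: only the 23:45 RDP and the 07:59:59 Telnet connections fire; the daytime SSH, the internal destination, the non-watchlisted user and the 08:00:00 event do not.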


Slide 24

Tripwire Log Center Dashboard


Slide 25

PHYSICAL SECURITY MEETS DIGITAL
Key fob systems generate logs too


Slide 26

CUSTOMER STORY: POWER COMPANY (MALICIOUS INSIDERS UNVEILED)
On deployment, Tripwire Log Center immediately discovered the account of a terminated system admin in use
The account was logging into the network at 4 AM on a Wednesday
Also discovered that logging had been disabled on a key firewall


Slide 27

CUSTOMER STORY: DON’T TREAD ON ME (MALICIOUS INSIDERS UNVEILED)
Deployed a PoC of Tripwire Log Center and Tripwire Enterprise at a large tire retailer
Discovered a backdoor set up by a terminated employee that was actively being accessed


Slide 28

RESPOND
Implement secure backup and recovery processes
Quickly audit the user’s network behavior
Develop an insider incident response plan (inter-departmental)


Slide 29

I’m On A Boat! Network Admin Hacked Navy—While on an Aircraft Carrier
http://www.wired.com/2014/05/navy-sysadmin-hacking/


Slide 30

INSIDER THREAT KILL CHAIN Insider Timeline


Slide 31

Questions?
Ken Westin
kwestin@tripwire.com
Twitter: @kwestin

