INSIDER THREAT KILL CHAIN presentation

Contents

INSIDER THREAT KILL CHAIN DETECTING HUMAN INDICATORS OF COMPROMISE Ken Westin Product Marketing Manager kwestin@tripwire.com

Slide 1: INSIDER THREAT KILL CHAIN
DETECTING HUMAN INDICATORS OF COMPROMISE


Slide 2: INSIDER THREAT KILL CHAIN
DETECTING HUMAN INDICATORS OF COMPROMISE
Ken Westin, Product Marketing Manager, kwestin@tripwire.com


Slide 3: Your organization’s greatest asset is also its greatest threat.
People.


Slide 4: MY FIRST EXPERIENCE WITH TRIPWIRE
ADMINISTRATOR BREAKING BAD


Slide 5: INSIDER THREAT INTENTIONS
THREAT = CAPABILITY * INTENT

Source: CERT Breakdown of Insider Crimes in the United States

Slide 6: IT contractor fired, but allowed to finish working the day
Had admin access to the company’s 4K servers
Wrote logic bomb to disable logins and wipe logs on Jan 1, 2009
Another engineer found the code before it could execute
Sentenced to 41 months in prison
Before being caught, had gone on to work for Bank of America, Amtrak and GE as Sr. Systems Administrator

Rajendrasinh Babubhai Makwana

ADMINS GONE WILD


Slide 7: INSIDER THREAT KILL CHAIN
Insider Timeline






Slide 10: PREVENT: HUMAN INDICATORS OF COMPROMISE


Slide 11: PREVENT
Consider threats from insiders and partners in risk assessments
Background checks
Clearly document and enforce policies and controls
Periodic security awareness training for all employees
Monitor and respond to suspicious or disruptive behavior
Anticipate and manage negative workplace issues
Track and secure physical environment
Establish clear lines of communication and procedures between HR, Legal and IT

AWARENESS & TRAINING


Slide 12: PREVENT: HUMAN TO MACHINE INDICATORS


Slide 13: PREVENT & DETECT
Implement strict password and account policies
Enforce separation of duties and least privilege
Extra caution with system administrators and technical or privileged users
Implement system change controls
Deactivate computer access following termination
Log, monitor, and audit employee network activities

POLICY & TECHNOLOGY


Slide 14: LOG INTELLIGENCE & ANALYTICS
REAL-TIME CORRELATION MEETS BIG DATA




Slide 20: INSIDER THREAT CORRELATION
TRIPWIRE LOG CENTER EXAMPLE RULES


Slide 21: WHAT TO LOG?
Firewall logs
Unsuccessful login attempts
Intrusion Detection Systems (IDS/IPS) logs
Web proxies
Antivirus alerts
Change management

BARE MINIMUM TO START


Slide 22: ALL LOGS CONSIDERED
Determine log volume: identify the number of events per second before selecting a log management tool
Establish log management policies and procedures: ensure these include log retention policies (work with legal counsel on requirements), what is collected, and who manages the logging systems
False positives: security devices make a lot of noise; tune the system to reduce false positives and focus on events that matter
Establish a baseline: what is normal behavior? Set baselines to distinguish anomalies from true threats
Accessing information: multiple departments need access to the data to determine what information will be collected and who has permission to view it, not just the SOC

CHALLENGES WITH LOG INTELLIGENCE & SIEM


Slide 23: LOGGING REAL PROBLEMS
Employee behavior shows potential risk to business
Let’s monitor to see if he connects to servers outside the network
Set rules to watch and alert on connections from outgoing ports after hours: 22 (SSH), 23 (Telnet), 3389 (Terminal Services/RDP)




Rule parameters as shown on the slide:
Timestamp: 2014-04-07T12:17:32
User: maliciousinsider
IP address: 10.0.0.1
Host: insider_system
Protocol: TCP
Ports: {22,23,3389}
After-hours window: 17:00:00 to 08:00:00
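The following is an added example, not code from the slides or from Tripwire Log Center, of how the rule parameters above can be expressed as a correlation check over firewall-style connection records. The line format (timestamp, user, source, destination, protocol, destination port), the watched-user list, the assumption that 10.0.0.0/8 is the internal network, and the sample log lines are all constructed for the example. It also handles the one edge case the slide's window implies but does not spell out: a 17:00:00 to 08:00:00 window wraps past midnight, so a naive "start <= t < end" comparison would never match.

```python
# Added example (not from the slides or Tripwire Log Center): a correlation
# rule mirroring the slide's after-hours rule. The log format, user list,
# internal network range and sample lines are all constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Rule parameters, modelled on the values shown on the slide.
WATCHED_USERS = {"maliciousinsider"}          # employee flagged as a risk
WATCHED_PORTS = {22, 23, 3389}                # SSH, Telnet, RDP
AFTER_HOURS_START = time(17, 0, 0)            # 17:00:00
AFTER_HOURS_END = time(8, 0, 0)               # 08:00:00 the next morning
# Assumed internal address space; anything outside it is "outside the network".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Conn:
    ts: datetime
    user: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Conn:
    """Parse one constructed firewall line: '<iso-ts> <user> <src> <dst> <proto> <dport>'."""
    ts, user, src, dst, proto, dport = line.split()
    return Conn(datetime.fromisoformat(ts), user, src, dst, proto.upper(), int(dport))


def in_after_hours(t: time, start: time = AFTER_HOURS_START, end: time = AFTER_HOURS_END) -> bool:
    """True if t falls in [start, end). A window with start > end wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def is_external(ip: str) -> bool:
    """True if ip is not inside any of the assumed internal networks."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def matches(c: Conn) -> bool:
    """Every condition of the rule must hold for a connection to alert."""
    return (
        c.user in WATCHED_USERS
        and c.proto == "TCP"
        and c.dport in WATCHED_PORTS
        and is_external(c.dst)
        and in_after_hours(c.ts.time())
    )


def run_rule(lines) -> list:
    """Return one alert string per matching connection, in input order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        c = parse_line(line)
        if matches(c):
            alerts.append(f"{c.ts.isoformat()} {c.user} {c.src}->{c.dst}:{c.dport}/{c.proto}")
    return alerts


# Constructed sample log. Only lines 2 and 3 should alert: line 1 is during
# business hours, line 4 targets an internal host, line 5 is an unwatched user
# on port 443, and line 6 is UDP rather than TCP.
SAMPLE_LOG = """\
2014-04-07T12:17:32 maliciousinsider 10.0.0.1 203.0.113.10 TCP 22
2014-04-07T18:42:05 maliciousinsider 10.0.0.1 203.0.113.10 TCP 22
2014-04-08T02:15:00 maliciousinsider 10.0.0.1 198.51.100.7 TCP 3389
2014-04-08T02:16:00 maliciousinsider 10.0.0.1 10.0.0.50 TCP 3389
2014-04-07T18:42:05 alice 10.0.0.2 203.0.113.10 TCP 443
2014-04-07T19:00:00 maliciousinsider 10.0.0.1 203.0.113.10 UDP 22
"""

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_LOG.splitlines()):
        print("ALERT", alert)
```

In a real deployment the watched-user set would come from the HR/Legal/IT process the earlier slides describe rather than a literal, and the internal ranges from the network inventory; the time comparison should also be done in the organization's local time zone, since the slide's window is a business-hours window, not a UTC one.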


Slide 25: Tripwire Log Center Dashboard



Slide 26: Physical Security Meets Digital
KEY FOB SYSTEMS GENERATE LOGS TOO


Slide 27: CUSTOMER STORY: POWER COMPANY
Deployment of Tripwire Log Center immediately discovered the account of a terminated system admin in use
Account was logging into the network at 4AM on a Wednesday
Also discovered logging disabled on a key firewall

MALICIOUS INSIDERS UNVEILED
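The following is an added example, not code from the slides or from Tripwire Log Center, tying together two points on the page: the "establish a baseline" challenge from the ALL LOGS CONSIDERED slide and the terminated admin's account seen logging in at 4AM in the customer story above. It builds a per-user baseline of login hours from a history of login events and then flags new logins that are outside that baseline, come from an account HR has reported as terminated, or belong to a user with no history at all. The login line format, the terminated-account list and all sample events are constructed.

```python
# Added example (not from the slides or Tripwire Log Center): a per-user login
# baseline plus a terminated-account check. Log format and data are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed: accounts HR has reported as terminated. Slide 13 says to
# deactivate access on termination; this catches the case where that failed.
TERMINATED_ACCOUNTS = {"oldadmin"}


def parse_logins(text: str) -> list:
    """Parse constructed lines of the form '<iso-ts> <user>' into (datetime, user) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user = line.split()
        events.append((datetime.fromisoformat(ts), user))
    return events


def build_baseline(events) -> dict:
    """Map each user to the set of hours-of-day at which they logged in historically."""
    baseline = defaultdict(set)
    for ts, user in events:
        baseline[user].add(ts.hour)
    return dict(baseline)


def evaluate(events, baseline) -> list:
    """Return (timestamp, user, reason) for each login that deviates from the baseline."""
    findings = []
    for ts, user in events:
        if user in TERMINATED_ACCOUNTS:
            findings.append((ts, user, "terminated account in use"))
        elif user not in baseline:
            findings.append((ts, user, "no baseline for user"))
        elif ts.hour not in baseline[user]:
            findings.append((ts, user, "login outside baseline hours"))
    return findings


# Constructed history: alice and bob both work daytime hours.
HISTORY = """\
2014-03-31T08:05:00 alice
2014-03-31T13:10:00 alice
2014-04-01T09:00:00 alice
2014-04-02T17:30:00 alice
2014-03-31T07:55:00 bob
2014-04-01T08:20:00 bob
2014-04-02T16:45:00 bob
"""

# Constructed new events for Wednesday 2014-04-09: a 4AM login by alice, a login
# by a terminated account, a normal login by bob, and a user with no history.
NEW_EVENTS = """\
2014-04-09T04:05:00 alice
2014-04-09T04:00:00 oldadmin
2014-04-09T08:10:00 bob
2014-04-09T10:00:00 carol
"""

if __name__ == "__main__":
    baseline = build_baseline(parse_logins(HISTORY))
    for ts, user, reason in evaluate(parse_logins(NEW_EVENTS), baseline):
        print(f"{ts.isoformat()} {user}: {reason}")
```

Hour-of-day granularity is deliberately coarse so a short history produces a usable baseline; with weeks of data the bucket can be refined to (weekday, hour), and the baseline should be rebuilt on a schedule so that it tracks legitimate changes in working patterns rather than freezing the first week observed.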


Slide 28: CUSTOMER STORY: DON’T TREAD ON ME
Deployed PoC of Tripwire Log Center and Tripwire Enterprise at a large tire retailer
Discovered a backdoor set up by a terminated employee that was actively being accessed

MALICIOUS INSIDERS UNVEILED


Slide 29: RESPOND
Implement secure backup and recovery processes
Quickly audit user’s network behavior
Develop an insider incident response plan (inter-departmental)



Slide 30: I’m On A Boat!
Network Admin Hacked Navy—While on an Aircraft Carrier
http://www.wired.com/2014/05/navy-sysadmin-hacking/


Slide 31: INSIDER THREAT KILL CHAIN
Insider Timeline



Slide 32: Questions?
Ken Westin
kwestin@tripwire.com
Twitter: @kwestin

