A Holistic Approach to Insider Threats
Terry Roberts
TASC Vice President, Cyber Engineering and Analytics
INSA Cyber Council Chair
FOSE 2014 | May 13 – 15, 2014
© 2014 TASC, Inc. | TASC.COM
© 2013 TASC, Inc. | TASC Proprietary

Cyber Security Evolution
[Figure: timeline of threats and defensive approaches by era.]
Eras:
• 1988 – 1995: Perimeter Defense
• 1996 – 2002: Defense in Depth
• 2003 – 2010: Automatic Data Collection
• 2011 – Future: Actionable Intelligence, Threat Indicator Sharing, Data Analytics
The Threat (examples shown):
• Cyber Mischief: “The Morris Worm”, “Code Red”, “Slammer”
• Cyber Crime: “Kevin Mitnick”, “Russian Business Network”
• Cyber Espionage: “Titan Rain”, “Google Aurora”, “APT”
• Cyber War: “Stuxnet”
• Cyber Hacktivism: “Anonymous”
The Solution (layers shown):
• Cyber Intelligence
• Data Collection (SIEM)
• Vulnerability Management
• Incident Response
• Intrusion Detection
• Anti-Virus
• Firewall

Cybersecurity Mission Space
[Figure: six mission areas with descriptive callouts.]
Mission areas:
• Insider Threat Detection and Prevention
• Defensive Operations and Security Management
• Policies and Standards
• Workforce Development
• Secure Software and Systems Engineering
• Cyber Intelligence
Callouts:
• Active defensive operations at the system, network, enterprise, and critical infrastructure levels
• Conduct baseline vulnerability assessment, ensure continuous monitoring and analytics, T&E
• Risk management and security policies, plans, and key standards
• Understand the bad actors, techniques, trends and targets, with context and impact
• Art and science of “baking in” assurance
• Workforce continually the right skills, insights, and abilities to conduct cyber missions and develop secure systems

Cyber Security + Cyber Intelligence Together = 360 Approach
Cyber Security: Network focused: Reactive, additive – perimeter centric approach
• Intrusion Detection
• Firewalls
• Anti-Virus
• Event Response
• SIEM
• Anti-Phishing
• Einstein
Cyber Intelligence: External focused: Continuous global situational awareness – prevention of intrusions
• Data and Trends Collection
‒ Gathering all available data
• Situational Awareness
‒ A big picture understanding of what’s happening across the global network
• Indications and Warnings
‒ Indications of potential threat or vulnerability
• All-Source Analysis
‒ Fusion of all available data to form actionable intelligence
Must have a resilient network and know what is coming at you from any direction

Insider Program is Integral to Your Risk Management Cycle
[Figure: risk management cycle. Recoverable labels:]
• Physical and network threats
• Insider actions
• Organization’s Environment
• Organizational risk framework and processes
• Identify: physical, systemic, process and insider gaps/risks
• Provide: Situational awareness, indications and warning, and vulnerability analysis
• Create standards, policies and technologies that provide resiliency and mission assurance
• Determine: Impact of implemented remediation/solutions with measures/metrics

Impact of Insider Threat Defined
• Most damaging U.S. counterintelligence failures perpetrated by a trusted insider with ulterior motives
– On average, insiders convicted of espionage have been active for a number of years before being caught
• An insider threat arises when a person with authorized access to corporate or U.S. Government resources uses that access for personal gain or to harm the corporation or security of the U.S.
– Resources may include personnel, facilities, information, equipment, networks, and systems
• Today, more information can be carried out the door on removable media in a matter of minutes than the sum total of what was given to our enemies in hard copy throughout U.S. history
• Malicious insiders can inflict incalculable damage and can compromise our nation's most important corporate or U.S. Government endeavors
Implement comprehensive, risk-based security strategy to protect critical assets against threats from inside and outside the enterprise, with all employees understanding the stakes of system compromise and loss or exposure of critical data
¹ CMU/SEI-2012-TR-012; Common Sense Guide to Mitigating Insider Threats, 4th Edition
The National Counterintelligence Executive, Mr. Robert Bryant, noted: "Insider threats remain the top counterintelligence challenge to our community."
According to a CMU study¹ of insider threat cases through 2012: top six sectors most frequently affected:
• Banking and finance
• Information technology
• Government: state and local
• Healthcare and public health
• Commercial facilities
• Federal government
Top patterns of insider threat:
• Fraud
• Theft of intellectual property
• IT sabotage
• Miscellaneous

The Challenge: Insiders are often aware of their organization’s vulnerabilities
• Organizations often lack:
– A holistic view of insiders who may commit fraud, sabotage or theft of intellectual property
– The resources and expertise to thwart efforts to steal critical intellectual property
– Insider threat assessment and prevention as an enterprise function, even for well-trained and well-staffed security professionals
• TASC is partnering with the Carnegie Mellon University (CMU) CERT Program²
– CMU CERT researched how each victim organization could have prevented the attack or achieved early detection, through an optimal combination of widely accepted best practices
• Optimal insider threat approach is:
– A baseline vulnerability assessment across your organization to determine your preparedness to prevent, detect and respond to insider threats
– A deterrence and detection offering that provides a socio-technical best practice based insider threat assessment program
– A 360 degree behavioral-based body of knowledge and practice, unlike technology and tool-only solutions that do not effectively blend the human element and organizational practices
– Derived from exclusive utilization of the U.S.’s largest database of known insider threat occurrences
² CERT is a registered mark owned by Carnegie Mellon University and part of its Software Engineering Institute

CMU CERT Insider Threat Center Objective
Know your risk, integrate a tailored framework and tools and drive continuous transparency to key personnel
© CMU, Software Engineering Institute

ITVA at a Glance
• Objective
– Measure and assess organization’s level of preparedness to address insider threats
– Enable organizations to reduce exposure to damage from potential insider theft, sabotage, fraud and espionage
• Artifacts
– Pre-assessment presentation and questionnaires
– Set of workbooks based on vulnerabilities and incidents identified in the CERT case library
• Approach
– Document review
– Organizational interviews at all levels
– Observations or demonstrations of process reviews
• Outcome
– Confidential report of findings, results and recommendations
– Complete suite of follow-on offerings and related services from TASC
Types of Insider Threats: FRAUD, INTELLECTUAL PROPERTY THEFT, IT SABOTAGE, ESPIONAGE
Why TASC?: TRUSTED ADVISOR, CMU CERTIFIED, RICH HISTORY OF P2E, UNIQUE ACCESS TO ITVA DATA
Objective: Impact insider threat access and damage in the digital age

Insider Threat Assessment Scoping: To Your Unique Organization and Mission
[Figure: assessment scoping diagram. Recoverable labels:]
• Organization Mission; Critical Services; Business Processes
• Critical Assets: People, Info, Tech, Facilities, each labeled Protect and Sustain
• Resilience Management in the Life Cycle: Plan, Design, Acquire, Develop, Deploy, Operate, Retire; Asset in Production
• ITVA Workbooks: Human Resources, Data Owners, IT, Software Engineering, Physical Security, Trusted Business Partners, Legal
• Insider Threat Assessment Process: Assessment Planning, Pre-Assessment, Onsite Assessment, Post-Assessment; durations shown: 5-10 days, 4-6 weeks, 3-5 days, 5-10 days
© CMU, Software Engineering Institute

The Process and Results
• Multidisciplinary TASC team plans and then executes an assessment using a 360-degree approach, resulting in a tailored risk management plan for the customer
– Review processes and procedures
– Executive interviews
– Findings of issues and risks
– High level recommendations
– Scorecard of categories related to insider threat
• The ITVA covers seven primary focus areas
– Info tech/info security
– Software engineering
– Data owners
– Human resources
– Physical security
– Legal/contracting
– Trusted business partner management
• Implementation service of risk remediation or mitigation are secondary offerings
– For vulnerabilities and recommendations disclosed and included in the risk management plan
– Process and procedure revisions
• Ongoing customer care (continuous service) is a secondary offering
– Prevention, response, mitigation, ongoing training
RISK ASSESSMENT
R/H: HIGH – Unacceptable. Major disruption likely. Different approach required. Priority management attention required.
Y/M: MODERATE – Some disruption. Different approach may be required. Additional management attention may be needed.
G/L: LOW – Minimum impact. Minimum oversight needed to ensure risk remains low.
Risk matrix (rows: LIKELIHOOD, columns: CONSEQUENCE):
      a  b  c  d  e
  e   M  M  H  H  H
  d   L  M  M  H  H
  c   L  L  M  M  H
  b   L  L  L  M  M
  a   L  L  L  L  M
A typical assessment takes a cross-functional team of 4 people 3 weeks

INSA Insider Threat Task Force
• A Preliminary Examination of Insider Threat Programs in the U.S. Private Sector
• Intelligence and National Security Alliance (INSA) Insider Threat Task Force, September 2012
• Provides preliminary benchmark of private sector insider threat programs

Process – INSA Insider Threat Task Force
• Interviewed 13 companies - mostly large, national or global
– IT services and consulting firms
– Financial institutions
– Technology vendors
– Aerospace and defense organizations
– Research institutions
– Data analytics providers
• Conducted online survey of 71 organizations from the financial sector

Major Findings
• Just over half of the organizations interviewed and 25% in the financial sector have an insider threat program; many are technology-focused
• A program cannot succeed without senior leadership support
• Only 5 companies interviewed and less than half in the financial sector have an insider threat incident management plan
• Over half of the organizations have an awareness program related to insider threat
• An effective insider threat program requires the entire organization working together:
– Information security
– Human resources
– General counsel
– Counterintelligence
– Information technology
– Public relations
– Ethics
– Executive management

The Impact
[Figure: assessment cycle. Recoverable labels:]
• CONDUCT VULNERABILITY ASSESSMENT: Independent/unbiased/best practice
• IDENTIFY VULNERABILITIES: Based on 160 controls
• FOCUSED MITIGATION RECOMMENDATIONS: Based on 800 case knowledge base
• ANALYZE AND CERTIFY COMPLIANCE: Tailored to customer needs
• REPORTING AND ALERTS: Strategic updates to CMU body of knowledge, continuous monitoring, notification of emerging threats
Know where your organizational risks are and how to effectively address them

Learn more, contact us…
Terry Roberts
VP Cyber Engineering and Analytics
(202) 314-1132
[email protected]
Luis Cruz-Rivera
Technical Director, Cyber and IT Division
(202) 203-3041
[email protected]