Insider Threats


Transcript Insider Threats

Securing Your Campus Against Data Loss and Internet Threats
Victor C. Lee
Director, Data Protection Marketing
June 2009
Agenda
• Introduction and Overview of Threats to Privacy
• Mass Web Hack Attacks
• Insider Threats
• Highlight: Two Trend Micro Solutions
  – Deep Security
  – LeakProof
June 2009
Copyright 2009 Trend Micro Inc.
You are under constant attack
External THREATS
• Volume of attacks increasing exponentially
• Hackers moving from disruption to profiteering
• Increasingly sophisticated malware seeking valuable corporate data
Internal THREATS
• Malicious insiders stealing company data
• Worried workers proactively downloading info
• Careless insiders losing private data and IP
• Increasing government regulations focusing on privacy
Source: Ponemon Institute, 2006 research study
The Impact of Data Loss
• Cost: $6.3M per breach*
• Loss of customers/business
• Brand damage
• Stock price decrease
• Regulatory fines
• Legal defense
• Notification and compensation
• Public relations & security response
* Ponemon Institute
What Types of Data Do Enterprises Want to Protect?
Privacy: Customer, Employee & Patient Data
• Account Information
• Credit Card Numbers
• Contact Information
• Health Information
Intellectual Property
• Source Code
• Engineering Specs
• Strategy Documents
• Pricing
Company Confidential
• Quarterly Results
• M&A Strategy
• CEO Internal Email
• Internal Conversations
Drivers: Regulatory Compliance, Competitive, Contracts, Reputation
Increased transparency makes privacy protection more difficult.
Privacy Threat Landscape: Top Threats
1. Malware – Get employees to unknowingly compromise internal systems
2. Hackers – Compromise web-based applications to access databases
3. Insider Threats – Malicious and accidental breaches of privacy data
Example: URLs instead of Attachments!
Mitigation Requires Cloud Based Correlation
[Diagram: a fake news video arrives by email; one click on the link leads to a compromised web site. Email Reputation, Web Reputation (URL, IP) and File Reputation (files) feed a common Threat Analysis, backed by TrendLabs and the Malware Database.]
2. Hackers: “Mass Web Hack”
Copyright 2009 Trend Micro Inc. © Third Brigade, Inc.
Multi-Pronged Attack
• Sophisticated attack - numerous kinds of exploits
• Six different kinds of exploits – in most cases:
  – SQL Injection
  – JavaScript Injection
  – Phishing
  – OS Vulnerability
  – Malware
  – Covert channel communication
• Added evasion techniques such as JavaScript obfuscation
The Attack
[Diagram of the attack chain:]
1a. SQL Injection against the website
1b. Malicious code injected into the website: <IFRAME src="xyz.com/1.js">
2a. Victim visits the website
2b. Browser parses the injected code
3a. Redirected to malicious site
3b. Exploit unpatched vulnerability
4. Command & Control
5. Passwords, sensitive data
Mitigation Strategies (attack steps 1a/1b: SQL injection, malicious code injected into the website)
Step: 1. Protect the web site
Proactive:
• Fix application code
• Host/Network-based IDS/IPS
• App Firewall
Reactive:
• Monitor database content for changes
• FIM/Change Mgmt
Comments:
• Google searches can be used to locate vulnerable sites; bots can also be used
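The reactive control "Monitor database content for changes" targets step 1b, where injected markup such as the `<IFRAME src="xyz.com/1.js">` from the attack diagram ends up in database fields that the site later renders. The script below is an added example, not Trend Micro's or Third Brigade's code: it scans text columns for `<script>`/`<iframe>` sources that point outside an assumed allow-list of the site's own hosts. The allow-list hosts and the sample rows are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately references in its own markup (assumed allow-list).
ALLOWED_HOSTS = {"www.example-campus.edu", "cdn.example-campus.edu"}


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):          # HTMLParser lowercases tag names
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append((tag, value.strip()))


def _host_of(src):
    """Host a src attribute refers to, or '' for a same-site relative path."""
    if "//" in src:                              # scheme://host/... or //host/...
        return (urlparse(src).hostname or "").lower()
    first = src.split("/", 1)[0]
    # "xyz.com/1.js" is technically a relative path, but a dotted first
    # segment is exactly the shape the injected IFRAME on the slide uses.
    return first.lower() if "." in first else ""


def find_external_refs(text):
    """Return (tag, src, host) for each script/iframe source not on the allow-list."""
    parser = _SrcCollector()
    parser.feed(text)
    hits = []
    for tag, src in parser.sources:
        host = _host_of(src)
        if host and host not in ALLOWED_HOSTS:
            hits.append((tag, src, host))
    return hits


def scan_rows(rows):
    """rows: iterable of (row_id, column, text), e.g. from a query over the CMS tables."""
    findings = []
    for row_id, column, text in rows:
        for tag, src, host in find_external_refs(text):
            findings.append({"row": row_id, "column": column,
                             "tag": tag, "src": src, "host": host})
    return findings


# Constructed sample rows standing in for real database content.
SAMPLE_ROWS = [
    (101, "news.body", "<p>Registration opens Monday.</p>"),
    (102, "news.body", '<p>See <a href="/calendar">calendar</a></p><IFRAME src="xyz.com/1.js">'),
    (103, "page.html", '<script src="https://cdn.example-campus.edu/app.js"></script>'),
    (104, "page.html", '<script src="js/local.js"></script>'
                       '<iframe src="//evil.invalid/f.html"></iframe>'),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"row {f['row']} {f['column']}: <{f['tag']} src={f['src']!r}> -> {f['host']}")
```

Run against a periodic dump of the columns the site renders, a non-empty result is the change the table asks you to watch for; pairing it with a baseline of expected rows turns it into the FIM-style check listed beside it.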
Mitigation Strategies (attack steps 2a/2b: victim visits the website, browser parses the injected code)
Step: 2. Detect outbound from webserver and protect browser
Proactive:
• Turn off or control parsing of JavaScript
• Host/Network-based IDS/IPS
• App Firewall
Reactive:
• Host/Network-based IDS/IPS
• App Firewall
Comments:
• Client may be outside of your control
Mitigation Strategies (attack steps 3a/3b: redirected to malicious site, exploit unpatched vulnerability)
Step: 3. Protect system
Proactive:
• Host/Network-based IDS/IPS
• Block access to ‘known bad’ domains
• Patch systems
• Anti-virus
Reactive:
• Host/Network-based IDS/IPS
• FIM
Comments:
• IPs and domains used change rapidly
Mitigation Strategies (attack steps 4/5: command & control, passwords and sensitive data)
Step: 4. Monitor and detect malware
Proactive:
• Host/Network-based IDS/IPS
• Anti-virus
Reactive:
• Re-image systems
• Host/Network-based IDS/IPS
• FIM
Comments:
• Update AV until it detects
• Always check for the ‘worst case’
3. The Insider Threat
Insider Threats: Market Dynamics
Economic Uncertainty Increases Risk
Insider Threats Increase
Survey question: If you thought your job was at risk would you, as a pre-emptive move, download company/competitive information?
Source: Cyber-Ark Survey, Nov 2008
Ex-Workers/Fired Workers
According to the 2009 Ponemon Data Loss Study, nearly 60% of ex-employees admitted to taking company data.
Regulatory Requirements Proliferating
The Importance of Endpoint Protection
Top Threat Vectors of Concern:
• USB
• Corporate email
• Email on the public Internet
• WiFi
• CD / DVD
• PDA
• Bluetooth / infrared
• Printer
Many of these concerns can ONLY be addressed via endpoint intelligence.
Source: Market Research International
DLP Technology Must Haves…
• Off network enforcement and device control
• Online/Offline policies
• Policy reinforcement and education
• Optimized endpoint fingerprinting
• Full and partial fingerprint matching
• Discovery of data at rest
• Real-time content scanning of sensitive data
• Smart identifiers (i.e. SSN, DOB, account numbers)
• Regulatory compliance templates (PCI, HIPAA)
• Language independence
• Centralized management
Deploying DLP
[Diagram: the LeakProof Security Management Server and DataDNA console sit on the INTERNAL NETWORK; Anti-Leak Clients run on endpoints on the intranet, in a branch office reached over VPN, and offline. Content repositories (Document Management Server, File Server, Source Control Server, Customer Info Database) carry classification labels such as Private and Secret; the EXTERNAL NETWORK side shows the Internet and removable media as channels.]
1. Data classified, DLP policy configured
2. If fingerprints required, content repositories scanned
3. Policy & fingerprints pushed to clients
4. Violations detected, logged & reported; endpoints scanned
Trend Micro Data Protection
Threat: Malware
• Description: Get employees to unknowingly compromise internal systems
• Mitigation requires: Cloud based correlation of web, file, email reputation
• Trend Micro solutions: Endpoint Security: OfficeScan with Smart Protection Network
Threat: Hackers
• Description: Compromise web-based applications to access databases
• Mitigation requires: Web application protection, Host-Based IDS/IPS (HIPS)
• Trend Micro solutions: Deep Security: Deep Packet Inspection, Server Firewall
Threat: Insider Threats
• Description: Malicious and accidental breaches of privacy data
• Mitigation requires: Endpoint-based content filtering / Data Loss Prevention (DLP)
• Trend Micro solutions: LeakProof, Email Encryption
Trend Micro Data Protection Solutions (now with Deep Security)
Data Security + Content Security
On-Premise + Cloud-based Solutions
• Email Reputation
• Web Reputation
• File Reputation
With Global Threat Feedback
Addressing Hackers: Deep Security
Modules:
• Deep Packet Inspection: IDS/IPS, Web Application Protection, Application Control
• Firewall
• Integrity Monitoring
• Log Inspection
Deep Packet Inspection
IDS/IPS
– Vulnerability rules: shield known vulnerabilities from unknown attacks
– Exploit rules: stop known attacks
– Smart rules: zero-day protection from unknown exploits against an unknown vulnerability
– Microsoft Tuesday protection is delivered in sync with public vulnerability announcements
– On the host/server (HIPS)
Web Application Protection
– Enables compliance with PCI DSS 6.6
– Shield vulnerabilities in custom web applications, until code fixes can be completed
– Shield legacy applications that cannot be fixed
– Prevent SQL injection, cross-site scripting (XSS)
Application Control
– Detect suspicious inbound/outbound traffic such as allowed protocols over non-standard ports
– Restrict which applications are allowed network access
– Detect and block malicious software from network access
Integrity Monitoring
Monitors files, systems and registry for changes
• Critical OS and application files (files, directories, registry keys and values, etc.)
• On-demand or scheduled detection
• Extensive file property checking, including attributes (PCI 10.5.5)
• Monitor specific directories
• Flexible, practical monitoring through includes/excludes
• Auditable reports
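To show what the integrity-monitoring bullets above amount to in practice, here is an added example (my own code, not Deep Security's implementation): a baseline of hashes and file properties for an include/exclude-scoped directory tree, compared on demand to report added, removed and modified files. The `demo()` function builds a throwaway tree and tampers with it; the directory layout and file contents are constructed.

```python
import hashlib
import os
import stat
import tempfile


def _file_record(path):
    """Hash plus the file properties worth alerting on (mode, size, mtime)."""
    st = os.lstat(path)
    rec = {"mode": stat.S_IMODE(st.st_mode), "size": st.st_size,
           "mtime": int(st.st_mtime), "sha256": None}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
    return rec


def build_baseline(root, includes=("",), excludes=()):
    """Walk root; record every file whose root-relative path starts with an
    include prefix and no exclude prefix (the includes/excludes of the slide)."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not any(rel.startswith(i) for i in includes):
                continue
            if any(rel.startswith(e) for e in excludes):
                continue
            baseline[rel] = _file_record(full)
    return baseline


def compare(baseline, current):
    """Return (kind, path, changed_properties) tuples, sorted by path."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            changes.append(("added", rel, None))
        elif new is None:
            changes.append(("removed", rel, None))
        else:
            # mtime is recorded for the report but not used as a trigger on its own
            diff = [k for k in ("sha256", "mode", "size") if old[k] != new[k]]
            if diff:
                changes.append(("modified", rel, diff))
    return changes


def demo():
    """Constructed scenario: baseline a temp tree, tamper with it, report."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "log"))
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0\n")
    with open(os.path.join(root, "etc", "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    with open(os.path.join(root, "var", "log", "app.log"), "w") as f:
        f.write("noise\n")
    scope = {"includes": ("etc",), "excludes": ("var/log",)}
    baseline = build_baseline(root, **scope)
    # Tamper: append to a monitored file, drop a new file in, and let the
    # excluded log grow (which must not be reported).
    with open(os.path.join(root, "etc", "passwd"), "a") as f:
        f.write("newuser:x:0:0\n")
    with open(os.path.join(root, "etc", "cron.d"), "w") as f:
        f.write("* * * * * /usr/local/bin/job\n")
    with open(os.path.join(root, "var", "log", "app.log"), "a") as f:
        f.write("more\n")
    return compare(baseline, build_baseline(root, **scope))


if __name__ == "__main__":
    for kind, path, props in demo():
        print(kind, path, props or "")
```

Scheduled runs of `compare()` against a stored baseline give the "on-demand or scheduled detection" the slide lists; the tuples it returns are what you would feed to the auditable report.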
Log Inspection
Getting visibility into important security events buried in log files
• Collects & analyzes operating system and application logs for security events
• Rules optimize the identification of important security events buried in multiple log entries
• Events are forwarded to a SIEM or centralized logging server for correlation, reporting and archiving
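The second bullet above is the heart of log inspection: one entry is noise, several related entries are an event. As an added example (not Deep Security's rule engine), the rule below folds repeated SSH authentication failures from one source into a single event and renders it as a JSON line ready to forward to a SIEM. The sshd-style log lines are constructed; the threshold and window are assumed tunables.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" lines in classic syslog format (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_ts(s, year=2009):
    return datetime.strptime(f"{year} {s}", "%Y %b %d %H:%M:%S")


def correlate_failed_logins(lines, threshold=5, window_seconds=60):
    """Rule: at least `threshold` failed SSH logins from one source IP inside
    any `window_seconds` span -> one 'ssh_bruteforce' event for that source."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            attempts[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    events = []
    for ip, tries in attempts.items():
        tries.sort()
        best = None                         # (count, start_idx, end_idx)
        for start in range(len(tries)):
            end = start
            while (end + 1 < len(tries) and
                   (tries[end + 1][0] - tries[start][0]).total_seconds() <= window_seconds):
                end += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, start, end)
        if best:
            n, start, end = best
            events.append({
                "rule": "ssh_bruteforce",
                "src_ip": ip,
                "count": n,
                "users": sorted({u for _, u in tries[start:end + 1]}),
                "first": tries[start][0].isoformat(),
                "last": tries[end][0].isoformat(),
            })
    return events


def to_forward_line(event):
    """One JSON object per line, the shape most SIEM collectors accept."""
    return json.dumps(event, sort_keys=True)


# Constructed sample log: six failures from one source in 11 seconds,
# one isolated failure elsewhere, plus unrelated noise.
SAMPLE_LOG = [
    "Jun 10 08:00:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 50110 ssh2",
    "Jun 10 08:00:03 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 50111 ssh2",
    "Jun 10 08:00:04 web01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2",
    "Jun 10 08:00:06 web01 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 50113 ssh2",
    "Jun 10 08:00:09 web01 sshd[4125]: Failed password for root from 203.0.113.7 port 50114 ssh2",
    "Jun 10 08:00:12 web01 sshd[4125]: Failed password for root from 203.0.113.7 port 50115 ssh2",
    "Jun 10 08:05:40 web01 sshd[4130]: Failed password for alice from 198.51.100.5 port 52001 ssh2",
    "Jun 10 08:05:52 web01 sshd[4130]: Accepted password for alice from 198.51.100.5 port 52001 ssh2",
    "Jun 10 08:06:00 web01 CRON[4140]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for ev in correlate_failed_logins(SAMPLE_LOG):
        print(to_forward_line(ev))
```

Alice's single typo stays below the threshold and is never forwarded, which is the "buried in multiple log entries" point: the rule carries the decision, not the individual line.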
Data Leak Prevention: LeakProof 5.0
• LeakProof 5.0 Standard: Privacy Protection & Regulatory Compliance
• LeakProof 5.0 Advanced: LeakProof Standard + Intellectual Property Protection
Both editions are managed by the LeakProof 5.0 Server.
LeakProof 5.0 Standard: Privacy Protection/Regulatory Compliance
Compliance templates:
• PCI
• SB-1386
• HIPAA
• GLBA
• US PII
Source Code Templates:
• C/C++
• Java
• C#
• Perl
• COBOL
• VB
HR Keyword Template:
• Adult
• Weapon
• Racism
Validators:
• LUHN checksum
• German Tax ID (eTIN)
• Social Security No.
• IBAN
• Credit Card Number
• US Phone number
• US Date
• Taiwan ID number
• ROK (South Korean) Reg. #
• SWIFT BIC
• France INSEE Code
• Spanish Fiscal Identification Number (NIF)
• Irish PPSN
• Norwegian Birth number
• Finnish ID
• UK Date
• UK NHS Number
• ISO Date
• Polish ID Number
• ABA Routing number
• HIC (Health Insurance Claim) Number
• Canadian Social Insurance #
• American Names
• PRC National ID
• National Provider Identifier (NPI)
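What separates a validator from a bare pattern is a check that rejects look-alikes, which is why the earlier must-have list calls them "smart identifiers". The code below is an added example of my own, not LeakProof's validators: three of the checks named above (LUHN checksum for credit card numbers, a structural Social Security number check, and the ABA routing number checksum) wired behind regexes so that a 16-digit order reference or a 9-digit ticket number is found by the pattern but dropped by the validator. The sample text and every number in it are constructed.

```python
import re


def luhn_ok(digits):
    """LUHN checksum over a string of digits (credit card numbers and others)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_ok(s):
    """Structural rules for a US SSN: area not 000/666/900-999, group not 00, serial not 0000."""
    m = re.fullmatch(r"(\d{3})-(\d{2})-(\d{4})", s)
    if not m:
        return False
    area, group, serial = m.groups()
    if area in ("000", "666") or area >= "900":
        return False
    return group != "00" and serial != "0000"


def aba_ok(digits):
    """ABA routing number: 9 digits, weighted sum with 3,7,1 repeating is 0 mod 10."""
    if not re.fullmatch(r"\d{9}", digits):
        return False
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(w * int(d) for w, d in zip(weights, digits)) % 10 == 0


# Pattern finds candidates; validator decides. Both halves are needed.
PATTERNS = {
    "credit_card": (re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
                    lambda s: luhn_ok(re.sub(r"[ -]", "", s))),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    "aba_routing": (re.compile(r"\b\d{9}\b"), aba_ok),
}


def scan(text):
    """Every regex candidate with its validator verdict: (kind, match, valid)."""
    findings = []
    for kind, (rx, validate) in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append((kind, m.group(0), validate(m.group(0))))
    return findings


def confirmed(text):
    """Only the candidates a validator accepted, which is what a policy should act on."""
    return [f for f in scan(text) if f[2]]


# Constructed sample: one real-looking value of each type next to a decoy.
SAMPLE = ("Card on file 4111 1111 1111 1111 exp 12/11; order ref 1234 5678 9012 3456. "
          "Applicant SSN 123-45-6789 (test record 000-12-3456 rejected). "
          "Routing 123456780, ticket 123456781.")

if __name__ == "__main__":
    for kind, value, ok in scan(SAMPLE):
        print(f"{kind:12} {value:22} {'confirmed' if ok else 'rejected by validator'}")
```

Half of the regex hits in the sample are decoys; acting only on `confirmed()` is what keeps a DLP policy from flooding the console with every long number in a spreadsheet.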
LeakProof 5.0 Advanced: Intellectual Property Protection via Unique Fingerprinting Technology
• Fast
• Small
• Accurate
• Language independent
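The slide names the properties of a document fingerprint but not a mechanism. As an added example of one way such fingerprints can work (illustrative shingling with hash sampling; not Trend Micro's DataDNA, whose internals the deck does not describe), the code below fingerprints documents as sampled hashes of character n-grams, which makes it small (only one in `MOD` grams is kept), language independent (no tokenizer, so it works on scripts without word spaces) and able to score both full and partial matches, the "full and partial fingerprint matching" from the must-have list. The protected specification, the leaking e-mail and the unrelated text are constructed; `K`, `MOD` and the thresholds are assumed tunables.

```python
import hashlib
import re

K = 10     # character-gram length (assumed tunable)
MOD = 4    # keep one gram in four, so the fingerprint stays small


def _normalize(text):
    return re.sub(r"\s+", " ", text.casefold()).strip()


def _gram_hash(gram):
    return int.from_bytes(hashlib.sha1(gram.encode()).digest()[:8], "big")


def fingerprint(text):
    """Set of sampled K-gram hashes. Sampling by hash value picks the same grams
    in every document, so fingerprints of copied passages line up."""
    t = _normalize(text)
    hashes = {_gram_hash(t[i:i + K]) for i in range(len(t) - K + 1)}
    return {h for h in hashes if h % MOD == 0}


def containment(candidate_fp, protected_fp):
    """Fraction of the candidate's sampled grams that appear in the protected doc."""
    if not candidate_fp:
        return 0.0
    return len(candidate_fp & protected_fp) / len(candidate_fp)


def classify(candidate, protected_fps, partial=0.3, full=0.9):
    """Return (label, best_matching_name, score) for an outbound document."""
    cfp = fingerprint(candidate)
    score, name = max(((containment(cfp, fp), n) for n, fp in protected_fps.items()),
                      default=(0.0, None))
    label = "full" if score >= full else "partial" if score >= partial else "none"
    return label, name, score


# Constructed protected document (the kind of IP the Advanced edition targets).
SPEC = (
    "Project Falcon battery controller, revision 3. The charge regulator limits "
    "cell voltage to 4.18 V and derates current above 42 C using the lookup table "
    "in section 7. Firmware images are signed with the release key held by the "
    "hardware team; the bootloader refuses unsigned images and logs the attempt. "
    "Telemetry frames are 64 bytes with a CRC-32 trailer and are sent every 250 ms "
    "over the isolated CAN bus. Field units report pack impedance once per hour. "
    "The thermal model assumes an ambient range of minus 20 to 55 degrees."
)
PROTECTED = {"falcon_spec": fingerprint(SPEC)}   # built at step 2 of "Deploying DLP"

# Constructed outbound e-mail: new wording wrapped around a verbatim excerpt.
EMAIL_WITH_EXCERPT = (
    "Hi Bob, as discussed on the call this morning, here is the relevant part of "
    "the document. Please keep it between us until the review on Friday and do not "
    "forward it to the supplier yet. Thanks, Alice.\n\n" + SPEC[:420]
)
UNRELATED = ("Cafeteria menu for Tuesday: tomato soup, grilled cheese, green salad, "
             "apple crumble. Vegetarian options at the second counter.")

if __name__ == "__main__":
    for name, doc in (("spec itself", SPEC), ("email", EMAIL_WITH_EXCERPT), ("menu", UNRELATED)):
        print(name, classify(doc, PROTECTED))
```

Only the fingerprint set leaves the server, so the client can score outbound content offline (the "off network enforcement" must-have) without ever holding the protected text itself.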
LeakProof 5.0 Product Components
LeakProof Client
• Intelligent – Fingerprint, Regex, Keyword, Meta-data
• Small Footprint
• Invisible
• Independent
• Robust
• Functions: Discover, Monitor, Educate/Self Remediation, Protect
LeakProof Server
• Centralized Management
• Policy
• Visibility
• Workflow
Example policy reinforcement message shown to the user: ACME Customer Privacy Protection
“Employees of ACME are expected to protect sensitive information containing customer information such as names, account numbers, social security numbers etc. Please report any … Call the helpdesk or email.”
Protecting Privacy: What To Do?
DO’s
• Identify top Privacy Data, Location, and Channel (Threat)
• Engage data/information owners
• Understand what regulations are on the horizon
• Start monitoring/discovering privacy data usage
DON’Ts
• Try to boil the ocean – classify everything, everywhere
• Monitor or prevent EVERY possible threat
• Forget to address people/process improvements
[Diagram labels, data types and channels: Legal Cases; WebMail/USB; Privacy; Email; Legal Cases; Desktop/Laptop; Citizen Data; Web Apps]
Think Again….You May Qualify for a Free Threat Assessment
Trend Micro Tabletop Display
• What’s being offered?: We are offering a free, no obligation assessment of your enterprise network to qualified applicants!
• What do I get?: You will receive a two week trial of the Threat Detection portion of the Threat Management Solution. We even provide onsite installation!
• How does it benefit me?: We will provide a detailed executive report which shows actual vulnerabilities and penetrations of your network, down to the individual PC level. We will provide advice about how to close any security holes we find. No purchase required.
• If you think your network is safe – THINK AGAIN!
Questions and Discussion