Column
Insider threat monitoring is enhanced by asset relevance

Today, it is very rare to attend a security conference, read a security book or even have a discussion with a security vendor without insiders being addressed. It seems we’ve hit a turning point where more businesses are finally viewing security as government organisations have done for years. However unappealing the idea, threats will be generated from the inside. But how can the insider threat be prevented?

Brian Contos, Arcsight

There are a lot of solutions around insider threats. Technology has been designed to prevent insiders. These solutions are incredibly difficult to scale because insiders have two things that external attackers don’t: trust and legitimate access. And, at some point, certain people will need access to sensitive assets in order to do their jobs – including those that may be malicious. Thus, prevention alone will never work.

Technology is also designed to detect insiders. Monitoring balances out the shortcomings of prevention; it is focused on correlating events, detecting anomalous behaviour and looking for unusual patterns.

Businesses have invested in prevention and detection technologies, and many have also taken the additional, necessary steps to ensure that their incident response program is effective. For example, the incident response team may have gotten executive support and stakeholder involvement from managers, legal, human resources, IT, facilities, etc. They may have written policies and procedures, integrated alerting and escalation into their investigation process, conducted awareness campaigns, and educated and trained their users. But there is a piece that seems to be consistently missing from these programs time and again. The missing piece is an accurate and up-to-date asset database. Having an understanding of business asset relevance greatly assists in clarifying the potential severity of the insider’s actions.
Asset information is always important, even if we’re talking about an external attacker trying to get through a firewall. However, it is especially important with insiders because they have a far broader and deeper reach than an external attacker. They can commit surreptitious activity more quickly, and because being a malicious insider has very low technical barriers to entry, virtually anybody can become one. It doesn’t take a super hacker to plug in some removable media, start copying information, and walk out the door with gigabytes of intellectual property ten minutes later. Because the reach is so far beyond the perimeter firewall, an asset inventory is essential in understanding the risk that an insider may have placed on the business. Getting this information into a centralised event monitoring system where it can do the most good has become more common over the last few years. By using data feeds from a multitude of
solutions that a business may already own, they can populate an asset database and allow that information to be used by the event monitoring system. The asset population process varies, but often consists of the event monitoring system receiving feeds from:

• Network discovery tools
• Vulnerability scanners
• Data classification systems
• Content management systems
• Configuration Management Databases (CMDB)
• Purpose-built asset tracking/accounting systems
• RFID and GPS
• Proprietary solutions

Having this information automatically populated provides a holistic perspective of the environment regarding:

• Business relevance
• Mission-criticality
• Sensitivity of information
• Associations with regulatory compliance
• Ownership
• Geography
• Technical specifications such as operating system, applications and vulnerabilities

Armed with this asset information, the business has a better understanding of its risk posture and can decide to accept, mitigate or manage the risk. It is impossible to understand the potential damage that an insider may have caused, or to make educated decisions about what to do next, without a complete understanding of asset relevance.

A practical insider threat management program will consider people, process and technology. The technology used will consist of incident prevention, detection and response capabilities. To be able to understand the potential severity of any attack, but especially one from an insider, up-to-date and accurate asset information must be readily available within the event monitoring system.
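The enrichment the column describes, as an added example that is not code from the column or from Arcsight: a small Python model of an asset database populated from three of the feed types listed above (CMDB, data classification, vulnerability scanner), then used to weight insider-activity events by the relevance of the asset each one touched. The feed records, hostnames, users, events and scoring weights are all constructed for this illustration and are assumptions of the example, not a published scheme.

```python
from dataclasses import dataclass, field

# Constructed feed records (not real hosts), keyed by hostname, in the shape a
# central event monitoring system might receive from the sources the column lists.
CMDB_FEED = [  # configuration management database: ownership, mission-criticality
    {"host": "fin-db-01", "owner": "finance", "mission_critical": True},
    {"host": "dev-ws-17", "owner": "engineering", "mission_critical": False},
    {"host": "hr-app-02", "owner": "hr", "mission_critical": True},
]
CLASSIFICATION_FEED = [  # data classification system: sensitivity, regulatory ties
    {"host": "fin-db-01", "sensitivity": "confidential", "regulations": ["SOX"]},
    {"host": "hr-app-02", "sensitivity": "restricted", "regulations": ["DPA"]},
]
SCANNER_FEED = [  # vulnerability scanner: operating system, open high-severity findings
    {"host": "fin-db-01", "operating_system": "Linux", "high_vulns": 2},
    {"host": "dev-ws-17", "operating_system": "Windows", "high_vulns": 0},
]

# Weights below are assumptions of this example, not a published scoring scheme.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}
EVENT_BASE = {"removable_media_copy": 3, "bulk_download": 2, "after_hours_login": 1}


@dataclass
class Asset:
    host: str
    owner: str = "unknown"
    mission_critical: bool = False
    sensitivity: str = "internal"
    regulations: list = field(default_factory=list)
    operating_system: str = "unknown"
    high_vulns: int = 0

    def relevance(self) -> int:
        """Business relevance: sensitivity, criticality, regulation, exposure."""
        score = SENSITIVITY_WEIGHT.get(self.sensitivity, 1)
        if self.mission_critical:
            score += 3
        score += 2 * len(self.regulations)
        score += min(self.high_vulns, 3)  # cap so scanner noise cannot dominate
        return score


def build_asset_db(*feeds):
    """Merge per-host records from any number of feeds into one asset database.

    Later feeds overwrite earlier ones for the same attribute, so pass feeds
    from least to most authoritative.
    """
    db = {}
    for feed in feeds:
        for rec in feed:
            asset = db.setdefault(rec["host"], Asset(host=rec["host"]))
            for key, value in rec.items():
                if key != "host":
                    setattr(asset, key, value)
    return db


def score_event(event, asset_db):
    """Combine an event's base severity with the relevance of the asset it touched."""
    base = EVENT_BASE.get(event["type"], 1)
    asset = asset_db.get(event["host"])
    result = dict(event, base=base)
    if asset is None:
        # The gap the column warns about: with no inventory entry the monitoring
        # system can only fall back to the event's own weight.
        result.update(severity=base, relevance=None, note="asset not in inventory")
        return result
    rel = asset.relevance()
    result.update(severity=base * (1 + rel), relevance=rel, owner=asset.owner,
                  regulations=list(asset.regulations))
    return result


def triage(events, asset_db):
    """Return events scored and ordered from most to least severe."""
    return sorted((score_event(e, asset_db) for e in events),
                  key=lambda r: r["severity"], reverse=True)


# Constructed events from user activity monitoring (not real users).
EVENTS = [
    {"user": "jsmith", "host": "dev-ws-17", "type": "removable_media_copy", "bytes": 4_000_000_000},
    {"user": "jsmith", "host": "fin-db-01", "type": "bulk_download", "bytes": 900_000_000},
    {"user": "alee", "host": "lab-vm-09", "type": "after_hours_login", "bytes": 0},
]

if __name__ == "__main__":
    db = build_asset_db(CMDB_FEED, CLASSIFICATION_FEED, SCANNER_FEED)
    for r in triage(EVENTS, db):
        print(f"{r['severity']:>3}  {r['type']:<21} {r['host']:<10} {r.get('note', '')}")
```

Run stand-alone, the script shows why the column insists on the asset database: judged by event type alone, the 4 GB removable-media copy on a developer workstation outranks the smaller download from the finance database, but once asset relevance (confidential, mission-critical, SOX-related, with open high-severity findings) is applied the ordering flips. The third event lands on a host that no feed knows about and is flagged accordingly, which is exactly the blind spot an incomplete inventory leaves in response.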
INFOSECURITY EUROPE 2007