Insider Threat!!! What does the US Department of Defense want?
Lan Nguyen, Co-founder, Veramine Inc.
Veramine Inc. Advanced Endpoint Security
Outline
- About Insider Threat
  - Definition and research
  - Motivations and statistics
  - US military cases: Snowden and others
  - US Government and DoD measures
- Solutions to Insider Threat:
  - Public information and Veramine projects with US DoD, DHS and Air Force
  - Strongly supported by solutions for external threats, i.e. EDR and Deception
  - UAM, UEBA: detections by AI, rules, and controls over data, users and devices
  - Forensics and logs: collecting artifacts; variety, detail, real time, filtered
  - Incident response actions on hosts, users… Threat hunting with Yara and search

About Insider Threat
Definition of Insider Threat (Wikipedia):
- malicious to an organization
- comes from people within the organization
- who have inside information about the organization's IT systems
- involves fraud or theft of confidential or commercially valuable information
- or theft of intellectual property, or sabotage of computer systems
Research: CERT Insider Threat Center of Carnegie Mellon University
- database of 850+ insider threat cases, including fraud, theft and sabotage
- blog to help organizations defend themselves against insider crime
- Insider Threat Test Datasets for data analysis and machine learning: https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508099

About Insider Threat (figure-only slide)

Motivations
2,500 internal security breaches occurring in US businesses every day (https://www.isdecisions.com/insider-threat/statistics.htm)

Motivations
According to insider threat statistics from a Ponemon Institute study, accidental insider threats cost roughly $283,000 per incident, but due to their frequency these incidents add up to $3.8 million per year, per organization.

Motivations
The figures come from Verizon's Insider Threat Report, a report released this week that reframes data from the company's 2018 Data Breach Investigations Report (DBIR).

Edward Snowden Case
- was a Central Intelligence Agency (CIA) employee and subcontractor
- given full administrator privileges with virtually unlimited access to NSA data
- copied and leaked thousands of highly classified documents from the National Security Agency (NSA) in June 2013
- the disclosures revealed numerous global surveillance programs run by the NSA, European governments, the Five Eyes intelligence alliance and telecom companies
Snowden is very technical:
- six months of full-time training at the CIA's secret school for technology specialists
- a former NSA co-worker said Snowden was a "genius among geniuses" who created a widely implemented backup system for the NSA and often pointed out security flaws to the agency
- offered a position on the NSA's elite team of hackers, Tailored Access Operations

Other US military cases
Chelsea Manning
- former US Army soldier, assigned in 2009 to an Army unit in Iraq as an intelligence analyst
- disclosed to WikiLeaks nearly 750,000 classified, or unclassified but sensitive, military and diplomatic documents in early 2010
Harold T. Martin III
- accused of stealing approximately 50 terabytes of data
- from the Central Intelligence Agency, the National Security Agency, United States Cyber Command, the United States Department of Defense and the National Reconnaissance Office
- US government agencies failed to effectively detect and respond to Martin's practices and behaviors over 10 to 20 years, until 2016

US Gov Reactions to Insider Threat
- October 2011: US President Obama issued Executive Order 13587, establishing the National Insider Threat Task Force (NITTF)
- 2017: NITTF Insider Threat Guide, and NITTF Tech Bulletin 20180527: How Committee on National Security Systems Directive 504 (CNSSD 504, the technical core of insider threat prevention) defines User Activity Monitoring (UAM)
- November 1, 2018: NITTF released the Insider Threat Program Maturity Framework, an aid for advancing federal agencies' programs beyond the Minimum Standards, which builds upon the 2017 NITTF Insider Threat Guide

Committee on National Security Systems Directive 504 (CNSSD 504), 2016
Technical functionality that a user activity monitoring (UAM) solution must have to meet the Directive's requirements.
UAM: "technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support authorized investigations."
- a structured, consistent, and continuous collection and reporting process
- across the whole of an organization at the device level
- for identifying, assessing, deciding upon responses to, and acting upon specific analysis of insider threat behaviors
Every department and agency (D/A) should have five minimum technical capabilities to collect user activity data:
- keystroke monitoring
- full application content (e.g., email, chat, data import, data export)
- screen capture
- file shadowing for all lawful purposes (i.e., the ability to track documents when their names and locations have changed)
- collected UAM data must be attributable to a specific user
The D/A should incorporate UAM data into an analysis system that is capable of identifying anomalous behavior.

Cybersecurity Maturity Model Certification (CMMC)
July 16, 2019: DoD announces the Cybersecurity Maturity Model Certification (CMMC) initiative
- a framework aimed at assessing and enhancing the cybersecurity posture of the Defense Industrial Base ("DIB"), particularly around controlled unclassified information ("CUI")
- in response to a series of high-profile breaches of DoD information
- all companies conducting business with the DoD, including subcontractors, must be certified

User and Entity Behavior Analytics (UEBA)
- Examples of machine-learning detection algorithms:
  - User tracking: deviances from norms of user logon and logoff behavior
  - SMB tracking: deviances from normal SMB behaviors indicating lateral movement
  - Printing tracking: deviances from normal printing behaviors of each user
  - Process profiling: deviances from norms of process behavior
- "Data Exfiltration" detection
  - Insiders can gather important data (databases of classified material, SSNs, financials, secrets...), compress and encrypt it, and then exfiltrate it to external sites
  - deviances from historical and seasonal norms of network volume
- Several other detections of anomalies in certificates, networks, EoP registry keys, process tampering, user activities…
- Deep learning, Bayesian networks, Naïve Bayes, regression…
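The "deviances from historical and seasonal norms of network volume" detection above, as an added example (not Veramine's code or any model from the deck): a per-weekday baseline for one user's outbound volume, compared with a naive all-days baseline. The history values are constructed, and the z-threshold and the `min_std` floor are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample (not real telemetry): four weeks of outbound network
# volume in MB for one user, indexed Monday..Sunday, with a weekly rhythm.
HISTORY_MB = [
    [420, 450, 430, 470, 440, 30, 25],
    [410, 460, 445, 455, 435, 28, 22],
    [430, 440, 450, 465, 450, 35, 20],
    [425, 455, 435, 460, 445, 31, 27],
]


def seasonal_baseline(history, weekday):
    """Mean and standard deviation of volume for this weekday across past weeks."""
    samples = [week[weekday] for week in history]
    return mean(samples), pstdev(samples)


def volume_deviation(history, weekday, observed_mb, min_std=5.0):
    """Z-score of the observed volume against its weekday baseline.
    min_std (assumed) stops a nearly constant history from making any change look extreme."""
    mu, sigma = seasonal_baseline(history, weekday)
    return (observed_mb - mu) / max(sigma, min_std)


def global_deviation(history, observed_mb):
    """Naive baseline over all days, ignoring the weekly rhythm (for comparison)."""
    samples = [v for week in history for v in week]
    return (observed_mb - mean(samples)) / pstdev(samples)


def flag_exfil_candidate(history, weekday, observed_mb, z_threshold=4.0):
    """True when outbound volume is far above the seasonal norm for that weekday."""
    return volume_deviation(history, weekday, observed_mb) > z_threshold


if __name__ == "__main__":
    # 200 MB on a Saturday is below the all-days average, so the global baseline
    # sees nothing, while the weekday baseline flags it.
    print("global:", global_deviation(HISTORY_MB, 200) > 4.0)
    print("seasonal:", flag_exfil_candidate(HISTORY_MB, 5, 200))
```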
DNN: Forward and backward functions (figure, from Coursera)

CNN: AlexNet (figure, from Coursera)
Layer sizes as drawn: 227×227×3 input; conv 11×11, s=4 → 55×55×96; max-pool 3×3, s=2 → 27×27×96; conv 5×5 same → 27×27×256; max-pool 3×3, s=2 → 13×13×256; conv 3×3 same → 13×13×384; conv 3×3 → 13×13×384; conv 3×3 → 13×13×256; max-pool 3×3, s=2 → 6×6×256; flatten → 9216; fully connected 4096; fully connected 4096; softmax 1000.
[Krizhevsky et al., 2012. ImageNet classification with deep convolutional neural networks]

Summary of RNN types (figure, from Coursera): one to one, one to many, many to one, many to many (two variants)

User Activities Monitoring (UAM): User Control
- Keylogging, screenshot captures, activities on browsing, email, SMB
- Data on users, sessions, console, RDP…
- Use case example: monitoring activities on the most important servers, such as AD, DB, SMB and data center servers, and on designated computers accessing those servers
- Video capability: near-real-time "video" capability to view user activities at endpoints

User Activities Monitoring (UAM): Device Control
- The device policy defines a list of USB devices based on their Vendor ID, Product ID and Serial. When such a device is plugged in, the sensor can block or allow access to the USB device based on the policy settings.
- History of USB activities such as inserts and removals

User Activities Monitoring (UAM): Device Control
- A specific device, vendor, or product ID can be given:
  - No Access (blocked)
  - Read-Only Access
  - Read-Write Access
- All by policy
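A policy evaluator for the device control described above, as an added example (not Veramine's sensor code): rules match on Vendor ID, Product ID and Serial, the most specific matching rule wins, and each plug-in is recorded in a USB history. The IDs are placeholders and the default-deny for unknown devices is an assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Access(Enum):
    NO_ACCESS = "blocked"
    READ_ONLY = "read-only"
    READ_WRITE = "read-write"


@dataclass(frozen=True)
class Rule:
    access: Access
    vendor_id: Optional[str] = None   # None = any vendor
    product_id: Optional[str] = None  # None = any product
    serial: Optional[str] = None      # None = any serial number

    def matches(self, vendor_id: str, product_id: str, serial: str) -> bool:
        pairs = ((self.vendor_id, vendor_id), (self.product_id, product_id), (self.serial, serial))
        return all(want is None or want == have for want, have in pairs)

    def specificity(self) -> tuple:
        # A serial-level rule outranks a product-level rule, which outranks a vendor-level one.
        return (self.serial is not None, self.product_id is not None, self.vendor_id is not None)


@dataclass
class DevicePolicy:
    rules: List[Rule]
    default: Access = Access.NO_ACCESS  # assumption: devices matching no rule are blocked

    def decide(self, vendor_id: str, product_id: str, serial: str) -> Access:
        candidates = [r for r in self.rules if r.matches(vendor_id, product_id, serial)]
        if not candidates:
            return self.default
        return max(candidates, key=Rule.specificity).access


# Constructed sample policy; IDs are placeholders, not real USB vendor/product IDs.
POLICY = DevicePolicy(rules=[
    Rule(Access.READ_ONLY, vendor_id="0x1234"),                                   # whole vendor: read-only
    Rule(Access.NO_ACCESS, vendor_id="0x1234", product_id="0x0001"),              # one product: blocked
    Rule(Access.READ_WRITE, vendor_id="0x1234", product_id="0x0002", serial="SN-ABC123"),  # one issued stick
])


def on_usb_insert(policy: DevicePolicy, vendor_id: str, product_id: str, serial: str, history: list) -> Access:
    """Sensor hook for a plug-in event: decide the access level and record it in the USB history."""
    access = policy.decide(vendor_id, product_id, serial)
    history.append(("insert", vendor_id, product_id, serial, access.value))
    return access
```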
Forensics
- Based on Velociraptor, collecting artifacts from endpoints
- Includes ~60 Windows artifacts
- Instantly send an action to one host or many
- Actions are sent immediately to connected hosts and queued for disconnected hosts

Forensics
- Can use built-in collection tasks or define new ones
- VQL: SELECT [Columns] FROM [plugins(args)] WHERE [Conditions]

Forensics
- VQL, a simple extension of SQL, allows artifact collection tasks to be quickly programmed, automated and shared. Turn-around from IOC to full hunt: a few minutes.
- E.g. VQL to collect files (artifacts) in users' temp directory that were created within the last week or changed in the last hour. Its parameters:
  - Target group of hosts
  - Directory to search
  - Required age of files

Forensics
- The Forensics tab has searching, sorting and filtering
- Cancel queued collection jobs; delete results from already-run jobs

Forensics
- New Forensics tab under "Response"
- List of jobs and their state (queued, in progress, completed, error)

Forensics
- We show the Velociraptor JSON, sortable and searchable
- The results ZIP has TXT, CSV, JSON and the collected files

Combined with Solutions for External Threats
3 endpoint solutions that can also be packaged as a 3-in-1:
- Endpoint Detection and Response (EDR), a main anti-APT tool set, to effectively provide detection, investigation, response, data collection...
- Dynamic Deception System (DDS), a platform of traps, such as deceptive services, processes, mutexes, credentials, network listeners, data shares, registry helpers, virtual boxes, VMs..., as active defense to detect and prevent attacks
- Insider Threat Prevention (ITP), combining advanced controls of users, data and devices, such as keyloggers, screenshots, browsing and email activities, USB tracking and permissions, digital forensics...

EDR Detection for Insider Threat
- Detection and tracking of insider threats through SMB network share access
- SMB file share tracking: where people copy files from a network share to their local drive; captures files, exfiltration
- Look for compromised accounts, e.g. mimikatz being used to obtain credentials
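The SMB file share tracking bullet above ("where people copy files from a network share to their local drive"), as an added example (not Veramine's EDR code): a correlator that pairs a read from a UNC share with a later local-drive write of the same file name and size by the same user. The events are constructed, and the 5-minute pairing window and the name-plus-size match are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple
import ntpath


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    op: str      # "read" or "write"
    path: str    # Windows path: UNC share (\\server\share\...) or local drive (C:\...)
    size: int    # bytes


def is_unc(path: str) -> bool:
    return path.startswith("\\\\")


def is_local_drive(path: str) -> bool:
    return len(path) > 2 and path[1] == ":" and path[2] == "\\"


def find_share_copies(events: List[FileEvent], window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Pair each read from a UNC share with a later local-drive write by the same
    user, same file name and same size, inside `window`. Returns (user, source, dest)."""
    pending = []   # share reads not yet matched to a local write
    copies = []
    for ev in sorted(events, key=lambda e: e.ts):
        pending = [r for r in pending if ev.ts - r.ts <= window]  # age out old reads
        if ev.op == "read" and is_unc(ev.path):
            pending.append(ev)
        elif ev.op == "write" and is_local_drive(ev.path):
            for rd in pending:
                if (rd.user == ev.user and rd.size == ev.size
                        and ntpath.basename(rd.path).lower() == ntpath.basename(ev.path).lower()):
                    copies.append((ev.user, rd.path, ev.path))
                    pending.remove(rd)
                    break
    return copies


# Constructed sample events (not real telemetry).
T0 = datetime(2019, 9, 2, 9, 0, 0)
SAMPLE_EVENTS = [
    FileEvent(T0, "alice", "read", r"\\fs01\finance\payroll_2019.xlsx", 204800),
    FileEvent(T0 + timedelta(seconds=12), "alice", "write", r"C:\Users\alice\Desktop\payroll_2019.xlsx", 204800),
    FileEvent(T0 + timedelta(minutes=1), "bob", "read", r"\\fs01\eng\design.docx", 51200),
    FileEvent(T0 + timedelta(minutes=1, seconds=5), "bob", "write", r"C:\Users\bob\notes.txt", 1024),  # unrelated write
    FileEvent(T0 + timedelta(hours=1), "alice", "read", r"\\fs01\hr\review.docx", 30720),
    FileEvent(T0 + timedelta(hours=1, minutes=30), "alice", "write", r"C:\Users\alice\review.docx", 30720),  # outside window
]
```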
IR Investigation: Yara Memory Search
- The sensor reports processes matching a Yara expression (per process, not only a system-wide match)

Yara Memory Search Easy UX
- Customers can save and update commonly-used Yara expressions
- Schedule periodic Yara memory searches

Yara Memory Search Easy UX (screenshot slide)

IR Response Actions
- Host control: network quarantine, shutdown, reboot
- User and session control: disconnect, disable, enable

Deception Shares and Files (screenshot slide)

Deception Shares and Files (screenshot slide)

Deception Process, Service (screenshot slide)

Deception Credentials (screenshot slide)

Performance
- On average, taking less than 1% CPU and 20 MB RAM
- On average, per host, network traffic is less than 30 MB per day
- Network traffic can be further tuned using collection policies, which configure which events are collected by the sensors

Q&A
Thanks!!
Contact: Nguyễn Duy Lân
Email: lan at veramine.com