CarahCast: Podcasts on Technology in the Public Sector

A Holistic People-Centric Approach to Insider Threat Management

Episode Summary

Tune into our podcast, A Holistic People-Centric Approach to Insider Threat Management, to discover how the ObserveIT platform helps agencies protect against data loss, malicious acts, and brand damage.

Episode Transcription

Speaker 1: On behalf of Proofpoint and Carahsoft, we would like to welcome you to today's Podcast, A Holistic People-Centric Approach to Insider Threat Management, where Proofpoint’s ObserveIT Team will discuss the dangers of Insider Threats and how the ObserveIT platform helps organizations protect against data loss, malicious acts, and brand damage.

Liz McKenna: Thanks everyone for your time today. We really appreciate it. As was stated, I'm the director of channels at ObserveIT Proofpoint. And today for our agenda, I'm going to do a brief introduction on ObserveIT Proofpoint: who we are, what we do, and then hand it over to Nick Hensley. He's our channel SE Manager for Proofpoint ITM. We were acquired by Proofpoint just about a year ago. And we were the first purpose-built Insider Threat Management Platform. And because of our People-Centric Approach to Insider Threat Management, we really aligned well with Proofpoint's People-Centric Security Messaging. We have both on-prem and a newly released SaaS Platform. So, we're referred to as Proofpoint ITM. It's short for Insider Threat Management. So, oftentimes you'll hear us refer to ourselves as ITM. And over time, you'll see us fully integrated with the Proofpoint Portfolio.

So, what is the... ITM? ObserveIT is an Insider Threat Management Platform that gives comprehensive visibility, proactive detection and rapid response. And what we're doing is really truly correlating data movement to user action and activity. So, all the actions, activities that a user makes at the Endpoint, we're going to capture it and make it really easy to detect a potential breach in real time by an Insider Threat. And give you the tools to respond to that breach very quickly. We'll help you investigate incidents faster with visibility because we are capturing and monitoring every action taken at the endpoint. Every keystroke, mouse clicks, any website that users go to, we're going to capture that and make it very easy to attack and respond to. So, now I will hand it over to Nick.

Nick Hensley: Hey, thanks Liz. I'm just going to talk kind of high level about stuff. So, really I'm going to talk about the nature of work has changed right? With the environment we're in. Right now people are working a lot differently right? We have a lot of different people that are connected to our environments. With the gig economy, we have people in our supply chains. A lot of people interact with the cloud. People are communicating a lot differently. And of course right now with everything happening, the remote working environment.

With that being said, one of the things at Proofpoint we like to look at are our employees, right? And employees, or your people, they really are your new Security perimeter. And they interact with all your tools. They're interacting with Salesforce, different devices, Workday, Dropbox. In some cases certain employers allow you to access your Facebook, maybe your personal banking, things like that. But you know this all goes to say that people really are your new Security perimeter. And this not only includes your employees but it also includes things like contractors, maybe partners that you work with, suppliers and of course customers.

So, they're all interacting with those same systems. And when we start talking about Insider threats, we consider those a unique but also a highly complex threat vector. From the Verizon Data Breach Report in 2019, you can see that 34% of breaches involved internal threat actors. And then kind of leading into that, some information we got this year from the Ponemon Institute was that careless or negligent users accounted for about 62% of those Internal breaches. About 14% came from malicious users and 23% from compromised. And when you look at that, it leads to an average annual cost of about $11 million. With a mean time to resolve these incidents of about 77 days. So, it's definitely a huge issue.

Now, when we start talking about information protection in 2020, and we look at data being attacked, things that are at risk but maybe poorly protected by legacy tools. Both external and internal threats are there. However, you can see that Insider breaches are definitely accelerating. When we're looking at external breaches, a lot of those do result from stolen credentials. So that goes back to that malicious category right? That's how a lot of those threat actors are getting in.

When we talk about employees, one of their biggest complaints when we start talking about data risk, Insider threat, things like that it always seems to go back to their DLP tools. And how those tend to cripple productivity. In fact, about 73% of organizations said that their DLP tools have some sort of negative impact on them. And then they start piling up without mitigating real risk. So, on average it takes about 15 minutes for an analyst to review an alert. And they get about 32 alerts per day for each full-time analyst or full-time employee...

At Proofpoint we are very much people-centric focused. So, we're looking at things from the individual point of view, right? And looking at managing those threats from that People-Centric Model. I'm going to go ahead and build this out here. So, one of the things that we believe is that you need to leverage context to understand the intent and monitor user risk. And then that also leads into detecting Insider incidents based on risky activity and how they're interacting with data. And then finally we like to visualize the user behavioral aspects of the events. So, you can actually streamline your incident response. And over here on the right, this is just kind of an example of some of the information you would see within the tool. So, here you can see the date and somebody opening up a Google Chrome tab.

Then they're using the browser to go to Salesforce.com. Then you might see them actually logging in. They're verifying their identity. And then here you have them downloading a file, in this case Client Profiles 2020.XLS. And they're getting it from that Salesforce. So you can see the location locally where they save that file. From here it looks like they're going to Windows Explorer. Opening up a Window. They're renaming that file. And here you can see they've actually renamed that file from Client Profiles 2020.XLS to holiday_pictures.JPEG.

And this is something that you're not going to see unless you're looking at the user system itself, right? If you're just monitoring maybe at the boundary where items could be leaving the organization, you might see somebody uploading holiday_pictures.JPEG or sending it out through an email and no big deal because it's probably a picture of their holiday. But if you have the information behind that, in that context I was talking about, you can actually see that this file was originally called Client Profiles 2020 and where they actually got it in the first place.

And then you can see here they're moving that file over to... it looks like their local Dropbox folder, which will automatically sync that up to the Cloud. So, you can kind of see how context goes into providing that visibility and painting a full picture around everything. Now, when we start talking about the tool, we do have about 400 plus threat scenarios included in our library. And our library, it was originally built between us and the Carnegie Mellon CERT Team. And they... went and looked at about a thousand different Insider threat cases and examined those both from a behavioral and technical perspective.

And from that they built these rules, right? So, with the tool being rule-based, what that means is you no longer have to wait for any kind of baselining or anything, any kind of machine learning or AI where something needs to be built. As soon as you get it installed, you're going to actually start seeing alerts. Over here on the... You can see we have different categories. So in this case, data exfiltration is highlighted. You can see some of the different rules within that category. So, things like connecting an unlisted USB device, exfiltrating to a Cloud storage, exfiltrating via a large print job, copying a sensitive folder, opening a Cloud storage sync folder, things like that.

There's other categories here like careless behavior. So maybe you have one for somebody opening a clear text file that might contain passwords, enabling Windows Remote Assistance, downloading from insecure sites, using unapproved websites, exit on misconfiguration of a Cloud infrastructure, things like that. Unauthorized access is another category here. In here you have things like modifying or deleting rows in a database, running unauthorized software on a server, unauthorized corporate share access, accessing sensitive folders or sensitive systems, things like that.

This here is just an example of some of the alerts that we see from a number of our customers. Some of them have opted to share data with us, and they're not sharing specifics. It's just really around what rules are firing. So here you can see the top rules in 2020. And you can see exfiltrating tracked files to the web is probably one of the top ones, followed right behind that by connecting an unlisted USB device. If you go down a little bit further, you'll see things like browsing adult websites, browsing illegal drug sites.

Interestingly enough, before a lot of our customers started working remotely, those weren't even in the top 20. So, back to that earlier slide, things have definitely changed with the environment we're in. Concerns that people had in 2019 have shifted to what the organization is primarily concerned with in 2020. But again, for Proofpoint we tend to start with the people, right? So, protection starts with people. The tool itself is one of the only purpose-built people-centric insider threat platforms out there. We do have integrated components with Proofpoint and the rest of the people-centric story there. And we're recognized as a category defining ITM leader by Gartner. Definitely on the Vendors to Watch 2019 lists there. When it comes down to it, we talked about those negligent, compromised and malicious users earlier.

These are probably the main ways that data gets lost, right? Or data doesn't lose itself, right? There's places where data should be and places where data shouldn't be. And things basically move from where they should be to where they shouldn't be by one of these types of users. There may be some other users that you think about, however, they definitely fall into one of these three categories when you look at them.

The spectrum of users. So, talking about negligent users, this might be a well-meaning employee just trying to share a file with a colleague or maybe copying something to a thumb drive because they want to use it on another computer. And then they go to get in their car and they accidentally had it in their pocket. And then the thumb drive falls out in the parking lot. And all of a sudden that information's out there in the world. Then we're talking about those compromised or very attacked users. These are users who maybe clicked on something they shouldn't have. Those accounts have possibly been compromised. Once an account is compromised, basically they act as just another insider on the local network.

And then malicious users, right? So, this is basically those ones that there's probably a lot of concern around nowadays. So, this could be a nation state actor. It could be somebody who took a role with an organization with the express intent of stealing schematics or something like that. So, just to kind of break it down another way, that Ponemon study we were talking about earlier. This shows you a little bit differently those numbers that we were looking at. So, you can see the negligent user here accounted for 62% of incidents. The total spend is about 307K.

Now, when you get into malicious and compromised users, the number of incidents goes way down. However, the cost more than doubles for these two categories. So, when you think about that, that actually makes sense, right? We're looking at the malicious and compromised categories. These are people that are doing stuff with intent. Maybe that malicious guy, he's just wanting to take some source code with him to his next job. That's going to have some higher dollars associated with it than somebody who's just accidentally done something.

A couple of different scenarios here. Alice, this might be just... it kind of helps paint a better picture. Maybe she's getting home late and decides to finish her work from home. She downloads a sensitive file that contains social security numbers. And saves the file locally. As a social security row readings, the file in the news it's a Dropbox. These are all things that she's just trying to... she's actually going to work on it from home. So she's doing some off hours work there. Good employee, but she's done things that we probably want to be alerted of and we may need to have a conversation with her.

Bob here, he's received a phishing email to reset his password. Provided his credentials. The attacker captured that. And then the bad actor uses those credentials he captured to log into OneDrive and he's then sent to the Proofpoint isolation platform, where he may get blocked and is unable to download the file. But he shares it with another user via email.

Carol, this is somebody who downloaded a sensitive file, in this case one that contains social security numbers. She zips that file with a password, then deletes the original. And she attempts to send it via an email. It gets blocked by the Proofpoint email DLP solution. She then deletes the zip file. Then she downloads that same file again. This time she renames it to that holiday_pictures.JPEG that we were talking about earlier. Copies that over to USB, and to cover her tracks she might go delete the history and the cookies on her machine and everything. With all these actions, these are all things that we can actually see and be able to grab screenshots for.

Here's a handful of federal use cases. I'm just going to talk to them real briefly. The federal use cases for ITM differ slightly from commercial use cases. It's less of a concern for financial and intellectual property and Insider threat. And it's more of a focus on counterintelligence and counter espionage. Edward Snowden and Chelsea Manning are showcase examples. Keeping classified information from getting into the public domain is a primary ITM issue in the Federal Government.

And rather than the CIO or CISO, the primary customer for ITM in the Federal Market is going to be the Chief Security Officer, the office of Counterintelligence and the office of the Inspector General. With exceptions such as sensitive research or high value personally identifiable information. And then Executive Order 13587 was around structural reforms to improve the security of classified networks and responsible sharing of classified information. And this established a National Insider Threat Task Force. Preventing insiders with trusted access from illegally providing sensitive and/or classified information from being released is a primary objective of Federal Insider Threat Management.

And I kind of talked about this earlier with the way you can see all these different pieces. I like this image. It just paints a nice picture. In this case we're talking about user activity. So, over here on the left, maybe you know whatever the user is doing. If they're going out and interacting with Salesforce or going over to SAP or interacting with the database or a collaborative platform, or maybe they're copying something from a local file share. And they're moving that, copying it, renaming it, deleting it, printing it out, putting it on a CD-ROM, copying it to a thumb drive, sending it via email, whether that be Outlook or Gmail, uploading it to Dropbox, maybe moving something to Google Drive, sending it out through a chat medium like WeTransfer or Slack. We can actually see all of these things that happen and actually be able to grab screenshots with them.

One of my favorite examples here is around cut and paste. Say somebody were to open up an Excel Spreadsheet and they highlighted and copied a bunch of rows. And then pasted that inside of an email. We're actually going to be able to see them performing all these steps. And when that email gets sent, we'll see that somebody pasted some information that originally came from whatever super secret .XLS file that they were pulling information from. So, it doesn't actually have to be a file per se. It could be one of these actions. And that's how those rules are created. The rules that I was talking about earlier, those 400 pre-configured Insider threat rules.

Just another view here of the categories across the top here. We have about 33 different categories. And then the rule specifics themselves. And these again were the ones that were built on those Carnegie Mellon rules. The rules themselves, even though they are included with the system, you can customize your own rules, create your own, get very specific and granular to what you are looking for. The way the architecture works for the system, I like starting over here on the right. We do... The ObserveIT system does sit on top of a Windows server. And it has a couple of different components. It has an Application server, a Web server and a SQL database. We pull in LDAP information so you can pull in your user information.

And then we have a web console frontend. So, you can access it across a browser like most tools these days. In the middle here, this is really kind of talking more about the agents that we have. So we have agents that run on Windows, Linux, Macintosh, Citrix, Terminal servers, VDI, VMware. And the agents themselves, you can install those silently. They do have a... We have a couple different flavors of them. So, one you can actually see like running in your Windows taskbar. If you go look for processes, you'll see process names.

And then we also have a no-label version. So, that's not going to show up in your task manager. It's not going to show up in the processes. Names are all obfuscated. You can roll these out whatever way. You can roll them out if you're looking into something that just happened. You can roll them out without requiring a system reboot. So, they're going to start grabbing information as soon as that agent's deployed. The agents themselves really are truly lightweight. So, they sit in user space and not kernel. So they're not going to cause a lot of issues like blue screens, like a lot of the other tools that are out there.

They tend to take up about 1 to 3% CPU utilization. And 20 to 30 Megs of RAM. And that's going to vary depending on the number of rules you have turned on, how heavy you are on image capturing, the resolution you're capturing and things like that. When we do like an initial standup, as long as somebody has that Windows server, good to go. We can usually get the application server and Web server stood up in about an hour and a half along with a handful of agents deployed. So, that brings me to the end of the... what I wanted to cover today.

Speaker 1: Thanks for listening. If you would like more information on how Carahsoft or Proofpoint can assist your agency, please visit www.carahsoft.com or email us at proofpoint@carahsoft.com. Thanks again for listening and have a great day.