Cybersecurity Insider Threat Analytics

Cybersecurity Insider Threat Analytics

Speakers: Joel Amick, Cory Hefner, and Aysha Nahan

1

Disclosure

This material is for informational purposes only and should not be regarded as a recommendation or an offer to buy or sell any product or service to which this information may relate.

Certain products and services may not be available to all entities or persons. Past performance does not guarantee future results.

2

Who We Are

Joel AmickDirector,

Cyber Analytics

Cory HefnerSr. Info Security Analyst, Cyber

Analytics

Aysha NahanData Analyst,

Cyber Analytics

3

http://my.tiaa-cref.org/Person.aspx?accountname=AD/hefnerc

In Partnership With

TIAA Cybersecurity Mentors

Internship Associates

Joel AmickDirector,

Cyber Analytics

Cory HefnerSr. Info Security Analyst, Cyber

Analytics

Interns from the Professional Masters in Data Scienceprogram at the University of North Carolina at Charlotte (UNCC), with experience in Advanced Analytics and Machine Learning.

David Milbern Kshitij Khurana Aysha Nahan Abhinay Reddy

Graduate Students in Data Science Program at UNCC

4

https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&ved=0ahUKEwiyz5mvxvjXAhVEKiYKHdsgB5kQjRwIBw&url=https://analytics.uncc.edu/&psig=AOvVaw3d8HtSgOqABJzPI7uKdZxz&ust=1512758409399302

http://my.tiaa-cref.org/Person.aspx?accountname=AD/milbern

http://my.tiaa-cref.org/Person.aspx?accountname=AD/khurak

http://my.tiaa-cref.org/Person.aspx?accountname=AD/hefnerc

Who is TIAA?

https://www.tiaa.org/public/pdf/facts_stats.pdf 5

Who is TIAA?

https://www.tiaa.org/public/pdf/facts_stats.pdf 6

PHOTO FROM WIRED.COM 7

What is an Insider Threat?

8

1Study by Ponemon Institute in Sep 2016

Malicious

21.6% of Incidents1

Fraud

Intellectual Property Loss

Sabotage or Destruction

Negligent

78.4% of Incidents1

Accidental

Phishing

Shared/Stolen Credentials

Insider Threat Detection

9

Network Proxy

VPN

Phishing Awareness

Printers

Access Privileges

Use Cases From Prior Investigations

Physical Security

Data Loss Prevention

Proof of Concept

10

Scoring Approach

11

Threat

Non

Identified Threat


Internal Phishing

VPN

Outbound External Email

Web Proxy

Data WeightedFinalScore

Weighted Ensemble Approach to ScoringSeparate Scores by Data SourceEasily Scalable

12

Success of Scoring Algorithms

13

0%

5%

10%

15%

20%

25%

30%

35%

50 100 150 200 250 300 350 400 450 500 550 600 650 700 750 800 850 900 950 1000

Pe

rce

nt

of

Re

spe

ctiv

e T

ota

l

Risk Scores

Non-Identified Threat Threat

Non-Identified Threat

Threat

*Distributions are representative of actual data, but numbers are anonymized

Quantifying the Threat

14

Most Likely Potential Loss Distribution


0.0%

5.0%

10.0%

15.0%

20.0%

25.0%

30.0%

Pe

rce

nt

of

Emp

loye

es

Loss Magnitude

Implementation

16

Security Events (SIEM)

Data Warehouse

Internal Phishing

VPNOutbound External Email

Web ProxyData Loss Prevention

Data Warehouse

Case Study

17


“Joey Jobsearch” Threat Score: 821 Potential Loss: $2.1M

“Blocked Bobby” Threat Score: 680 Potential Loss: $2.4M

$K

$500K

$1.0M

$1.5M

$K

$500K

$1.0M

$1.5M

0

500

1,000

0

500

1,000

Insider Threat Score Loss Magnitude Insider Threat Score Loss Magnitude

VPN 25 Connection Failures in the last month

Web Proxy83 Job Searches in the past day32 File Sharing web pages visited in the past week


10 Email Attachments blocked in the past 6 months14 Cybersecurity Policy Violations in the past 6 months

Internal Phishing 1 Internal Phishing Training Email opened in the past year

VPN 5 Connection Failures in the last month

Outbound External Email

2 Blocked Emails in the past week


293 Files Loaded to USB in the past quarter2 Email Attachments blocked in the past week

Internal Phishing 2 Internal Phishing Training Emails reported in the past year

$0K $0K

Actionable Intelligence

18

Most Likely Potential Loss Distribution


0.0%

5.0%

10.0%

15.0%

20.0%

25.0%

30.0%

Pe

rce

nt

of

Emp

loye

es

Loss Magnitude

“Joey Jobsearch”

$2.1 million

“Blocked Bobby”

$2.4 million

Successes

1Collaborated with Cyber Risk team for Projected Loss

2Actionable intelligence was identified & escalated to the Insider Threat team

3Process is robust and allows for easy tuning or additions of new data sources

4Provided new exploratory information about Insider Threat data sources

Impact and Successes

19

Business Impact

1Insider Threat and Detection Teams can use scores to prioritize incidents

2Quantifiable value of the Insider Threat Program

3Matures Cybersecurity Investigations and Operations

Challenges

1Algorithms are trained predominantly with negative behavior. Opportunity to incorporate positive attributes in future tuning efforts.

2Structured and unstructured data stored in disparate data sources

3 Managing scope

Challenges and Opportunities

20

Identified Opportunities

1Complete dashboard visualizations for Investigations

2Generate “Harm-Ability” scores based on the capability (permissions and exceptions) of employees potential for impact to the company

3Incorporate additional data sources to further improve the accuracy of the Insider Threat score

Next Steps

21

Questions?

22

Documents

Cybersecurity Insider Threat Analytics