Thwarting insider threats

Hello, my name is Hugh Njemanze. I'm the Chief Technology Officer and Co-Founder of ArcSight and today we're going to talk about thwarting insider threats. So many people are familiar already with perimeter threats, which just if you give me one second, I'm a fast drawer and I'll illustrate the problem for you.

So what's happening with perimeter threat is you have people outside your castle, your corporation actually trying to attack. So what happens is you need to find some way to repel those introducers. The industry has come up with many solutions. There are products on the market such as firewalls, intrusion detection systems and others whose thrust is basically to help defend against these intruders, these perimeter attackers. .

However, if the attacker is already within your organization then none of these defenses are going to be very useful. And to illustrate what can happen, there was a case reported recently where eight employees at the Bank of America actually stole 700,000 customer records. And this was bad for those customers but it was also bad for Bank of America because additionally, due to regulations such as SB1386 they have to report when an incident like this happens and you can imagine that could erode the confidence of the entire customer base. .

So how do we deal with insider threat then? Well, we can use many of the same tools that we apply for a perimeter threat. What we want to do is provide appropriate inputs. So in organizations, things like applications are typically run, maybe a database, other systems like Oracle, SAP, PeopleSoft. And with all of those systems, people have various things they're allowed to do. They have log in, they have permissions, access controls and we can monitor those to see if people are behaving according to what they should be doing and what they're allowed to be doing. We also have access monitoring systems such as when you swipe your badge to get into or out of a building and we also have identity management systems that again, keep tags of who's who. .

And what you want to do is basically analyze those records in the same way that a security information management system was analyzing firewall and IDS records, they want to do that here with this information. It's essentially analogous to looking inside the windows of the building instead of focusing outwards. .

And just to give you an example, a phone company noticed that some of their employees were actually selling phone records to private investigators who were performing things like divorce investigations. Needless to say, the phone company was not happy about this. What they were able to do is use a security information management system to analyze the employee's activity records and determine, for example, that a few employees would access the same customer records over and over, which would be very, very rare behavior to happen just in natural life when a random phone customer dials in. .

In a survey of enterprise CEOs, over 72 percent of them identified insider threat as an equal or greater problem than perimeter threat. The good news is there is something we can do about these insider threats using information that's available and combine and analyzing that with existing tools.