Exabeam Roundtable: Tracking Compromised Accounts & Insider Threats Across Your Network
Sponsored content: Wednesday, 23rd September 2020 – ASEAN and Hong Kong
Focus Network, in partnership with Exabeam, brought leading IT security executives together to discuss where and how to focus the security team’s efforts: keeping organisations out of the press, better protecting them from financial loss, and drastically reducing the number of uninvestigated and unresolved alerts.
The session was coordinated by Blake Tolmie, Director – Operations, Focus Network, and expertly moderated by Andrew Milroy, Principal Adviser, Eco-System. Providing insights throughout the session were experienced strategy and thought leaders Gareth Cox, Saleem Javed Mohamed Ismail and David Ng.
Brief introduction of the speakers
Gareth Cox, Vice President of Sales Asia-Pacific & Japan, Exabeam. With 20+ years of progressive experience achieving growth for top technology companies, he enables organisations to automate security operations, accelerating the team’s ability to identify security risks, both internal and external.
Saleem Javed Mohamed Ismail, Human Managed Agent of Change, Exabeam. Saleem works with organisations to drive higher cyber security maturity. With a keen eye for exciting advancements, and constantly learning, unlearning and relearning, he is experienced in dealing with senior executives in the morning and diving in with the engineers and analysts in the afternoon to produce strategies that are both achievable and optimal.
David Ng, Head, Group Technology Information Security Office (TISO), OCBC Bank. David has over 26 years of experience in Infocomm Security. He joined OCBC Bank in August 2014 as Head of TISO and is responsible for all aspects of the Bank’s cybersecurity strategy, security architecture, and security functions. Prior to joining the Bank, David worked in the Monetary Authority of Singapore (MAS) as Director of IT Security Division. He was responsible for the development of IT security strategies, programmes, policies and standards for the purpose of protecting the central bank’s core functions and information assets. During his tenure, the MAS’ IT security posture was transformed substantially. David represented MAS in key panels and working groups such as the Bank for International Settlement (BIS) G10 Group of Computer Experts on Security Issues.
Andrew Milroy, Principal Adviser at Eco-System, an analyst firm based in Singapore, was moderator for this Exabeam event in partnership with Focus Network. The theme of the event was tracking compromised accounts and insider threats across the network.
Rogue insiders abusing privileged access and external attackers leveraging compromised credentials are both notoriously difficult to spot and require lengthy, manual investigations. Invariably they involve lateral movement across the network, further compounding the time and skills needed to identify the chain of events. Security operations metrics are time-driven: time-to-detect, time-to-respond, time-to-answer. Analysts are up against the clock to review, investigate, and act. Manual processes, manual analysis and manual decision making are born of the idea that machines cannot always be trusted to understand threats as a human would. But your data haystacks continue to grow exponentially, and the needles become ever harder to find. Today’s session focuses on the key challenges security teams face, and on where and how to focus their efforts so that they can detect, investigate and respond to attacks more rapidly.
Insider Threats – Compromised, Malicious or Accidental
“What we’re doing to help with security operations today is that we’re adding machine learning and automation into your existing security stack or replacing it”, says Gareth Cox, Vice President of Sales Asia-Pacific & Japan, Exabeam. “When you look at an insider threat investigation today, the majority of the time, what an analyst is going to be looking at is trying to figure out the intent of what the attacker is doing and if this is normal or abnormal, have they seen this on the network before, and understand some patterns of risk so they can start their investigation. The majority of the analyst’s time is spent triaging the investigation and trying to find out what insights are happening to identify these questions and to build an incident timeline. This incident timeline is not a trivial thing to do. You need a fair amount of collaboration within your organisation, and the time to understand if this is a true attack or not could take days rather than minutes.”
Compromised accounts and credential-based theft have been on the rise for the last five years. According to the Verizon report, around 80% of all attacks involve stealing credentials and then moving laterally throughout the organisation. Unfortunately, there have been a number of high-profile breaches across Asia Pacific and around the world where credential-based theft caused huge breaches that made the press. 50% of Exabeam’s business is actually augmenting security operations: if you have Splunk or QRadar, or if you’re building your own Elastic stack, adding Exabeam’s analytics as the brain across all that data makes things easier for the analysts.
A lot of organisations today, whether a large organisation like a bank or a small university with only one or two analysts, can leverage machine learning to free their analysts from manual tasks and let them focus on the real threats. Both before and since COVID, the number one attack vector has been compromised accounts, obtained through phishing and malware-based attacks. A university in Canberra, Australia suffered a nation state attack in which the adversary logged into the environment, stole credentials, lived in the environment for around six to eight months and stole information. The other aspect of what we’re seeing out there is malicious insiders: either disgruntled employees stealing information, or people who have been compromised by third-party nation state actors.
They live in the network for a consistent period of time, usually around six months or even longer, up to a year, and they move laterally across multiple devices in the organisation to steal information. There are three main categories of insider threat. The first is the compromised insider. The second, as in the example of Home Depot, is the malicious insider, where a disgruntled employee steals information using their own account. The third is the accidental insider, who has clicked on something by mistake or moved data they shouldn’t have to third-party devices and accidentally caused a breach. Analysts need to understand the intent behind why people are accessing information in their organisation and what they are looking to do with this data, and they need a baseline for that. A recent Gartner research paper found that what it classes as insider threats now cause between 50 and 70% of all security incidents in security operations today, and 70% of breaches. What we’re seeing at Exabeam is a number of PoCs (Proofs of Concept) and overviews driven by business leaders looking to reduce risk by addressing these large percentages of security threats in their organisation.
With COVID-19, there’s a huge gap from when customers were on premise to when they went mobile, along with a huge explosion in cloud services, and it has increased even more in the last three to four months, especially in Southeast Asia. Security leaders understand that Salesforce and Office 365 are data stores holding key information, but sometimes business leaders just want to get these solutions out there as quickly as possible. There is a gap between what is actually happening inside these cloud service providers and what information people are accessing. Security leaders face a significant risk in not knowing whether a user in Salesforce, for example, is accessing the right information, whether they are downloading reports they shouldn’t be downloading, or whether they are downloading them from an unsecured PC at home. Hence the need for analytics across cloud service providers, and for understanding the context of what people are accessing, is immense.
Major challenges in dealing with insider threats
“If a staff member is printing large volumes of data, the system detects this as a user depicting abnormal behaviour. Then we were able to determine whether this is a behaviour for which we require investigation or not. The other aspect of the challenge is how do I distinguish between an action and the intent, or perhaps the context, of that action taken by the user”, noted David Ng, Head, Group Technology Information Security Office (TISO), OCBC Bank. “I don’t believe that machines have the ability to differentiate between an action and an intent, more so given that it may be an accidental mouse click or hovering over a button, and therefore may not constitute a malicious action. I believe at this juncture of maturity, systems are not able to distinguish the two, action and intent. That is the challenge. And it may lead to many false positives.”
With the onset of COVID, the biggest challenge that organisations face is that the profile or demographic of the user has changed. The sudden shift from fully office-based work to working from home has resulted in drastic changes in monitoring capabilities within organisations. After the Circuit Breaker (CB), in the Singapore context, companies have come to realise that the demographic of the user is very fluid. The system is therefore trying to learn, unlearn and re-learn the user, and this is the biggest challenge today, resulting in the system raising a lot of red flags and false positives. One of the things now being monitored is East-West traffic, whereas in the past the focus was North-South, i.e. what is coming in and what is going out. In today’s context, East-West traffic needs to be monitored and invested in, and will remain a focus going forward. Today, management is cognisant of users using intellectual property for their personal gain as well as for competition. We already subscribe to the fact that data is the new currency.
Insider threat management
Saleem Javed Mohamed Ismail, Human Managed Agent of Change, talked about insider threat management. Most of the time, what we are really looking at is protecting ourselves against an insider incident and detecting it, so that when it happens we can quickly jump in to respond and recover. When it comes to planning, it is a lot about knowing your enemy: identifying the threat and trying to deter it from targeting your business. If a threat is detected, there should be a consistent way of responding to it. We should not be alienating the insiders, because no matter what, this would affect the culture; there is a fine balance between culture and an insider threat programme, and that balance needs attention. Monitoring and regulatory requirements are also things we really need to focus on.
An insider threat cannot be characterised as one specific threat actor. It cuts across multiple threat actors, and what they go after are the typical targets seen across all threat actors: people, information, technology and facilities, which are the critical assets of any organisation.
Most of the time, the impact is going to be to CIA (Confidentiality, Integrity and Availability). A lot of threat modelling has been done around insider threats, much of it from the behavioural sciences, focusing on how you assess the actual risk of an insider attack, and it covers not just cyber but physical as well. In this respect it is very close to what we see from a nation state, which is a blended attack: a combination of cyber and physical that could have cyber and/or physical impact. This is why an insider threat is much more complex to detect and respond to. At a national security level, depending on which business you are in, you could be one of a number of organisations caught up in a much larger campaign the attacker is executing, or you could be the direct target.
The focus now is really the work-from-home setup, and all of this applies there, especially theft of IP, fraud and systems sabotage, which are very prevalent now. The target is mainly PII or customer information, and most of the time the access used is going to be authorised. At the same time, there is a fine line between fraud and cyber: most of the time it starts as cyber and ends as fraud. Insider incidents can also be accidental disclosure: not understanding the Acceptable Use Policy (AUP) and posting something that a proxy would easily have blocked in the office. With the work-from-home option this is becoming more and more prevalent, with data leaking and an increase in GitHub posts. This is not a malicious insider but accidental disclosure. Malicious code is actually the topmost attack, where a user is compromised using social engineering through a phishing email. This is often considered a malicious insider, but it could equally be a non-malicious insider, because most of the time the user is unaware.
Insiders are basically individuals who have or had authorised or unauthorised access to organisation assets and use that access to intentionally or unintentionally affect the organisation in a negative way. Different types of insider target different assets with different motives. Focusing on these different types of insiders is how you start building your use cases: what it takes to monitor each, and, depending on priority and security requirements, how to respond and how to resolve.
There are many technical and non-technical data sources to draw on; the non-technical ones are mainly data available from human resources and from physical access controls. A typical reference architecture would have all the different cybersecurity analytics tools, then a physical analytics cluster combining physical user access and video analytics, and lastly behavioural analytics tools, depending on the industry you are in. All of these can be combined into a threat-based aggregation system, which is where a machine-learning-backed analytics solution such as Exabeam comes into play: correlating information from multiple sources, building use cases and establishing patterns and anomalies so that a behaviour can be identified and investigated. If there is no specific way of declaring whether the insider is malicious or non-malicious and what the impact could be, the only way is to identify every single anomaly and respond to it as if you are under attack.
There is a lot of collaboration among threat actors; most of these attackers collaborate a lot among themselves. Nation state actors, especially the Lazarus Group, which carried out multiple attacks between 2016 and 2018, depicted this collaboration. The Lazarus Group was categorised as a nation state, but the people who were part of it were actually North Korean nation state actors; it was classified as a cyber-criminal group, yet the attackers were part of the nation state. Hence there is a lot of overlap, with nation state actors using cyber criminals and, likewise, cyber criminals using specific individuals who have been trained by a nation state to execute those different types of attacks. This marks the existence of a marketplace among threat actor groups, where they collaborate a lot, whereas the defenders are not really collaborating that well. Threat intelligence, as good as it is, is pretty much public information, and enterprises should pick threat intelligence services based on their pertinence to the business.
Managing threats in various industries
“We’re doing a lot of things not just in SingHealth but across the whole public health care space”, said Kim Chuan Chua, Chief Information Security Officer, SingHealth. “We have been doing a lot actually in the area of security monitoring surveillance to try to move as fast as we can. COVID-19 slowed us down and one of the challenges of being in public health care is that we’ve got the worst of both worlds. We are not a government agency and yet we cannot execute our own commercial organisation. We have to go through the due process of buying things the government way which is frustratingly slow. One of the most important things that we’re trying to do is to level up our security monitoring surveillance which is still a fair way away from completion. We have done something called Internet Surfing Separation (ISS), a concept we borrowed from government where you can’t surf the Internet on your end point, which is creating a lot of operational issues on the ground for our researchers and clinicians and we are trying very hard to see whether we can work through this kind of constraint or not. In an ideal situation, we would have a best-in-class security monitoring operation center and fully automated SOC compliance that works. And then on top of that, we hope to have parallel tracks around the area of threat hunting and looking for specific attacks. There is still work to be done to get there.”
Eng Guan Ng, IT Security Director, Resorts World Sentosa commented further on the challenges of a security compromise in his organisation. “A compromise is definitely a challenge for us, especially in an environment in which we have a very diverse demographic of staff, from cleaners to the management, consultants to developers. At the moment, we are struggling to have a comprehensive solution. We try to focus on and monitor the crown jewels so as to detect any compromised access at that level. And that’s why I’m trying to explore other foolproof methods that we can actually implement in our environment to actually tie every single account, which is a challenge because we have daily onboarding of staff; account creations and deletions. It’s quite a tedious operation.”
“We are trying to avoid the one that we found in our own country’s experience with the United Coconut Planters Bank (UCPB) nation state attack where hackers were able to steal through malware, which gave them remote access functions and allowed them to send and receive cash online. They publicly announced something like 167 million pesos in loss as a result”, reflects Carlos Tengkiat, Chief Information Security Officer, Rizal Commercial Banking Corporation, Philippines. “So those are of great concern for us. That’s why the problem that we notice now is, like what was mentioned before by David, that you get to see a lot of lateral movement now. So, our SOC team is busier than ever because a lot of those will sometimes be false positives. But again, we always tell them to review always, because you should never underestimate how some of these predators would behave and they would lull you into what would you call a false sense of security by doing it again and again. And then one day you’ll suddenly see an incident.”
“What we focus on is the context of the user, the user group, the applications the user uses, the times they log in, where they’re logging in from etc. And we do a baseline of what activity is normal and abnormal. We then bubble up insights and put risks on. We’re basically using the machines to follow all the breadcrumbs to build a bigger picture”, says Gareth Cox, Vice President of Sales Asia-Pacific & Japan, Exabeam. “So, the analysts, as mentioned by Carlos, with all the activity and alerts, your SOC is under the pump right now. They’re under the pump everywhere. And what we’re trying to do is eliminate all that noise so you guys can focus on the key things and can also do threat hunting on top of that. Exabeam simply helps them using machines and users build credentials, as you need to build the picture up if your credentials are stolen.”
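As an added illustration of the baselining Gareth describes above (example code written for this writeup, not Exabeam’s product or code from any of the speakers), here is a toy per-user baseline and risk-scoring loop over constructed login records; the log format, the risk weights and the triage threshold are assumptions.

```python
# Added example: a minimal behavioural baseline with per-event risk scoring
# and a per-user timeline. Log lines, fields and weights are constructed
# for illustration; nothing here is Exabeam's product or the speakers' code.
from collections import defaultdict
from datetime import datetime

# Constructed "normal" history (not real data): one login per line, key=value fields.
BASELINE_LOG = """
2020-09-07T09:02:00 user=alice src=SG app=o365
2020-09-07T09:40:00 user=alice src=SG app=salesforce
2020-09-08T08:55:00 user=alice src=SG app=o365
2020-09-08T14:10:00 user=alice src=SG app=salesforce
2020-09-07T10:15:00 user=bob src=SG app=o365
2020-09-08T11:30:00 user=bob src=MY app=o365
2020-09-09T09:45:00 user=bob src=SG app=o365
"""

# Constructed events under investigation.
NEW_LOG = """
2020-09-14T09:10:00 user=alice src=SG app=o365
2020-09-14T03:20:00 user=alice src=RU app=salesforce
2020-09-14T03:25:00 user=alice src=RU app=vpn-admin
2020-09-14T10:05:00 user=bob src=MY app=o365
"""

# Assumed risk weights: points each anomaly adds to the user's running score.
WEIGHTS = {"new_country": 40, "odd_hour": 15, "new_app": 20, "no_baseline": 40}

def parse_log(text):
    """Turn key=value log lines into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def build_baseline(events):
    """Per-user 'normal': login hours, source countries and apps seen before."""
    base = defaultdict(lambda: {"hours": set(), "src": set(), "apps": set()})
    for ev in events:
        b = base[ev["user"]]
        b["hours"].add(ev["ts"].hour)
        b["src"].add(ev["src"])
        b["apps"].add(ev["app"])
    return base

def score_event(ev, base):
    """Compare one event with its user's baseline; return (points, reasons)."""
    b = base.get(ev["user"])
    if b is None:                      # never seen this account: nothing to compare against
        return WEIGHTS["no_baseline"], ["no_baseline"]
    reasons = []
    if ev["src"] not in b["src"]:
        reasons.append("new_country")
    if ev["ts"].hour not in b["hours"]:
        reasons.append("odd_hour")
    if ev["app"] not in b["apps"]:
        reasons.append("new_app")
    return sum(WEIGHTS[r] for r in reasons), reasons

def risk_timeline(events, base):
    """Accumulate risk per user and keep an ordered timeline of the anomalous events."""
    out = defaultdict(lambda: {"score": 0, "timeline": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        pts, reasons = score_event(ev, base)
        out[ev["user"]]["score"] += pts
        if pts:
            out[ev["user"]]["timeline"].append((ev["ts"].isoformat(), ev["src"], ev["app"], reasons))
    return out

def flag_users(risk, threshold=60):
    """Users whose accumulated risk crosses the (assumed) triage threshold."""
    return sorted(u for u, r in risk.items() if r["score"] >= threshold)

if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    risk = risk_timeline(parse_log(NEW_LOG), base)
    for user in flag_users(risk):
        print(f"{user}: score {risk[user]['score']}")
        for entry in risk[user]["timeline"]:
            print("  ", entry)
```

Only alice is surfaced: her in-hours Singapore login scores nothing, while the two night-time logins from a new country, one to a never-used app, accumulate enough risk to cross the threshold and give the analyst a ready-made timeline.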
“For the credentials we have the IT management team who is responsible for creating and granting access based on the access metrics”, notes Tharaka Gamage, Head, IT Security, Etiqa Insurance. “We monitor them ongoing through the Security Operation Center where we enrol the user IDs with them, but still have some level of visibility in the network layer, like how those credentials are being used. For example, the privileged IDs have MFA for that privilege. We can thus identify the user because they already have the multi-factor authentication. Other than that, there are work-from-home initiatives, where we have to identify the devices as managed devices and un-managed devices. So, once we are able to identify the devices and users, we can protect the workload, authentication request and everything else.”
David Ng, Head, Group Technology Information Security Office (TISO), OCBC Bank said, “Why I invested in Exabeam is to augment that human intervention with AI with the tools to really zero in to make sure that we are spending the right energy on the right focus at the right problem, because today we know that the east-west movement is very noisy and without tools, the people on the ground spend a lot of time sieving through and finding a needle in a haystack. In fact, I am reaping the benefits from Exabeam already as they are really helping me a lot and therefore, I am focusing on what I need to focus on.”
Gareth notes that when you’re doing an investigation, you need to understand the extent of the crime. Whether it is a cyber investigation or a police investigation of a robbery, the investigators need to figure out the intent. To figure out the intent of a cyber-attack, you need to know what is normal and abnormal and have a baseline of what is happening, and that is where companies are coming to Exabeam to help their analysts look at intent. For most analysts these days, it is incredibly hard to do their job with the tools they have today, as everything is manual. There are too many alerts and too many things happening, and data has moved to too many different places; without some assistance and machines to help them identify the attempt, it is almost impossible to solve this issue. And it is on the rise. As per the Verizon data breach report, around 70 to 80% of attacks are credential-based attacks, and Gartner says that between 50 and 70% of all security incidents are based on credentials or insider threats. During COVID the number of phishing attacks that Google stopped per day was incredibly large. It is simply too much for companies to keep on top of, and there are too many cyber breaches on the news every single day. It is very hard for good companies to protect their data today, and that is where machine learning and internal collaboration help. Hence the need for as much intelligent automation as possible, rather than too many dashboards and far too many false positives hitting the analysts.
This brought to close a fantastic discussion which touched on quite a variety of different issues relating to insider threats and how those threats can be addressed.
Focus Network facilitates a data-driven information hub for senior-level executives to learn from, while at the same time assisting businesses in connecting with the most relevant partners to build new relationships. With a cohort of knowledge-hungry and growth-minded delegates, these sessions have imparted great value to participants. With the advent of new ways of working remotely, Focus Network continues to collaborate with the best thought leaders from the industry to come together to share and navigate the ever-changing landscapes that are barrelling into the neo-industrial revolution.
Tags: Application Security, Cyber Security, Exabeam, Insider Threat Management