RSAC 365 Virtual Summit
January 27, 2021, Online

The Return of Hacktivism – The Insider

About the talk

This session will use real-world examples to demonstrate how the erosion of boundaries between work and life, coupled with an increasingly distributed workforce, has laid the groundwork for an evolved threat: insider hacktivists. This session will explain what this behavioral shift in employee mindset means and how it impacts the security of your corporate data.

About speakers

Jadee Hanson
CISO and CIO at Code42
Masha Sedova
Co-Founder at Elevate Security

As CISO and CIO at Code42, Jadee Hanson leads global risk and compliance, security operations, incident response, and the insider threat program. Prior to Code42, Jadee held senior leadership roles in security at Target Corporation, where she implemented compliance, risk management, and insider threat programs. She also served as the security lead for the sale of Target Pharmacies to CVS Health. Before Target, Jadee was a security consultant at Deloitte. Cyber Defense Magazine named Jadee one of the Top 100 Women in Cybersecurity for 2020 and SC Magazine called her a Women in Security: PowerPlayer in 2019. She is regularly quoted in cybersecurity media outlets and co-authored the book, Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore.


Masha Sedova is an industry-recognized people-security expert, speaker and trainer focused on engaging people to be key elements of secure organizations. She is the co-founder of Elevate Security, an innovative new approach to security awareness. Elevate's Security Behavior Platform delivers highly scalable personalized engagement, meaningful measurement, and practical feedback to motivate, reward and reinforce smart security behaviors of employees. Before Elevate, Masha Sedova was a security executive at Salesforce, where she built and led the security engagement team focused on improving the security mindset of employees, partners, and customers. The scope of her work ran the gamut from general awareness, such as phishing and reporting activity, to secure engineering practices by developers and engineers. In addition, Masha is a member of the Board of Directors for the National Cyber Security Alliance and a regular presenter at conferences such as Blackhat, RSA, ISSA, Enigma, and SANS.

View the profile
Transcript

Well, hello everyone. Thank you for joining us. Today we are going to be talking about the return of hacktivism, and more specifically the insider. I'm Jadee Hanson, and I've been working in security and technology for the past 17 years. I'm currently the CISO and CIO at Code42, where I'm honored to lead a really progressive and transparent security team. We have a large focus on securing and driving the business forward. Code42 is a software company, and we develop software for security teams just like yours to use. I'm really excited to share with you today some of our learnings on this really important topic, insider risk.

Thank you, Jadee, it's really a pleasure to be able to do this with you today. My name is Masha and I am the founder of Elevate Security, and my career has been focused on looking at human risk in organizations and giving tools to CISOs and security teams to be able to measure the employee risk in their organization, and then have tools available to them to proactively secure and potentially influence employees in their organizations to be part of the security defense. A lot of what my career has focused on is knitting together the concepts of behavioral science and psychology into security, which is a theme that I'm really excited to weave into some of our conversation today.

So with that, let's get started. In the next 30 or so minutes that we have together, what Jadee and I are going to cover with you all is the question of what insider risk is: when we talk about this, what do we mean? We want to ensure that we're all on the same page with a common definition. Then we'll take a look at 2020 and understand how all the changes that happened in that year affected the insider threat landscape, and how that looks different from years before. Jadee and I will walk through some recent cases in the news that are really valuable lessons for us all to learn from, and then walk through a couple of examples of what you can do to help address this risk in your organization. And then we'll look around the corner at what's next, and how you can think about solving this problem when you go back to your organizations tomorrow.

So what is insider risk? One of my favorite definitions of insider risk is actually a spectrum, because when we think about insider risk, there isn't just one type of risk that exists in our organization. There are primarily two ends of the spectrum. One is malicious, and that is when an employee or contractor or someone else working in your organization makes a conscious decision to do harm. This is a knowledgeable person who is acting against the best interests of the company and knowingly trying to steal data or information or cause harm. Now, on the other end, you have accidental insider risk. And quite honestly, this is the one that happens significantly more often in the landscape. Accidental is when employees, maybe because they don't know better, maybe because they're distracted (there are a lot of reasons that go into this, and we'll talk about a few of them), are not consciously trying to cause harm but still do so anyway. So in this presentation, we're going to cover both types of risk, and talk about which kind of insider risk we are focusing on when we give a specific example of a remediation technique.

You are also going to notice that we are using the term insider risk in this presentation, and this is very, very intentional. So I want to take a minute and just explain why we're not talking about DLP and we are not talking about insider threat. So first, DLP. I think we can all agree this has been kind of a failed technology for us. I can say that I am a recovering DLP user myself. For the last six years Gartner has been giving the same advice to customers about DLP, and the advice is don't do it. It's very cumbersome, it was designed to address a very specific compliance problem, and we haven't really made the necessary changes that we need to meet users where they are today. DLP hasn't made that change. And then insider threat. This term and the technology in this category were getting better, but as Masha pointed out, this term is very focused on that malicious user, and we need something broader. We know that most of the data issues that we have today, and most of the events that happen in our organization that cause issues, are due to non-malicious actions by our employees. So we need something that can move beyond that 1% of employees, the malicious person trying to access data, and cover visibility to all of our end users. So, enter insider risk. Insider risk is a category that's really focused on protecting all of your data and all of your users from everyday exfiltration risk, no matter the intent, so no matter malicious or not malicious. Insider risk is that hundred percent visibility that security teams are looking for. This distinction, though it's small, is a really important distinction that we want to make.

So let's move forward. What I want to do next is focus on how insider risk has changed and what this really means for your organizations. This first screenshot here is from the 2019 data breach report, and you can see on the yellow line there that error has consistently been going up year after year. In 2019, error was in the top three sources for data breaches. This is actually beating out malware, so it's really important that we keep our eye on this. On the next slide, this is another really important stat from the data breach report: 30% of breaches are happening as a result of insider risk. A lot has changed in 2020, and the increase in breaches caused by insiders has really only gone up. We're going to dig into a few of the reasons why, starting with the next slide.

The very first reason, and a major reason, why we think insider risk is such an issue now is the fact that we're leveraging more and more collaboration technology within our organizations. There was a comment from IDC that said adoption of collaboration technologies accelerated by almost five years just in the year 2020, based on what we were faced with and everybody kind of moving remote. These collaboration technology platforms are great, but they also pose a risk to our company's data. Using cloud storage locations makes it a lot harder to track where your data is and how your users are sharing it. One thing that I run into on a very regular basis is my users just accidentally making documents they intend to be private into public links, because these platforms make it so easy to share, so certainly putting our data at a higher risk.

The second reason why we believe insider risk is becoming a bigger issue and on the rise is employee turnover. Turnover at companies has really never been higher. Just since February, over three million people have left their place of employment. And why is it such a big deal when people leave their place of employment? It's a big deal because we know that when people leave companies, they take all their data with them. In our latest data research report, people were asked if they took data with them when they left their employer, and 63% of people responded yes, they did. And these are just the people that are admitting it. We know that most people, when they leave the organization, are taking data with them.

Not surprisingly, another reason we believe insider risk is on the rise is remote work. Remote work is something that has been growing in the past few years, but it accelerated overnight with the impacts of COVID-19. Many of you are probably listening to this talk right now from home and you're thinking, okay, what does this mean? Why does this play a role in data risk? I'll explain it. When we're at home, our data is at a higher risk of leaving the organization. In a recent poll, 61% of security leaders told us that remote work was a contributing factor in their particular data breach. And it's really not super hard to understand. Next slide. There are two important things going on here that I want to describe related to remote work. First, employees feel as though there's less oversight when they're working from home, and they're more likely to engage in a malicious action. The other thing that's going on is that we're incredibly distracted at home, especially this year, with kids and family members also working at home with us. I have my girls, I have my dog, my husband; we're all at home and there are endless distractions. I love some of these images that you see on the screen that show what it's really like working from home and all the distractions that come with it. So what does it mean for your company's data? Distractions lead to more and more of our employees just making mistakes. Again, not malicious, just mistakes, and these mistakes lead to unintentional data exposures for our organizations.

Yeah, so if we also take a look at the reasons why, and put on the perspective of malicious insider threat, this is one of my favorite models that explains how incidents like this happen. If we take a person who has a predisposition to circumventing authority, and maybe is inclined that way to begin with, and then they have stressors in their life (sometimes financial stress, sometimes emotional, sometimes mental or physical; there are a lot of different reasons), then we think about the stressors amplifying a situation in which an individual might be more apt to conduct what is an illegal or unethical action. Now, in the moment where they may want to do so, there's a specific choice that happens. They might be faced with a mitigating factor or a solution that gets them off of that track, or they might ignore the mitigating solution. The norms of our everyday society say this is normal behavior and that is not, and there are ways that we can get somebody to rethink their actions. Now, without those norms, those types of stressors can amplify and ultimately lead to concerning behavior.

Now, if we take a look at the situation that Jadee just talked about, we're all working from home and the circumstances of our normal work environment have totally changed. We no longer have those work norms to help us with those mitigations. So not only do we have increased risk, as we'll touch on in a minute, but the things that help us get back on track aren't really there. Because before, if we had some suspicious activity happening around us, it's a lot harder to get away with that, frankly, right? We're sharing cubicle space, and you can kind of see if someone is plugging in a USB where they're not supposed to occasionally, right, or putting laptops into a bag that they haven't taken out before. Right, there are more norms that we can observe and hold each other accountable to. With work from home, that doesn't exist for us, and there are a lot fewer people to even ask for help. Right, your IT department is significantly far away, there are no cube mates to ask, is that a real phishing attack or not? So both unintentional and malicious have an increased chance of happening in this type of environment. And as we saw in the previous slide, not only are mitigating factors one of the components of that, but the stress and stressors that amplify the situation. According to the most recent Gallup report, Americans are at a nine-year all-time low of dissatisfaction and unhappiness. And for many people, it's a different reason, but there's plenty to choose from, right: politics, pandemic, unemployment, social movements. There's a lot going on in everybody's life that truly increases the stress factor for every individual, and for our organizations as a whole, which then translates to more of a tinderbox as it relates to insider threat and this risk.

So what we wanted to do next was dig into a few of the recent cases. I'm going to start with this first one that took place at Tesla. Tesla obviously has some really important intellectual property to protect, and has had some very public insider threat cases in the news. In this case here, the employee at Tesla certainly was on that track, where they were passed up for a job promotion. And so this was an increased-stress moment in this employee's life, and they chose to exfiltrate very sensitive data. The employee had trusted access and sent a large amount of sensitive data to an unknown third party. Elon Musk later called the action extensive and damaging sabotage. The impact here for Tesla was a very expensive lawsuit, reputation damage, and, though we have not seen it yet, certainly impact from the stolen IP; this impact will come to fruition a bit later.

The next case here is something that happened at Shopify this year. The media reported that there were two rogue employees that legitimately had access to customer transaction records and stole those customer records and transaction records. And you might think, what's the harm with transaction records? Well, typically the records include payment information. Shopify didn't confirm whether they lost credit card numbers or not, but multiple shoppers during that time also claimed that they suffered fraudulent credit card charges within the breach time window. So the impact to Shopify wasn't necessarily just for their consumers: Shopify lost merchants, and their stock dropped due to this particular news. So certainly a big impact for the company.

This last example that I wanted to share is one that actually took place in my company, at Code42. I mentioned before that insider risk programs need to cover both malicious and non-malicious actions, and in this example our company's data was put at risk from a non-malicious action. As part of my internal insider risk program, we have visibility to all of our employees' actions, and we identified a large amount of data moving from corporate machines to personal iCloud Drive. This was for two of our senior-level employees. Because my company has decided to use only Box and G Drive as our corporate solutions, this iCloud data movement was certainly a very big red flag. So we dug in, and upon further review, this was not an intentional data exfiltration action. The employee's device itself was misconfigured to allow this to take place in the first place. But this is a really great example of the level of visibility we think customers and companies need to address this risk of data exfiltration.

And I had two examples that I wanted to bring up for this particular talk that are both related to hacktivism. For those of you who are listening and may not be familiar, hacktivism is when someone hacks for a social or political purpose, and when we say hack, in this case it also means insider threat, right? So it's a type of action, and a malicious one. So in 2017, during Trump's presidency, an employee at Twitter, without the company's permission, deleted the president's account for a very visible 11 minutes, and that obviously put Twitter in the headlines, and they had a lot of cleanup to do as a function of that. This was totally in line with the employee's access level; however, it did not have the level of controls or authentication that Twitter has since put in. This is one of the examples that taught Twitter how to think about insider threat in a little bit of a different capacity. And most recently, at the very beginning of January, an angry staffer at the State Department decided to update the State Department's website reflecting their opinion of Trump's term, saying that it ended several weeks earlier than it actually did. So again, this might seem funny, or something that's worth putting on social media or giving news attention to. However, this is something that may be an incremental change, but in the back end, who knows what a disgruntled employee with this type of access might also be interested in doing and might be able to do. All of these are relatively easy changes to restore, but both of them have put Twitter and the State Department in the headlines, and are maybe symptoms of much larger insider threat things happening in their organizations that are related to hacktivism and politically motivated.

So when we think about the fact that there are these insider threats in our organization, the next question is, what do I do about it? Yes, I understand that 2020 is introducing additional risk to my organization, but what can I, as the security practitioner or CISO, do, going back to my organization, to address this threat? There are two components that we want to talk through with you next. The first is employee risk, and the second is data risk, the two elements of insider risk. So let's start with the first.

In all of those case studies that we just walked through with you, we heard that there were employees making risky decisions in an organization, sometimes knowingly, sometimes not. But very few organizations that I work with today have the ability to answer which employees are making risky decisions, what decisions they are making, how often, and why. That is incredibly important. If we are able to answer this question today, then we can have a sense of control over where we need to be investing our time, resources, monitoring, controls, education, any type of intervention, to start addressing this risk. This is particularly true when we look at the unintentional, because when we look at malicious, it's often a lot more calculated and doesn't always necessarily have the red flags that the accidental might have. But I have some great news to share with you all on how we might even start understanding which employees are making those risky decisions, and that is the fact that the past decisions of our employees are one of the best predictors we can use for future actions. There's a fantastic study done in 2015 by Dr. Caputo on phishing susceptibility, using spear phishing as one example, and her work found that if an employee clicked on one spear phishing email out of three, it was a very high indication that they were going to click on the second and third in the future. So how we deal with one risk at one point in time is an excellent map of where our mindsets are and how we think about security in the decisions we make in the future.

So let's look at our employees' risk as a function of all of the behaviors and decisions they make on your network. We can take a look at how proactive someone is around security. Do they store strong passwords? Or are they on the other end, where they're navigating to malicious sites, downloading malware, or, as Jadee was mentioning, accidentally oversharing, not being mindful about the permissions or settings in their accounts, and regularly making small risky trade-offs that do not benefit security? That helps us understand that this is a risky employee. And the good news is that this data exists in most of your environments already. It's in the logs from the security solutions that you've likely invested in, from endpoint and email security to CASB solutions. So instead of just thinking of them as incident logs, think of those logs as security decisions that employees are making, that you can use to learn from around where your risks are growing or existing in your organization. In doing so, you are able to map the risk, not just to a department and not just to someone with critical access, but to every individual, based on what kind of decisions you are seeing them make well or poorly, and why. That is incredibly exciting.

And by the way, beyond thinking about managing this going forward, it helps us think about how we architect our permissions going forward as well. As we all may be familiar, the prevalence of the work-from-home environment has given rise to zero trust security, which is basically making sure that we're not granting access to a user, to particular data or applications, until that identity has been verified. Now, the things that go into verifying that identity, determining who that individual is, are a variety of things, including the user's location, the time of day, and their risk reputation. What we just talked about is a valuable component that can go into the passport for understanding whether or not we should be allowing users access to specific types of data and information. That is a very effective way of acting on what we know about employee risk, and helping us mitigate and minimize the blast radius of risky decisions that an employee might be able to make in the future. Now I'll hand it over for the next slides.

We talked a lot about knowing your employee risk, and I want to just give you a couple of ideas and thought-provoking things that you can take back to your organization around knowing your data risk. So as Masha set the stage for knowing employee risk, we also have to do the combination of employee risk and employee risk indicators tied to our data in our organization and data access, and this is where it all kind of comes together. First off, you all have to evaluate the impacts that we talked about earlier in the presentation on your company. Are we all using more and more collaboration software? Do you have high workforce turnover? Most of us are certainly in a spot where we have more and more remote workers. And we are all part of this crazy 2020 year and into the 2021 year, and we all have increased stress throughout our organizations. Once we evaluate all of these impact factors on our organization, I encourage you all to evaluate your data exfiltration visibility across the organization. It's really important that each of us understands where exfiltration points are and where we need additional monitoring and additional visibility. In one of our latest surveys, our respondents indicated that the top exfiltration point is email, followed by printing and external hard drives. That's not going to be exactly the same for all of you, but getting a sense of where important data is leaving my organization is a really important question to answer. The other thing that I would challenge you on, and this ties back to what Masha talked about, is: what are our users doing with your data? Are users using the corporate storage locations that you provided them? Or are they using something else because they liked it more, they like the UI more? In another one of our studies, we also found that 37% of employees responded that they are using unsanctioned cloud sharing technology. So they're essentially not using the corporate sharing technology, but they're flipping to a different one. And the thing that we all have to ask ourselves as security professionals is: do we have visibility to that, and do we have the right monitoring on all those different exfiltration locations, so that we can assess risk for ourselves?

So as we talk about what's next, we covered a ton, but in summary we want to emphasize the importance of first knowing your employee risk, and then also knowing your data risk. We thought we would wrap this up with two really simple questions for you to think through. The first one is: what types of mistakes are on the rise internally? Masha talked a lot about this. What are the employees in my organization doing today, and what are those non-malicious mistakes that are happening? Somebody syncing their device to iCloud unintentionally is a really great example of that. And then, secondly, what is my risk to data? Where do I actually have those data exfiltration points, and do I have the right visibility and the right monitoring on those different points?

As we close, we also want to leave you with a few things to think about related to employee risk and data risk. These are almost considerations as you ask those first two questions and you start to solve this problem. First, make sure that you plan your investments in technology and programs that really embrace where your employees want to work. I think we can probably all agree that this thing called remote work is here to stay, and we all need to consider: how do we get visibility without what we used to have, without the office, without the network perimeter? Secondly, make sure you factor in how your employees want to work. We know that collaboration solutions do pose a risk to data, but we also know that they are a really needed part of our business today. Our teams love collaboration solutions; they drive efficiencies and innovations, they essentially help get work done faster, and these solutions are really here to stay. So we need to make sure that we plan investment not to block these collaboration technologies, but instead to allow the security teams to have visibility into these solutions. One startling statistic that I'd share is that 51% of security leaders receive daily or weekly complaints about blocking legitimate work. I don't want to be one of those security teams. I definitely want to enable my team to do the work that they need to do, so that I don't have employees go around me, and I can still have the visibility and the monitoring that I need.

The last point that I wanted to share with you all is rethinking insider risk as this big headline that is always a lawsuit. Insider risk can show up in an organization as a thousand small decisions that our employees are making, or data leaving our network. Each of those can be lessons that teach us how we defend ourselves against a much larger event. As we talked about with the Code42 example, or Twitter learning from access to certain types of permissions, like deleting accounts without a secondary control, each of those, instead of being seen as failures, can be used as opportunities to apply small changes and evolve the security posture of your organization, to be able to withstand something much larger. Encourage every part of your security team to take these as learning opportunities and evolve as a security team, because that's how we get better. We don't plan for the future theoretical thing; we learn about the things that are happening today, and that helps us to get to where we actually want to go in the future. And with that, we're looking forward to seeing you all in our interactive session for questions.
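The approach the speakers describe in the transcript, treating the endpoint, email and CASB logs you already have as a record of per-employee security decisions and mapping risk to individuals (with a past phishing click treated as a predictor of future clicks, per the study cited), combined with the Code42 anecdote of flagging data movement to a cloud destination outside the sanctioned set, can be prototyped in a short script. The Python below is an added example written for this page; it is not code from the talk, from Code42 or from Elevate Security. The log line format, tool names, user names, event types, score weights and the sanctioned-destination list are all constructed for illustration, not taken from any real product.

```python
"""Per-employee risk scoring from existing security-tool logs.

Added example, not from the talk or from Code42 / Elevate Security.
All log lines, tool names, field names, weights and policy values below are
constructed for illustration.
"""
from collections import defaultdict

# Constructed policy: the only cloud storage destinations the company sanctions
# (the talk's example used Box and G Drive, and flagged iCloud).
SANCTIONED_CLOUD = {"box", "gdrive"}

# Constructed weights: positive = risky decision, negative = proactive behaviour.
WEIGHTS = {
    "phishing_click": 3,
    "public_link_created": 2,
    "unsanctioned_cloud_upload": 3,
    "usb_mount": 1,
    "malware_download": 4,
    "mfa_enrolled": -2,
    "phishing_reported": -1,
}

# Constructed sample log lines: "<tool> <user> <event> [key=value ...]".
SAMPLE_LOGS = """\
email alice phishing_click url=https://example.invalid/login
email alice phishing_click url=https://example.invalid/reset
casb alice cloud_upload dest=icloud bytes=4200000
endpoint alice usb_mount device=removable-1
email bob phishing_reported url=https://example.invalid/login
idp bob mfa_enrolled method=totp
casb bob cloud_upload dest=box bytes=120000
casb carol cloud_upload dest=gdrive bytes=900000
casb carol public_link_created file=roadmap.pdf
endpoint dave malware_download file=invoice.exe
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        tool, user, event = parts[:3]
        attrs = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
        events.append({"tool": tool, "user": user, "event": event, "attrs": attrs})
    return events


def classify(event):
    """Map a raw log event to a named security decision, or None if benign."""
    name = event["event"]
    if name == "cloud_upload":
        dest = event["attrs"].get("dest", "").lower()
        # Uploads to sanctioned stores are normal work; anything else is a flag.
        return None if dest in SANCTIONED_CLOUD else "unsanctioned_cloud_upload"
    return name if name in WEIGHTS else None


def score_users(events):
    """Aggregate weighted decisions per user and flag likely repeat clickers."""
    scores = defaultdict(lambda: {"score": 0, "reasons": [], "phishing_clicks": 0})
    for ev in events:
        decision = classify(ev)
        if decision is None:
            continue
        entry = scores[ev["user"]]
        entry["score"] += WEIGHTS[decision]
        entry["reasons"].append(decision)
        if decision == "phishing_click":
            entry["phishing_clicks"] += 1
    for entry in scores.values():
        # The talk cites a study finding that one click strongly predicts further
        # clicks, so a single click already marks the user for targeted training.
        entry["likely_repeat_clicker"] = entry["phishing_clicks"] >= 1
    return dict(scores)


def ranked(scores):
    """Users ordered from highest to lowest risk score."""
    return sorted(scores.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for user, info in ranked(score_users(parse_log(SAMPLE_LOGS))):
        print(f"{user:6} score={info['score']:3} "
              f"repeat_clicker={info['likely_repeat_clicker']} reasons={info['reasons']}")
```

Run as a script it prints the ranked users; `alice` lands on top because two phishing clicks plus an upload to an unsanctioned store outweigh a single USB mount, while `bob` scores negative for reporting phishing and enrolling in MFA. In a real deployment the weights would be tuned to the organization and the per-user score fed into access decisions as the "risk reputation" signal the zero trust passage of the talk mentions, alongside location and time of day.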
