RVAsec 2023: Colin Estep - Insiders packing their bags with your data скачать в хорошем качестве

RVAsec 2023: Colin Estep - Insiders packing their bags with your data

Presentation: Insiders packing their bags with your data What if your organization could discover which of your employees are exfiltrating data prior to leaving? We analyzed the behavior of more than 3 million users, and will present the insights found for employees preparing to leave, the nature and quantity of the data they target, and the services they use. Bio: Colin Estep is currently a threat researcher at Netskope focused on developing user and entity behavior analytics for cloud environments. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped create a product to do breach detection for IaaS environments. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. Prior to Apple, he was an FBI Agent specializing in Cyber crime. As an Agent, he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators. https://rvasec.com/ 00:00:00 Colin Estep introduces insider threats and data exfiltration, sharing a hypothetical story. He emphasizes user and entity behavioral analytics as a solution. 00:05:00 The speaker presents data analysis from over 200 organizations, highlighting the percentage of employees who moved data and violated policies. Intellectual property and PII were common targets. They outline the talk's remaining content. 00:10:00 Understanding data direction and labeling applications are important in identifying insiders accessing corporate data. Policies within DLP systems help identify sensitive files. 00:15:00 Examples and results from the study are discussed, including DLP violations, industries involved, and popular apps for exfiltration. They emphasize monitoring data before the two-week notice. 00:20:00 Types of data exfiltrated, commonly used apps, and detection methods are discussed. Signals like direction, nature, and volume of data movement are examined. 00:25:00 Baseline behavior monitoring at user, peer group, and organization levels is explained. The process of building models and triggering anomalies is discussed. 00:30:00 Deployment of models, triaging alerts, and case studies are presented. Future development ideas and limitations are discussed. 00:35:00 Findings recap, including the percentage of insiders moving data and violating policies. Signals and manageable investigation of alerts are emphasized. The audience is invited to explore the Netskope Threat Labs blog.