Responding to Insider Threats with Authentication and Endpoint Data

Transcript

Details

Sami:  Good afternoon everybody. We get to have the pleasure of having this session where everybody's in a food coma. So, if you fall asleep, we'll try to wake you up and revive you so you can go see Chris Hardwick at the closing keynote.

I'm Sami Laine, I'm the Director of Technical Marketing for Security at Okta, and the topic today is really looking at security through the lens of identity and say, "What can we do to respond to insider threats?"

And I'll start by setting the stage a little bit, and then we'll invite our partner on.

If you look at insider threats and authentication, we really can start by looking at the breach data itself. So, the breach data that everybody always wants to look at is the corpus that Verizon publishes in their Data Breach Report every year. It's great because they look at actual incident responses across the world, and the data is anonymized, so all the IR partners usually are actually sharing. So, this is a good corpus of data.

In 2016, we had almost 2,000 confirmed breaches that the IR partners that Verizon collects from actually responded to. So that means the actual, real number is much higher. What's interesting, if you dig into that data is that, although 75% of breaches were initiated by outsiders, 25% involved internal actors in one way or another. So, while you like to trust your coworkers, you should trust and verify.

And, one way of looking at this is to say, the data that we have right now is in a lot more places than it used to be. We have all these cloud/SaaS applications where the data is stored; you're deploying your applications in your own data center, the old school rack and stack, and then deploy and install there, and you have your controls around those endpoints. You may be looking at the cloud data through the CASBs and see that you don't have any threat actors getting into it.

You're securing your enterprise in those cloud services with multi-factor authentication. Some of you aren't securing through multi-factor authentication today, shame on you, but you can fix that now, for free. 

And then, lastly, the data that you have on the actual user endpoints. We tend to think about the endpoint in this game in a little bit different way, where we view the endpoint as something that's now largely going away. But, the fact is, still a lot of that processing happens on those mobile endpoints, too: laptops, and increasingly more on mobile devices.

If you look at the metrics data again, something else comes out: the insider breaches that resulted in data disclosure in the Verizon data set numbered 277. What's interesting here is that, if you look at it, of the organizations that we're working with, we found that about 58% assign access rights that go beyond an individual's role. We all know how hard role-based access controls are. And I've talked to CISOs who say that the number of different roles that are defined in their organizations far exceeds the number of employees, which is counterintuitive, but if you look at the granular controls you're trying to put in, it gets harder and harder. And if you have 30 or 40 apps, it might be manageable, but what if you have 120 apps? It becomes very difficult to make sure that an individual only has rights to the things they should have.

And then, of course, 60% of those malicious insiders take data in hopes of profiting from it in some way. They might be using it as leverage later in their life, or they might actually be stealing it and selling it to someone. And then there are actual cases of insiders doing corporate espionage, etc.

Now, that data set is pretty sobering. And, what we can do, of course, is make sure that we manage the whole life cycle of that user, and minimize the risk. 

So, to look at that, I want to take you very quickly into the building blocks of how identity can be a control point in this.

You may have seen this from Okta before. We really look at security here saying, for your identity and security, the first step is you centralize your identity and access control. This is what most of you had selected Okta for, anyway. And then you ensure strong authentication everywhere; I'm not going to beat on that one anymore.

But the third and the fourth one may deserve a double-click. We say, reduce your attack surface, and there's a couple of ways in how you can look at that. And, then look at how you actually get visibility into those incidents and identity events, and then how do you respond to it.

Reducing the attack surface and enabling visibility are the things Code42 and Okta are here today to tell you about. Let me first give you the Okta perspective on those two elements. If we say, reduce your attack surface, you're already doing it. Every single application that you deploy where users do not have a user name and password anymore is doing that. And any time you automate, essentially, the deployment of an application in a way where you're using SAML or something similar to handle the authentication, where there is no password to be breached, and where your life cycle management steps automate the provisioning and deprovisioning of those users, that eliminates the orphan account problem and takes that away.

And, of course, access to the right applications, with the access workflows and permissions, is another critical part of that. That 58% statistic, you can help eliminate that by having tight, granular authorizations within an application; we can help with that.

And then, secondly, what we can do is say, how do you actually get visibility? And how can you respond to it? From the identity event perspective, Okta is already helping you there. We help you surface the actual activities that are happening. If, for example, users have multiple failed login attempts, you can get more visibility into that in our new SysLog2 interface, and all of these features are available to plug into your security information and event management platforms, like Sumo Logic, and Splunk, and other partners.

But that's not the whole game. Okta doesn't actually have an endpoint tool. We don't have any kind of element that's sitting on all of your laptops, usually, for example. And that's where the partner ecosystem, on a broader scale, comes in. And what I wanted to do is bring on Mark Hubbard, Product Manager from Code42. You may know them as the backup company, but that's not all they do, and Mark's going to tell you all about it. Thank you.

Mark:  Thank you very much, Sami. And again, welcome everyone, and thank you for sticking around for the last session, especially after lunch.

So, as Sami mentioned, my name is Mark, and I'm with Code42. And, when we talk about security, when we talk about organizations protecting their data, oftentimes when we talk to the organizations, it becomes a conversation of balance. How do you make sure to give the employees the room to be productive, the room to run, the room to run at speed, while not being overbearing with your controls and limitations about where they can work, how they can work, and how they can move data around.

So, it's about, how do you increase that productivity, while making sure you don't put any limitations on. So, when we talk about data security, that's one of the main things that we hear, is this balance.

Now, organizations have multiple different ways to address this. Number one is identity management, right? How do you maximize productivity? Well, you enable fast onboarding, fast provisioning, no passwords, quick access into your applications. Not only on the front end, but then on the back end when something bad is discovered, being able to cut that off, being able to cut off the access.

Another piece that some people use is, say, a DLP, or data loss prevention application. So, those, basically, use data that's structured, or classification of data to prevent moving of that information, to prevent where that goes and how that gets transferred around. Great for highly classified and highly sensitive information.

But in an organization that is moving quickly, moving very fast, tough to keep up, tough to keep up on the classifications, tough to keep up on the tagging and all the rules, to make sure that you're not limiting from an organizational standpoint.

What I want to talk about today is using endpoint protection, using endpoint visibility, as another tool in your toolbox, to actually help protect and identify and respond to insider threats. Because insider threats will happen. No matter what thread, no matter what software, what protections you put out there, bad things will happen.

So, how do you react, and how do you respond when that does happen?

So, first, just a couple of minutes about Code42. Who here has heard of Code42 or CrashPlan? Okay, a couple of people in here. So, essentially, Code42 backup and recovery, we store every version of every file that's on your endpoint. The value of that is, when bad things happen, when you have your laptop accidentally take a swim, or when you spill a cup of coffee on your desktop like I did the other day, you're able to go in and recover those files. So, it's about being able to react when bad things happen.

Now, we store every version of every file, which enables a lot of great things, from a "hey, I want to be able to get this individual file, I want to be able to get these things back." And it scales, and it's a lightweight agent that scales to hundreds of thousands of users.

But, what we discovered, is that using that data, we can actually solve a couple of other different challenges from an organizational standpoint. 

First off, companies were able to reduce their IT support because, now, individuals were able to help themselves and restore those files that they may have accidentally lost, or may need to restore because something else bad happened.

Technology refresh and migration. Organizations often have policies of new laptops every three years, new desktops. Well, because we have all this data, they can actually, after they image it, move all that data onto your machine, and simply exchange machines with you, as opposed to you limiting or reducing your productivity by taking up that machine.

And then, finally, one of the other pieces is legal hold. So, as organizations are involved in litigations or legal matters, it's often important to hold and preserve information and actually hang on to it for discovery. So, it's that collection and preservation. Well, we already have that information, so we're able to hang on to it.

So, a lot of times, that can be done-- sometimes you don't want somebody to know that they're under a discovery or a legal matter. So we can do that all behind the scenes.

So, us, as an organization, we traditionally have been on-prem, and we've accomplished this through an on-prem server, or hardware that's located within customers' environments. What we've done is we've gone and started to migrate and really move to a SaaS environment, as people have said, "Hey, I don't want a piece of hardware, I don't want to have to maintain that."

So, we heard a couple of really important considerations, to talk about for just two minutes, and then we'll get into the insider threat.

This is about how Okta and Code42 work together. So, one is, from a company standpoint, being a SaaS organization, it's very easy for somebody to look great on a website, but what does a company background actually mean if you're a SaaS application?

So, Code42, we've been around, strong background, strong backing, a lot of well-known customers. Does it solve a business problem? We sell backup, restore and security center, which is what we'll talk about here in just a minute. 

Security, does it fit the profile of what the organization wants in terms of security? We're SOC 2 certified, lots of other different certifications, and we encrypt data both in transit and at rest.

Scalability, "Will you be able to grow with my organization?" Absolutely. We have over 40,000 organizations, 1.5 million users, continue to grow.

Now, ease of adoption actually is one that ties us in with Okta really tightly because, as we roll out to organizations, people want to be able to enable, provision and sign into Code42 very easily, and that was possible when we were on premise: we hooked right into their LDAP system, into their AD system, rather, but via LDAP.

Well, now that we're a SaaS organization, that becomes more difficult. So we said, "How do we do this? Who do we partner with?" And we didn't have to look too far. So, as Code42, we actually use Okta for over 85 applications, many of them with provisioning as well. We use Okta for multi-factor authentication. And Okta is actually a customer of Code42's; they use us for data protection and backup.

The way that we deploy, similar to how you would expect us to, leveraging the agent within the client's environment that communicates out with Code42, we manage single sign-on, provisioning, and we're working on enabling groups and roles as well. So, taking all those complications that Sami talked about, and mitigating those.

So, now, let's talk about your cloud. Let's talk about your data. Let's talk about those important pieces of intellectual property that are so critical. There was a recent Deloitte study that showed that over 80% of a firm's value was contained in its IP. And where does a lot of that IP live? It lives on the end points.

So, when we think about data, when we think about your cloud, you have your data secured, you have best-in-class identity management, does this give you the ability to rest easy at night? Let's talk about Sean.

Sean is somebody in your organization. Sean is an engineer. Sean is entrepreneurial, loves to be forward-thinking, really energetic, loves to work at places that are high-energy, very dynamic, which, of course, rules the office out, so we often find him at coffee shops.

Your organization depends on Sean. Sean is the lifeblood of your company. People like Sean are what's going to make your organization successful. Now, Sean has been working on some really meaningful stuff, very important to your organization, things that are going to transform, not only your company, but your industry as well. 

But Sean believes, has a different idea about what his future looks like, and it's not with your company. Sean is following his muse, and will be departing, except you don't know that yet. Sean also believes that all the work that he's done is actually, rightfully, his. He downloads 50GB of files, 50GB of information, and transfers them to somewhere where he can use it later. Whether that be on a USB drive, whether that be Google Drive, OneDrive, Dropbox, doesn't matter, some place where he can have access to it.

Now, Sean's a smart guy, and he knows the speed at which the organization goes, he knows the DLP process, he knows how to make that happen, that's why he's at a coffee shop, that's why he does things he does, in order to be able to get those files. 

So, nobody knows, to the naked eye, that that actually took place. More importantly, what was on those 50GB of files?

So, does this happen often? Does this actually happen? Sami talked about some of the statistics and, of course, it does. And, in fact, as Sami mentioned, a lot of the statistics are, I believe, vastly under-reported, because no one's really going to feel fantastic even though it's anonymized, to say "Hey, we had a data breach."

So, Sean has this information. And the clock is ticking. Your data has been exfiltrated out of your organization, and the speed to remediation, the speed of identification and remediation, is key to minimizing that damage. Fortunately, you have an Ed. What's an Ed?

Well, Ed is your security agent. Ed is in the security team, and Ed is notified that those 50GB are moved off of his computer, off Sean's computer, onto an external device. Now, moving those files inherently isn't a bad thing, because it's part of the environment that you've grown, that you've fostered, that people can move anywhere, people can work anywhere. So, transferring files, not necessarily a bad thing.

But, Ed needs to find out, are those files actually of concern? Is what he took a problem? So, fortunately, when Ed is notified of that information, of the transfer of the files, he can see exactly what was transferred. Not only just the names and the metadata information, but the actual files themselves; he can open them and discover, is this something I need to be concerned about?

Well, Ed has bad news. Yes, it's something that Ed needs to be concerned about. So, what does Ed do? Well, he does a couple of things. One, leveraging his identity management, he stops the bleeding. Because Ed found out right away, Ed can cut off access to all the applications on all the devices immediately.

Number 2 is, Ed escalates that internally. Ed says, "Hey, we have a problem here. This is really critical information, we need to resolve this."

Fast forward to a meeting with Sean. "Sean, here are the files that you took, here's when you took them. Here's the device, here's the serial number of that USB drive, here's the exact location; we need you to go and either hand in that device, or we need you to take down those files."

So, Sean is no longer able to use that information. More importantly, the risk to your organization's growth is preserved.

So, how does this happen? Well, fortunately, your organization has endpoint protection that looks at and keeps track of every version of every file on every machine. So, what that means is that you're able to understand, without being intrusive, without being overbearing, without limiting where Sean can work and what he can do, you're able to monitor, be alerted, and react and respond to what happens when Sean is taking data and information.

One way to think about this, I've heard somebody describe the approach as kids playing on a playground. So, if you think of kids who are on a playground, you know they're going to get into trouble, they're going to be in dangerous spots, and a helicopter parent is always there, always there making sure, "Don't climb up on there, don't climb too high, don't fall down." And that kid, because this protection is so overbearing, is naturally going to be a little bit more cautious; he's not going to play as hard, he's not going to grow as much.

Versus if you're a parent that is more sitting on the sidelines, the kids are out playing, they don't feel that they're overly burdened, it's not an intrusive protection, but the parents are there when and if something needs to happen, and they're able to respond.

So, we look a lot at endpoint protection as that ability to be there to respond, to react, but yet not be overbearing and limit production.

So, let's look and see how this looks in two examples. So, traditional insider threat, what happens? Sean takes that data, awesome. Nobody really knows about it. A month goes by, two months go by, somebody from HR or somebody finds out, "Hey, he went to a competitor." Or, "Boy, that thing on the internet looks a lot like what Sean was working on." Okay, now we have a problem, now we get the forensics team engaged, they engage, they discover, "Yes, Sean actually took something." Now we get the legal team engaged, now we can start to have some type of remediation and start to manage this process.

It's an inconsistent process that's really reliant on human intervention because, first, somebody has to say, "Hey, I think Sean went somewhere." Let's compare that to how Ed was able to respond. Well, Ed is able to have that notification immediately that there's a potential problem, investigate, and oftentimes remediate that problem before any damage is done. So, with that instant notification, Ed is able to-- what's Ed able to do? I forgot. Two things!

Ed is able to eliminate access for Sean, stop the bleeding. The second thing is to actually have Sean come in and remediate and eliminate the potential outsider threat. That's what Ed does. And again, this is without being overly intrusive.

So, let's talk about Code42. So, Code42, as an endpoint agent, with our security center, you're able to have that visibility, have that insight, without being overly restrictive, without interfering with the productivity of your employees.

Now, it's the same agent that's delivering other types of value. And, a lot of what we hear, and a lot of the value of an endpoint agent, is the fact that you're able to get many different values out of one particular piece.

So, let's talk about Code42 specifically, and what this actually addresses. So, you have employees that are going to be departing, that you know of are going to be departing. Let's watch them. You have people that you know have access to highly classified, highly sensitive information. You can put them on a notification watch. After you do that, you're able to set up thresholds, actually identify what are the criteria that you're concerned about? Is it the number of files, is it the size of the files, is it the frequency of transfers? How do you want to be notified, how do you want to be alerted?

So, using our security center, you can identify the individuals that you're actually concerned about. Again, these are coming straight from Okta, straight from however you do your identity management. Identify those that you want to select, and say how you actually want to be alerted. Again, is it number of files? Is it size of files? Is it frequency? And what types of destination? Is it a USB drive, is it a Dropbox, other types of public devices?

And then, finally, when you do get those notifications, redirect back to the organization, to Code42, to be able to get that specific detail so, again, you can respond, remediate as quickly as possible.

So, from an application standpoint, the whole concept is, how do you enable your organization for growth? How do you enable your organization, and your employees to run at speed, while giving yourselves the ability to react and respond when bad things will happen, because they will happen, no matter what types of things you have engaged.

So, when we think about our security application today, this is in production. So, today, we have companies using this to identify who's potentially taking information, doing the research and remediate it.

From a future standpoint, what if we can start to predict what Sean was doing? How do we start identifying more specific behaviors about Sean because 5 gigs of transferring of data, or 50 gigs, may be totally normal for person A, but for person B that's totally out of his range. How do we personalize that information, and how do we personalize that identification using things such as machine learning, making that automated, integrating that with your security orchestration system, using that data, those triggers, those notifications to automatically eliminate and cut off access.

What if we could say "Hey, this is an event we're concerned about", I don't even want to wait for ED to have to do that, I want Okta, or whomever my identity provider is, to immediately cut off access.

So, those are some of the places where we see our security app using our endpoint protection as going. So, having that visibility into what's going on on each endpoint, what's going on with the files, and being able to react and respond in a timely and efficient manner, really minimizing and mitigating the damage.

So, I really wanted to cover how Okta and Code42 work together, and then talk about how endpoint protection is another tool in your toolbox to help react and respond to insider threats.

So, I guess I'll stop here, take any questions, and we'll go from there. 

Oh, and we have a keynote, too. 

So, questions?

I answered every single one. Awesome!

Sami:  Please come up to the mic. We have two mics here.

Audience:  So, we're a Code42 customer, and on the backend, when you're watching, do we get to help set those thresholds? Or is that something that you primarily do, in terms of the user base? How do you come up with that strategy and the learning part on profiles of users?

Mark:  Sure, so, as a Code42 customer, how do we set those profiles? Yes, that is something that you get to set, by each individual profile or security threshold that you want to set. So you can assign, say, "These ten users, I want to use this particular profile", and you get to craft that particular profile yourself. "These 50 users, I want to use this type of profile." 

And that's where we are today. And again, the advantage in where we're going with things like machine learning, is how do you actually personalize that down to an individual where you don't have to do that type of interaction, and in fact it's going to be accurate because it's going to learn my specific behaviors, and react and respond to that.

Great question.

Sami:  Anyone else?

All right, we'll see you at the keynote. Thank you.

The increased risk of insider threats poses a real challenge to today's growing cloud workforce. Malicious or benign, intentional or accidental, data loss from the inside is a serious threat. In this session, you'll learn how Code42 and Okta have partnered to offer an end-to-end solution for data security in the cloud that can identify, react and respond quickly to security threats, leveraging authentication and endpoint data.
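The alerting and response flow the session describes (a watchlist of users with profiles that set thresholds on file count, size, time window and destination type; a per-user notion of what volume of transfer is "normal", so that 5 GB is fine for one person and an outlier for another; and, once an alert fires, cutting access through the identity provider and escalating with the evidence) as an added example in Python. This is illustration written for this page, not Code42 or Okta code: the agent log format, the profile fields, the mean-plus-three-sigma baseline and the `revoke_access` hook that stands in for an identity-provider API call are all assumptions, and the log lines are constructed.

```python
"""Watchlist thresholds plus per-user baselines over endpoint transfer events.
Added illustration, not Code42 or Okta code; log format, profile fields and the
revoke hook are assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Callable

MiB = 2 ** 20
REMOVABLE = {"usb", "sd_card", "external_hdd"}
CLOUD_SYNC = {"dropbox", "google_drive", "onedrive", "box"}

# Constructed sample agent log, not real output: ts|user|path|bytes|destination
SAMPLE_LOG = [
    "2017-08-30T09:15:00|alice|/home/alice/data/batch_0830.parquet|6442450944|external_hdd",
    "2017-08-30T10:00:00|bob|/home/bob/expenses.xlsx|102400|dropbox",
    "2017-08-30T10:30:00|bob|/home/bob/receipt.jpg|204800|dropbox",
    "2017-08-30T12:40:00|sean|/home/sean/proj/build_cache.tar|3221225472|internal_share",
    "2017-08-30T13:02:11|sean|/home/sean/proj/design_v7.pdf|734003200|usb",
    "2017-08-30T13:05:40|sean|/home/sean/proj/sim_results.tar|1887436800|usb",
    "2017-08-30T13:09:02|sean|/home/sean/proj/notes.md|20480|usb",
    "2017-08-30T13:11:55|sean|/home/sean/proj/roadmap.pptx|52428800|usb",
]


@dataclass
class Transfer:
    ts: datetime
    user: str
    path: str
    size: int
    destination: str


@dataclass(frozen=True)
class Profile:
    """Watchlist profile (assumed fields); an admin assigns one to a set of users."""
    max_files: int
    max_bytes: int
    window: timedelta
    destinations: frozenset  # destination classes this profile watches


def parse_events(lines):
    events = []
    for line in lines:
        ts, user, path, size, dest = line.strip().split("|")
        events.append(Transfer(datetime.fromisoformat(ts), user, path, int(size), dest))
    return events


def destination_class(dest):
    d = dest.lower()
    if d in REMOVABLE:
        return "removable"
    if d in CLOUD_SYNC:
        return "cloud_sync"
    return "other"  # internal shares, local disk: not egress, not watched here


def baseline_limit(daily_bytes, k=3.0, floor=50 * MiB):
    """Personal 'normal': mean + k*sigma of past daily egress, floored so a
    quiet user is not alerted on a single small file."""
    if not daily_bytes:
        return floor
    return max(floor, int(mean(daily_bytes) + k * pstdev(daily_bytes)))


def evaluate(events, profiles, history):
    """Return {user: alert} for watched users whose transfers to watched
    destinations cross a profile threshold or their own baseline inside the
    profile's sliding window. One alert per user; later files are appended as evidence."""
    alerts, windows = {}, defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        prof = profiles.get(ev.user)
        if prof is None or destination_class(ev.destination) not in prof.destinations:
            continue
        win = windows[ev.user]
        win.append(ev)
        while ev.ts - win[0].ts > prof.window:
            win.pop(0)
        total = sum(e.size for e in win)
        reasons = set()
        if len(win) > prof.max_files:
            reasons.add("file_count")
        if total > prof.max_bytes:
            reasons.add("bytes")
        if total > baseline_limit(history.get(ev.user, [])):
            reasons.add("baseline")
        if ev.user in alerts:  # already alerted: keep collecting evidence
            a = alerts[ev.user]
            a["files"].append(ev.path)
            a["total_bytes"] += ev.size
            a["reasons"] = sorted(set(a["reasons"]) | reasons)
        elif reasons:
            alerts[ev.user] = {"user": ev.user, "first_seen": ev.ts.isoformat(),
                               "destination": destination_class(ev.destination),
                               "files": [e.path for e in win], "total_bytes": total,
                               "reasons": sorted(reasons)}
    return alerts


def respond(alert, revoke_access: Callable[[str], bool]):
    """Ed's two steps: stop the bleeding through the identity provider (the hook is
    an assumed stand-in for an IdP call), then escalate with the evidence attached."""
    return {"user": alert["user"], "access_revoked": revoke_access(alert["user"]),
            "destination": alert["destination"], "evidence": list(alert["files"]),
            "escalate_to": ["security", "legal", "hr"]}


def run_demo(revoke_access=lambda user: True):
    hour = timedelta(hours=1)
    watched = frozenset({"removable", "cloud_sync"})
    departing = Profile(20, 1024 * MiB, hour, watched)        # tight: known leaver
    general = Profile(50, 10 * 1024 * MiB, hour, watched)     # loose: everyone else
    profiles = {"sean": departing, "alice": general, "bob": general}
    history = {"sean": [30 * MiB, 10 * MiB, 45 * MiB, 20 * MiB, 15 * MiB],
               "alice": [6 * 1024 * MiB] * 5, "bob": []}     # alice moves 6 GiB daily
    alerts = evaluate(parse_events(SAMPLE_LOG), profiles, history)
    return alerts, {u: respond(a, revoke_access) for u, a in alerts.items()}


if __name__ == "__main__":
    for user, incident in run_demo()[1].items():
        print(user, incident)
```

Running it alerts only on Sean: his 3 GiB copy to an internal share is ignored because that destination class is not watched, but the USB copies cross both the departing profile's 1 GiB limit and his personal baseline, and the alert carries the file list Ed needs for the conversation. Alice's 6 GiB to an external drive is her daily norm and stays under the general limit, and Bob's two small Dropbox files trip nothing, which is the "personalize the threshold" point rather than one global number.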