No More Sleepless Nights: How AI Helps You Stop Insider Thieves and Data Theft by Departing Employees. Daisuke Sato, Modern Work Global Black Belt, Microsoft Asia

Posted on 22-Sep-2020

TRANSCRIPT

Page 1:

No More Sleepless Nights: How AI Helps You Stop Insider Thieves and Data Theft by Departing Employees

Daisuke Sato

Modern Work Global Black Belt

Microsoft Asia

Page 2:

Page 3:

The ‘Sly Dog’ gang

Four departing employees took confidential company documents with them to a competitor.

The ringleader emailed the company's warehouse-development, logistics and inventory-management operating documents to his own personal mailbox under the subject line “you sly dog you…”, and then recruited three accomplices.

The others then forwarded confidential documents from their work email to personal mailboxes under the subject line “good stuff”.

One of them accidentally sent an email to an old work email address, with a document attached into which the competitor's logo had already been inserted; that is how the theft was discovered.

In March 2019 a large automaker with advanced technology filed a corporate-espionage lawsuit against the four former employees and the competitor.

Page 4:

Internal risks and violations of many kinds

• Data leakage

• Breach of confidentiality agreements

• IP theft

• Workplace violence

• Compliance violations

• Fraud

• Violations of company policy

• Insider trading

• Conflicts of interest

• Leakage of sensitive data

• Security-policy violations

• Workplace harassment

Page 5:

Feeling vulnerable to insider threats

What insider risks does your organization face?

Insider risk is one of your biggest challenges¹

https://crowdresearchpartners.com/portfolio/insider-threat-report/

1. 95% of organizations surveyed were 100+ seats

Which kind of insider are you most concerned about?

• Not sure

• Malicious insiders who create risk deliberately, e.g. intentionally causing harm

• Unintentional insiders who create risk without meaning to, e.g. through negligence or stolen credentials

Page 6:

Pathways to malicious insider risk

51% of employees involved in an insider-threat incident had previously violated IT security policy in a way that led to the incident (Deloitte Metastudy 2016)

59% of employees who left voluntarily or involuntarily say they took sensitive data with them (Deloitte Metastudy 2016)

92% of insider-threat incidents were preceded by a negative work event, such as dismissal, demotion or a dispute with a manager (Carnegie Mellon CERT)

In 21.6% of sabotage incidents the insider felt that expectations (promotion, bonus, recognition, etc.) had not been met (Carnegie Mellon CERT)

In 97% of the insider-threat cases studied by Stanford University a supervisor had reported the employee's behaviour, but the organization took no further action (Deloitte Metastudy 2016)

(Pathway diagram: Predisposition → Stressors → Behaviour → Planning & preparation → Risk)

Page 7:

Insider Risk Management

Page 8:

• Files are accessed and shared across many devices and applications

• The path a file travels is hard to trace

• Millions of signals from different sources (security/HR/legal) must be analysed

Enterprises usually rely on a patchwork of methods to prevent insider risk

Insider risk is hard to identify and manage

Traditional approaches have their limits

UEBA (user behavior analytics)

Complex setup
• Setup requires scripting (engineering-led or outsourced to a managed service)
• Hardware cost for signal storage and compute/analytics
• Signal management needs other solutions (firewalls, UAM, DLP, EDR)
• Events-per-second ceiling
• On-prem server-based model

Limited enrichment
• Low visibility into content
• Little sentiment analysis
• Insufficient understanding of content sensitivity

Narrow workflows
• No integrated workflow beyond the SOC

UAM (user activity monitoring)

Complex setup
• Requires endpoint agents and on-prem servers
• Managing agents is complex
• Agent-based model has limited scale and performance problems

Limited enrichment
• Low visibility into content
• Little sentiment analysis
• Limited signal correlation
• Insufficient understanding of content sensitivity

Narrow workflows
• No integrated workflow beyond the SOC

DLP (data loss prevention)

Complex setup
• Requires endpoint agents and on-prem servers
• Managing agents is complex
• Agent-based model has limited scale and performance problems
• Some solutions focus only on email

Limited enrichment
• Low visibility into content
• Little sentiment analysis
• Limited signal correlation
• Prone to false positives

Narrow workflows
• No integrated workflow beyond the SOC

Page 9:

Intelligent insider risk solution

Transparent: balance employee privacy against organizational risk

Intelligent: use machine learning to identify hidden behaviour patterns

Integrated: an integrated workflow supports resolving the risk

Personas

• Legal (Employment): regulatory compliance

• HR: a healthy workforce and work environment

• Compliance/Privacy: adherence to regulations and policies

• Security: protect information and infrastructure

Page 10:

Risk playbooks you can start with

• Data leakage: intentional or unintentional leakage of sensitive or confidential information

• HR policy violations: detect behaviour and conduct that violate company HR policy (e.g. harassment, discrimination)

• Departing-employee data theft: departing employees stealing intellectual property

59% of employees who leave an organization, voluntarily or involuntarily, say they took sensitive data with them when they left¹

1. 2016 Deloitte Debriefs “Insider threats: What every government agency should know and do”

Page 11:

Tailored playbooks intelligently correlate native and third-party signals so that insider-risk alerts stay high-fidelity.

An end-to-end investigation workflow lets IT, HR and Legal collaborate and take action.

Built-in privacy and anonymization controls ensure that information about a risk is shared appropriately within the organization.

Insider Risk Management
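The departing-employee playbook above, and the “Sly Dog” case on page 3, both come down to one correlation: an HR signal (a known last working day) joined with a mail signal (attachments leaving the company for a personal mailbox). The following script is an added example, not code from the presentation or from any Microsoft product; the HR export, the mail-trace rows, the domain names and the scoring weights are all constructed for illustration. It generalises the case in the deck slightly: it keeps only messages sent inside a configurable window before the employee's last day, then scores each on recipient domain, attachment count and size, and time of day, so that a single lunchtime mail to a vendor does not rank alongside a 10 MB after-hours dump to a webmail account.

```python
"""Correlate an HR departures feed with mail-trace logs to rank possible
data exfiltration by departing employees (added example, constructed data)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample data: an HR export of departing employees and a
# mail-trace export. Every mailbox, domain and subject here is invented.
HR_DEPARTURES_CSV = """employee,last_day
alice@contoso.example,2020-09-30
bob@contoso.example,2020-10-15
"""

MAIL_TRACE_CSV = """timestamp,sender,recipient,subject,attachments,attachment_bytes
2020-09-25T18:42:00,alice@contoso.example,alice.home@gmail.example,you sly dog you,3,4200000
2020-09-26T09:10:00,alice@contoso.example,partner@vendor.example,Q3 logistics review,1,120000
2020-09-27T22:05:00,carol@contoso.example,carol@contoso.example,notes,0,0
2020-10-10T20:30:00,bob@contoso.example,bob.p@outlook.example,good stuff,5,9800000
2020-09-10T11:00:00,alice@contoso.example,alice.home@gmail.example,holiday photos,2,800000
"""

PERSONAL_MAIL_DOMAINS = {"gmail.example", "outlook.example", "yahoo.example"}
CORPORATE_DOMAIN = "contoso.example"
LOOKBACK_DAYS = 14  # days before the last working day treated as the risk window


@dataclass(frozen=True)
class Alert:
    sender: str
    recipient: str
    subject: str
    sent_at: datetime
    days_before_departure: int
    reasons: tuple[str, ...]
    score: int


def load_departures(csv_text: str) -> dict[str, date]:
    """Map employee mailbox -> last working day, from the HR export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["employee"].lower(): date.fromisoformat(r["last_day"]) for r in rows}


def score_message(msg: dict, departures: dict[str, date]) -> Alert | None:
    """Return an Alert for one mail-trace row, or None if it is not risky."""
    sender = msg["sender"].lower()
    recipient = msg["recipient"].lower()
    sent_at = datetime.fromisoformat(msg["timestamp"])
    attachments = int(msg["attachments"])
    size = int(msg["attachment_bytes"])

    last_day = departures.get(sender)
    if last_day is None:
        return None  # no HR signal for this sender: not a departing employee
    days_before = (last_day - sent_at.date()).days
    if days_before < 0 or days_before > LOOKBACK_DAYS:
        return None  # outside the pre-departure risk window

    recipient_domain = recipient.rsplit("@", 1)[-1]
    reasons: list[str] = []
    score = 0
    if recipient_domain in PERSONAL_MAIL_DOMAINS:
        reasons.append("recipient is a personal webmail domain")
        score += 40
    elif recipient_domain != CORPORATE_DOMAIN:
        reasons.append("recipient is external")
        score += 15
    if attachments > 0:
        reasons.append(f"{attachments} attachment(s)")
        score += 20
    if size >= 1_000_000:
        reasons.append("attachment payload >= 1 MB")
        score += 20
    if sent_at.hour >= 19 or sent_at.hour < 7:
        reasons.append("sent outside business hours")
        score += 10
    if not reasons:
        return None
    return Alert(sender, recipient, msg["subject"], sent_at, days_before, tuple(reasons), score)


def find_departure_exfil(mail_csv: str, hr_csv: str, threshold: int = 50) -> list[Alert]:
    """Join the mail trace with HR departures and return alerts at or above threshold, highest first."""
    departures = load_departures(hr_csv)
    alerts = [a for m in csv.DictReader(io.StringIO(mail_csv)) if (a := score_message(m, departures))]
    return sorted((a for a in alerts if a.score >= threshold), key=lambda a: a.score, reverse=True)


if __name__ == "__main__":
    for a in find_departure_exfil(MAIL_TRACE_CSV, HR_DEPARTURES_CSV):
        print(f"{a.score:3d} {a.sender} -> {a.recipient} ({a.days_before_departure}d before exit): "
              f"{a.subject!r}; " + "; ".join(a.reasons))
```

With the constructed data, only the two personal-mailbox sends inside the window cross the default threshold; the vendor mail scores too low and the “holiday photos” message falls outside the 14-day window. In practice the HR feed is the expensive part to obtain, which is exactly the cross-team (IT, HR, Legal) dependency the slide describes.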

Page 12:

DEMO: Insider Risk Management

Pages 13-25: (no transcript text)

Page 26:

Intelligent compliance and risk management solutions

• Information Protection & Governance: protect and govern data anywhere it lives

• Internal Risk Management: identify and remediate critical insider risks

• Discover & Respond: quickly investigate and respond with relevant data

• Compliance Management: simplify and automate risk assessments

Page 27:

Page 28:

Information Protection & Governance: detect, protect and control access to your sensitive content

Auto-apply policies at the data layer: define data-protection and data-governance policies, then manage sensitive data and reduce risk according to those policies

Unified approach and broad coverage: detect sensitive content across digital assets and applications and apply data-protection and data-governance policies to it

Control your data with privileged access and encryption keys: ensure that access to sensitive data is protected by appropriate access controls

Data growing at exponential rate

Detect

→ Classify on-prem, file shares and O365

→ Sensitive information types

→ Keyword, query based

→ Across Office 365 applications

Protect

→ Encryption

→ Retention and deletion

→ Data Loss Prevention

→ Records Management

Control

→ Privileged Access Management

→ Customer Lockbox and Zero Standing Access

→ Customer Key and other key options

→ Validate and investigate with label analytics

Page 29:

Page 30:

Page 31:

Page 32:

“Collect and export” is risky and costly; we address this with Advanced eDiscovery

Pain points of “collect and export”:

• Move sensitive data to other systems

• Work with disjointed tools

• Lose insights in large amounts of data

Advanced eDiscovery design principles:

• Collect and discover data where it is

• Manage end-to-end workflows in one solution

• Find relevant data and insights intelligently

Export

Page 33:

Advanced eDiscovery: an end-to-end solution

Custodian management and communications: preserve content by custodian, send hold notifications and track acknowledgements

Collection into document review sets: manage static sets of documents within a case that can be independently searched, analyzed, shared and acted upon

Deep crawling and indexing: deep processing (e.g. much higher size limits, non-Microsoft file types, …) to extract and index text and metadata

Cull your data intelligently with ML: use predictive coding, near-duplicate detection, email threading, themes and ML models to identify potentially high-value content

Review and take action on documents: view content via a native and text viewer, organize documents with tags, and redact sensitive information prior to export

Page 34:

https://www.youtube.com/watch?v=tmPfS-coPGY

Page 35: 不必再徹夜難眠─ 教你如何阻擋內賊與離 · Mellon CERT 97% 上司舉報了 ... • 需要分析數百萬個不同訊號來源(security/HR/legal) ... Insider Risk Management