No More Sleepless Nights: AI Teaches You How to Stop Insider Threats and Departing-Employee Data Theft
Daisuke Sato
Modern Work Global Black Belt
Microsoft Asia
The "Sly Dog" gang
Four departing employees took confidential company documents with them to a competitor.
The ringleader emailed the company's warehouse development, logistics and inventory management operations documents to his own personal email account, with the subject line "you sly dog you…", and then recruited three accomplices…
The others then forwarded confidential documents from their work email to personal accounts, with the subject line "good stuff".
One of them accidentally sent an email to an old work email address, with the authored documents attached and the competitor's logo already placed inside them, which is how the theft was discovered.
In March 2019, a large automaker with advanced technology filed a corporate espionage lawsuit against the four former employees and the competitor.
Various insider risks and violations
Data leakage
Breach of confidentiality agreements
IP theft
Workplace violence
Compliance violations
Fraud
Violation of company policy
Insider trading
Conflicts of interest
Sensitive data leakage
Security policy violations
Workplace harassment
Feeling vulnerable to insider threats
What insider risks does your organization face?
Insider risk is one of your biggest challenges¹
https://crowdresearchpartners.com/portfolio/insider-threat-report/
1. 95% of organizations surveyed were 100+ seats
Which type of insider are you most concerned about?
Not sure
Malicious/intentional insiders who create insider risk
e.g. deliberately causing harm
Unintentional insiders who create insider risk
e.g. through negligence or stolen credentials
Pathways to malicious insider risk
51% of employees involved in insider threat incidents had previously violated IT security policies, leading to the incident (Deloitte Metastudy 2016)
59% of employees who left voluntarily or involuntarily said they took sensitive data with them (Deloitte Metastudy 2016)
92% had experienced a negative work event before the insider threat incident, e.g. dismissal, demotion or a dispute with a manager (Carnegie Mellon CERT)
In 21.6% of sabotage incidents, unmet expectations (promotion, bonus, recognition, etc.) were a factor (Carnegie Mellon CERT)
In 97% of cases a supervisor had reported the employee's behavior, but the organization took no further action (Stanford University insider threat case study, Deloitte Metastudy 2016)
Predisposition
Stressors
Behavior
Planning & preparation
Risk
Insider Risk Management
• Files are accessed and shared across many devices and applications
• It is hard to track how files move
• Millions of signals from different sources (security/HR/legal) need to be analyzed
Organizations usually rely on a patchwork of approaches to prevent insider risk
Insider risk is hard to identify and manage
Traditional approaches have their limits
Comparison of UEBA (user behavior analytics), UAM (user activity monitoring) and DLP (data loss prevention)
Complex setup
UEBA:
• Setup requires scripting (led by engineering staff or an outsourced managed service)
• Hardware cost for signal storage and analytics computation
• Signal management requires other solutions (firewalls, UAM, DLP, EDR)
• Events-per-second caps
• On-prem server-based model
UAM:
• Requires deploying endpoint agents and on-prem servers
• Managing agents is complex
• The agent-based model has limited scale and performance problems
DLP:
• Requires deploying endpoint agents and on-prem servers
• Managing agents is complex
• The agent-based model has limited scale and performance problems
• Some solutions focus only on email
Limited enrichment
UEBA:
• Low visibility into content
• Weak sentiment analysis
• Poor understanding of content sensitivity
UAM:
• Low visibility into content
• Weak sentiment analysis
• Limited signal correlation
• Poor understanding of content sensitivity
DLP:
• Low visibility into content
• Weak sentiment analysis
• Limited signal correlation
• Prone to false positives
Narrow workflows
UEBA, UAM and DLP: No integrated workflow beyond the SOC
Intelligent insider risk solution
Transparent
Balance employee privacy with organizational risk
Intelligent
Use machine learning to identify hidden behavior patterns
Integrated
Integrated workflows support remediating risks
Legal (Employment)
Regulatory compliance
HR
A healthy workforce and work environment
Compliance/Privacy
Comply with regulations and policies
Security
Protect information and infrastructure
Personas
You can start with the following risk playbooks
Data leakage
Intentional or unintentional leakage of sensitive, confidential information
HR policy violations
Detect behavior and conduct that violates company HR policy (e.g. harassment, discrimination)
Departing employee data theft
Departing employees stealing intellectual property
59% of employees who left the organization voluntarily or involuntarily said they took sensitive data with them when they left¹
1. 2016 Deloitte Debriefs, "Insider threats: What every government agency should know and do"
Tailored playbooks intelligently correlate native and third-party signals to keep insider risk alerts high-fidelity
End-to-end investigation: an overall investigation workflow allows collaboration across IT, HR and Legal to take action
Built-in privacy anonymization controls ensure that risk-related data is shared appropriately within the organization
Insider Risk Management
DEMO: Insider Risk Management
Intelligent compliance and risk management solutions
Information Protection & Governance: Protect and govern data anywhere it lives
Internal Risk Management: Identify and remediate critical insider risks
Discover & Respond: Quickly investigate and respond with relevant data
Compliance Management: Simplify and automate risk assessments
Information Protection & Governance: Detect, protect and control access to your sensitive content
Auto-apply policies at the data layer
Define data protection and data governance policies, and manage sensitive data and reduce risk according to those policies
Unified approach and broad coverage
Detect sensitive content across digital assets and applications, and apply data protection and data governance policies
Control your data with privileged access and encryption keys
Ensure that access to sensitive data is protected by appropriate access controls
Data growing at exponential rate
Detect
→ Classify on-prem, file shares and O365
→ Sensitive information types
→ Keyword, query based
→ Across Office 365 applications
Protect
→ Encryption
→ Retention and deletion
→ Data loss prevention
→ Records management
Control
→ Privileged Access Management
→ Customer Lockbox and Zero Standing Access
→ Customer Key and other key options
→ Validate and investigate with label analytics
"Collect and export" is risky and costly; we address these pain points with Advanced eDiscovery
Pain points of "collect and export":
Move sensitive data to other systems
Work with disjointed tools
Lose insights in large amounts of data
Advanced eDiscovery design principles:
Collect and discover data where it is
Manage end-to-end workflows in one solution
Find relevant data and insights intelligently
Advanced eDiscovery: an end-to-end solution
Custodian management and communications
Preserve content by custodian, send hold notifications and track acknowledgements
Collection into document review sets
Manage static sets of documents within a case that can be independently searched, analyzed, shared and acted upon
Deep crawling and indexing
Deep processing (e.g. much higher size limits, non-Microsoft file types, …) to extract and index text & metadata
Cull your data intelligently with ML
Use predictive coding, near-duplicate detection, email threading, themes and ML models to identify potentially high-value content
Review and take action on documents
View content via a native and text viewer, organize documents with tags, and redact sensitive information prior to export
Export
https://www.youtube.com/watch?v=tmPfS-coPGY