Hello, my name is Hugh Njemanze. I'm the Chief Technology Officer and Co-Founder of ArcSight and today we're going to talk about thwarting insider threats. So many people are familiar already with perimeter threats, which just if you give me one second, I'm a fast drawer and I'll illustrate the problem for you.
So what's happening with perimeter threat is you have people outside your castle, your corporation actually trying to attack. So what happens is you need to find some way to repel those introducers. The industry has come up with many solutions. There are products on the market such as firewalls, intrusion detection systems and others whose thrust is basically to help defend against these intruders, these perimeter attackers.
However, if the attacker is already within your organization then none of these defenses are going to be very useful. And to illustrate what can happen, there was a case reported recently where eight employees at the Bank of America actually stole 700,000 customer records. And this was bad for those customers but it was also bad for Bank of America because additionally, due to regulations such as SB1386 they have to report when an incident like this happens and you can imagine that could erode the confidence of the entire customer base.
So how do we deal with insider threat then? Well, we can use many of the same tools that we apply for a perimeter threat. What we want to do is provide appropriate inputs. So in organizations, things like applications are typically run, maybe a database, other systems like Oracle, SAP, PeopleSoft. And with all of those systems, people have various things they're allowed to do. They have log in, they have permissions, access controls and we can monitor those to see if people are behaving according to what they should be doing and what they're allowed to be doing. We also have access monitoring systems such as when you swipe your badge to get into or out of a building and we also have identity management systems that again, keep tags of who's who.
And what you want to do is basically analyze those records in the same way that a security information management system was analyzing firewall and IDS records, they want to do that here with this information. It's essentially analogous to looking inside the windows of the building instead of focusing outwards.
And just to give you an example, a phone company noticed that some of their employees were actually selling phone records to private investigators who were performing things like divorce investigations. Needless to say, the phone company was not happy about this. What they were able to do is use a security information management system to analyze the employees' activity records and determine, for example, that a few employees would access the same customer records over and over, which would be very, very rare behavior to happen just in natural life when a random phone customer dials in.
In a survey of enterprise CEOs, over 72 percent of them identified insider threat as an equal or greater problem than perimeter threat. The good news is there is something we can do about these insider threats using information that's available and combining and analyzing that with existing tools.
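The repeated-lookup pattern from the phone company example can be sketched as a small detection rule. This is an added example, not part of the talk and not ArcSight's product logic; the log format, the `VIEW_CALL_RECORDS` action name, the threshold and the seven-day window are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, employee, action, customer record.
SAMPLE_LOG = """\
2024-03-04T09:02:11 emp017 VIEW_CALL_RECORDS cust-4410
2024-03-04T09:15:40 emp022 VIEW_CALL_RECORDS cust-1093
2024-03-05T14:21:05 emp017 VIEW_CALL_RECORDS cust-4410
2024-03-05T16:48:30 emp022 VIEW_CALL_RECORDS cust-2210
2024-03-06T10:05:52 emp017 VIEW_CALL_RECORDS cust-4410
2024-03-06T11:30:00 emp031 UPDATE_ADDRESS cust-4410
2024-03-08T17:59:13 emp017 VIEW_CALL_RECORDS cust-4410
2024-03-01T08:00:00 emp031 VIEW_CALL_RECORDS cust-7781
2024-03-12T08:00:00 emp031 VIEW_CALL_RECORDS cust-7781
2024-03-25T08:00:00 emp031 VIEW_CALL_RECORDS cust-7781
truncated line
"""

def parse(log_text):
    """Turn log text into time-ordered (time, employee, action, customer) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the whole run
        ts, emp, action, cust = parts
        events.append((datetime.fromisoformat(ts), emp, action, cust))
    return sorted(events)

def repeated_access(events, threshold=3, window=timedelta(days=7)):
    """Flag (employee, customer) pairs viewed >= threshold times inside any window."""
    by_pair = defaultdict(list)
    for ts, emp, action, cust in events:
        if action == "VIEW_CALL_RECORDS":
            by_pair[(emp, cust)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pair] = best
    return flagged

if __name__ == "__main__":
    for (emp, cust), n in repeated_access(parse(SAMPLE_LOG)).items():
        print(f"{emp} viewed {cust} {n} times within 7 days")
```

The sliding window matters here: `emp031` also views one record three times, but the views are weeks apart and are not flagged.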


















