InfoSecChat

Fox In The Hen House? (2 of 3)
Could you spot the fox in your hen house? Protect your sensitive data from insider threats.
   8 years ago
IBM Security
Q4: How can a Data Activity Monitoring (DAM) solution help me protect against insider threats?
Christina F Thompson
A4: Automated, real-time controls implemented through a well-designed DAM solution can prevent unauthorized actions
Cindy Compert,CIPT/M
A4: The best offense is a good defense. Go where the money is.
Andy Land
A4: One of the core tenets of stopping #insiderthreats is watching the data. Know where the honeypots are and watch them. Know what users should be doing in those honeypots. @IBMSecurity
AdrianLane
A4: DAM detects unusual queries and can block. Think SQL Injection
Luis Casco-Arias
Since the ultimate asset is data, it makes sense to monitor who is accessing that data in real time, and what they are doing to it
Cindy Compert,CIPT/M
Don't forget File Activity Monitoring!!
AdrianLane
A4: And DAM detects behavioral changes - if a user does something unusual
Luis Casco-Arias
Since DAM can control access to the data, it can even prevent a breach by getting threat info from the network
Leslie Wiggins
A4: With the right solution, you can monitor sensitive data and files and then tighten control around access
Cindy Compert,CIPT/M
and correlate activity with network applications and identity and access management #SIEM
AdrianLane
A4: In some cases redaction - if you don't trust the user, blank out results
Andy Land
@AdrianLane It really is that user with what data they are touching combo. If you know what users should be doing with your data and then monitor that, then you have more than a fighting chance.
AdrianLane
@andylandtx Yes - when do you not trust the user? It's beyond Authorization
Andy Land
@AdrianLane Agreed. Why show users more data than they need to see. Mask it, redact, to keep data private and secure.
Cindy Compert,CIPT/M
I'm amazed how many #InfoSec pros are not aware of #DAM Data Activity Monitoring
Leslie Wiggins
@CCBigData or of File Activity Monitoring, I'm sure
AdrianLane
@CCBigData Too busy managing their WAF
Andy Land
@cascoarias Data is what they want. So monitor it and who is accessing it.
IBM Security
Q3: What are best practices around looking for insider threats?
AdrianLane
A3: Monitoring. It’s the only way to detect database misuse. But specifically …
AdrianLane
@IBMSec A3: looking behaviorally at what a user selects and quantity of data
Luis Casco-Arias
First, you need to understand what you want to protect. The risk-value assessment
Andy Land
A3: Classify sensitive data. Monitor privileged user activity. Put in place user behavioral analytics. Take a programmatic approach. Hang in there! @IBMSecurity
Leslie Wiggins
A3: Monitoring, paired with blocking and alerting, to protect sensitive data
AdrianLane
A3: really hard to differentiate between normal and abnormal use
Leslie Wiggins
@AdrianLane I think that's why machine learning is so important to apply to the issue
Luis Casco-Arias
A risk-value assessment gives you a view of what resources/data are critical, but also who should be accessing them
Andy Land
@AdrianLane Agreed that we have to be able to separate normal user activity from anomalous activity.
AdrianLane
@LeslieW66749952 Machine learning is one way - semantic - meta data
Luis Casco-Arias
Once you identify the current risk-value status, you can minimize that risk by cleaning up data, or entitlements, or change the access policies.
Cindy Compert,CIPT/M
@AdrianLane Yes- machine learning is the only viable method for #BigData
Christina F Thompson
A3: Another best practice is to use encryption to render sensitive data unreadable, so an attacker cannot gain unauthorized access to data from outside.
Andy Land
@cascoarias Risk-value is the only way to do this within a budget.
Luis Casco-Arias
You also need to verify that the insider risk is kept to a minimum as insiders access the data on a regular basis.
Andy Land
@AdrianLane We do love the Racer X image. But where is Chim Chim?
Luis Casco-Arias
And finally, you need to mitigate risk dynamically by restricting access and integrating with IAM or security configuration tools to mitigate access configurations.
AdrianLane
@andylandtx - you know damn well he's in the trunk of the Mach 5
IBM Security
Q1: Who is an insider?
AdrianLane
A1: An employee with valid credentials #infosecchat
Andy Land
A1: Anyone (employees, partners) who has access to sensitive data. So knowing what is sensitive to you is critical. @IBMSecurity
Leslie Wiggins
A1: Also a 3rd party or partner that has access
Victoria_A
Can it be a vendor or 3rd party rep?
Christina F Thompson
yes @AdrianLane and familiar with the organization's data & intellectual property as well as the methods that are in place to protect them
Cindy Compert,CIPT/M
A1: Anyone who has 1. Elevated privacy and 2. Access to valuable info
Victoria_A
Thanks Leslie!
Leslie Wiggins
@_Vicki_A_ Great minds think alike!
AdrianLane
A1: Is an attacker with employee credentials an insider? #infosecchat
Luis Casco-Arias
People or machines that have access to company resources
Cindy Compert,CIPT/M
Anyone who has access to valuable assets, whether an employee or contractor
Leslie Wiggins
@AdrianLane Good question. It's certainly a wolf in sheep's clothing. To the organization, it sure looks like the insider!
Luis Casco-Arias
Basically someone or something that has credentials
Andy Land
A1: The key is: does the user have the entitlements to sensitive data? So, are you monitoring the users and data looking for anomalies? @IBMSecurity
Andy Land
@AdrianLane I say yes. I think part of Insider Threat is outsiders getting insider credentials.
Leslie Wiggins
@AdrianLane Adrian - what is the most common type of insider threat you end up discussing with folks?
Luis Casco-Arias
Right @andylandtx, the important part is what type of credential access....
AdrianLane
Pissed off employees #infosecchat
Luis Casco-Arias
Some could be a misconfiguration like a "guest" account with lots of access to sensitive data
Cindy Compert,CIPT/M
@AdrianLane laid off ex-employees who still have credentials
Andy Land
@AdrianLane I think I would be monitoring tightly at review times in your company. :)