Slide1
Privacy in the Workplace and Threat Monitoring
By Marc-Andre Frigon
Slide2
This disclaimer informs you that the views, thoughts, and opinions expressed in this presentation belong solely to the author, and not necessarily to the author's employer, organization, committee or other group or individual.
Disclaimer #2: I'm taking shortcuts in the presentation to keep the flow.
Slide3
Who Am I?
- About 20 years of passion for Information Security
- Practitioner, from the trenches, in various roles and industries: GRC, Architecture, Operations
- Privacy interest for more than 10 years
- About the same period of interest in privacy in the workplace
- Involvement in global organizations: Canada, USA, Europe (France, Germany, Switzerland, Finland, UK, etc.), India, China, …
Slide4
Agenda
- The risks
- Security measures
- Privacy in the workplace
- Conclusions
Slide5
The risk(s)
Slide6
Verizon Data Breach Investigations Report (analysis by Thycotic)
Top breach patterns:
- Phishing
- Use of stolen credentials
- Backdoors or C2 (command and control)
Email is still the top delivery method of cyber attacks, and Office documents are the top file types used to infect systems. Phishing is the most common technique used to gain trust.
The human is the top target, as so many are likely to click on the links or unknowingly hand over their credentials, including their password.
Slide7
MITRE ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge: a framework available from MITRE. It is a curated knowledge base of tactics and hundreds of techniques that attackers can leverage when compromising enterprises. The 11 tactics at the time of this presentation (the Enterprise matrix has since grown to 14):
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Exfiltration
- Command and Control
Slide8
Slide9
The threat landscape has changed
"Hackers don't break in anymore, they log in"
(I think it is a quote from a Cisco guy)
Slide10
The risk is real.
- Threat is real: known tactics and techniques; attackers are fast
- Vulnerability is real: people are abusable; people give away their credentials
- Impact is real
Slide11
Countermeasures
Slide12
"Prevention is Ideal, but Detection is a MUST" (Dr. Eric Cole)
Prevent, Detect, Respond. Allocate resources wisely. Breaches are inevitable, but DETECTION TIME and response are what make the difference.
Slide13
Prevent?
Slide14
Detection is a MUST … log everything!
- Endpoint: protection + EDR, Sysmon, osquery, UBA, etc.
- Network traffic capture (NetFlow, pcap, etc.)
- Egress traffic monitoring (including HTTPS inspection)
- Authentication attempts
- Critical servers and services logs
- DNS
- …
Slide15
Detection is a MUST -> log everything!
Slide16
Detection is a MUST
How do you differentiate legitimate users from a compromised account?
Slide17
Slide18
Security Operations Center (SOC) armed with MITRE ATT&CK
- SIEM: automated log analysis
- Skilled people looking for hints of attack
- Blue team
- Playbooks
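As an added example (not code from the presentation), here is the kind of automated log analysis a SIEM rule would do to separate a legitimate user from a compromised account, tagged with the ATT&CK tactic and technique each finding maps to. The log format, the constructed sample lines, the thresholds (5 failures in 5 minutes followed by a success) and the "first login from a country never seen on this account" heuristic are this example's own assumptions; findings are keyed by account, not by employee, which is the point the later privacy slides make.

```python
"""Added example: compromised-account detection over constructed auth events.
Not code from the presentation; the log format, thresholds and ATT&CK
mappings are assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not a real SIEM export). Assumed format:
# <ISO timestamp> auth <result> user=<account> src=<ip> geo=<country>
SAMPLE_LOG = """\
2019-03-01T08:00:12Z auth success user=acct-1042 src=10.1.4.22 geo=CA
2019-03-01T08:05:40Z auth success user=acct-2210 src=10.1.7.9 geo=CA
2019-03-01T21:10:01Z auth failure user=acct-1042 src=203.0.113.5 geo=RU
2019-03-01T21:10:03Z auth failure user=acct-1042 src=203.0.113.5 geo=RU
2019-03-01T21:10:05Z auth failure user=acct-1042 src=203.0.113.5 geo=RU
2019-03-01T21:10:07Z auth failure user=acct-1042 src=203.0.113.5 geo=RU
2019-03-01T21:10:09Z auth failure user=acct-1042 src=203.0.113.5 geo=RU
2019-03-01T21:10:11Z auth success user=acct-1042 src=203.0.113.5 geo=RU
2019-03-02T09:00:00Z auth success user=acct-2210 src=10.1.7.9 geo=CA
2019-03-02T09:30:00Z auth failure user=acct-3377 src=10.1.9.1 geo=CA
2019-03-02T09:31:00Z auth success user=acct-3377 src=10.1.9.1 geo=CA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+)$"
)

# Assumed tuning: this many failures inside WINDOW, then a success, from one source.
BRUTE_FORCE_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the assumed line format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count and surface these
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts keyed by account (never by employee), each tagged with
    the ATT&CK tactic and technique it maps to."""
    alerts = []
    recent_failures = defaultdict(list)   # (account, src) -> failure timestamps
    known_geo = defaultdict(set)          # account -> countries seen on successes
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent_failures[key].append(e["ts"])
            # keep only failures still inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key] if e["ts"] - t <= WINDOW]
            continue
        # success: was it preceded by a burst of failures from the same source?
        fails = [t for t in recent_failures[key] if e["ts"] - t <= WINDOW]
        if len(fails) >= BRUTE_FORCE_THRESHOLD:
            alerts.append({
                "account": e["user"], "src": e["src"], "ts": e["ts"],
                "tactic": "Credential Access", "technique": "T1110 Brute Force",
                "detail": f"{len(fails)} failures then success within {WINDOW}",
            })
        # success from a country this account has never logged in from before
        # (skipped on the account's very first success: no baseline yet)
        if known_geo[e["user"]] and e["geo"] not in known_geo[e["user"]]:
            alerts.append({
                "account": e["user"], "src": e["src"], "ts": e["ts"],
                "tactic": "Initial Access", "technique": "T1078 Valid Accounts",
                "detail": f"success from new country {e['geo']}; seen before: {sorted(known_geo[e['user']])}",
            })
        known_geo[e["user"]].add(e["geo"])
        recent_failures[key].clear()
    return alerts


def run_sample():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a["ts"].isoformat(), a["account"], a["tactic"], a["technique"], "-", a["detail"])
```

On the constructed sample, only acct-1042 fires: a brute-force burst followed by a success (T1110), and that success coming from a country the account had never used (T1078). The one failure before acct-3377's success and acct-2210's routine logins produce nothing, which is the difference between a legitimate user and a compromised account that the slide asks about. Both rules work on the account and the source address; neither needs to know who sits behind the account.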
Slide19
Privacy in the workplace
Slide20
Privacy Law (USA)
Laws basically allow employers to monitor employees, except in changing rooms or bathrooms; employees are starting to question the methods that employers use to monitor them.
Slide21
Slide22
In the Privacy Law class (in the USA)
"Students over the years have been surprised that there are so few laws that govern employees' privacy in the workplace, and in general believe that workers have an expectation of privacy. The law doesn't really reflect this assumption."
Slide23
Slide24
Privacy at work in Canada
Shortcut -> pretty much the same as the USA
Slide25
WORKPLACE PRIVACY AND EMPLOYEE MONITORING
Computers and Workstations
Email and Instant Messaging
Telephones
Mobile Devices
Audio and Video Recording
Location (GPS) Tracking
U.S. Postal Mail
Social Media
Slide26
Legally acceptable
How to do it without demoralizing the employees?
Slide27
My first experience with privacy in the workplace
Creation of a Security Operations Center, late 2008 (more than a year of effort & $)
- SIEM gathering logs for perimeter technologies & DMZ systems
- NIPS/HIPS
- FW
- Web proxies
- …
SOC main objective: detect external attacks
NOTE: Unionized environment
Slide28
Slide29
Slide30
The union representative came to meet us … because they felt we were snooping on the employees.
Slide31
Slide32
European countries (shortcut)
- Strong expectations of privacy in the workplace
- Inalienable right under some conditions
- Less liability on the enterprise if a security incident occurs
Slide33
Switzerland = FULL PRIVACY if you allow personal use
Slide34
Published in 2005
Slide35
Slide36
Global vs local
Slide37
But monitoring is needed. Now, how do we do it well?
Slide38
The world is flat: take a global approach
- Transparency & openness
- Keep in mind the bigger goal (support an organisational objective)
- Hidden vs accepted (communication & change management)
- Invasive (intrusive) vs respectful
- Machine inspection (less sensitive) vs human analysis (more sensitive)
- Anomaly detection
- Eavesdropping vs traffic analysis
- Don't decrypt everything (hidden gardens: banking, medical, etc.)
- Account vs person
Slide39
If it is a good idea, you should be able to say it in front of everyone.
Slide40
Work with employees
- Monitor accounts, not employees
- Insider threat (malicious or error) is out of scope
- Explain the why & how. Explain the why & how. Explain the why & how. Explain the why & how …
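"Monitor accounts, not employees" and the earlier "Account vs person" point can be built into the log pipeline rather than left to policy. The added example below (not code from the presentation) pseudonymises the account identifier with a keyed HMAC before events reach the SOC: analysts can still correlate every event of one account, but cannot map the token back to a named person. Re-identification sits with a separate team behind an approved-case check and an audit trail. The key handling, the case-approval model, the directory and the sample event are all this example's own assumptions.

```python
"""Added example: pseudonymising account identifiers before events reach the
SOC, so analysts correlate on accounts, not on named employees. Not code from
the presentation; key handling, the case-approval check and the audit trail
are assumptions made for this example."""
import hashlib
import hmac
import secrets

# Assumed: the pseudonymisation key is held by the log pipeline, never by the
# analyst tooling. Generated here so the example runs offline.
PIPELINE_KEY = secrets.token_bytes(32)


def pseudonymise(account, key=PIPELINE_KEY):
    """Deterministic keyed hash: the same account always maps to the same token,
    so a SIEM can still group events per account, but the token cannot be
    reversed without the key. A keyed HMAC rather than a plain hash means a
    precomputed table over the staff directory does not undo it."""
    return "acct:" + hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_event(event, key=PIPELINE_KEY):
    """Replace the identifying field and drop fields the SOC does not need."""
    out = dict(event)
    out["account"] = pseudonymise(event["account"], key)
    out.pop("display_name", None)   # the person's name never leaves the pipeline
    return out


class ReidentificationService:
    """Held by a separate team (assumed: HR/legal). Resolves a token back to an
    account only for an approved case, and records every lookup attempt."""

    def __init__(self, accounts, key):
        self._lookup = {pseudonymise(a, key): a for a in accounts}
        self._approved_cases = set()
        self.audit_log = []

    def approve_case(self, case_id):
        self._approved_cases.add(case_id)

    def reveal(self, token, case_id, requester):
        # log before the check so refused attempts are also on record
        self.audit_log.append((case_id, requester, token))
        if case_id not in self._approved_cases:
            raise PermissionError(f"case {case_id} not approved for re-identification")
        return self._lookup[token]


# Constructed sample data (not a real directory or log export).
DIRECTORY = ["jdoe", "asmith", "mfrigon"]
SAMPLE_EVENT = {"ts": "2019-03-01T21:10:11Z", "account": "jdoe",
                "display_name": "Jane Doe", "src": "203.0.113.5", "result": "success"}


def demo():
    """What the SOC sees, and what it takes to get back to a person."""
    soc_view = pseudonymise_event(SAMPLE_EVENT)
    reid = ReidentificationService(DIRECTORY, PIPELINE_KEY)
    reid.approve_case("IR-2019-0042")
    person = reid.reveal(soc_view["account"], "IR-2019-0042", requester="analyst-7")
    return soc_view, person, reid


if __name__ == "__main__":
    view, who, svc = demo()
    print("SOC sees:", view)
    print("Re-identified under approved case:", who)
    print("Audit trail:", svc.audit_log)
```

The design choice worth noting is determinism: because the token is stable for a given key, the brute-force and new-country rules of a SIEM keep working on the pseudonymised stream unchanged. Rotating the key breaks correlation across the rotation boundary, so in practice the key lives as long as the retention window for the logs it protects.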
Slide41
The moment you think you have done too much communication is when you are starting to do enough.
Slide42
"Prevention is Ideal, but Detection is a MUST"
Slide43
Focus all effort on raising attacker costs
Ref: https://www.slideshare.net/PlatformSecurityManagement/asmc-2017-martin-vliem-security-lt-productivity-lt-security-syntax-error
Slide44
Zero trust model: CORE CONCEPTS
Slide45
Key takeaways
1. Privacy in the workplace matters: review your practices
   - The world is not that flat, but build your program
   - Trust your people, but focus on compromised accounts
   - Be more respectful than invasive (intrusive)
2. Integrate new approaches reconciling privacy with corporate security
"Freedom and democracy cannot exist without privacy"
(Daniel Therrien, Privacy Commissioner of Canada)
Slide46
Slide47
Slide48
Security risks to organizations are pretty common, but privacy expectations in the workplace vary across the globe. The challenge is how to properly secure a global organization without crossing the thin line between protecting the organization and demoralizing employees. Not only do some expect a form of privacy at work, but things like end-to-end encryption have led to new methods to ensure that security incidents are promptly detected.
Slide49
Key takeaways
- The world is not that flat
- Trust your people, but focus on compromised accounts
- Be more respectful than invasive (intrusive)
- Look out for new approaches reconciling privacy and security
"Freedom and democracy cannot exist without privacy"
(Daniel Therrien, Privacy Commissioner of Canada)
Slide50
Slide51
"Breakout time" (by CrowdStrike)
"Breakout time" is the time that it takes an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. The current average breakout time is 1 hour and 58 minutes (Oct 2018), which means that if defenders are able to detect, investigate and remediate the intrusion within 2 hours, they can stop the adversary before they can cause serious damage.
Slide52
16 Worst and Most Extreme Ways Employers are Spying on Their People (2017), by Aigerim Berzinya, Dec 20, 2017
Extreme tracking features offered by classic employee monitoring solutions:
1. Taking screenshots of employees' screens, making video recordings, and offering live video feeds
2. Invisible installs and stealth monitoring features
3. Keyloggers
4. Instant messaging app monitoring
5. Remote desktop control
6. Spying on employees' mobile devices
7. Complete communication logs
8. VoIP call spying
9. Internet monitoring
10. Keylogger
11. Geofencing alerts
12. GPS tracking
14. Access to calendar, notes, and reminders
15. Surroundings audio recording capability
16. Taking over the phone's camera, making screenshots, and the ability to see all multimedia content on the infected
Slide53
Global vs local
- Threat is global
- Vulnerability is global
- Impact is global
Global solution
Slide54
Technology makes distances shrink