Privacy in the Workplace and Threat Monitoring - PowerPoint Presentation

Uploaded On 2020-04-05




Presentation Transcript

Slide1

Privacy in the Workplace and Threat Monitoring

By Marc-Andre Frigon

Slide2

This disclaimer informs you that the views, thoughts, and opinions expressed in this presentation belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual.

Disclaimer #2 - I'm taking shortcuts in the presentation to keep the flow.

Slide3

Who Am I?

About 20 years of passion for Information Security

Practitioner, from the trenches, in various roles and industries: GRC, Architecture, Operations

Privacy interest for more than 10 years

About the same period of interest for privacy in the workplace

Involvement in global organizations: Canada, USA, Europe (France, Germany, Switzerland, Finland, UK, etc.), India, China, …

Slide4

Agenda

The risks

Security measures

Privacy in the workplace

Conclusions

Slide5

The risk(s)

Slide6

Verizon Data Breach Investigation Report

Analysis by Thycotic

Top Breaches:

Phishing

Use of Stolen Credentials

Backdoors or C2 (Command and Control)

Email is still the top delivery method of cyber attacks, and Office Documents are the top file types used to infect systems. Phishing is the most common technique used to gain trust.

The human is the top target as so many are likely to click on the links or unknowingly give over their credentials—including their password.

Slide7

Mitre ATT&CK

Adversarial Tactics, Techniques, and Common Knowledge framework, available from MITRE. It is a curated knowledge base of 11 tactics and hundreds of techniques that attackers can leverage when compromising enterprises. The 11 tactics:

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Slide8

Slide9

The threat landscape has changed

Hackers don't break in anymore,

they log in

(I think it is a Cisco guy quote)

Slide10

The risk is real.

Threat is real

Known tactics and techniques

Attackers are fast

Vulnerability is real

People are abusable

People give away their credentials

Impact is real

Slide11

Counter measures

Slide12

“Prevention is Ideal, but Detection is a MUST” - Dr. Eric Cole

Prevent, Detect, Respond

Allocate resources wisely

Breaches are inevitable, but DETECTION TIME & response is what makes the difference

Slide13

Prevent?

Slide14

Detection is a MUST … log everything!

Endpoint protection + EDR, sysmon, osquery, UBA, etc.

Network traffic capture (netflow, pcap, etc.)

Egress traffic monitoring (including https inspection)

Authentication attempts

Critical servers and services logs

DNS

Slide15

Detection is a MUST -> log everything!

Slide16

Detection is a MUST

How do you differentiate legitimate users from a compromised account?

Slide17

Slide18

Security Operation Center (SOC) armed with Mitre ATT&CK

SIEM - automated log analysis

Skilled people looking for hints of attack

Blue team

Playbook

Slide19

Privacy in the workplace

Slide20

Privacy Law (USA)

Laws basically allow employers to monitor employees except in changing rooms or bathrooms, but employees are starting to question the methods that employers are using to monitor employees.

Slide21

Slide22

In the Privacy Law class (in USA)

Students over the years have been surprised that there are so few laws that govern employees’ privacy in the workplace, and in general believe that workers have an expectation of privacy. The law doesn’t really reflect this assumption.

Slide23

Slide24

Privacy at work in Canada

Shortcut -> pretty much the same as USA

Slide25

WORKPLACE PRIVACY AND EMPLOYEE MONITORING

Computers and Workstations

Email and Instant Messaging

Telephones

Mobile Devices

Audio and Video Recording

Location (GPS) Tracking

U.S. Postal Mail

Social Media

Slide26

Legally acceptable

How to do it without demoralizing the employees?

Slide27

My first experience with privacy in the workplace

Creation of a Security Operation Center

Late 2008 (more than a year of effort & $)

SIEM gathering logs for perimeter technologies & DMZ systems

NIPS/HIPS

FW

Web proxies

SOC main objective: detect external attacks

NOTE: Unionized environment

Slide28

Slide29

Slide30

The union representative came to meet us … because they felt we were snooping on the employees

Slide31

Slide32

European countries (shortcut)

Strong expectations of privacy in the workplace

Inalienable right under some conditions

Less liability on the enterprise if a security incident occurs

Slide33

Switzerland = FULL PRIVACY if you allow personal use

Slide34

Published in 2005

Slide35

Slide36

Global vs local

Slide37

But monitoring is needed.

Now how to make it good?

Slide38

The world is flat, take a global approach

Transparency & openness

Keep in mind the bigger goal (support an organisational objective)

Hidden vs accepted (communication & change management)

Invasive (intrusive) vs respectful

Machine inspection (less) vs human analysis (more sensitive)

Anomaly detection

Eavesdropping vs traffic analysis

Don’t decrypt everything (hidden gardens – banking, medical, etc.)

Account vs person

Slide39

If it's a good idea, you should be able to say it in front of everyone

Slide40

Work with employees

Monitor accounts, not employees

Insider threat (malicious or error) is out of scope

Explain the why & how

Explain the why & how

Explain the why & how

Explain the why & how

…
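The question on slide 16 (how to tell a legitimate user from a compromised account) and the principle on slide 40 (monitor accounts, not employees) can be combined in detection logic. The following is an added example, not code from the presentation: it runs two account-centric rules over constructed authentication events and reports findings under a keyed pseudonym of the account name, so the analyst triages an account token rather than a person. The event shape, the rules, their thresholds and the pepper value are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events: (account, ISO timestamp, result, country).
SAMPLE_EVENTS = [
    ("alice", "2020-04-05T08:30:00", "success", "CA"),
    ("alice", "2020-04-05T09:10:00", "success", "RU"),  # 40 min later, other country
    ("bob", "2020-04-05T10:00:00", "failure", "CA"),
    ("bob", "2020-04-05T10:00:05", "failure", "CA"),
    ("bob", "2020-04-05T10:00:10", "failure", "CA"),
    ("bob", "2020-04-05T10:01:00", "success", "CA"),  # burst of failures, then success
    ("carol", "2020-04-05T11:00:00", "success", "FR"),
]

# Placeholder secret (assumption): a keyed hash keeps the token stable for correlation
# but unlinkable to the person without the key, which only the SOC holds.
PEPPER = b"constructed-pepper-not-for-production"


def pseudonymize(account, key=PEPPER):
    """Replace the account name with an opaque, stable token for alerting."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:16]


def detect(events, travel_window=timedelta(hours=2), fail_threshold=3,
           fail_window=timedelta(minutes=5)):
    """Return {pseudonym: [reasons]} for accounts showing compromise indicators."""
    by_account = defaultdict(list)
    for acct, ts, result, country in events:
        by_account[acct].append((datetime.fromisoformat(ts), result, country))
    alerts = defaultdict(list)
    for acct, evs in by_account.items():
        token, last_ok, failures = pseudonymize(acct), None, []
        for ts, result, country in sorted(evs):
            if result == "failure":
                failures.append(ts)
                continue
            # Rule 1: successful login from a new country too soon after the previous one.
            if last_ok and country != last_ok[1] and ts - last_ok[0] <= travel_window:
                alerts[token].append(f"country change {last_ok[1]}->{country} in {ts - last_ok[0]}")
            # Rule 2: a burst of failures immediately before a success (spray / brute force).
            recent = [f for f in failures if ts - f <= fail_window]
            if len(recent) >= fail_threshold:
                alerts[token].append(f"{len(recent)} failures within {fail_window} before success")
            last_ok, failures = (ts, country), []
    return dict(alerts)
```

The output never contains the account name; re-identification for response requires the key holder, which is the point of separating the account from the person.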

Slide41

The moment you think you have done too much communication is when you start to have done enough.

Slide42

“Prevention is Ideal, but Detection is a MUST”

Slide43

Focus all effort on raising attacker costs

Ref: https://www.slideshare.net/PlatformSecurityManagement/asmc-2017-martin-vliem-security-lt-productivity-lt-security-syntax-error

Slide44

Zero trust model – CORE CONCEPTS

Slide45

Key takeaways

1. Privacy in the workplace matters – review your practices

The world is not that flat, but make your program

Trust your people, but focus on compromised accounts

Be more respectful than invasive (intrusive)

2. Integrate new approaches reconciling privacy with corporate security

“Freedom and democracy cannot exist without privacy”

(Daniel Therrien, Privacy Commissioner of Canada)

Slide46

Slide47

Slide48

Security risks to organizations are pretty common, but privacy expectations in the workplace vary across the globe. The challenge is how to properly secure a global organization without crossing the thin line between protecting the organization and demoralizing employees. Not only would some expect a form of privacy at work, but things like end-to-end encryption have led to new methods that will ensure that security incidents are promptly detected.

Slide49

Key takeaways

The world is not that flat

Trust your people, but focus on compromised accounts

Be more respectful than invasive (intrusive)

Look out for new approaches reconciling privacy and security

“Freedom and democracy cannot exist without privacy”

(Daniel Therrien, Privacy Commissioner of Canada)

Slide50

Slide51

“Breakout time” (by CrowdStrike)

“Breakout time” is the time that it takes an intruder to begin moving laterally outside of the initial beachhead to other systems in the network.

The current average breakout time is 1 hour and 58 minutes (Oct 2018), which means that if defenders are able to detect, investigate and remediate the intrusion within 2 hours, they can stop the adversary before they can cause serious damage.

Slide52

16 Worst and Most Extreme Ways Employers are Spying on Their People (2017), by Aigerim Berzinya - Dec 20, 2017

Extreme tracking features offered by classic employee monitoring solutions:

1. Taking screenshots of employees’ screens, making video recordings, and offering live video feeds

2. Invisible installs and stealth monitoring features

3. Keyloggers

4. Instant Messaging app monitoring

5. Remote desktop control

6. Spying on employees’ mobile devices

7. Complete communication logs

8. VOIP calls spying

9. Internet monitoring

10. Keylogger

11. Geofencing alerts

12. GPS tracking

14. Access to calendar, notes, and reminders

15. Surroundings audio recording capability

16. Taking over phone’s camera, making screenshots, and the ability to see all multimedia content on the infected

Slide53

Global vs local

Threat is global

Vulnerability is global

Impact is global

Global solution

Slide54

Technology makes distances shrink