
Privacy in the Workplace and Threat Monitoring

This presentation delves into the evolving landscape of workplace privacy and the crucial need for threat monitoring in today's digitized world. It covers the risks, security measures, and legal aspects surrounding employee privacy. Key topics include the Verizon Data Breach Investigations Report, the MITRE ATT&CK framework, and strategies for distinguishing legitimate users from compromised accounts. The discussion extends to privacy laws in the USA and Canada, employee monitoring practices, and the establishment of Security Operations Centers. Learn about global perspectives on privacy expectations and best practices for balancing security and privacy at work.


Presentation Transcript


  1. Privacy in the Workplace and Threat Monitoring By Marc-Andre Frigon

  2. This disclaimer informs you that the views, thoughts, and opinions expressed in this presentation belong solely to the author, and not necessarily to the author’s employer, organization, committee or other group or individual. Disclaimer #2: I’m taking shortcuts in the presentation to keep the flow.

  3. Who Am I? • About 20 years of passion for Information Security • Practitioner, from the trenches, in various roles and industries • GRC • Architecture • Operations • Privacy interest for more than 10 years • About the same period of interest for privacy in the workplace • Involvement in global organizations • Canada, USA, Europe (France, Germany, Switzerland, Finland, UK, etc.), India, China, …

  4. Agenda • The risks • Security measures • Privacy in the workplace • Conclusions

  5. The risk(s)

  6. Verizon Data Breach Investigations Report, analysis by Thycotic. Top breaches: • Phishing • Use of Stolen Credentials • Backdoors or C2 (Command and Control) Email is still the top delivery method of cyber attacks and Office documents are the top file types used to infect systems. Phishing is the most common technique used to gain trust. The human is the top target, as so many are likely to click on the links or unknowingly give over their credentials, including their password.

  7. MITRE ATT&CK • Adversarial Tactics, Techniques and Common Knowledge framework available from MITRE. • It is a curated knowledge base of 11 tactics and hundreds of techniques that attackers can leverage when compromising enterprises. • 11 tactics • Initial Access • Execution • Persistence • Privilege Escalation • Defense Evasion • Credential Access • Discovery • Lateral Movement • Collection • Exfiltration • Command and Control

  8. The threat landscape has changed. Hackers don’t break in anymore, they log in (I think it is a Cisco guy quote)

  9. The risk is real. • The threat is real • Known tactics and techniques • Attackers are fast • The vulnerability is real • People are abusable • People give away their credentials • The impact is real

  10. Countermeasures

  11. “Prevention is Ideal, but Detection is a MUST” • Dr. Eric Cole • Prevent, Detect, Respond • Allocate resources wisely • Breaches are inevitable, but DETECTION TIME & response are what make the difference

  12. Prevent?

  13. Detection is a MUST … log everything! • Endpoint protection + EDR, sysmon, Osquery, UBA, etc. • Network traffic capture (netflow, pcap, etc.) • Egress traffic monitoring (including https inspection) • Authentication attempts • Critical Servers and services logs • DNS • …

  14. Detection is a MUST -> log everything!

  15. Detection is a MUST How do you differentiate legitimate users from a compromised account?

  16. Security Operations Center (SOC) armed with MITRE ATT&CK • SIEM: automated log analysis • Skilled people looking for hints of attack • Blue team • Playbook

  17. Privacy in the workplace

  18. Privacy Law (USA) Laws basically allow employers to monitor employees except in changing rooms or bathrooms; employees are starting to question the methods that employers use to monitor them.

  19. In the Privacy Law class (in the USA) Students over the years have been surprised that there are so few laws that govern employees’ privacy in the workplace, and in general believe that workers have an expectation of privacy. The law doesn’t really reflect this assumption.

  20. Privacy at work in Canada • Shortcut -> pretty much the same as USA

  21. WORKPLACE PRIVACY AND EMPLOYEE MONITORING • Computers and Workstations • Email and Instant Messaging • Telephones • Mobile Devices • Audio and Video Recording • Location (GPS) Tracking • U.S. Postal Mail • Social Media

  22. Legally acceptable How to do it without demoralizing the employees?

  23. My first experience with privacy in the workplace Creation of a Security Operations Center • Late 2008 (more than a year of effort & $) • SIEM gathering logs for perimeter technologies & DMZ systems • NIPS/HIPS • FW • Web proxies • … • SOC main objective: detect external attacks NOTE: Unionized environment

  24. The union representative came to meet us … because they felt we were snooping on the employees

  25. European countries (shortcut) • Strong expectations of privacy in the workplace • Inalienable right under some conditions • Less liability on the enterprise if a security incident occurs

  26. Switzerland = FULL PRIVACY if you allow personal use

  27. Published in 2005

  28. Global vs local

  29. But monitoring is needed. Now how to make it good?

  30. The world is flat, take a global approach • Transparency & openness • Keep in mind the bigger goal (support an organisational objective) • Hidden vs accepted (communication & change management) • Invasive (intrusive) vs respectful • Machine inspection (less) vs human analysis (more sensitive) • Anomaly detection • Eavesdropping vs traffic analysis • Don’t decrypt everything (hidden gardens – banking, medical, etc.) • Account vs person

  31. If it’s a good idea, you should be able to say it in front of everyone

  32. Work with employees • Monitor accounts not employees • Insider threat (malicious or error) is out of scope • Explain the why & how • Explain the why & how • Explain the why & how • Explain the why & how • …
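Slides 15, 16, 30 and 32 together describe one approach: monitor accounts rather than people, let the machine do the first pass on metadata, and hand only anomalies to a human analyst. The Python below is an added illustration and not code from the presentation: it runs over a constructed authentication log, keeps only authentication metadata (no message content), replaces the account name with a keyed hash (the PEPPER value and the log format are assumptions) and flags an account only on a success from a never-seen geo or a success that follows repeated failures from the same source.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample authentication events; not taken from the presentation.
AUTH_LOG = """\
2019-03-04T08:02:11Z ok user=alice src=10.1.4.22 geo=CA
2019-03-04T08:05:40Z ok user=bob src=10.1.4.31 geo=CA
2019-03-04T12:10:03Z fail user=alice src=10.1.4.22 geo=CA
2019-03-04T23:47:19Z fail user=alice src=203.0.113.9 geo=RU
2019-03-04T23:47:25Z fail user=alice src=203.0.113.9 geo=RU
2019-03-04T23:47:31Z ok user=alice src=203.0.113.9 geo=RU
2019-03-05T09:00:00Z ok user=bob src=10.1.4.31 geo=CA
"""
# Hypothetical SOC secret, held outside the SIEM so the pipeline alone cannot reverse pseudonyms.
PEPPER = b"soc-pepper-rotated-quarterly"

def pseudonym(account):
    """Keyed hash of the account name: machine analysis sees only this token;
    the analyst who escalates a finding is the one who resolves it to a person."""
    return hmac.new(PEPPER, account.encode(), hashlib.sha256).hexdigest()[:12]

def parse(line):
    """Keep authentication metadata only: timestamp, outcome, source, geo."""
    ts, result, *kv = line.split()
    return dict((p.split("=", 1) for p in kv), ts=ts, ok=(result == "ok"))

def score_accounts(log_text, fails_before_success=2):
    """Per account: baseline the geos of earlier successes (shortcut: same
    window), then flag a success from a never-seen geo or one preceded by
    repeated failures from the same source. Returns {pseudonym: [reasons]}."""
    by_user = defaultdict(list)
    for e in sorted(map(parse, log_text.splitlines()), key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)  # ISO 8601 timestamps sort as text
    findings = {}
    for user, events in by_user.items():
        baseline, fails_by_src, reasons = set(), defaultdict(int), []
        for e in events:
            if not e["ok"]:
                fails_by_src[e["src"]] += 1
                continue
            if baseline and e["geo"] not in baseline:
                reasons.append(f"success from new geo {e['geo']} via {e['src']}")
            if fails_by_src[e["src"]] >= fails_before_success:
                reasons.append(f"success after {fails_by_src[e['src']]} failures from {e['src']}")
            baseline.add(e["geo"])
            fails_by_src[e["src"]] = 0
        if reasons:
            findings[pseudonym(user)] = reasons
    return findings
```

On the sample log only the pseudonym for one account comes back, with both reasons; a real deployment would build the baseline from a longer history than the window being scored.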

  33. The moment you think you have done too much communication is when you start having done enough.

  34. “Prevention is Ideal, but Detection is a MUST”

  35. Focus all effort on raising attacker costs • Ref: https://www.slideshare.net/PlatformSecurityManagement/asmc-2017-martin-vliem-security-lt-productivity-lt-security-syntax-error

  36. Zero trust model – CORE CONCEPTS

  37. Key takeaways 1. Privacy in the workplace matters – review your practices • The world is not that flat, but make your program • Trust your people, but focus on compromised accounts • Be more respectful than invasive (intrusive) 2. Integrate new approaches reconciling privacy with corporate security “Freedom and democracy cannot exist without privacy” (Daniel Therrien, Privacy Commissioner of Canada)

  38. Security risks to organizations are pretty common, but privacy expectations in the workplace vary across the globe. The challenge is how to properly secure a global organization without crossing the thin line between protecting the organization and demoralizing employees. Not only would some expect a form of privacy at work, but things like end-to-end encryption have led to new methods that will ensure that security incidents are promptly detected.

  39. Key takeaways • The world is not that flat • Trust your people, but focus on compromised accounts • Be more respectful than invasive (intrusive) • Look out for new approaches reconciling privacy and security “Freedom and democracy cannot exist without privacy” (Daniel Therrien, Privacy Commissioner of Canada)
