In prior ProTips we explored discovering sensitive data throughout the environment, managing access to that data, and monitoring it. Today’s ProTip focuses on adding a layer of protection for sensitive data in the event of a ransomware outbreak or of compromised credentials being used to steal data.
Creating the Investigation
First, we create an investigation that looks for users accessing sensitive data. Several things happen behind the scenes first: data is discovered, classified and tagged. We could scope this investigation to just PCI data, GDPR data, and so on. For the purpose of this ProTip, however, we have simply tagged all of the PII as “Sensitive Data” and will trigger the rule when anyone attempts to read the data.
In the investigations tab, we scope the users that we want to apply the rule to, the location(s) of the sensitive data, and the data type(s).
The great thing about investigations is that they are not only reusable but can be saved as alerts and will trigger anytime the condition is met. These alerts sit alongside the more sophisticated machine learning-generated alerts and give analysts another tool for identifying insider threats.
Action Groups & Playbooks
Now that we have the threat configured, we need to create the automated response and assign it to the threat.
Navigate to the Actions Engine and configure your Multi-Factor Authentication (MFA) solution. Here additional actions can be grouped, such as e-mailing additional notifications, alerting the SOC, etc. Any number of services can be integrated into threat responses and several are already configured out of the box.
Actions can be grouped to create playbooks and, just like the threat we created earlier, can be reused and applied to other threats.
Threat Response Configuration
We have configured our threat to trigger when sensitive data is accessed, and we have configured the action we want to execute when the threat is triggered, in this case prompting the user for additional authentication. Now we need to tie the two together by navigating to the Threat Configuration page and choosing the Threat Response that we want.
That’s it! You have just created a custom threat and response that will prompt a user for additional authentication when attempting to access sensitive data. Again, we could have scoped this threat in many different ways: narrowed it to just one sensitive data type or to particular files or folders, or added exceptions for specific users or groups. Additionally, we had the option of linking multiple actions into a Playbook that would execute a series of responses, which could have included locking the user out if they failed the step-up authentication check.
Gabriel Gumbs is the VP of Product Strategy at STEALTHbits Technologies, responsible for end-to-end product vision and innovation. With a 16-year tenure in CyberSecurity, he has spent most of that time as a security practitioner, aligning security innovations with business objectives for Fortune 100 organizations. Gabriel is an information security thought leader, privacy advocate and public speaker.