Adopting Insider Threat Management Best Practices for NIS2 Compliance

Okay, good. Yeah. So my name's Han. I'm with the company Akron system, and I hope today this, this topic will be not so boring because it's partially about NAS two and all the regulations are usually boring.

Oh, where should I point? Yeah, this, this way. So NSS two network inform information security, sorry, sorry. Regulation, which was introduced on January 16, the, this year, and should be implemented by the countries, by European countries on October 17th, 2024, which is not so critical for the Germany, just because Germany has critic gts, but for other countries probably might be very, very interesting.

So the, the main point of it is to protect your critical infrastructure and not complying with this might, might lead you to the fine, like 10 millions or 20 millions in some cases. And how so I'm, I'm, I'm with the company with, with a vendor here, which in, in introduces the insider threat, insider risk management solution. And we are trying to evaluate how insider threat management practices can help to comply with NAS two re requirements. Click. Okay.

So insider risk management or insider threat management are always related to the insiders and insiders are people, basically it's all about people. The security threats are about people, but especially insiders. Insiders are people who have the privileged access to your sensitive information. So in general, you know, it can be your own employee working with C-R-M-E-R-P or you know, whatever data, it can be the third party and especially and says about the third party vendors, subcontractors, fourth party end party.

So all the people who can get an access to your premises, to your sensitive information. And what, what this is all about is human resource. Yeah.

The, the people, they are human resource and what we can do, it's to pre prioritize the human resource security and enforce effective access control policies. That's the, that's the main idea of insider threat management. What on the first, first place, we need to ensure human resources security by detecting and investigating any unauthorized or suspicious activities carried out by, by, by the users. So in the classical privileged access management, it's, it's a discovery. Yeah. Privileged discovery, account discovery, sorry. Then control access to sensitive assets.

So controlling means like privileged access management in very classical way. And what we offer from our side, it's the capturing of the user's activity of privileged user's activity of what exactly these privileged users are doing with within the perimeter with the sensitive information. What are they actually I know performing or it's user behavior analytics. Yeah. Also includes this zero trust security mean, I know that couple of years it was kind of buzz word, but it's all about the access just in time. Just to the place, just for the right person at, at the right time.

So once again, we're coming to identity and access management, privileged access management, least privileged, I know, whatever you call it. Yeah. You just need to grant an access to the right person at the right time and control this access.

So the, I tmm, so inside threat management best practices for the zero trust security is what, what what we think is displaying the wording message. So it's all about human resources teaching these human resources and by, for example, displaying the wording messages, oh, sorry, John Smith, you are an accountant, but you're currently performing the forbidden action at this point. Please stop this if it doesn't help it, we can block the user anytime recording user sessions. It can be used for two purposes.

One purpose of it is basically the reporting functionality reporting we, which will come later on our, on our slides. Reporting is a crucial part of a Nitish two compliance. So you need to report within 24 hours about the, the data breach, let's say. Yeah. And recording user sessions. It's on the other hand we're talking about privileged users. I know that in Germany and in dark region overall, it's very tricky topic about the recording user activity, especially on users, on employees activities.

In some other countries it's less, less sensitive as here, but, but still, yeah, here we're talking about the recording user activities for the analysis, what has been done, run, what has been done, right? So yeah, monitoring user actions during penetration testing.

Well, it's all the same about the monitoring to be honest. Yeah. Mitigate unauthorized access of own employees. So insiders, our third parties by two FA two factor identification Overall, the secure workflow and access request and approval. So once again, this is still the topic of privileged access management, identity access management, gaining the privileged access to, to the sensitive information and approval like the, the whole workflow of the approval and visibility into user behaviors. User behavior analytics is one of the crucial parts of identity.

Sorry, insider threat management. So most of these parts like identity access management, privilege access management, DLP data leakage prevention, user behavioral analytics.

Yeah, user activity monitoring. These are main parts of the, the threat management framework. I know Gartner has managed this to, to create this term. So supply chain security since the main part of NAS two and Dora as well.

Dora is, comes alongside with this, it's supply chain. So your subcontractors third party vendors, fourth party vendors and so on, they need to be controlled.

They, so once again, two factor identification, identity access management, privileged access management and so on. And providing third party vendors with one time passwords is one of the steps, which, which we think is, is very useful. Securing RDP connections to your environment to detect unauthorized data access. Yeah. Detecting unauthorized access and preventing this providing data, sorry, data, sorry. Excess misuse is, is one of the, of the crucial part and it, sorry. Yeah. Okay. Yeah.

Verifying managing identities, managing distance of supply chain members is one of the important things here, which we offer also in our approach. So coming back to what exactly we should do in case of the data breach. Yeah. NIS two requires 24 hours for reporting. A prompt notification about the issue, 72 hours about the initial assessment of the incident. What has happened. So first of all, if this happened, you have 24 hours to, to, to tell, sorry.

Our, our banking database was, was broken. After that you have 72 hours to identify what exactly has happened and one month to submit a final report within. If you don't comply with this, no, the fines are coming later. Yeah. You have fines, I think 10 millions and in very severe cases you have fines for about 20 millions or for percent of the revenue.

So in our, in our case, if you have the user activity monitoring tools of tools that actually monitors, you have the visually structured evidence additionally to all the other things or all the other tools we have, which you have implemented. You have the visually structured evidence, all the checkable that you can pro provide as the, as the evidence in, in the us They use it for the FBI reports, so everything works great. Yeah. So incident handling and respo reporting. Yeah. Reporting define and reporting to security incidents in real time. That's the one of the key features.

What what we, we have, you see in the real time what is happening. You can log the user, you can, I know, kill the application and so on.

Also, you have the audit trail and detailed reports, so logs, metadata, keystrokes in case you, you might need it for, for your internal investigation or external things. And also review the detailed user session recordings just to identify who, whose fault was this, what was it exactly. Yeah. Okay.

Real case, unfortunately under NDA, it's European manufacturer, well, it has 10 production plants with active within 100. I mean selling their production within 100 count more than 100 countries. And one of the key things was for them, okay, compliance with NIS two came a bit later, but still they have covered it with us. Zero trust principles, implementation, supply chain security. Because of course if you're in production, you have thousands and thousands suppliers and you need to control their access to your premises.

Comply with different regulations like NIS 2, 3 4, 2 4, I think it's automotive cybersecurity compliance for, for automotive companies. And it's, it's very precise, very specific. For example, for the server, which is a jump server for the, for the inventory, if I'm not mistaken. And of course tracking employees and third party users actions, which is also important when you have access to, for, for, for the external subcontractor, like for example, managed service providers who are managing your internal systems.

And you need to understand what is actually happening on the, on the server when, when they manage this. When they maintain this. Okay.

So the, one of the challenges was to get a granular control, our access permissions and auditing privilege sessions. This is all about the user activity monitoring. As a result, we have the human resource security. The second challenge already, the second challenge. So the second challenge was to manage user privileges within the help of lightweight privileged access management. Sometimes you don't need like something like CyberArk, which dives deeper into your system, which is heavy to implement, heavy to maintain.

Sometimes they need to very lightweight solution, which actually Akron can offer in this case. And as a result, yes. Yeah. As a result you have the zero zero trust security supply chain security and incident handling and reporting in this case. Yeah. Here comes the slide with a, with a non-compliance. So 10 minute the million or two, minimum 2% of, of your revenue on in severe cases you have 20 million fines of non-compliance.

So it, I know if you don't report within 70 hour, two hours or one month, might you have this fine or not, but still, why? Why should you pay? It's all about money. Yeah. Here's the slide about our system and what actually we cover within ITM. Yeah. So managing privileges, accountants, so privileged success management. Yes. Very lightweight, classical privileged access management solution, detect and disrupt this insider threat.

On top of this we have the incident response functionality, which is based on the predefined rules and user behavior analytics, which can block the user, kill the application, kill the session, and notify the system administrator notifying the user as well. Yeah. One of the financial sites is avoiding fines and lawsuits, which is very useful when you have 20 million fines and securing control and access to sensitive information.

Of course, it's one of the most important parts. If you are working in a production environment with, with 33rd party contractors, which can just steal the data. In most cases, like I know, I don't remember like 46% of the data breaches. They might come from the subcontractors data leakage promptly responding to incidents. So you have the visually structured evidence, you have all the information on, on your screen, what has happened, whose fault was this? Yeah. And get full visibility within track of users actions.

So that means that you have logs, you have the metadata, you have the screen capture, and in this case you just see what, what has happened. Yeah. A few words about tech run. We are 10 years on the market, started with privilege, lightweight privilege, success management. Now we are in this kind of insider threat management field and active in four countries with headquarters in the United States, in Massachusetts, more than 2,500 customers and 300 partners globally.

mo, most of our verticals, BFSI. So banking and financial services, insurances, government, telecom, and so on and so forth. Some of the customers are mostly from financial segment, but we can start small.

We, we don't need to, I know 10,000 users to implement our solution. We can start with 10 users. Thank you. Just in time.