Six Ways To Build An Effective Insider Threat Program
September 23, 2020
Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
According to a Cybersecurity Insiders survey of its 400,000-member community, almost 70% of respondents said they feel vulnerable to insider threats, with 21% reporting they are very or extremely vulnerable.
During Covid-19, this has definitely increased. This is especially true with off-site or offshore organizations that may not be operating in as secure an environment as they previously were. The additional risks brought about by the fully remote workforce are also high on the agenda for organizations.
When asked which type of insiders pose the biggest security risk, the respondents to the Cybersecurity Insiders survey cited privileged users or admins. This is surprising since these individuals are responsible for making sure things operate as they should. They should be protecting an organization’s systems.
In addition, these users have the keys to the kingdom and are therefore able to do the most damage if they decide to. This can take many forms, such as accessing data they shouldn’t, changing passwords to block access, even shutting down whole portions of infrastructure when they leave the organization or opening back doors to allow for external access.
Contractors and service providers are other areas of concern, with many breaches in the recent past exploiting third-party organizations.
So how are organizations addressing insider threat management? Most focus on deterrence and detection. This makes sense since the ultimate goal is to identify the risky and anomalous behavior and stop it before any data can be exfiltrated.
Let’s take a look at some of the best practices for building an effective insider threat program.
1. The first phase is the most important. Ensure that all parts of the organization are engaged, including human resources. Culture is also a very important component since it enables an organization to amplify its message about the program to achieve employee buy-in. Engaging users in the program is the most effective way to avoid the Big Brother syndrome.
2. Next, don’t forget the identity side of the house. This is crucial since identity is one of the leading indicators for profiling risky insider behavior and determining what is normal for each user as well as their peer group. This helps to drive down false positives. Both activity and identity are central to mitigating insider risk.
3. On the technology front, product selection requires a completely different way of looking at information. Detecting insider threats requires the ability to consolidate data from disparate sources and perform the analysis needed to get actionable results. Where’s the risk, what are the behaviors and what should be done in response? This is difficult to achieve with siloed systems and analytics.
4. Linking is another key attribute since it provides context across many different systems, users and entities. Correlation rules do not provide the level of efficacy needed. Link analysis establishes baseline behavior for users and their peer groups, which can be used to identify anomalous and risky activity.
5. Sentiment is also a very important part of the insider threat equation. With employees being furloughed and the potential for disgruntled users, there is a greater risk that they may do something they shouldn’t, such as exfiltrating data. Sentiment analysis is critical for understanding this and building the narrative of what has happened and why. We know that working from home is going to be here for some time, and any insider threat program you’re looking to build will need to cater for it.
6. Monitor and respond. Many companies struggle with this since they typically reuse the approach implemented in their security operations center (SOC), which focuses on looking for IOCs (indicators of compromise) and signatures/rules. Insider threat detection requires a different way of looking at things, one oriented to identifying anomalous and risky behavior. This approach involves implementing responses based on signals of suspicious activity from many different categories, for example by building playbooks that can restrict risky users by changing DLP policy, restricting accounts and introducing other protection mechanisms to stop data being exfiltrated.
Finally, operationalization is critical to ensuring the success of any insider threat program. It demands a continuous loop of establishing baselines for behavior, monitoring activity for anomalies and responding to suspicious events, all of which should evolve with changing business processes and risk factors.
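As an added illustration of steps 2, 4 and 6 and the baseline/monitor/respond loop above (example code, not from the article or from Gurucul): a small Python scorer that baselines each user against their own history and against their peer group, measures how far new activity deviates, and maps the result to a playbook tier. The telemetry rows, feature names, z-score thresholds and playbook actions are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (invented, not from the article): one row per
# user-day with the features an insider threat programme might baseline.
BASELINE = [  # (user, peer_group, files_downloaded, off_hours_logins)
    ("alice", "finance", 12, 0), ("alice", "finance", 15, 1), ("alice", "finance", 10, 0),
    ("bob", "finance", 14, 0), ("bob", "finance", 11, 0), ("bob", "finance", 13, 1),
    ("carol", "admins", 40, 3), ("carol", "admins", 35, 2), ("carol", "admins", 45, 4),
    ("dave", "admins", 38, 2), ("dave", "admins", 42, 3), ("dave", "admins", 36, 3),
]
NEW_DAY = [("alice", "finance", 14, 0), ("bob", "finance", 90, 5),
           ("carol", "admins", 44, 3), ("dave", "admins", 44, 3)]
FEATURES = ("files_downloaded", "off_hours_logins")
STD_FLOOR = 1.0                              # avoid dividing by a near-zero spread
TIERS = [(3.0, "high"), (2.0, "medium")]     # assumed z-score thresholds
PLAYBOOK = {"high": "restrict account, tighten DLP policy, open investigation",
            "medium": "queue for analyst review, raise DLP logging",
            "none": "no action"}

def build_baselines(rows):
    """Per-user and per-peer-group mean/std of each feature (the article's steps 2 and 4)."""
    by_user, by_group = defaultdict(list), defaultdict(list)
    for user, group, *vals in rows:
        by_user[user].append(vals)
        by_group[group].append(vals)
    def stats(samples):
        cols = zip(*samples)  # one column per feature
        return {f: (mean(c), max(pstdev(c), STD_FLOOR)) for f, c in zip(FEATURES, cols)}
    return ({u: stats(s) for u, s in by_user.items()},
            {g: stats(s) for g, s in by_group.items()})

def score_event(user, group, vals, user_stats, group_stats):
    """Largest excess above the user's own baseline or their peer group's, over all features."""
    worst = 0.0
    for f, v in zip(FEATURES, vals):
        for ref in (user_stats.get(user), group_stats.get(group)):
            if ref:
                m, s = ref[f]
                worst = max(worst, (v - m) / s)
    return worst

def triage(z):
    """Map a risk score to a playbook tier instead of a SOC-style signature alert."""
    for threshold, tier in TIERS:
        if z >= threshold:
            return tier
    return "none"

def run(baseline_rows, new_rows):
    """One pass of the loop: baseline, score new activity, decide the response tier."""
    user_stats, group_stats = build_baselines(baseline_rows)
    return {u: triage(score_event(u, g, vals, user_stats, group_stats)) for u, g, *vals in new_rows}

if __name__ == "__main__":
    for user, tier in run(BASELINE, NEW_DAY).items():
        print(f"{user}: {tier} -> {PLAYBOOK[tier]}")
```

Bob's day is far outside both his own and his peers' baselines and lands in the "high" tier, Dave's is only unusual relative to his own history and is queued for review, while Alice and Carol stay within the normal range of their peer groups.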