For every massive data breach… well, honestly there just isn’t a comparable number of incidents that can be traced back to a malicious insider. Regardless, that facet of a security program must not be ignored. Insiders have access, and some have privileged access, which puts a disgruntled or careless person inside the firewall and perilously close to a headline-making incident that shareholders will be asking about.
These rising concerns are again giving birth to discussions about building insider threat programs. The ideal composition of such a program, however, sometimes remains unclear and misunderstood among security practitioners. While there is overlap with the information security team, insider threats cannot be fully handed off to the same analysts and engineers running the network like a hot potato.
There are important differences that gold-standard insider threat programs I’ve had the privilege of working closely with understand in order to keep data safe and infrastructure up and running and available. The best, in fact, share three important characteristics:
1. Information Security Foundational to an ITP
Insider threat programs that succeed understand the nuances between ITP and traditional external threat protection. They also understand the dependencies between the two.
One such dependency lies in the objectives of an ITP, which are to deter, detect, and respond to insider threats. Deterrence rests on the shoulders of the ITP through policy and awareness training, while detection would fall under the information security team through technology implementation and monitoring. Response would be a joint venture between the two entities along with related stakeholders after an investigation and analysis of an incident.
Without these overlaps and dependencies, an organization would be susceptible to what would otherwise be preventable malicious or accidentally harmful behavior from an insider. Working together keeps undue and unproductive burden from landing on the shoulders of the ITP.
2. A Comprehensive Framework
ITPs tend to rely on an operational framework that includes three crucial components:
1. A programmatic function is arguably the most important component. In addition to specifying the objectives, resources, priorities, and roadmap of an ITP, this function ensures all aspects of ITP investigations are clearly documented, repeatable, consistent, and follow all necessary legal and compliance protocol.
Despite its importance, however, the programmatic function is perhaps the most frequently overlooked component of an ITP. Especially for organizations that are eager to get their ITP off the ground as quickly as possible, this function can be perceived as a lower priority. Although this mindset is understandable, it can be problematic. Without an adequate programmatic function, an ITP will lack the direction, prioritization, and processes it needs in order to be effective.
2. ITP resources and tools aim to identify behaviors and events that could potentially signal an existing or imminent insider threat. This component of an ITP requires access to the widest range possible of datasets that offer visibility into employee behaviors across the organization. Suitable examples include VPN, proxy, email, and badge datasets.
ITPs also require tools that can synthesize, discern, and provide notice of pertinent findings from within these datasets. User-behavior analytics (UBA) tools, for example, employ data science techniques to identify user behavior that might warrant further investigation within the context of the ITP, such as if an employee exports larger-than-usual amounts of data or frequently accesses the network outside of normal working hours. ITPs then use these types of outputs to help initiate and inform subsequent investigations and response efforts.
While ITPs tend to rely on numerous, extensive datasets and highly sophisticated tools, they also recognize that these resources comprise only one component of the ITP. A common mistake is perceiving these resources—particularly UBA tools—as “one-and-done solutions” for insider threat. Despite often being marketed as such, no tool or resource can serve as a suitable replacement for the other components of a comprehensive ITP.
3. An investigative function synthesizes and examines the outputs of ITP tools to determine the extent to which they might indicate a potential insider threat. This function is especially important because in most cases, the output of tools does not tell the whole story about a user’s behavior. For example, if an ITP tool reveals that a user has been exchanging emails with a competitor, does it mean that an insider threat is imminent? Not necessarily—there are numerous possible explanations for this behavior, and it’s up to the ITP’s investigative function to dig deeper.
An ITP investigation is an intricate and multi-level process that requires different protocols, types and depths of analysis, and stakeholders depending on the behavior observed and the estimated risk. When the result of such an investigation suggests that an insider attack could be imminent, this function works with the programmatic function—and in many cases also with relevant stakeholders from other departments—to verify and attribute the threat as necessary.
3. Enterprise-wide Integration
One of the most distinguished characteristics of a top-notch ITP is integration across the entire enterprise. Although ITPs often exist as standalone functions, the most effective ITPs rely on datasets and resources from IT, legal, HR, compliance, third-party risk, and numerous other functions. Many ITPs have designated representatives from each business function who serve as liaisons between their teams and the ITP. Having the support and cooperation of decision-makers and stakeholders throughout the organization will not only support the development and operations of an ITP, but it will also help raise widespread awareness of the risks and consequences of insider threat.
As I mentioned, I’ve had the opportunity to work closely with experts from gold standard ITPs over the years. These experiences have helped me recognize that while combating insider threats will likely always be a confusing and challenging area for many organizations, there are steps we can take to more effectively prevent, deter, detect, and respond to these threats.
The above list is meant to serve as a starting point for organizations looking to do so, but it is neither comprehensive nor prescriptive. Higher-level ITPs are dynamic, intricate, and tailored to their organization’s unique needs and challenges, which is why organizations looking to initiate ITPs are encouraged to work with trusted third-parties for additional expertise and support throughout this process.