Use frameworks to develop insider threat policy

Considerations security newbs need to take into account when dealing with malicious insiders and security policy


The typical employee at your enterprise works 8-5. They login, access the server, access the intranet, maybe login to Facebook once or twice. Pretty routine behaviors.

What do you do, though, when those behaviors start to deviate just a little bit?

Dave Barton, CISO at Forcepoint said, "Security is driven by the ability to determine what normal user behavior looks like. When that behavior starts to deviate, they should start questioning, 'Why are they looking there? Why are they downloading source code?'"

A strong insider threat program encompasses a couple of things, one of which is behavior analytics. "Being able to detect when there is a deviation and how to respond to that deviation," said Barton.

Take the example of your boss's account. He normally works in Austin, but his account is suddenly logged in from the Middle East. A definite behavior change, but not necessarily evidence of a malicious actor. Perhaps he's traveling, right?


What is important to monitor in this situation is the future insider threat activity. Is the account trying to get into where it doesn't usually go? The goal of behavior analytics is to detect anomalies and move toward automating responses based on risk levels, Barton said.
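A minimal version of the baseline-and-deviation logic described above, added here as an illustration; it is not code from the article or from any Forcepoint product, and the events, countries, resources, scores and response thresholds are all constructed for the example. It learns each account's usual login countries and resources, scores new events by how far they deviate, and maps the score to a risk-tiered automated response.

```python
from collections import defaultdict

# Constructed events: (account, login country, resource touched).
# The first list is the learning window that defines "normal".
BASELINE_EVENTS = [
    ("boss", "US", "intranet"), ("boss", "US", "mail"),
    ("boss", "US", "intranet"), ("boss", "US", "hr-portal"),
]
# Events to evaluate: the "travelling boss" case, then the same account
# reaching for something it has never touched before.
NEW_EVENTS = [
    ("boss", "AE", "mail"),         # new country, usual resource
    ("boss", "AE", "source-repo"),  # new country AND never-seen resource
]

def build_baseline(events):
    """Per-account sets of countries and resources seen during learning."""
    profile = defaultdict(lambda: {"countries": set(), "resources": set()})
    for account, country, resource in events:
        profile[account]["countries"].add(country)
        profile[account]["resources"].add(resource)
    return profile

def score_event(profile, event):
    """Return (risk score, reasons). Weights are constructed for the example:
    an unusual location alone is low risk (travel), an unusual resource is
    weighted higher because it is the behaviour that matters afterwards."""
    account, country, resource = event
    base = profile.get(account)
    if base is None:
        return 3, ["no baseline for account"]
    score, reasons = 0, []
    if country not in base["countries"]:
        score += 1
        reasons.append(f"login from {country}, usually {sorted(base['countries'])}")
    if resource not in base["resources"]:
        score += 2
        reasons.append(f"first access to {resource}")
    return score, reasons or ["within baseline"]

def respond(score):
    """Map a risk score to an automated action (thresholds are constructed)."""
    if score >= 3:
        return "restrict-dlp-24h"   # hand the account to DLP for a fixed window
    if score >= 1:
        return "alert"              # notify analysts, no user impact
    return "allow"

def evaluate(profile, events):
    """Score each event and return (event, score, action) tuples."""
    return [(e, score_event(profile, e)[0], respond(score_event(profile, e)[0])) for e in events]
```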

One issue for many security teams is a shortage of practitioners: teams are being asked to do more with fewer people. Sophisticated tools are able to evaluate multiple data points from multiple threat vectors, Barton said, "So that if an account is compromised as a smoke screen, when they use that other account as deviation analytics can detect that."

For sure there are bad guys posing as insiders who have bad intentions, but there are also malicious insiders, like disgruntled employees who will take all the source code or attempt to get the salary scale. These are all intentional behaviors.

Then there are the unintentionally 'bad' insiders who simply make mistakes. These are the targets of social engineering tactics that prey on people's trust. "Somebody spoofs an email from the CFO, and finance people want to respond to it. They might unintentionally click, which brings a virus, and now you have an insider threat," said Barton.

"Insider threat is wherever you have data that can be accessed through negligence, and the end goal is taking of the data that isn’t theirs," said Barton.

Automation is one way to address the security risks of insider threats. "Through automation you can talk to data loss prevention (DLP). Automation is demonstrating behavior that is not consistent, so you use DLP to configure in a manner that is for perhaps 24 hours or the weekend," Barton said.

Most security companies offer either automation or DLP, but according to Barton, "Without combining the two, insider detection is great, but if you don't have a DLP tool, then a lot of your work is reactive. When you integrate a security platform, you reduce risk."

Fundamentally, Barton said, a good security policy is based off a standard. "If there is a framework behind it, then you are fairly confident that you are covering all the bases. If you understand the business requirements and protection," he continued.

For those who are new to security, Barton said, "A good security program does annual changes. If new to security, looking at the other frameworks out there, NIST 800-53, PCI, ISO 20000-1, and understanding those frameworks and how they apply to your current policy often identifies gaps that the current policy doesn't cover."


Using a framework to continuously evaluate policy is not only good security practice, but it is essential for cyber insurers to see this practice. "Insurers are expecting your organization to have some semblance of coherence with these frameworks. They are asking harder questions and looking to see how policies deviate from these frameworks," Barton said.

A strong insider threat policy has to have tools to detect behavior and respond to changes.
