Organizations attempting to implement a world-class insider threat program have learned from experience what doesn't work well (see Part I of this post). As a result, they have a better sense of what they require to prevail in today's evolving insider threat landscape.
There is an emerging consensus that any world-class insider threat program must have the following three core characteristics:
1. Preventive: Organizations want more than just a threat detection system that tells them an attack has already taken place. They need an early-warning system that allows them to prevent insider threat events through a comprehensive threat assessment framework that leverages all available internal and external data and produces far fewer false negatives and positives.
The way to do that is to build an expert model of their specific insider threat challenges, in coordination with their own analysts, and then run that model against all available data sources in real time. Another key to prevention is that the system be able to issue automated alerts as soon as a high-priority risk is detected.
2. Adaptable: The system must be able to evolve as the understanding of the threat improves over time, and it needs to adjust to changing organization-specific needs. It also should be able to integrate with existing enterprise systems that contain potentially valuable intelligence. The capability should additionally be flexible and open enough to provide transparency and traceability in analytic results, and, of course, it must comply with an organization's internal security and technology standards.
3. Scalable: The system must be able to absorb new data loads regardless of format or volume as soon as the data becomes available. More important, as threats spike, the system should be able to handle the load without either bogging down or producing a surge in false positives that overwhelms the existing analyst team. And the system must scale to an organization's national or global footprint as it grows.
An effective operational solution for insider threat will measure and continuously monitor the trustworthiness of all key personnel in an organization regardless of their roles or the level of potential risk they pose. It will blend qualitative model-based expert judgments with quantitative analytic tools to find threat signals buried inside multiple internal and external data sources, prioritizing the riskiest individual behaviors at machine scale and quickly alerting those who need to know.
Unlike conventional big-data technologies, the insider threat program will intelligently correlate information about a person in broader context and find individuals who are still in the earliest stages of becoming a threat. Even better, it must tell the user not just who may be risky, but why. And finally, it must do this without all the time-consuming false positives and "noisiness" that come with traditional network monitoring and other detection tools.
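The correlation, prioritization and "why" explanation described in the two paragraphs above, shown as an added example that is not part of the original post and not any vendor's product: a small analyst-authored expert model is run over events from several constructed data sources (HR, file access, badge), each user's events are correlated, and the result is a ranked list with the reasons behind each score. The source names, event types, indicator weights, correlation bonuses and alert threshold are all assumptions chosen for illustration.

```python
"""Added illustration (not the article's own code): a tiny expert-model
correlator that scores users across several constructed data sources and
explains each score. All events below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events from three hypothetical sources.
# Each event: (source, user, event_type, detail)
EVENTS = [
    ("hr",    "alice", "notice_given",  "resignation effective in 14 days"),
    ("files", "alice", "bulk_download", "412 files from /finance/share"),
    ("badge", "alice", "after_hours",   "entered building 23:10"),
    ("files", "bob",   "bulk_download", "380 files from /eng/repo-mirror"),
    ("badge", "carol", "after_hours",   "entered building 22:40"),
    ("hr",    "dave",  "access_review", "role change approved"),
]

# Expert model: analyst-authored indicator weights. The values are assumed
# for illustration; a real program would tune them with its own analysts.
INDICATOR_WEIGHTS = {
    "notice_given":  3,
    "bulk_download": 4,
    "after_hours":   1,
    "access_review": 0,
}

# Correlation rules: combinations analysts judge riskier together than the
# sum of their parts (assumed for illustration).
CORRELATION_BONUS = {
    frozenset({"notice_given", "bulk_download"}): 5,
    frozenset({"bulk_download", "after_hours"}): 2,
}

ALERT_THRESHOLD = 8  # assumed; alert only when a score reaches this level


@dataclass
class RiskAssessment:
    user: str
    score: int = 0
    reasons: list = field(default_factory=list)


def assess(events):
    """Correlate events per user, apply weights and correlation bonuses,
    and return assessments sorted riskiest-first, each with its reasons."""
    per_user = defaultdict(list)
    for source, user, etype, detail in events:
        per_user[user].append((source, etype, detail))

    results = []
    for user, evs in per_user.items():
        ra = RiskAssessment(user)
        seen_types = set()
        for source, etype, detail in evs:
            weight = INDICATOR_WEIGHTS.get(etype, 0)
            seen_types.add(etype)
            if weight:
                ra.score += weight
                ra.reasons.append(f"+{weight} {etype} ({source}: {detail})")
        # A correlation bonus applies only when every indicator in the
        # combination was observed for this user.
        for combo, bonus in CORRELATION_BONUS.items():
            if combo <= seen_types:
                ra.score += bonus
                ra.reasons.append(
                    f"+{bonus} correlated: {' & '.join(sorted(combo))}")
        results.append(ra)
    results.sort(key=lambda r: (-r.score, r.user))
    return results


def alerts(events, threshold=ALERT_THRESHOLD):
    """Users whose score reaches the threshold, carrying the explanation an
    analyst would want to see alongside the alert."""
    return [r for r in assess(events) if r.score >= threshold]


if __name__ == "__main__":
    for r in assess(EVENTS):
        print(f"{r.user}: {r.score}")
        for reason in r.reasons:
            print("   ", reason)
    print("alerts:", [a.user for a in alerts(EVENTS)])
```

With the constructed data, the one user who combines a resignation notice, a bulk download and after-hours entry ranks first and is the only alert; the user with a bulk download alone scores below the threshold, which is the point of correlating in context rather than alerting on every single indicator. Every score line carries the events that produced it, so the analyst sees why, not just who.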
With the recent focus by the U.S. government and much of the private sector on preventing threats from within, this combination of capabilities will produce an insider threat program that emphasizes prevention, adaptability and scalability. This is the most effective way to address the insider threat challenges faced by organizations of any size well into the future.