Lessons learned from the front lines of insider threat risk management

Most public agencies and private enterprises have a large and growing digital footprint, increasing their vulnerability to theft, sabotage and other malicious threats from trusted personnel. This underscores the urgent need for more effective management of both information security and risk from insiders.

The consequences of failure range from failed security audits and interruptions of service or product deliveries to more significant degradation of ongoing operations, monetary losses and lasting reputational damage. In extreme scenarios, there is even the potential for bodily injury and loss of life.

In response, many corporate and government leaders have invested heavily over the past few years in controls designed to mitigate the likelihood and consequences of a damaging insider event. Policy and procedural controls naturally have played a big part in these nascent insider threat programs, but so have a number of emerging technologies grouped under the umbrella of Security Analytics. Given the high capital and personnel costs of such technology investments, the central question is whether they are having a significant positive impact. Based on my experience, the answer is mostly “No.”

Lessons learned

Public- and private-sector organizations I have spoken with zero in on the following lessons learned:

Big-data solutions are inadequate on their own

An insider threat program will fail if it is based solely on the outputs of rules-based or machine-learning systems monitoring network activity.
Outputs from rules-based systems do well at flagging anomalies based on known behavior but also tend to be too coarse-grained for the threats they are trying to detect, leading to a proliferation of red flags (most of them false positives) that overwhelm analysts. As more rules are manually added to manage emerging exceptions, these too become unwieldy over time. Machine learning systems work better with unstructured data—and they can ease workloads by building libraries of rules on the fly—but the systems have to be constantly trained and retrained by experts and don’t work well on weak signals, in black-swan scenarios or with many of the latest wave of emerging asymmetric threats. As the volume, velocity and variety of threats have increased, the limitations of these data-driven systems have become all too apparent: by the time a threat is detected, the attack often has already occurred.

The analyst reasoning process must be automated

What all big-data systems lack is expert human judgment. To be truly effective, security analytics solutions must “reason” the way the best analysts do—by assembling many pieces of disparate information and fusing them into a composite risk picture. Given the scale and speed of the incoming data being analyzed, insider threat analytics obviously must be able to automate much of this reasoning process, allowing the system to scale to process millions of events continuously as though they’d been individually evaluated by a team of experts.

Cast a wider net for threat signals

Existing enterprise systems contain a wealth of data that can provide key insights and indicators to enhance the overall signal. That means taking advantage of internal sources like badge scans and HR records, in addition to existing network monitoring and detection tools. Even external and third-party sources – for example, bankruptcy, divorce and arrest records, as well as open-source data from social media and news outlets – should be tapped for evidence that bolsters sometimes weak internal signals.

Scalability is more than a matter of computing capacity

It is easy to say a modern analytic system must be designed for scale. But for insider threat and network and corporate security programs, the system also must be designed to minimize the number of analysts required to investigate alerts and mitigate risks. Reducing false positives and focusing analysts on the most important risks, while absorbing an ever-increasing amount of data, requires sophisticated reasoning algorithms. These can fuse a wide variety of data types to provide the context needed to rapidly identify serious threats without generating high volumes of nuisance alerts.

Avoid black boxes and walled gardens

Many of the big data systems being deployed today are closed-loop or black box solutions, meaning the underlying analytic processes and algorithms remain unknown to the user. Insider threat cases are sensitive personnel and corporate security issues, and any deployed system must provide transparency into what factors raised an individual’s risk profile, and when. Organizations that take proactive steps to mitigate risks must be able to explain and defend how and why they arrived at their decision. Likewise, in order to tap into multiple data sources, the solution should provide API access not just to bring data in, but to provide a means for sharing the solution’s risk insights with other enterprise systems.

In Part 2 of this post, I examine three key “must-haves” for a successful insider threat program.
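The signal-fusion and transparency arguments above (weak signals from badge, HR, DLP and proxy sources corroborating each other, with a record of which factors raised a score and when), as an added Python example that is not part of the original article or any vendor's product. The event feed, user ids, signal names, weights, time window and review threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events from several enterprise sources (not real data);
# user ids and signal names are hypothetical.
EVENTS = [
    {"ts": "2024-02-20T09:00:00", "user": "u123", "source": "hr", "signal": "resignation_notice"},
    {"ts": "2024-03-01T02:10:00", "user": "u123", "source": "badge", "signal": "after_hours_entry"},
    {"ts": "2024-03-01T02:35:00", "user": "u123", "source": "dlp", "signal": "bulk_download"},
    {"ts": "2024-03-01T02:40:00", "user": "u123", "source": "proxy", "signal": "personal_cloud_upload"},
    {"ts": "2024-03-01T02:12:00", "user": "u456", "source": "badge", "signal": "after_hours_entry"},
    {"ts": "2024-02-25T11:00:00", "user": "u456", "source": "dlp", "signal": "bulk_download"},
    {"ts": "2023-12-01T10:00:00", "user": "u456", "source": "hr", "signal": "resignation_notice"},
]

# Hypothetical weights: any single signal is weak on its own.
WEIGHTS = {"after_hours_entry": 1, "bulk_download": 2,
           "resignation_notice": 2, "personal_cloud_upload": 3}
WINDOW = timedelta(days=14)   # only signals this recent are fused together
CORROBORATION_BONUS = 2       # per additional independent source agreeing
REVIEW_THRESHOLD = 6          # below this no analyst alert is raised


def score_user(user, events, now_iso):
    """Fuse one user's in-window signals into a score plus the explaining factors."""
    cutoff = datetime.fromisoformat(now_iso) - WINDOW
    factors = []
    for e in events:
        if e["user"] != user or datetime.fromisoformat(e["ts"]) < cutoff:
            continue
        factors.append((e["ts"], e["source"], e["signal"], WEIGHTS.get(e["signal"], 0)))
    factors.sort()                       # chronological: what raised the score, and when
    sources = sorted({f[1] for f in factors})
    base = sum(f[3] for f in factors)
    # Independent sources agreeing turns several weak signals into a strong one.
    score = base + CORROBORATION_BONUS * max(len(sources) - 1, 0)
    return {"user": user, "score": score, "review": score >= REVIEW_THRESHOLD,
            "sources": sources, "factors": factors}


def rank_users(events, now_iso):
    """Score every user in the feed, highest risk first, so analysts triage by risk."""
    users = sorted({e["user"] for e in events})
    return sorted((score_user(u, events, now_iso) for u in users),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in rank_users(EVENTS, "2024-03-02T00:00:00"):
        print(r["user"], r["score"], "REVIEW" if r["review"] else "no alert", r["factors"])
```

The same badge-plus-DLP pair appears for both users, but only the user whose HR and proxy signals corroborate it crosses the threshold, and the returned factor list is the explanation an analyst can defend.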