Building an insider threat program from the inside-out, not outside-in

I know, I know. How to build an insider threat program is a dead horse beaten time and time again. Yet, no matter how many experts write, present, and talk about it, insider threat attacks still run rampant.

A recent Forrester report revealed more than half of global network security decision makers whose firms had suffered a data breach in the past 12 months said they had experienced at least one insider incident. And after big breaches like Equifax, Anthem, eBay, Target, Yahoo! and so many more, we should expect to see more insider attacks as criminals leverage stolen, personal information to masquerade as legitimate employees.

Since expert commentary in the past has mainly focused on who, which technologies and processes should be involved in building an insider threat program, I am going to take a different angle on this topic.

First, let’s set the stage. As 2018 begins, you may be looking at your budget, deciding what to cut and what to invest in regarding insider threat mitigation. Some of you may already have a program in place, while others are starting from scratch. Either way, an insider threat program should begin and end with two questions – What do we care about most? How is it being protected?

A good place to start to answer those questions is with your company’s business continuity team. Ask them if a natural disaster struck tomorrow, which assets would they protect first? Chances are the assets they would want to protect in a natural disaster will be the same ones the company would want to protect from a cyber incident.

The business continuity team understands which assets, if compromised, would cause minimal and maximum damage. For example, you as a cyber security professional may be worried about an employee, who’s about to leave the company, breaching the confidentiality of a certain application. However, the business continuity team may tell you that the business would have a more difficult time surviving an availability problem if disgruntled insiders took down another application.

The availability problem is a bigger threat to the bottom line than a confidentiality problem and thus, applications that cannot go down should be prioritized. The key is to find out which assets you have from a business continuity perspective, and put insider threats in the context of what you have to lose. It’s nearly impossible to build an insider threat program without knowing what you must protect.

From there, you should focus on two dynamics. First, you want to stop sensitive data from leaving the company, which is where technology comes into play. Explore technologies that prevent sensitive data from getting into the wrong hands. Data loss prevention (DLP) is a traditional technology that has gone from hero to goat, and back to hero again due to new compliance mandates like the GDPR, string of high profile breaches, and the explosion of cloud application usage and remote connectivity. Data loss prevention technologies of the past buried analysts in alerts, many of which were false positives, to the point where they would turn off DLP policies to avoid hindering the business.

Today’s DLP tools no longer create that alert mess because they are being integrated with technologies such as user and entity behavior analytics. UEBA pares down the mountain of DLP alerts into a prioritized list of the riskiest insider activity needing immediate investigation, which brings me to the second dynamic. You must understand how people are interacting with your company’s sensitive data assets, including who and how they are accessing them, where they typically send information they access, and why they need access to those assets. UEBA technology monitors and analyzes who interacts with sensitive data, how they interact with it, and detects if a user behaves in way that’s unusual for them, their peers and overall team.

The third leg of the strategy is around communication, which entails communicating threats up, down and across the organization. Once you have identified a threat, who should the information go to first and how? To reduce noise in the Security Operations Center, security teams should engage line of business application owners who govern the assets under attack to confirm if the unusual activity is indeed unusual or if it was business justified. If the owner deems the behavior unusual, then the alert should go to SOC analysts in charge of investigating.

Again, technology comes into play here with the key word being Automation. Use analytics platforms to automate the communication process so that security teams are not scrambling trying to locate who owns the application, the best way to contact those owners, and ask them to provide the information. Analytics platforms also automate the process of sending the alert to analysts, again avoiding manual labor headaches, and saving significant time.

Finally, board members today more so than ever before are tasking cyber security professionals to present the state of the company’s cyber risk posture. To effectively communicate your insider threat strategy and progress, you must speak in the board’s language – impact. They will want to know if you have aligned the impact of insider threats to the company’s risk management program. Have you identified the crowned jewels of the business and what happens if they are compromised? Have you aligned your insider threat program to the company’s business continuity efforts (the answer is “yes” if you followed my steps above)? The board will also want to know about any active threats that could potentially hurt the company and what you have done to mitigate them.

Before I conclude, here is a top 10 list of questions you should ask when building an insider threat program:

1. What are our crowned jewels, those that if compromised, would impact the business the most?
2. Have I aligned those crowned jewels with our business continuity team’s priorities?
3. Which protections do I have around those crowned jewels?
4. How do we identify insider and external threats?
5. Who are the threat actors that put those crowned jewels at risk?
6. What is the probability of them to act?
7. What’s the impact if they act?
8. What’s the likelihood of them doing damage?
9. How will we respond once we detect a critical threat against a crowned jewel?
10. If we lost sensitive data, how would we respond and minimize risk?