This document discusses managing insider threats and building a successful audit program. It emphasizes the importance of educating users about insider threats, as employees are often the biggest security risk. It outlines the key components of an insider threat program, including policies, processes, access controls, risk management, and auditing. It also provides tips for tool selection, governance, documentation, and implementation. Throughout, it stresses that insider threats are difficult to detect but can be mitigated through visibility and understanding risky behaviors.
True story – when I was the “IT Guy” at a Records Management firm in Northern New Jersey, I had to deploy a crude Content Management system as part of a Firewall rollout for 90 users in total. I asked one of the Owners if we should notify the Users that they were being monitored and he said, “No, let it run for 2 weeks and we’ll see what people are looking at. THEN send out your email to let them know that Net access is a privilege, etc. and they’re being monitored.” I did just that, and the only one who had a beef was a Warehouse manager who spent every afternoon hunched over his desktop in his office…
Galen Marsh – pleaded guilty in Sept. to taking account data for hundreds of thousands of private wealth clients - http://www.reuters.com/article/us-morgan-stanley-breach-plea-idUSKCN0RL22920150921
http://abcnews.go.com/Business/us-software-developer-busted-employer-outsourcing-job-china/story?id=18230346
The whole point is that he was caught by an anomaly – someone in China using Bob’s RSA token from China while he sat at his desk in the USA…
The actions of insiders are among the most difficult to detect and the discovery timeline (Figure 30) illustrates this point. In our graphic we show the majority of these incidents are taking months or longer to discover. In fact, when we looked at the overall DBIR dataset, we found that the incidents that take the longest to discover were these inside jobs. The shift from days to months led us to look at what was different. We found that there were more cases where bank employees provided info that was used for fraud—and was discovered quicker—in years prior. For organizations that will not have fraud detection in their arsenal, the shift is likely more representative of their world.
Recommended controls
The evil within
So love your employees, bond at the company retreat, bring in bagels on Friday, but monitor the heck out of their authorized daily activity, especially ones with access to monetizable data (financial account information, personally identifiable information (PII), payment cards, medical records).
USB wary
Our dataset included numerous instances of audits being performed after an employee had left, which uncovered evidence of a USB drive used to transfer data prior to their departure. It makes sense to take measures to identify use of these portable drives sooner rather than later.
Keep one eye on your data and the other on your employees!
You cannot effectively protect your data if you do not know where it resides. Likewise, it does you little good to know where it is but then pay no attention to who has access to it. Make sure that you are aware of exactly where your data is and be careful who you give privileges to and to what degree. It makes sense to give the valet attendant your keys to park your car, but not to hand over your credit cards as well.
So it seems like a no-brainer to have an insider threat program.
Why don’t companies implement them?
CIOs, Boards no longer have plausible deniability.
Budgets are starting to open up to address new (and old) threats.
Seasoned security skills take 10 years to build.
Forcepoint has its own Threat Report with a lot of data on Insider Threats
Don’t even talk about vendors or products until stage 8.
Executive sponsor – Top-down direction and advocacy
Establish the vision – Why are we doing this?
Put someone in charge – Single point of accountability
Clearly define roles and responsibilities
If you can’t clearly state WHY you’re doing this, STOP and go back to step 1.
Business case will change as your business and technologies change. It should be a living business case.
Staff MUST have strong knowledge of daily procedures and work processes.
Training department needs to educate everyone.
Need a broad range of stakeholders because each has their own perspective on what data and processes are critical.
Some will assist with organizational or regulatory challenges (e.g. data protection laws)
Have to understand
The threats to your organization
The greatest areas of risk
Education is about changing culture and behavior, not checking the box.
Make identifying malicious emails a game – “Catch of the Day”
Phishing is a major threat today.
Intentionally phishing your own staff can also be a good measure of behavior change
Predisposition: Does the person regularly violate company policy?
Unmet expectations: Is the person upset because they didn’t get a raise/promotion, or were put on a performance improvement plan?
Precursors:
Do they demonstrate disruptive behavior?
Did they give 2 weeks’ notice (and do we have a history of their transactions and activity prior to that)?
The Acts:
Are they logging in after hours when they normally do not? Or working much more or less?
Are they accessing resources they normally do not?
Has their online or email traffic increased or decreased?
Theft/Damage: Have they repeatedly tripped DLP rules?
All these indicators and observed behaviors form audit rules to guide monitoring activity.
Must know your super users, as they pose the greatest risk (they have the most access, or the most privileged access).
Need appropriate governance.
Worst thing you can do is roll out a program with all the right intentions that violates EU data protection law or some other regulation.
Want to document everything, particularly:
Who’s signing off on audit rules?
Who’s signing off on risk?
Who’s providing oversight of the program?
How are investigations initiated and documented?
Vendor solution must be able to
Incorporate and correlate ALL the sources of data that are important to me
Must be able to establish baseline activities for the company, for teams and for individuals
Must be able to identify changes in behavior – doesn’t mean it’s wrong, but abnormal
Must retain appropriate history
Want simple interface to identify highest risks RIGHT NOW, and see what’s making them high.
Need ability to perform video playback to confirm attribution.
Tool should provide answers, not generate more questions.
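The indicators listed under “The Acts” (after-hours logins, access to resources a user normally does not touch, a swing in traffic volume, repeated DLP hits) and the vendor requirements above (baselines for the company, teams and individuals; flag change rather than judge it; show what is driving the score right now) are the same thing seen from two sides: audit rules over a behavioral baseline. The script below is an added example that turns them into code; it is not from the original deck and not from any vendor product. The event-log format, the team names, the business-hours window and the thresholds are assumptions for illustration, and the log itself is constructed.

```python
"""
Toy behavioral baseline + audit rules for an insider threat program.
Added example (not from the original presentation or any vendor tool).
Assumed log format: (user, team, ISO timestamp, resource, bytes_out, dlp_hit).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. alice keeps a steady 9-to-5 pattern on one share;
# bob matches her until mid-month, then shifts to late-night pulls from a
# PII database that trip DLP rules (the "gave notice, then exfiltrated" case).
EVENTS = [
    ("alice", "finance", "2024-05-06T09:12:00", "gl-share", 20_000, False),
    ("alice", "finance", "2024-05-07T10:05:00", "gl-share", 25_000, False),
    ("alice", "finance", "2024-05-08T09:40:00", "gl-share", 22_000, False),
    ("alice", "finance", "2024-05-09T11:15:00", "gl-share", 18_000, False),
    ("alice", "finance", "2024-05-13T09:30:00", "gl-share", 21_000, False),
    ("alice", "finance", "2024-05-14T10:10:00", "gl-share", 23_000, False),
    ("bob", "finance", "2024-05-06T09:00:00", "gl-share", 15_000, False),
    ("bob", "finance", "2024-05-07T09:30:00", "gl-share", 17_000, False),
    ("bob", "finance", "2024-05-08T10:00:00", "gl-share", 16_000, False),
    ("bob", "finance", "2024-05-09T09:45:00", "gl-share", 14_000, False),
    ("bob", "finance", "2024-05-13T22:40:00", "client-pii-db", 900_000, True),
    ("bob", "finance", "2024-05-14T23:05:00", "client-pii-db", 1_200_000, True),
]

BASELINE_END = datetime(2024, 5, 10)  # events before this date form the baseline (assumed cutoff)
BUSINESS_HOURS = range(7, 20)         # 07:00-19:59 is "normal" (assumed window)


def _parse(ev):
    user, team, ts, resource, bytes_out, dlp = ev
    return user, team, datetime.fromisoformat(ts), resource, bytes_out, dlp


def build_baselines(events):
    """Per-user baseline (resources, after-hours share, bytes/day) plus a
    per-team resource set so 'new to this user' and 'new to the whole team'
    can be told apart."""
    users = defaultdict(lambda: {"resources": set(), "after_hours": 0,
                                 "n": 0, "bytes": 0, "days": set()})
    teams = defaultdict(set)
    for user, team, when, resource, bytes_out, _ in map(_parse, events):
        if when >= BASELINE_END:
            continue
        rec = users[user]
        rec["resources"].add(resource)
        rec["after_hours"] += when.hour not in BUSINESS_HOURS
        rec["n"] += 1
        rec["bytes"] += bytes_out
        rec["days"].add(when.date())
        teams[team].add(resource)
    return {"users": users, "teams": teams}


def score_users(events, baselines, volume_ratio=5.0, dlp_threshold=2):
    """Apply the audit rules to post-baseline events.
    Returns {user: (score, [human-readable reasons])}; a reason is a change,
    not a verdict -- an analyst still has to decide whether it is an incident."""
    recent = defaultdict(list)
    for ev in map(_parse, events):
        if ev[2] >= BASELINE_END:
            recent[ev[0]].append(ev)
    out = {}
    for user, evs in recent.items():
        base = baselines["users"].get(user)
        if base is None or base["n"] == 0:
            out[user] = (1, ["no baseline for user"])  # new/unknown accounts get a look too
            continue
        reasons = []
        after_hours = sum(e[2].hour not in BUSINESS_HOURS for e in evs)
        if after_hours and base["after_hours"] / base["n"] < 0.1:
            reasons.append(f"{after_hours} after-hours login(s); baseline is business hours")
        new_to_user = {e[3] for e in evs} - base["resources"]
        new_to_team = new_to_user - baselines["teams"].get(evs[0][1], set())
        if new_to_user:
            tag = " (also unused by the whole team)" if new_to_team else ""
            reasons.append(f"new resources: {sorted(new_to_user)}{tag}")
        base_rate = base["bytes"] / len(base["days"])
        recent_rate = sum(e[4] for e in evs) / len({e[2].date() for e in evs})
        if recent_rate > volume_ratio * base_rate:
            reasons.append(f"outbound volume {recent_rate / base_rate:.0f}x baseline")
        dlp_hits = sum(e[5] for e in evs)
        if dlp_hits >= dlp_threshold:
            reasons.append(f"{dlp_hits} DLP rule hits")
        out[user] = (len(reasons), reasons)
    return out


def top_risks(events):
    """Ranked 'highest risk right now, and why' view -- the dashboard input."""
    scored = score_users(events, build_baselines(events))
    return sorted(scored.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    for user, (score, reasons) in top_risks(EVENTS):
        print(f"{user}: score={score}")
        for r in reasons:
            print("   -", r)
```

On the constructed log, alice scores 0 and bob scores 4 with all four rules firing, including the note that client-pii-db is new to the whole finance team, not just to bob. The scoring is deliberately a plain count of triggered rules with visible reasons; that is the “answers, not more questions” property, and it is also what has to be signed off under the governance section, since every rule here is a statement about what the organization considers abnormal.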
Organizational Risk Dashboard
Individual User Dashboard
It’s all about having context with your auditing data to determine intent and whether an event is an incident.
Example of video replay capability for context and evidence.
In a 2014 Ponemon study, 88% of organizations recognized insider threat as a cause for alarm, but they did not feel they had effective solutions. 69% felt they did not have enough contextual information to determine whether an alert was a threat, and 56% said their tools yielded too many false positives. 42% said they didn’t have enterprise-wide visibility. Even though they recognized the insider threat problem, less than 40% had a dedicated budget for an insider threat program. Most had to rely on existing tools not suited to solving the problem.
Source: Privileged User Abuse & The Insider Threat, Ponemon 2014 study conducted among IT professionals.
How effective are your controls?
Make sure they are effective and working as intended. Make sure they are reducing effort, not increasing it.
In old days, everything happened on site. Managers could see what was happening with machines and with people.
Today, with cloud providers, remote workers and automated data feeds, it’s so much more difficult to maintain visibility of your information. It’s difficult to determine what data was accessed by whom, when, and what data went where at any given time.
What an insider threat program can do is restore the visibility so an organization can understand and address their most pressing risks.