Speaking at the Spotlight18 conference in Las Vegas today, Deloitte experts weighed in on how to build an insider threat program during a round table discussion. Participating in the keynote discussion were Linda Walsh, managing director, Cyber Risk Services; Peter Hodge, senior manager, Cyber Risk Services; and Naj Adib, senior manger, cybersecurity advisor.
The success of Deloitte’s user entity and behavior analytics (UEBA) projects stems directly from the fact that they are built within the framework of an overarching risk-program approach, and the Deloitte team said its three key pillars of a successful insider threat program include people, process and technology.
“Scaring people doesn’t work well,” said Walsh, who spent 21 years working on insider threats for the FBI. A common problem that Walsh has seen throughout her career is with system admins who leave access open to be able to perform tasks or with admins who have turned into disgruntled employees and maliciously leave access open in order to steal user credentials. “That type of problem, that lateral movement is a hard thing to solve for,” she said.
Developing an insider threat program requires that organizations first define who and what insider threats actually are. “There are not a lot of organizations that have not defined what insider threat means to them. Insiders can be current employees, privileged IT users/admins, contractors/service providers, customers/clients, and their behaviors can be malevolent or unintentional,” said Adib. "Defining insiders and understanding the motivational factors of their behaviors is foundational to building your program."
Because all organizations are different, insider threat programs will vary from company to company, but regardless of size or risk, every organization should develop an insider threat working group. A working group is the first step and a key answer to the often-asked question of how to get mobilized.
Running simulation attacks, such as a Phishme (now Cofense) campaign, can be enlightening. “Now they get it,” said Walsh, “and it oftentimes works so well that they are not opening things they should. That’s the type of awareness you can start. Those are your quick wins.”
The key guiding principles of building a successful insider threat program are that it must be holistic, coordinated, proactive and risk based. “It’s about setting the right policies and standards so that users understand the expectations. We don’t want to go out and have policies and standards that are shelf-ware. Security awareness training within organizations is out there, so add in concepts of what constitutes an insider. Train people to become your frontline,” Abid said.
The goal is to reduce the number of false positives, which comes back to the insider threat working group, said Walsh. "Once you've found all the meaningful data and you can correlate it – which is a challenge that takes a lot of work – you can start prioritizing to reduce false positives to come out with some meaningful, actionable data. A lot of people are hesitant to start turning out that data because there is so much noise, but ignorance is not a security strategy anymore."