You can find the complete Insider Threat Protection Framework here.
You wake up on Monday morning, get ready, pour yourself a cup of coffee and sit at the kitchen table for your daily dive into your work phone to see what sort of meetings you have planned for the day. The number of notifications on your lock screen instantly alerts your senses. Reading the top email, you find out that full account details for many of your customers have been leaked on the dark web and that you have additional emails and missed calls from members of the Department of Homeland Security. You rush to work, talking to members of your team during the entire commute.
How could a hacker have gotten in? You immediately enact your incident response plan, with a focus on finding out where the attack originated from and how it can be contained. Days go by and you’ve spent long days and longer nights looking through logs before discovering that everything points to a single workstation – yours. You suddenly remember a vendor invoice attachment from the week before that wouldn’t open, even after saving it to your desktop. The cause of those late nights, endless stress, and the loss of your company’s reputation, was one seemingly insignificant moment of inattention.
We’ve heard about similar situations and some of us have even experienced it ourselves. What could have been done differently? How can your organization ensure that something like this doesn’t happen? Insider threat is something that many organizations are worried about today. Studies have shown that it is the cause for the majority of security breaches and according to several surveys, business and IT executives count it among their top concerns.
Insider threat protection consists of four primary pillars – technology, policy, training, and culture. Keep reading to learn more about how to improve these pillars and help to keep the ceiling from falling in on you.
There are several existing and emerging technical controls and tools specifically aimed at addressing insider threat concerns. The most common technical solutions today are for monitoring user behavior and producing actionable security intelligence, and they fall into a few categories. Some solutions simply record user actions in logs to make them easier to audit, while others analyze the data to establish baseline behavior models and notify the security department when behavior becomes anomalous. Finally, some user monitoring solutions also record screenshots or video of user workstations, keystrokes, and mouse clicks so that user behavior can be reviewed both in real time and in the course of incident response. These solutions do well for detecting and responding to malicious insiders.
Another type of technical solution is one that provides isolation in some way. These solutions create sandbox environments where user actions cannot have a negative impact on the system they are using or on other network devices. I covered one of those in a guest interview on the podcast recently, but I am going to try to keep this as vendor agnostic as possible. The idea is that when users click on links or open attachments, or simply browse the web in the course of their job, they operate in a completely isolated environment: either the session is separated from the workstation they are working on, or the solution fetches the website and renders a translated version in which any malicious code or scripts are ineffective. A longstanding and ever-growing concern is that advertisements on legitimate websites can compromise systems, or scam users into thinking they have malware on their workstations and trick them into paying for unneeded products and services.
A more costly solution that addresses phishing campaigns is to automatically append text to links in emails or subject lines for messages coming from external sources. This can be accomplished through both home-grown and commercial solutions and applied to the email server. If a user can see that an email came from outside the organization, they might be more aware of potential phishing. If they are forced to copy and paste a URL into their browser because links have been disabled through appended text, they could more readily notice that something in the path is suspicious. The drawback from these solutions when compared to commercial isolation methodologies is that by themselves they do not protect users from malicious email attachments, other than a potential notification that it came from an external source.
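The external-mail tagging described above, as an added example rather than code from the original post: a small filter (assumed organization domain, constructed sample message) that prefixes the subject of externally originated mail and breaks the clickable links in the plain-text body so the user has to copy and read the URL before visiting it.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed: the organization's own mail domains (hypothetical value).
INTERNAL_DOMAINS = {"example-corp.test"}
URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)

def is_external(msg, internal_domains=INTERNAL_DOMAINS):
    """True when the From: address is outside the organization's domains."""
    addr = parseaddr(msg.get("From", ""))[1].lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return domain not in internal_domains

def disable_links(text):
    """Insert text into the URL scheme (stops auto-linking) and append a notice."""
    return URL_RE.sub(
        lambda m: m.group(0).replace("://", "[:]//", 1) + " [external link]", text)

def tag_external_mail(raw, internal_domains=INTERNAL_DOMAINS):
    """Rewrite subject and plain-text body of an externally originated message."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_external(msg, internal_domains):
        return msg  # internal mail passes through untouched
    subject = msg.get("Subject", "")
    if not subject.startswith("[EXTERNAL]"):
        if "Subject" in msg:
            msg.replace_header("Subject", "[EXTERNAL] " + subject)
        else:
            msg["Subject"] = "[EXTERNAL]"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(disable_links(body.get_content()))
    return msg

# Constructed sample message from outside the organization (not a real mail).
SAMPLE_EXTERNAL = """\
From: "Accounts Payable" <billing@vendor-invoices.test>
To: ceo@example-corp.test
Subject: Invoice 4471 overdue
Content-Type: text/plain; charset="utf-8"

Please review the invoice at https://vendor-invoices.test/inv/4471 today.
"""

if __name__ == "__main__":
    print(tag_external_mail(SAMPLE_EXTERNAL))
```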
Finally, traditional security controls that are part of typical security hygiene or best practices can go a long way toward protecting against insider threat. Role-based access controls can help to reduce a malicious insider’s ability to compromise production systems or exfiltrate sensitive data. Logs associated with user accounts can be gathered and sent to a Security Information and Event Management (SIEM) solution so that administrators have a better idea of what is happening in their systems. Events like security group changes and failed logins can be good indicators of abnormal or malicious activity. Identity management solutions or methodologies can be used to ensure that users are authorized to access data and applications, while also preventing former employees from gaining access after they have left.
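An added example, not from the original post, of the kind of SIEM detection logic the paragraph describes: constructed log lines in an assumed key=value format, with one rule for failed-logon bursts per user and one for membership changes to sensitive security groups (thresholds and group names are hypothetical).

```python
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values and sensitive groups (hypothetical; adjust per environment).
SENSITIVE_GROUPS = {"Domain Admins", "Backup Operators"}
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=10)

def parse_event(line):
    """Parse one 'timestamp key=value ...' line; quoted values are allowed."""
    ts, *fields = shlex.split(line)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def detect(lines):
    """Return alerts for failed-logon bursts and sensitive group membership changes."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    for line in lines:
        ev = parse_event(line)
        if ev.get("event") == "LOGON_FAILED":
            window = recent_failures[ev["user"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAILED_LOGON_WINDOW:  # drop stale failures
                window.popleft()
            if len(window) == FAILED_LOGON_THRESHOLD:  # fire once per burst
                alerts.append({"rule": "failed_logon_burst", "user": ev["user"],
                               "detail": f"{len(window)} failures from {ev['src']}"})
        elif ev.get("event") == "GROUP_MEMBER_ADDED" and ev["group"] in SENSITIVE_GROUPS:
            note = " (self-elevation)" if ev["actor"] == ev["member"] else ""
            alerts.append({"rule": "sensitive_group_change", "user": ev["member"],
                           "detail": f"added to {ev['group']} by {ev['actor']}{note}"})
    return alerts

# Constructed sample log lines in the assumed format (not real data).
SAMPLE_LOG = """\
2024-03-04T08:01:12Z host=ws-17 event=LOGON_FAILED user=jdoe src=10.0.5.21
2024-03-04T08:01:15Z host=ws-17 event=LOGON_FAILED user=jdoe src=10.0.5.21
2024-03-04T08:01:19Z host=ws-17 event=LOGON_FAILED user=jdoe src=10.0.5.21
2024-03-04T08:02:02Z host=ws-03 event=LOGON_FAILED user=asmith src=10.0.5.40
2024-03-04T08:02:30Z host=ws-17 event=LOGON_FAILED user=jdoe src=10.0.5.21
2024-03-04T08:02:41Z host=ws-17 event=LOGON_FAILED user=jdoe src=10.0.5.21
2024-03-04T08:03:40Z host=dc-01 event=GROUP_MEMBER_ADDED group="Sales" member=asmith actor=hr-admin
2024-03-04T08:04:10Z host=dc-01 event=GROUP_MEMBER_ADDED group="Domain Admins" member=jdoe actor=jdoe
""".splitlines()
```

Running `detect(SAMPLE_LOG)` yields one burst alert for jdoe and one sensitive-group alert; the single asmith failure and the non-sensitive Sales change produce nothing.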
Any security policy serves multiple purposes. First, it can be used to communicate acceptable use and restrictions to the users so they are not caught unaware in cases where the security rules in an organization are broken. Security policy also serves to bridge any gaps between technical controls and solutions. These are called policy controls and although they only exist on paper, they can be very effective. When it comes to insider threat policy, there are several key elements to keep in mind.
You should begin with a definition of the threat, as well as by defining the policy. Through these definitions, when properly coordinated, the organization can ensure that everyone is on the same page. One person’s idea of insider threat may well differ from another’s, but it is important that the policy offers standardization. After defining the threat and the policy, the actual rules must be provided. Most of these will be covered already in your Acceptable Use Policy, Mobile Device Policy, Access Control Policy, or others. To save time and effort for both the author and the reader, it is a good idea to only provide general overviews of these rules, then point to the specific policy that provides more detail.
When providing the “what” and “how” in policy, it is also important to explain the “why”. Security policy does not only exist for the security department, legal, or management. These are used to inform the employee-base and will be more effective if they understand the reason behind the rules. Explain how the restrictions will help them to accomplish their job tasks more effectively and efficiently.
Good security policy should also explain the ways that it will be enforced. Outline the tools and methodologies that are in use in your organization to detect and respond to deviant behavior. Doing this will make users more aware as well as provide deterrence. If they know that you are watching and have a general idea of how you are doing so, they might think again before accidentally or intentionally violating the policy. Outline the reporting procedures for anyone who suspects malicious or negligent behavior. They might not remember those procedures after first reading the policy, but they will know where to go if the situation arises.
To conclude the policy discussion, it must have support from executive management. When executives reference the policy, that means they understand the impacts of information security risk and its relationship to business risk. Subordinates will understand the importance of the policy and the effect will trickle down the reporting chain. On the other hand, if executive management ignores or speaks against the policy, it will be completely ineffective in its goal of reducing insider threat risk.
Security awareness training affects the likelihood of insider threat in two primary ways: it educates users on acceptable behavior in the environment, and it teaches them how to recognize and report suspected incidents. Effective awareness training can help to prevent accidental or negligent insiders, while also improving response efforts against malicious insiders. There are five elements of effective security awareness training: Purpose, Rules, Description of the Threat, Examples of the Threat, and Responding to Incidents. Things to keep in mind with regard to the purpose are the reason the organization is conducting the training, any compliance requirements, and the key business functions and associated systems that need to be protected.
The rules are concrete and should be detailed. They should reference the organization’s Acceptable Use Policy, Account Management or Provisioning Policy, Data Retention or Encryption Policies, and others that might be better related to the audience. This is where the bulk of the education should take place and employees should leave the training with a solid understanding of what they are and aren’t allowed to do on organizational systems and applications from a security perspective.
As with the policy section, you have to give the audience the “why” behind the training. This can be best accomplished through a detailed explanation of the threat as it pertains to them individually as well as the organization as a whole. Mention key business functions that impact the audience, like payroll, benefits, timekeeping, shipping, estimating, email, and other communications that the organization relies on for continued operation. The loss of those systems defines the threat, from stopping a single employee from being able to do their work to the entire organization being unable to accomplish its mission. To add to the threat explanation, examples can help to gain better understanding from the audience. These might contain any stories that the trainer or audience can share, real world incidents, and security incidents that could impact the audience’s personal lives. By relating the threat to the individual, there is a higher likelihood that they will understand and care about information security.
Another key element of security awareness training, as with policy, is to provide the audience with ways to detect negligent or malicious behavior, as well as the steps for reporting anything suspicious. This can be accomplished through Q&A, role-playing, or other methods that engage the audience and ensure understanding.
Some additional characteristics to keep in mind when planning and conducting awareness training are relevance to the audience, engagement, timeliness, and support. The training should be current and related to both the organization and the specific members of the audience. For example, it might not be effective to talk at length about the protection of financial information if the audience consists of shop floor workers. As soon as they realize that the information does not pertain to them or their role in the organization, they will stop paying attention. Audience participation is key and serves many purposes. It keeps them awake, allows for group discussion, and gives the instructor a way to gauge understanding. Breaking the audience into groups for role play, quizzes, or games can have a dramatic effect on information retention.
Timeliness is another factor that should be taken into consideration when planning the information security awareness program. Some organizations have compliance requirements that stipulate the minimum frequency of training. Most of these are annual. The key when defining the frequency of training is to get the members of the organization to be thinking about security at all times, not just the 20 minutes each year that they are taking a test or sitting in a classroom. Another tip might be to have someone from executive management stop by at the beginning of the class and offer endorsement. This simple act shows that they support the program and that it is important to the entire organization.
Security culture is the culmination of the other three pillars and represents the actual effectiveness of your organization’s insider threat protection program. It consists of the technological investments that have been implemented in the operating environment. It uses policy to inform the users of what actions are and aren’t allowed to take place on organizational assets, as well as fills any holes that cannot be filled by technology. Training is also used to communicate the rules of behavior and engage users in a more social setting. While some employees may choose not to read the policy, they will still get the information from mandatory training. There are additional ways that security culture can be improved outside of those highlighted in the other pillars, however.
Employees should feel comfortable and obligated to report suspected insider threat incidents. Management should encourage such reports and offer praise or reward for them. An email going out to the entire firm thanking an employee for their report can have lasting effects. Not only will that particular person feel appreciated for their efforts, but every other employee will see the importance of constant vigilance. Corporate newsletters can contain a section on information security, which includes warnings about current attack methods and techniques, reporting procedures, and examples of other organizations in the same industry that were compromised.
Bring the topic of information security into everyday business conversation. Managers at the lowest level can send out a daily or weekly question to their teams related to the discussion and grade their subordinates on both their participation and correctness. It doesn’t matter if coworkers work together or otherwise “cheat” to get their answers. The point is that they are talking or reading about information security.
Finally, the success of the insider threat protection program can be measured and the results can be communicated for further improvement. The organization can measure the number of insider threat incidents, as well as the number of reports. The scoring method for this measurement will be unique to the organization, but shouldn’t be dependent upon the number of incidents, as those will remain in a constant state of flux.
Through proper use of the four pillars of insider threat protection, its associated risk can be managed and reduced.