Managing the risk from insiders, commonly referred to as the ‘insider threat’, is in many ways more challenging than dealing with the more frequently discussed threat from external hackers. This is because we are dealing with users and user contexts that already have authorised access to systems and data.
For clarity, when I talk about the ‘insider threat’ I am not just referring to malicious insiders. This also covers coerced or blackmailed insiders, and compromised accounts (e.g. via social engineering) where an attacker is able to act as a legitimate user on the network.
Technically a compromised insider account is not necessarily an ‘insider threat’. However, as the appearance will be the same, and the majority of the tools and processes to detect and prevent it will be the same, it makes sense to cover it in the same work. Indeed, without the correct capabilities in place, a compromised user account could well cast suspicion on a completely innocent colleague.
The above is the reason for the slightly long-winded title of this post. I’m not a fan of the term ‘insider threat’ as it is pretty emotive and can lead to a sense of distrust. We need a better name that conveys the fact that we want to protect our colleagues as much as we want to protect our data.
When discussing this I often refer to ‘user context’, as in the predominantly logical world many of us live in it will be the user’s account that is misused in order to steal or change data. Whether the account is being used by a malicious insider, or whether it has been compromised in some way, it is the misuse of the logical account that will lead to the data loss or corruption.
Following on from the last point in the previous paragraph, when looking at the insider threat don’t forget it is about more than just data theft. Consider all areas of insider misuse or compromise:
- Could they affect availability?
- Could they affect data integrity?
What makes this such an interesting as well as challenging area of security is that you really have to bring together all aspects of security in order to manage the risk. This includes physical, logical, HR policy and even broader topics such as corporate culture.
Just how do we deal with this complex issue? One thing is for certain: despite my love for technology and innovation, this is not something that can be solved with technical solutions alone! You should not even start with these without first covering considerable non-technical work.
One of the first things to do is decide how to describe ‘insider risk’, and how to communicate this meaning to the wider organisation. I would recommend using one of the many publicly available descriptions as a basis, a good example being the US-CERT (www.cert.org/insider-threat) definition:
An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization’s information or information systems
As with all security programmes, once you have defined the programme at a high level, understanding the assets and their value will define the types of controls and how much effort and budget should be expended on protecting them. Identifying your assets – likely systems and data / information – will not only ensure you understand their value, but help ensure you are protecting the right things!
It is then important to understand both what you do and do not want to do, along with what you are allowed to do. Both corporate culture and the legal environments you operate in will impact how intrusive any insider threat programme can and should be. Remember, if you are a global company this may mean you have to have different policies in different regions; for example, Germany is much stronger on individual rights and privacy than the US.
We then need to consider the various ways that we can manage the risk. Many organisations have created programmes to manage this, from the Gartner 5-step basics:
- Build a Team, Identify a Champion.
- Identify Threats, War Game and Establish Goals.
- Achieve Stakeholder Buy-In.
- Establish Policies, Governance and Processes (Tech. Agnostic).
- Education and Deterrence Programs and Policies.
- Select and Implement Technology.
Or EY’s (quite American in focus, but still a relevant guide) 8 steps:
- Gain senior leadership endorsement, develop policies that have buy-in from key stakeholders and take into account organizational culture
- Develop repeatable processes to achieve consistency in how insider threats are monitored and mitigated
- Leverage information security and corporate security programs, coupled with information governance, to identify and understand critical assets
- Use analytics to strengthen the program backbone, but remember implementing an analytical platform does not create an insider threat detection program in and of itself
- Coordinate with legal counsel early and often to address privacy, data protection and cross-border data transfer concerns
- Screen employees and vendors regularly, especially personnel who hold high-risk positions or have access to critical assets
- Implement clearly defined consequence management processes so that all incidents are handled following uniform standards, involving the right stakeholders
- Create training curriculum to generate awareness about insider threats and their related risks
To US-CERT and the Software Engineering Institute, who have 18- and 19-step processes respectively!
I’d recommend reviewing various documents on this topic and tailoring the list to that which is most appropriate to your organisation.
In addition to the different ways we can mitigate the risk, it can be useful to apply the ‘kill chain’ approach. Much like the well understood cyber kill chain, there are similar ‘insider threat kill chains’. By using these it is possible to demonstrate how the different steps can be applied to prevent the risk at the different stages of an insider’s planning and implementation.
I’ll follow this post with some more detailed ones covering the various steps that can be taken to implement and run a comprehensive insider threat programme. One final, and critical, thought: for this to be successful, and to ensure a positive corporate culture, the messaging and intent is critical;
‘we want to enable you to work securely’
‘we want to protect you should your account be compromised or misused’
and not ‘we want to monitor you in case you steal data’!
As always it would be great to hear your thoughts.
References I would recommend for further reading include:
- https://www.cert.org/insider-threat/best-practices/ – the CERT insider threat site has a lot of excellent content!
- http://www.sei.cmu.edu/reports/12tr012.pdf – Software Engineering Institute – Common Sense Guide to Mitigating Insider Threats
- https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Mitigating%20insider%20threat%20Exec%20Sum%20-%20for%20NCSC%20website.pdf – CPNI – Mitigating Insider Risks with IT Security
- http://www.ey.com/Publication/vwLUAssets/EY-managing-inside-threat/$FILE/EY-managing-inside-threat.pdf – EY approach to managing the insider threat
- https://www.ca.com/content/dam/ca/us/files/white-paper/dealing-with-insider-threats-to-cyber-security.pdf – CA guide to dealing with insider threats