According to a Cybersecurity Insiders’ 2018 report, 90% of organizations feel vulnerable to insider attacks. Willis Towers Watson’s cyber insurance claims data shows that two-thirds of cyber claims reported to insurers are caused by employee negligence or malfeasance. Every industry is affected by insider incidents, but banking, government and health care are the top three. The motivation also differs by industry — fraud is the top motivation in banking, whereas sabotage and IP theft are the top motivations in IT.
A recent example of an insider attack took place when a Chinese employee of Apple stole crucial data from the company’s self-driving car project. Even Target’s highly publicized 2013 credit card data breach, which affected 41 million accounts, was carried out using credentials stolen from a third-party vendor (a form of insider threat).
Should anyone, employee or otherwise, have access to so much information in the first place? The answer is no, and I believe implementing a zero trust security model along with a comprehensive insider threat program can prevent such occurrences.
Zero trust is based on the security concept that an organization should never implicitly trust, and should always verify, anything inside or outside its perimeter. This has become even more crucial as the perimeter has shifted from the network to the endpoint because of cloud computing, the internet of things (IoT) and mobile devices. So the zero trust principles of least privilege, multifactor authentication, micro-segmentation and continuous authentication/authorization are the keys to safeguarding the crown jewels of an organization.
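To make the four principles concrete, here is an added example (not code from the original article) of a minimal per-request authorization check: role entitlements encode least privilege, MFA is mandatory, the request is refused when the endpoint sits outside the resource’s micro-segment, and a session must be re-verified after a fixed window. The roles, segments, resources and the fixed clock are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy data (example only): each role gets the minimum set of
# (network segment, resource) pairs it needs, i.e. least privilege.
ROLE_ENTITLEMENTS = {
    "teller": {("branch-lan", "core-banking/read")},
    "dba": {("db-segment", "customer-db/admin")},
}
REVERIFY_AFTER = timedelta(minutes=15)   # continuous authentication window
NOW = datetime(2024, 1, 1, 9, 0)         # fixed clock for the example


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    device_segment: str      # micro-segment the endpoint currently sits in
    last_verified: datetime  # last successful identity + device check


def authorize(session: Session, segment: str, resource: str, now: datetime):
    """Evaluate one request. Every call re-checks every condition; an earlier
    allow in the same session buys no trust for the next request."""
    if not session.mfa_verified:
        return False, "mfa required"
    if now - session.last_verified > REVERIFY_AFTER:
        return False, "re-authentication required"
    if session.device_segment != segment:
        return False, "cross-segment access blocked"
    if (segment, resource) not in ROLE_ENTITLEMENTS.get(session.role, set()):
        return False, "role not entitled to resource"
    return True, "allowed"


# Constructed sessions used by the demo below.
FRESH_TELLER = Session("alice", "teller", True, "branch-lan", NOW - timedelta(minutes=5))
STALE_TELLER = Session("alice", "teller", True, "branch-lan", NOW - timedelta(minutes=40))
NO_MFA_DBA = Session("bob", "dba", False, "db-segment", NOW)

if __name__ == "__main__":
    print(authorize(FRESH_TELLER, "branch-lan", "core-banking/read", NOW))
    print(authorize(FRESH_TELLER, "db-segment", "customer-db/admin", NOW))
    print(authorize(STALE_TELLER, "branch-lan", "core-banking/read", NOW))
    print(authorize(NO_MFA_DBA, "db-segment", "customer-db/admin", NOW))
```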
But it’s easier said than done. For starters, many crown jewels are legacy systems that architecturally don’t align with the zero trust concept. In addition, implementing isolated tools without a comprehensive program leaves cracks in security that can lead to breaches. Let’s look at the components of a successful implementation of the comprehensive solution.
• Formal insider program: The information handled by your insider threat team should be considered sensitive, requiring individuals to handle cases with the utmost discretion and due diligence. Also, an insider program must be lawful and compliant with organization policies. Be especially mindful of local laws if you are a global organization.
• Organizational structure: Executive management, IT, HR, legal, physical security and business owners all have parts to play in implementing a successful program. The organizational structure should include an executive council and a working group. The executive council should consist of C-level executives and general counsel. The working group should consist of working members from IT, HR, the CISO’s office, physical security and legal. It’s best to create a responsibility assignment matrix (RACI) with clearly defined roles and responsibilities.
• Information security policies: Review current policies to ensure that they regulate, monitor and enforce applicable aspects of an insider threat program. Create new policies if needed. Ensure that the policies are uniformly applied, widely distributed and formally agreed to by users.
• External dependency management: Even when business functions are outsourced to a third party, the risk can never be outsourced. Obvious external dependencies are on customers, external services and suppliers, but your company should also plan for public services that are sometimes taken for granted. It’s especially important to build relationships with the FBI and local law enforcement before an actual incident happens. Data breach liability can become a contentious issue in outsourcing, and providers are looking to significantly limit their liability. So it’s best to explicitly call out risk allocation, security processes, SLAs, recovery damages and fourth-party (subcontractor) requirements in the contracts. It’s also best to cover right-to-audit and continuous monitoring for compliance with contractual obligations.
• Employee training and awareness: The key to successful training is appropriate design and delivery, taking into account the workforce (education level, industry, diversity), applicable regulations and company culture. Be mindful that there may be training fatigue, so make it fun and pace the delivery at appropriate intervals. Complement formal training with an ongoing insider threat strategic communications campaign by making it part of webcasts and email campaigns. Foster a sense of community by promoting employee well-being and risk assurance.
• Valuable and quantitative metrics: You can’t manage (or improve) what you can’t measure, so ensure you identify KPIs and KRIs for the initiative. But it can be hard to come up with quantitative indicators representing sometimes conflicting goals. Consider using GQIM (goal, question, indicator, metric) or NIST SP 800-55 to develop, select and implement the metrics that deliver success. I would also recommend reading (or listening to) How to Measure Anything in Cybersecurity Risk.
• Minimize false positives: SOC teams today have too much on their plates to go on wild goose chases and pursue dead ends. A significant portion of a data scientist’s time is spent gathering, labeling and organizing data, yet poor training data and disparate data sets still cause false positives. To combat these, it’s best to reduce reliance on rules and static thresholds alone.
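As an added illustration (not from the original article) of why static thresholds alone generate noise, the following compares a fixed-count rule with a per-user baseline over constructed daily file-access counts: a heavy-but-normal analyst trips the fixed rule every day, while a clerk’s sudden spike is the only event the baseline flags. The user names and counts are constructed.

```python
import statistics
from collections import defaultdict

# Constructed daily file-access counts per user (a UAM-style log summary).
# "dpaul" is an analyst whose normal volume is high; "jlee" is a clerk
# whose volume jumps on the last day.
DAILY_ACCESS = {
    "dpaul": [410, 395, 430, 420, 405, 415, 440],
    "jlee":  [12, 15, 9, 14, 11, 13, 180],
}


def static_threshold_alerts(history, threshold=100):
    """Rule-based detection: alert on any day a user exceeds a fixed count.
    Returns {user: [day indexes that alerted]}."""
    return {user: [i for i, n in enumerate(counts) if n > threshold]
            for user, counts in history.items()}


def baseline_alerts(history, z_limit=3.0, warmup=5):
    """Per-user baseline: compare each day to that user's own prior days
    with a robust z-score (median and MAD), so one user's normal volume
    does not become another user's alert. Only users with alerts appear."""
    alerts = defaultdict(list)
    for user, counts in history.items():
        for i in range(warmup, len(counts)):
            prior = counts[:i]
            med = statistics.median(prior)
            mad = statistics.median(abs(x - med) for x in prior) or 1.0
            z = 0.6745 * (counts[i] - med) / mad   # MAD-scaled z-score
            if z > z_limit:
                alerts[user].append(i)
    return dict(alerts)


if __name__ == "__main__":
    print("static :", static_threshold_alerts(DAILY_ACCESS))
    print("baseline:", baseline_alerts(DAILY_ACCESS))
```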
• COTS tools: I’ve put tools in the last bullet point here because I think we as an industry focus far too much on tools and not enough on the structural aspects covered above. Also, no single tool can provide end-to-end protection. Below you’ll find some tools that can help implement parts of the program:
  • User behavior tools: user activity monitoring (UAM), user behavior analytics (UBA/UEBA)
  • Security information and event management (SIEM)
  • Privileged access management (PAM)
  • Data loss prevention (DLP)
  • Network segmentation tools
  • Cloud security and configuration monitoring tools
  • Digital forensics tools
Employees are an organization’s most important asset, but one bad insider can create a culture of distrust and stifle innovation. A good insider threat program with the recommended detection and response controls not only catches the bad actors but also protects the good ones. Zero trust complements it with preventive measures that enforce good cyber hygiene. An organization may never be able to completely eliminate the threat, but the tips and tools mentioned here can significantly reduce the risk of an insider attack.