Demystifying Insider Threats

Insider threats are a growing concern for many organizations in large part because there is so much confusion around how they are defined. Security experts across all sectors interpret insider threats differently, thus assigning them different levels of risk.

Accidents happen, and there certainly will be times when an email intended for one internal recipient is mistakenly sent to someone else within the company. Then there are the times when a user meant to send an email to the boss, but the message accidentally went to The Boston Globe. These are insider threat problems, but the intent behind them was by no means malicious. And beyond the accidental lies a range of additional scenarios that may be intentional but not damaging.

For example, an employee needs to get a deliverable to a customer but is locked out of the system. To meet the deadline, the employee borrows the login credentials of a colleague. That is an intentional infringement of company policy, but by no means was the action malicious in its intent.

Because the way to handle and respond to insider threats varies with intent, there is a lack of clarity about which tools should be implemented to best combat insider threats and how such threats should be reported and managed.

According to Flashpoint CEO Josh Lefkowitz, the gold standard insider threat program encompasses a mix of tools, datasets, expertise and cross-function collaboration, as well as comprehensive and integrative programmatic and investigative functions.

First, though, security practitioners need to recognize an insider threat program can’t be created in a vacuum. In fact, it can’t be created at all without an information security program. A strong InfoSec program is the foundation, the fundamental layer on which an insider threat program needs to be built.

As organizations are becoming more mature in their security posture, they encounter a range of issues, and developing insider threat programs in the environment remains a relatively new corporate pursuit. “It’s critical to understand the ‘why’ behind insider threat programs. The goal is to deter, detect and respond to insider threats, which requires a range of data sets and technologies that are linked to the organization’s information security program,” Lefkowitz said.

Information security, insider threat programs, security awareness training and all the other facets of the overall cybersecurity strategy go hand in glove. The response component will inherently rely on and leverage the capabilities of those overarching programs to carry out a thorough, contextualized, end-to-end investigation.

Building a Tried-and-Tested Insider Threat Program

Once an organization has established a strong InfoSec program, it can move forward with building an insider threat program. Lefkowitz offered the following steps to help companies build a tried and tested program to better detect, deter and respond to insider threats:

  1. Establish Objectives. Ensure that there are clear objectives and priorities defined in a road map. Make certain that the necessary legal and compliance protocols are broadly understood and documented.
  2. Create Playbooks. Insider threats are multi-variable and fast moving, so you need run books to navigate them effectively. Insider threat mitigation is a companywide responsibility, and you need to know your third-party risks.
  3. Allocate Resources and Tools. The pipes and plumbing of an insider threat program rely on robust data that span many different types of user behavior. These data include everything from VPN and proxy logs to email and login datasets. Use the right tools to make sense of that data so you are able to synthesize, discern and analyze all of it. When the data is more coherent and digestible, you are able to identify the problems and kick off the investigation.
  4. Investigate. Tools alone will never give the full answer. What you learn from the tools should trigger further investigation that helps you understand the why. Given that a large percentage of flagged behaviors can be explained as non-malicious, it's important to attach context to the alerts. Triggers and alerts are complemented by the investigative function.
  5. Enterprisewide Integration. A top-notch process is multi-leveled and requires coordination, so identify the protocols and stakeholders around which to build the narrative. These include legal, human resources, compliance, InfoSec and IT teams. Get everyone involved.
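To make steps 3 and 4 concrete, here is an added example (not code from the article or from Flashpoint) of what "making sense of the data" and "attaching context to the alerts" look like in practice. It correlates constructed VPN, authentication and proxy records to flag an account with sessions open from two hosts at once, which is what the borrowed-credentials scenario above produces, and then attaches the surrounding facts an analyst needs for triage: whether a colleague was locked out on the new host just beforehand (consistent with borrowed credentials, a policy matter) or whether the second session came from outside the corporate network (an unexplained event that warrants investigation). The log schema, the corporate address range and the ten-minute correlation window are assumptions for the example.

```python
"""Correlate login, VPN and proxy records to flag concurrent sessions for one
account and attach triage context. Added example; all log lines are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records (assumed schema): timestamp,source,user,event,host
SAMPLE_LOG = """\
2024-03-04T09:01:10Z,vpn,alice,login,10.0.1.20
2024-03-04T09:02:45Z,auth,bob,lockout,10.0.1.31
2024-03-04T09:05:02Z,vpn,alice,login,10.0.1.31
2024-03-04T09:06:30Z,proxy,alice,http,10.0.1.31
2024-03-04T09:40:00Z,vpn,alice,logout,10.0.1.20
2024-03-04T10:15:00Z,vpn,carol,login,10.0.2.5
2024-03-04T10:20:00Z,vpn,carol,login,203.0.113.9
"""

# Assumed corporate address space; anything outside it is treated as external.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Parse the CSV-style records into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, source, user, event, host = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": source, "user": user, "event": event, "host": host,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_concurrent_sessions(events):
    """Flag an account that logs in from a second host while a session from
    another host is still open (no logout seen yet)."""
    open_sessions = defaultdict(dict)  # user -> {host: login timestamp}
    alerts = []
    for e in events:
        if e["event"] == "login":
            others = {h: t for h, t in open_sessions[e["user"]].items() if h != e["host"]}
            if others:
                alerts.append({"user": e["user"], "ts": e["ts"], "new_host": e["host"],
                               "existing_hosts": sorted(others), "context": []})
            open_sessions[e["user"]][e["host"]] = e["ts"]
        elif e["event"] == "logout":
            open_sessions[e["user"]].pop(e["host"], None)
    return alerts


def attach_context(alert, events, window=timedelta(minutes=10)):
    """Add the facts an analyst needs: who was locked out on the new host shortly
    before, and whether the new host lies outside the corporate address range."""
    for e in events:
        if (e["event"] == "lockout" and e["host"] == alert["new_host"]
                and alert["ts"] - window <= e["ts"] <= alert["ts"]):
            alert["context"].append(f"{e['user']} locked out on {e['host']} at {e['ts']:%H:%M}")
    addr = ipaddress.ip_address(alert["new_host"])
    external = not any(addr in net for net in CORP_NETS)
    if external:
        alert["context"].append(f"{alert['new_host']} is outside the corporate range")
    # A lockout on an internal host just before the second login is consistent with a
    # colleague borrowing credentials: a policy violation, not an intrusion. Anything
    # else, especially a second session from outside, goes to incident investigation.
    if any("locked out" in c for c in alert["context"]) and not external:
        alert["priority"] = "policy-violation"
    else:
        alert["priority"] = "investigate"
    return alert


def triage(text=SAMPLE_LOG):
    """Run detection over the records and return alerts with context attached."""
    events = parse_events(text)
    return [attach_context(a, events) for a in find_concurrent_sessions(events)]


if __name__ == "__main__":
    for a in triage():
        print(a["priority"], a["user"], a["new_host"], "; ".join(a["context"]))
```

Run as-is, the script raises two alerts: alice's second session on 10.0.1.31 comes minutes after bob was locked out on that host, so it is routed to HR and compliance as a policy violation, while carol's concurrent session from 203.0.113.9 carries no such explanation and goes to the incident team. The point is the routing, not the detector: the same trigger leads to different stakeholders depending on the context attached to it.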

Kacy Zurkus


Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and spoke on a range of cybersecurity topics at conferences and universities, including Secure World, NICE K12 Cybersecurity in Education, SecureWorld Denver and the University of Southern California. Zurkus has nearly 20 years of experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996).
