
How to set up a powerful insider threat program


Security spending continues to focus on external threats, even though incidents frequently originate inside the organisation. A recent Imperva report, based on research by Forrester, found that only 18 percent of organisations prioritise spending on a dedicated insider threat programme (ITP), compared with 25 percent for external threat intelligence.

And it is not just the disgruntled employee you have to worry about: most insider incidents are not malicious in nature. In their 2022 Cost of Insider Threats Global Report, Proofpoint and the Ponemon Institute found that negligent or careless behaviour accounted for 56 percent of all incidents, and these are also typically the most expensive, with cleanup costs averaging $6.6 million.

Fixes that fall short

Part of the problem is perception: the Forrester report found that nearly a third of respondents do not regard employees as a threat. But such incidents are also genuinely hard to prevent, because you are essentially trying to police legitimate access to data. Mitigating these threats is not only a matter of tightening security controls; it also means spotting potential indicators of compromise (IoCs) in user behaviour, which is why most businesses lean on staff training. As the figures show, however, training alone is often not enough.

The same Forrester report found that while 65 percent use staff training to ensure compliance with data protection policies, 55 percent said their users had found ways around those very policies. Others said they rely on point solutions to prevent incidents, with 43 percent using data loss prevention (DLP) to block actions and 29 percent monitoring through a SIEM, although data can still be exfiltrated without either system noticing, for example over a channel the DLP agent does not inspect. The underlying problem is that network security and employee monitoring do not account for the stressors that push resourceful employees to look for workarounds in the first place.

Although prevention is always better than cure, the current approach to insider threats is weighted too heavily towards prevention. As a result, not enough attention is paid to what to do when an insider threat, malicious or not, actually materialises. So while training and network security monitoring both have a role to play, they need to sit within something much broader: an ITP.

An ITP aligns policies, procedures and processes across business departments to counter insider threats. It is widely accepted as essential for mitigating insider risk, yet only 28 percent of Forrester respondents say they have one. The reason is that many organisations find it difficult to build. Beyond getting people on board and implementing policies, the company will need to inventory its data and identify data sources, decide how it will monitor behaviour, adapt its training programme, establish how investigations will be conducted, and determine how the ITP itself will be evaluated on a regular basis.

Getting started

To begin with, you need a programme manager and a dedicated working group to run the ITP. Members must have clearly defined roles and responsibilities, and should agree to an established code of ethics and/or sign an NDA. This matters because there is a great deal of law around employee privacy and monitoring, and those legal considerations must be taken into account when policies are written and enforced. The working group's first task is to produce an operational plan and a first version of a high-level insider threat policy.

Next, they will need to work out how to inventory and access internal and external data sources, and to do this the working group must familiarise itself with the records-handling and usage procedures that apply to particular data sets. Once the processes and procedures for data collection, integration and analysis are in place, data should be labelled according to its use, since that label will bear on the privacy implications of any investigation. (Tellingly, Forrester found that nearly 58 percent of incidents involving sensitive data are caused by insiders.)

Decide whether you will use technology to monitor end-user devices, logins and so on, and document this in signed information system security agreements so that monitoring consent is on record. Potential indicators of compromise (IoCs) include tampering with or falsifying database records, improperly sharing confidential company information, mass deletion of files, or viewing inappropriate content. If such behaviour is detected, discretion is crucial, and any investigation must be watertight and proportionate, because it may end in litigation.

Digital forensics for defense

How the company responds to and investigates incidents should also be spelled out in the ITP. Consider whether investigations will be run internally, at what point you will need to bring in external parties, and whom you must notify. Where will investigation data be stored, and for how long? While it is important to retain relevant material, you do not want to be caught out by retaining more than you need, since that increases your exposure; the ITP should therefore be aligned with your data minimisation policies.

Digital forensics tools should be used to underpin the ITP. You will need to decide how proactively you manage insider threats and whether these tools will be used only reactively, after an incident, or proactively and covertly. For example, some businesses with high-value assets run an audit when an employee leaves to determine whether data has been taken. You should also make sure the tools can reach endpoints and cloud sources remotely, including endpoints that are off the corporate network, and that they are OS-agnostic so you can acquire data from both Macs and PCs.

Digital forensics lets a business detect and investigate wrongdoing quickly. For example, it can establish the date, time and path used to move data out of the corporate estate to any device or endpoint, to an online storage service such as Google Drive or Dropbox, or even to a social networking platform. Once the data has been traced, the circle of probable suspects can be narrowed until the team has incontrovertible evidence.
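The exfiltration paths and behavioural IoCs described above (bulk uploads to consumer cloud storage, mass file deletion, and extra scrutiny of leavers) lend themselves to a simple detection pass over endpoint or proxy logs. The block below is an added example, not code from the article or any product it mentions. The log format, field names, cloud-storage hostnames, thresholds and the sample lines are all constructed for the demo; a real deployment would read from the SIEM or endpoint agent and tune the thresholds to the estate's baseline.

```python
"""Added example: flag insider-threat IoCs in constructed endpoint/proxy logs.

Rules demonstrated (names and thresholds are assumptions):
  bulk_cloud_upload  - >= UPLOAD_BYTES_THRESHOLD sent to consumer storage
                       by one user inside a sliding WINDOW
  mass_delete        - >= DELETE_COUNT_THRESHOLD files deleted by one user
                       inside a sliding WINDOW
Any hit by a user on the leavers watch-list is escalated to "high".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO-8601 timestamp> <user> <ACTION> <target> <bytes>"
LINE_RE = re.compile(r"^(\S+) (\S+) (UPLOAD|DELETE|READ) (\S+) (\d+)$")

# Hosts treated as consumer cloud storage, i.e. a likely exfiltration path (assumption).
CLOUD_STORAGE = ("drive.google.com", "dropbox.com")

UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024   # 50 MiB per user per window (assumption)
DELETE_COUNT_THRESHOLD = 100                # files per user per window (assumption)
WINDOW = timedelta(hours=1)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, target, nbytes = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target, "bytes": int(nbytes)}


def is_cloud_storage(target):
    """True if the target's host is, or is a subdomain of, a consumer storage service."""
    host = target.split("/", 1)[0].lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)


def _windows(evs):
    """Yield (start, end) slice bounds of the WINDOW-long window ending at each event."""
    j = 0
    for i, e in enumerate(evs):
        while evs[j]["ts"] < e["ts"] - WINDOW:
            j += 1
        yield j, i + 1


def detect(lines, leavers=()):
    """Return one alert per (user, rule) that fired, with the date/time span and
    the paths involved, which is what an investigator needs to start tracing."""
    per_user = defaultdict(list)
    for e in sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"]):
        per_user[e["user"]].append(e)

    alerts = []
    for user, evs in per_user.items():
        fired = {}  # rule -> details for the worst window seen
        for j, k in _windows(evs):
            win = evs[j:k]
            ups = [e for e in win if e["action"] == "UPLOAD" and is_cloud_storage(e["target"])]
            dels = [e for e in win if e["action"] == "DELETE"]
            up_bytes = sum(e["bytes"] for e in ups)
            if up_bytes >= UPLOAD_BYTES_THRESHOLD and up_bytes > fired.get("bulk_cloud_upload", {}).get("bytes", -1):
                fired["bulk_cloud_upload"] = {"bytes": up_bytes,
                                              "first": ups[0]["ts"].isoformat(), "last": ups[-1]["ts"].isoformat(),
                                              "paths": sorted({e["target"] for e in ups})}
            if len(dels) >= DELETE_COUNT_THRESHOLD and len(dels) > fired.get("mass_delete", {}).get("count", -1):
                fired["mass_delete"] = {"count": len(dels),
                                        "first": dels[0]["ts"].isoformat(), "last": dels[-1]["ts"].isoformat(),
                                        "paths": sorted({e["target"].rsplit("/", 1)[0] for e in dels})}
        for rule, info in fired.items():
            alerts.append({"user": user, "rule": rule,
                           "severity": "high" if user in leavers else "medium", **info})
    return alerts


# Constructed sample log (not real data). alice: 3 x 20 MiB to Google Drive in 10 min;
# bob: small Drive upload plus a large upload to an internal SharePoint (benign);
# carol: 120 deletes in two minutes; dave (on the leavers list): 60 MiB to Dropbox.
SAMPLE_LOG = [
    "2024-03-04T09:00:00 alice UPLOAD drive.google.com/upload/cust_q1.csv 20971520",
    "2024-03-04T09:05:00 alice UPLOAD drive.google.com/upload/cust_q2.csv 20971520",
    "2024-03-04T09:10:00 alice UPLOAD drive.google.com/upload/cust_q3.csv 20971520",
    "2024-03-04T10:00:00 bob UPLOAD drive.google.com/upload/notes.txt 10485760",
    "2024-03-04T10:30:00 bob UPLOAD sharepoint.corp.example/docs/deck.pptx 104857600",
    "2024-03-04T11:00:00 bob READ fs01/finance/report_1.xlsx 4096",
    "2024-03-04T22:00:00 dave UPLOAD www.dropbox.com/upload/source_archive.zip 62914560",
] + [f"2024-03-04T18:{n // 60:02d}:{n % 60:02d} carol DELETE fs01/finance/report_{n}.xlsx 0"
     for n in range(120)]
LEAVERS = {"dave"}


def run_demo():
    return detect(SAMPLE_LOG, leavers=LEAVERS)


if __name__ == "__main__":
    for a in run_demo():
        print(a["severity"].upper(), a["user"], a["rule"], a["first"], "->", a["last"], a["paths"])
```

Note that bob's 100 MiB upload to the internal SharePoint is deliberately not flagged: the rule keys on destination, not volume, because the point of tracing a path is to distinguish sanctioned storage from an exfiltration route. Flagging on volume alone would bury the analyst in false positives from normal work.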

Both the way the investigation is conducted and the evidence itself must be impeccable and legally sound, because such incidents can lead to dismissal or even prosecution. If the findings are challenged in court, the company will have to demonstrate due diligence, so the process must be defensible and repeatable, with a proper chain of custody for every item of evidence: who acquired it, when, its cryptographic hash, and every subsequent hand-off.
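One way to make the chain of custody the paragraph above calls for verifiable rather than merely documented is a hash-chained custody log: each record carries the SHA-256 of the evidence and is itself sealed with a hash that covers the previous record, so neither the evidence nor the log can be altered after the fact without detection. The block below is an added example and not the article's or any forensic suite's own code; the record fields, the hypothetical examiner names and the sample evidence bytes are constructed for the demo, and it is not a substitute for the procedural and legal requirements of your jurisdiction.

```python
"""Added example: a tamper-evident chain-of-custody log for one evidence item.

Each record is sealed as sha256(prev_record_hash || canonical JSON of the record),
so editing or dropping any record breaks every seal after it, and the evidence
bytes are tied to the first record by their own SHA-256.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _seal(prev_hash: str, fields: dict) -> str:
    """Hash a record's fields together with the previous record's hash."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(prev_hash.encode() + body)


def _now(ts):
    return ts or datetime.now(timezone.utc).isoformat()


def acquire(evidence: bytes, examiner: str, description: str, ts=None) -> list:
    """Open a custody log: who acquired the item, when, what it is, and its hash."""
    fields = {"event": "acquire", "by": examiner, "at": _now(ts),
              "desc": description, "sha256": sha256_hex(evidence)}
    return [{**fields, "prev": GENESIS, "record_hash": _seal(GENESIS, fields)}]


def transfer(log: list, from_: str, to: str, reason: str, ts=None) -> list:
    """Append a hand-off record, chained to the previous record."""
    prev = log[-1]["record_hash"]
    fields = {"event": "transfer", "from": from_, "to": to, "reason": reason,
              "at": _now(ts), "sha256": log[0]["sha256"]}
    log.append({**fields, "prev": prev, "record_hash": _seal(prev, fields)})
    return log


def verify(log: list, evidence: bytes = None):
    """Return (ok, reason). Re-derive every seal; optionally re-hash the evidence."""
    prev = GENESIS
    for i, rec in enumerate(log):
        fields = {k: v for k, v in rec.items() if k not in ("prev", "record_hash")}
        if rec["prev"] != prev:
            return False, f"record {i}: broken link to previous record"
        if _seal(prev, fields) != rec["record_hash"]:
            return False, f"record {i}: record altered after sealing"
        prev = rec["record_hash"]
    if evidence is not None and sha256_hex(evidence) != log[0]["sha256"]:
        return False, "evidence bytes no longer match acquisition hash"
    return True, "chain intact"


def demo():
    """Build a log, then show that evidence tampering and log tampering are both caught."""
    # Constructed sample evidence (not real data).
    evidence = b"constructed sample: customer_export.csv contents\n"
    log = acquire(evidence, "examiner_a", "export found in Drive sync folder",
                  ts="2024-03-05T08:00:00+00:00")
    transfer(log, "examiner_a", "legal_counsel", "hold for review", ts="2024-03-05T12:00:00+00:00")
    transfer(log, "legal_counsel", "examiner_b", "second-opinion analysis", ts="2024-03-06T09:30:00+00:00")

    intact = verify(log, evidence)
    # Case 1: the evidence file is modified after acquisition.
    changed_evidence = verify(log, evidence + b"extra row\n")
    # Case 2: someone rewrites a hand-off in the log.
    edited = copy.deepcopy(log)
    edited[1]["to"] = "mallory"
    edited_log = verify(edited, evidence)
    # Case 3: a record is dropped from the middle of the log.
    dropped = copy.deepcopy(log)
    del dropped[1]
    dropped_log = verify(dropped, evidence)
    return intact, changed_evidence, edited_log, dropped_log


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The seal covers the canonical JSON of the record, so field order and whitespace do not matter, but any change to a value does. In practice each record would also be signed or written to append-only storage so the log itself cannot be regenerated wholesale; hashing alone proves integrity relative to a trusted copy of the last record hash, not authorship.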

Keep employees onside

Engaging employees is also critical to success. Policies should set out the risks of a breach in terms of its privacy, financial and even physical consequences, so that the workforce understands what is at stake. But you also need processes that let users report behavioural IoCs themselves. The guidelines should state how and when to report an IoC and through which channels, such as a hotline, an email address or a confidential drop box. Completion of awareness training should also be recorded.

The ITP will need to be tested, but preferably not by a real incident. Instead, run an insider threat risk assessment to find gaps in security controls and business processes, to gauge how easily data could be stolen, and to check how well the digital forensics processes perform. Think about how insider threat management fits with other security policies, such as those covering BYOD, and make sure trusted business partners and subcontractors are assessed for insider threat risk as well.

Finally, bear in mind that the strategy will have to adapt as new processes are brought online and new data sources are added. The key here is to maintain an accurate data inventory and to ensure your digital forensics tools give you enough reach to cover new technologies and exfiltration paths; you can also benchmark your programme against other companies in your sector.

The goal of an insider threat programme is to protect not only the business, its data and its processes, but also its employees. Discreet monitoring of work processes allows IoCs to be flagged more accurately, which helps stop incidents escalating. And when the unthinkable happens and an unwitting employee exposes confidential data, having defensible tooling that has already documented the incident makes it far easier to run a digital forensic investigation and bring any legal case to a swift conclusion.
