The Gold Standard Insider Threat Program
Insider Threat Programs Should be Designed to Deter, Detect, and Respond to Insider Threats
Rising concerns about the prevalence and consequences of insider threat are driving more organizations to establish their own insider threat programs (ITPs). But, as I discussed in my previous column, the ideal composition of an ITP is often unclear and misunderstood among security practitioners. As someone who has had the privilege of working closely with experts from leading ITPs over the years, I’ve observed that the most effective and truly “gold standard” ITPs tend to share the following characteristics:
A Gold Standard InfoSec Program
Behind every gold standard ITP is a gold standard information security (InfoSec) program. Indeed, InfoSec is to an ITP what a foundation is to a house. Just as you would never put up the walls of a house before laying its foundation, you should never start an ITP before attaining an adequate InfoSec program. And similar to how a house with a weak foundation is no match for an earthquake, an ITP with an inadequate InfoSec program is no match for an insider threat.
In other words, an effective ITP requires an effective InfoSec program—and there are two primary reasons for this dependency. First, the objectives of an ITP are to deter, detect, and respond to insider threats. Preventing insider threats, however, is largely the responsibility of an InfoSec program. If an organization’s InfoSec program is unable to uphold the security standards and controls needed to aid in prevention—such as identity and access management (IAM) processes, network usage and device restrictions, and mandated security-awareness trainings, to name a few—then the organization will be more susceptible to otherwise-preventable insider threats, thereby placing an undue and unproductive burden on its ITP.
Second, in many cases an organization’s InfoSec program will need to support its ITP during insider threat investigations. If the InfoSec team lacks the requisite capabilities, bandwidth, and/or resources to do so, it may inhibit the progress and accuracy of the investigation.
A Comprehensive Framework
Gold standard ITPs tend to rely on an operational framework that includes three crucial components. Think of these components as the legs of a three-legged stool; not only must they all exist and function properly, but they also must all work together to support one another—otherwise the stool, or in this case the ITP, will topple over.
1. A programmatic function is arguably the most important component. In addition to specifying the objectives, resources, priorities, and roadmap of an ITP, this function ensures all aspects of ITP investigations are clearly documented, repeatable, consistent, and follow all necessary legal and compliance protocols.
Despite its importance, however, the programmatic function is perhaps the most frequently overlooked component of an ITP. Especially for organizations that are eager to get their ITP off the ground as quickly as possible, this function can be perceived as of lower priority. Although this mindset is understandable, it can be problematic. Without an adequate programmatic function, an ITP will lack the direction, prioritization, and processes it needs in order to be effective.
2. ITP resources & tools aim to identify behaviors and events that could potentially signify an existing or imminent insider threat. This component of an ITP requires access to the widest possible range of datasets that offer visibility into employee behaviors across the entire organization. Suitable examples include VPN, proxy, email, and badge datasets, to name a few.
ITPs also require tools that can synthesize, discern, and provide notice of pertinent findings from within these datasets. User-behavior analytics (UBA) tools, for example, employ data science techniques to identify user behavior that might warrant further investigation within the context of the ITP, such as if an employee exports larger-than-usual amounts of data or frequently accesses the network outside of normal working hours. ITPs then use these types of outputs to help initiate and inform subsequent investigations and response efforts.
While gold standard ITPs tend to rely on numerous, extensive datasets and highly sophisticated tools, they also recognize that these resources comprise only one component of the ITP. A common mistake is perceiving these resources—particularly UBA tools—as “one-and-done solutions” or “silver bullets” for insider threat. Despite often being marketed as such, no tool or resource can serve as a suitable replacement for the other components of a comprehensive ITP.
3. An investigative function synthesizes and examines the outputs of ITP tools to determine the extent to which they might indicate a potential insider threat. This function is especially important because in most cases, the output of tools does not tell the whole story about a user’s behavior. For example, if an ITP tool reveals that a user has been exchanging emails with a competitor, does it mean that an insider threat is imminent? Not necessarily—there are numerous possible explanations for this behavior, and it’s up to the ITP’s investigative function to dig deeper.
A gold standard ITP investigation is an intricate and multi-level process that requires different protocols, types and depths of analysis, and stakeholders depending on the behavior observed and the estimated risk. When such an investigation suggests that an insider attack could be imminent, this function works with the programmatic function—and in many cases also with relevant stakeholders from other departments—to verify and attribute the threat as necessary.
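To make component 2 concrete, here is an added example (not from this column or any product it mentions) of the kind of per-user baselining a UBA tool performs over VPN and data-export records: it flags users with repeated off-hours sessions and sessions whose export volume sits far above that user's own norm. The record layout, the working hours, and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records: (user, VPN session start, bytes exported during the session).
EVENTS = [
    ("alice", "2024-03-04T09:12:00", 120_000),
    ("alice", "2024-03-05T10:03:00", 95_000),
    ("alice", "2024-03-06T11:40:00", 110_000),
    ("alice", "2024-03-07T09:55:00", 105_000),
    ("alice", "2024-03-08T23:10:00", 2_400_000),  # late-night session, ~20x her usual volume
    ("bob",   "2024-03-04T22:30:00", 50_000),
    ("bob",   "2024-03-05T23:05:00", 45_000),
    ("bob",   "2024-03-06T01:15:00", 52_000),
    ("bob",   "2024-03-07T10:00:00", 48_000),
    ("bob",   "2024-03-08T09:30:00", 47_000),
]

WORK_START, WORK_END = 7, 19   # assumed working hours: sessions starting in [07:00, 19:00) are normal
OFF_HOURS_MIN_SESSIONS = 3     # assumed: repeated (not one-off) off-hours use is what produces a lead
EXPORT_ZSCORE = 3.0            # assumed: an export more than 3 std devs above the user's baseline


def is_off_hours(ts: str) -> bool:
    hour = datetime.fromisoformat(ts).hour
    return hour < WORK_START or hour >= WORK_END


def export_zscore(nbytes: int, baseline: list) -> float:
    """Z-score of one session's export volume against the user's other sessions (leave-one-out)."""
    mu, sd = mean(baseline), pstdev(baseline)
    if sd == 0:  # flat baseline: any increase is notable, any decrease is not
        return float("inf") if nbytes > mu else 0.0
    return (nbytes - mu) / sd


def analyze(events):
    """Return {user: [(finding_kind, detail), ...]} for users whose behaviour departs from their norm."""
    by_user = defaultdict(list)
    for user, ts, nbytes in events:
        by_user[user].append((ts, nbytes))
    findings = defaultdict(list)
    for user, sessions in by_user.items():
        off_hours = [ts for ts, _ in sessions if is_off_hours(ts)]
        if len(off_hours) >= OFF_HOURS_MIN_SESSIONS:
            findings[user].append(("off_hours_access", len(off_hours)))
        for i, (ts, nbytes) in enumerate(sessions):
            # Leave the session out of its own baseline so an outlier cannot mask itself.
            baseline = [n for j, (_, n) in enumerate(sessions) if j != i]
            if len(baseline) >= 3 and export_zscore(nbytes, baseline) > EXPORT_ZSCORE:
                findings[user].append(("large_export", ts))
    return dict(findings)


if __name__ == "__main__":
    for user, items in analyze(EVENTS).items():
        print(user, items)
```

The output is a set of leads for the investigative function, not a verdict: bob's off-hours pattern may simply be a shift schedule, and alice's large export may be a sanctioned transfer, which is exactly the gap component 3 exists to close.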
One of the most distinguishing characteristics of a gold standard ITP is integration across the entire enterprise. Although ITPs often exist as standalone functions, the most effective ITPs rely on datasets and resources from IT, legal, HR, compliance, third-party risk, and numerous other functions. Many gold standard ITPs have designated representatives from each business function who serve as liaisons between their teams and the ITP. Having the support and cooperation of decision-makers and stakeholders throughout the organization will not only support the development and operations of an ITP, but it will also help raise widespread awareness of the risks and consequences of insider threat.
As I mentioned, I’ve had the opportunity to work closely with experts from gold standard ITPs over the years. These experiences have helped me recognize that while combating insider threats will likely always be a confusing and challenging area for many organizations, there are steps we can take to more effectively prevent, deter, detect, and respond to these threats. The above list is meant to serve as a starting point for organizations looking to do so, but it is neither comprehensive nor prescriptive. Gold standard ITPs are dynamic, intricate, and tailored to their organization’s unique needs and challenges, which is why organizations looking to initiate their own ITPs are encouraged to work with trusted third parties for additional expertise and support throughout this process.