Vulnerabilities / Threats

6/1/2015
10:30 AM
Scott Weber
Scott Weber
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Todays Requirements To Defend Against Tomorrows Insider Threats

At its most basic, a consistent and meaningful insider threat detection program has two components: data and people. Here's how to put them together.

It’s no secret that your organization – like any other -- has data that can help reveal when an employee could be at risk and potentially pose an inside threat.  Getting the right information and forming the right working group of professionals to evaluate it is something that is sometimes overlooked, but is a very critical component of an insider threat detection program.

Individuals who have been given access to a company's networks and facilities, including employees, are in the best position to bring serious damage to the organization. Unlike a distant hacker plotting an attack from the other side of the world, insiders likely have much easier access to your firm, other employees and sensitive information. The diverse risks they pose include: espionage and IP theft, sexual misconduct, sabotage, and workplace violence. Edward Snowden is just one example, albeit perhaps the most notorious.

The statistics are quite disconcerting. Ninety-three percent of U.S. organizations believe that they are vulnerable to insider threats, according to Vormetric’s 2015 Insider Threat Report, and in fact 60% of polled companies have reported some type of attempt to steal proprietary information. Further, theft of trade secrets has cost businesses $250 billion per year, a figure that is expected to double in the next decade.

The breadth and severity of this threat, and a company’s responsibility to contain it, is unmatched. Board members and CEOs, through their CISOs, CIOs, CSOs, HR executives, and compliance professionals, all are obligated to maintain control of their organization -- even when employees number in the tens of thousands around the world.

But what many companies don’t realize is that they already have much of the information they need to do this. With the right insider threat detection and prevention programs, organizations can not only minimize risks, they can pre-emptively prevent many insider attacks.

At its most basic, a consistent and meaningful program has two parts: data and people.

The data portion begins with technical risk indicators, the most common form of enhanced insider threat tracking in use today. These traditional tools, such as data loss prevention and security information and event management (SIEM) software, spot potentially illicit activities in progress and in the recent past by identifying anomalies in a person’s use of technology. For example, those tools will detect and provide an alert if a person is copying numerous files through remote access at 3:00 a.m. Specialized forms of these tools also exist for tracking specific types of misconduct, such as fraud or insider trading.

Less common in the infosec toolkit are non-network, personal behavioral risk indicators. These are forward-looking metrics that track and assess an individual’s psychological propensity to carry out an attack. Exploration into the psychology of language, known as psycholinguistic analysis, has been used for decades to reveal a person’s motivation, his or her stressors and his or her propensity to act.  Today, psycholinguistic analysis can be used to identify indicators in digital communications. Emails and chats do not have to be poured over one by one. Rather the analysis can happen in bulk. Word choice and the frequency of word-use can be analyzed across a body of communications to statistically track dozens of behavioral risk indicators at once. Analysts can then detect shifts in behavior, alerting them when someone might be a risk.

A multidisciplinary team

The people are the second critical piece of the program. Executives from IT, information security, physical security, human resources, and legal should meet regularly, as a multidisciplinary insider threat review team, to examine the various risk indicators and any relevant anecdotal evidence. Information security can detect any concerning data behavior and anomalous activity on the network. HR can report if anyone has voiced recent complaints or concerns about an individual or social group. Physical security can check building access logs and refresh pre-employment background checks.  It’s also appropriate to involve someone directly responsible for supervision of the individuals in question.

Further analysis of the various data and information collected can assist the team in their efforts to make sense of the internal risk landscape. The Critical Pathway to Insider Risk, developed by researchers and investigators sponsored by the Department of Defense, Defense Personnel Security Research Center, Carnegie Mellon’s Insider Threat Team, and affiliated behavioral scientists, can assign a risk score to an individual in question based on the behavioral data. Over time, a person’s score on this scale can be compared to him/herself, their department, or the company average on a global, regional or local scale--as well as against insiders that have acted out in the past.

Using the Critical Pathway, the team can determine the organization’s best response to a potential threat; how an organization reacts to an insider threat can either prevent an attack or provoke one. Often, a high-risk individual will be on the brink of attack, but will only launch into action after an ill-planned intervention, such as an abrupt firing. This kind of “maladaptive organizational response” can be avoided when the multidisciplinary group carefully considers all of the sensitivities of a high-risk case. The goal is not just mitigation, but prevention.

Cyber security specialists often say attacks are unavoidable; it’s “when, not if.” But most insider threats are different. Organizations have the data and the management expertise to catch many attacks before they occur or escalate. And, with this ability comes the responsibility to use it wisely. Harm to the organization is harm to everybody who derives their living from it, shareholders and the public at large.

Scott Weber is a Stroz Friedberg Managing Director based in the New York office. He is responsible for the firm's technology and advisory services involving the application of advanced psycholinguistic algorithms to Big Data. Mr. Weber assists clients in extracting value ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Pair of Reports Paint Picture of Enterprise Security Struggling to Keep Up
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/11/2018
New Domains: A Wide-Open Playing Field for Cybercrime
Ben April, CTO, Farsight Security,  10/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18315
PUBLISHED: 2018-10-15
com/mossle/cdn/CdnController.java in lemon 1.9.0 allows attackers to upload arbitrary files because the copyMultipartFileToFile method in CdnUtils only checks for a ../ substring, and does not validate the file type and spaceName parameter.
CVE-2018-18316
PUBLISHED: 2018-10-15
emlog v6.0.0 has CSRF via the admin/user.php?action=new URI.
CVE-2018-18317
PUBLISHED: 2018-10-15
DESHANG DSCMS 1.1 has CSRF via the public/index.php/admin/admin/add.html URI.
CVE-2018-18296
PUBLISHED: 2018-10-15
MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action.
CVE-2018-18309
PUBLISHED: 2018-10-15
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service,...