Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

12/7/2018
10:30 AM
Richard Ford
Richard Ford
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

Insider Threats & Insider Objections

The 'tyranny of the urgent' and three other reasons why it's hard for CISOs to establish a robust insider threat prevention program.

There’s no shortage of good coverage in the media on the important topic of insider threats.  Yet despite the headlines, according to a 2018 report by CA , only 36% of companies surveyed say they had what they considered a mature insider threat program in place. So where is the disconnect? Based on my own experience and that of my CISO friends and colleagues, there are several factors that blunt attempts at establishing a robust insider threat program, among them: long “to do” lists, optics, privacy, mindshare and culture.

The never-ending "to do" list. If it’s not multifactor authentication (MFA), it’s endpoint detection and response (EDR). If it’s not EDR, it’s identity and access management (IAM). If it’s not IAM, it’s BYOD. You get the idea – every new threat (or acronym!) requires a custom-tailored solution, and the list of things to address keeps growing. Thus, CISOs, often caught by the tyranny of the urgent, are forced to make mindful but difficult tradeoffs regarding priorities. In that calculation, insider threat often doesn’t make the cut.

The problem of optics. Maybe you’ve taken a long look at your business and decided that the lack of an insider threat program is significant enough that you should address it. Good for you. Now you’ve got to get past the set of objections I file under the broad heading of "optics." Insider threat just sounds negative. For what it’s worth, I absolutely hate the name because it conjures up visions of shady characters skulking around the water cooler planning dark deeds, and that’s absolutely not how we want to view our coworkers.

While there are plenty of documented examples of employees "going to the dark side," the most effective insider threat programs are focused on protecting employees from themselves, each other, and attackers. The intent of the program is almost wholly positive … but the name is most definitely a negative.

It’s made worse by cultural issues. While I wish it were otherwise, it’s also best to admit that there are a lot of different relationships and dynamics that exist between employee and employer. Trust can be an issue, and in many companies, there exists a distinct sense of "them" and "us" that separates executive management from the workforce – something that acts to the detriment of trust. On top of that, you may have additional challenges from diverse cultural norms if you are a global company operating in different parts of the world. What’s okay in America may be anathema in Zimbabwe, and vice versa, ranging from muddled privacy regulations and employment laws to multi-department, multi-national tensions. Do you really want to jump into that?

The employee privacy issues. Users have legitimate concerns about how much they reveal of themselves to their employers. Not only are there ethical questions, but there are a mish-mash of laws that dictate what a company can and cannot do with respect to employee privacy. This becomes a really tough issue for CISOs.

Mindshare – or making the boss happy. The job of the CISO is not as simple as just protecting the company; it’s about making the boss happy – and that boss is ultimately the CEO or the board of directors. If the risks posed by insiders aren’t part of his or her mindshare, insider threat programs won’t look like a good investment. You can do some work to educate, but too often we find that we are faced with people whose minds are already made up.

Those are the objections. It’s your job to figure how to overcome them. But here are two suggestions:  

First, be clear about the facts that justify the cost of an insider threat. The news is full of stories that chill to the bone with respect to misbehaving insiders. No company can afford to ignore these real-world incidents, and you can make the case about the damage they cause with hard numbers.

Second, take the optics issue head on. Start by having a real dialogue within the company about how programs like this are a force for good not evil. But make sure that your actions match your words. For example, a well-implemented program doesn’t actually have a negative impact on privacy. It’s all a matter of how you structure it. Yes, there is more up-front work required to do it right. But by putting in the effort, you can also make adoption of the program a way to meaningfully increase employee privacy as well as safety and security.

Related Content:

Dr. Richard Ford is the chief scientist for Forcepoint, overseeing technical direction and innovation throughout the business. He brings over 25 years' experience in computer security, with knowledge in both offensive and defensive technology solutions. During his career, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RFordOnSecurity
50%
50%
RFordOnSecurity,
User Rank: Author
1/15/2019 | 8:18:28 AM
Re: No end
Definitely agree that looking at the problem from many sides is critical - it's fatal when we take a single perspective and don't look at it from the different stakeholders are coming from. 
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
1/15/2019 | 1:55:07 AM
No end
There is no end when we discuss about the insider status of living. It needs to be viewed from different angles in order for us to grasp what the whole idea basically stands upon. It might not even make a huge difference at the very beginning but as soon as we see progress, it would most certainly be of a huge scale.
RFordOnSecurity
50%
50%
RFordOnSecurity,
User Rank: Author
1/3/2019 | 8:27:38 AM
Re: At the end of the day
Hi Cameron. Yes, I think that's right - and in fact, the breakdown of employee/employer trust is a major challenge that companies need to get past. It has to be a relationship; a lot of security goodness happens when there are strong relationships between the senior leadership and broader employee base. Without that, it becomes a zero sum game, and the imbalance can really cause some challenges. 
CameronRobertson
100%
0%
CameronRobertson,
User Rank: Moderator
1/3/2019 | 7:13:05 AM
At the end of the day
At the end of the day, I reckon that your employees need to have a certain trust in your company or loyalty, if you're expecting them to do something for the safety and security of your company, then you also have to make sure that you reward that service to the company somehow too right?
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment:   It's a PEN test of our cloud security.
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7245
PUBLISHED: 2020-01-23
Incorrect username validation in the registration processes of CTFd through 2.2.2 allows a remote attacker to take over an arbitrary account after initiating a password reset. This is related to register() and reset_password() in auth.py. To exploit the vulnerability, one must register with a userna...
CVE-2019-14885
PUBLISHED: 2020-01-23
A flaw was found in the JBoss EAP Vault system in all versions before 7.2.6.GA. Confidential information of the system property's security attribute value is revealed in the JBoss EAP log file when executing a JBoss CLI 'reload' command. This flaw can lead to the exposure of confidential information...
CVE-2019-17570
PUBLISHED: 2020-01-23
An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue...
CVE-2020-6007
PUBLISHED: 2020-01-23
Philips Hue Bridge model 2.X prior to and including version 1935144020 contains a Heap-based Buffer Overflow when handling a long ZCL string during the commissioning phase, resulting in a remote code execution.
CVE-2012-4606
PUBLISHED: 2020-01-23
Citrix XenServer 4.1, 6.0, 5.6 SP2, 5.6 Feature Pack 1, 5.6 Common Criteria, 5.6, 5.5, 5.0, and 5.0 Update 3 contains a Local Privilege Escalation Vulnerability which could allow local users with access to a guest operating system to gain elevated privileges.