Compliance as a Way to Reduce the Risk of Insider Threats
Several key resources and controls can help reduce overall risk by providing guidance on proper control implementation, preventative measures to deploy, and an emphasis on organizationwide training.
Insider threats have continued to be a major factor in data breaches over the last year. According to the "2019 Verizon Data Breach Investigations Report," 34% of data breaches involved internal actors. On top of this elusive threat, business environments are growing more complex and data is becoming a more lucrative target. Bring-your-own-device (BYOD) policies and remote working have presented challenges that extend far beyond the traditional environment seen just a few years ago. However, everything isn't all doom and gloom, and there are several steps to consider that enable organizations to begin mitigating this risk factor.
But what if I said that compliance could be a risk-reducing factor? That might seem incredible, but there are several key resources and controls that help reduce overall risk by providing guidance on proper control implementation, preventative measures to deploy, and an emphasis on organizationwide training.
Leverage Governance, Risk, and Compliance (GRC) Resources and Check Your Compliance Maturity
One solution for detecting and ideally thwarting insider threats is knowing your users and what their normal activities are. This is not easily accomplished and can quickly exhaust resources. Additionally, there are potential privacy violations that could occur if the increased monitoring is not properly disclosed. Have no fear, your friendly GRC folks are here! There are several key resources that are typically maintained by GRC, and they often expand and cover various compliance and regulatory requirements. These resources can help your SOC teams prioritize higher-risk environments, data, and users.
Preparation Is Key
Risk assessments and the overall risk management process can help provide guidance when the company recognizes increased risks or areas of high business criticality. Further, organizations that are more mature in their compliance positioning will also have system and communication classifications, data and privacy classifications, and classification around various accounts or groups within the environment.
Focusing on higher-risk factors and normalizing activities within these environments will provide a better vantage point into anomalous or potentially malicious activity, without exhausting resources or time. These resources identify the most likely targets, based on higher risk and business prioritization. Therefore, you can focus more robust control implementation based on objective prioritization. Depending on the incident, you can also have playbooks determine if, when, and where increased monitoring needs to be automatically applied.
Training and Awareness
Training and awareness have become standard control objectives in most compliance frameworks. General training around cybersecurity best practices and recognition of potential attacks is crucial across the organization. You will realize the most benefit by considering training and exercises specific to those teams that would typically respond to and report on an insider threat. This additional and specific training can provide many valuable lessons and enable SOC teams to respond, investigate, and integrate with other teams around insider threats.
The overall goal is to build situational awareness across the organization and empower employees to identify situations of concern and report on suspicious activities. Additional training should be catered specifically to the SOC team's operations and users who are likely to or may already be interacting with high-risk data or systems.
SOC + GRC + Legal: The Powers Combined
Although each of the groups functions individually around its own objectives, if an insider threat occurs, these three groups' paths will quickly converge. Understanding the compliance and legal requirements surrounding incident response is crucial to proper planning. After-incident reports provide essential lessons that enable each group to learn and adapt.
Because SOC teams are the primary users of security orchestration, automation, and response tools, their focus typically has been automation and streamlining. However, the SOC team can also work with GRC and legal teams to not only facilitate better incident response and case management, but also to help empower continual adherence to any obligations set forth by various regulations and compliance requirements. Imagine the time saved if audit requests or even controls can be automated, all while maintaining a fully compliant audit trail.
As a compliance- and risk-minded professional starting to dive into security and automation, I see tremendous potential ahead. The combination of integrations, automated workflow, hybrid playbooks, and reporting capabilities may just alleviate some of the pain points surrounding compliance. These combinations might even allow compliance to empower SOC teams, and vice versa. One can dream, right?