

5/14/2020 02:00 PM
Bob Swanson
Commentary

Compliance as a Way to Reduce the Risk of Insider Threats

Several key resources and controls can help reduce overall risk by providing guidance on proper control implementation, preventative measures to deploy, and an emphasis on organizationwide training.

Insider threats have continued to be a major factor in data breaches over the last year. According to the "2019 Verizon Data Breach Investigations Report," 34% of data breaches involved internal actors. On top of this elusive threat, business environments are growing more complex and data is becoming a more lucrative target. Bring-your-own-device (BYOD) policies and remote working have presented challenges that extend far beyond the traditional environment seen just a few years ago. However, not everything is doom and gloom, and there are several steps to consider that enable organizations to begin mitigating this risk factor.

But what if I said that compliance could be a risk-reducing factor? That might seem incredible, but there are several key resources and controls that help reduce overall risk by providing guidance on proper control implementation, preventative measures to deploy, and an emphasis on organizationwide training.

Leverage Governance, Risk, and Compliance (GRC) Resources and Check Your Compliance Maturity
One solution for detecting and ideally thwarting insider threats is knowing your users and what their normal activities are. This is not easily accomplished and can quickly exhaust resources. Additionally, increased monitoring can itself become a privacy violation if it is not properly disclosed to the people being monitored. Have no fear, your friendly GRC folks are here! There are several key resources that are typically maintained by GRC, and they usually map to multiple compliance and regulatory requirements at once. These resources can help your SOC teams prioritize higher-risk environments, data, and users.

Preparation Is Key
Risk assessments and the overall risk management process can help provide guidance when the company recognizes increased risks or areas of high business criticality. Further, organizations that are more mature in their compliance positioning will also have system and communication classifications, data and privacy classifications, and classification around various accounts or groups within the environment.

Focusing on higher-risk factors and baselining normal activity within these environments will provide a better vantage point into anomalous or potentially malicious activity, without exhausting resources or time. These classifications identify the most likely targets, based on higher risk and business prioritization, so you can focus more robust control implementation where objective prioritization says it matters most. Depending on the incident, you can also have playbooks determine if, when, and where increased monitoring needs to be automatically applied.
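The following is an added example (not code from the article or its author) of how a SOC playbook can combine GRC-maintained classifications with per-user baselines to decide where increased monitoring is warranted. The system criticality, data classification, privileged-group list, user baselines and access events are all constructed for the illustration; the scoring weights and the escalation threshold are assumptions, not a published standard.

```python
"""
Added example: classification-driven triage of access events.

Assumptions (all constructed for this illustration):
  - system criticality, data classification and privileged groups come
    from a GRC inventory;
  - a user's 'normal' is the set of hosts they usually touch and their
    typical number of accesses per day;
  - events are simple access-log records.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# --- GRC-maintained classifications (constructed sample inventory) ---
SYSTEM_CRITICALITY = {"hr-db01": "high", "fin-app02": "high", "wiki01": "low"}
DATA_CLASSIFICATION = {"hr-db01": "restricted", "fin-app02": "confidential",
                       "wiki01": "internal"}
PRIVILEGED_GROUPS = {"domain-admins", "dba"}

# Assumed weights: each classification contributes 0-3 points.
SCORE = {"high": 3, "medium": 2, "low": 1,
         "restricted": 3, "confidential": 2, "internal": 1, "public": 0}


def risk_tier(host: str, user_groups: set[str]) -> int:
    """Combine system criticality, data classification and account privilege
    into a 0-9 score. Higher tiers justify more intrusive monitoring."""
    score = SCORE[SYSTEM_CRITICALITY.get(host, "low")]
    score += SCORE[DATA_CLASSIFICATION.get(host, "internal")]
    score += 3 if user_groups & PRIVILEGED_GROUPS else 0
    return score


@dataclass
class Baseline:
    """Per-user 'normal': hosts usually accessed and typical daily volume."""
    usual_hosts: set[str]
    daily_accesses: int


@dataclass
class Event:
    user: str
    host: str
    action: str
    day: str


def triage(events: list[Event], baselines: dict[str, Baseline],
           groups: dict[str, set[str]], escalate_at: int = 6) -> list[dict]:
    """Return one decision per event. Anomalies in low-risk environments are
    only logged, so analyst time and extra monitoring go to high-risk ones."""
    per_user_day = Counter((e.user, e.day) for e in events)
    decisions = []
    for e in events:
        tier = risk_tier(e.host, groups.get(e.user, set()))
        base = baselines.get(e.user)
        reasons = []
        if base is None:
            reasons.append("no baseline for user")
        else:
            if e.host not in base.usual_hosts:
                reasons.append("host outside baseline")
            if per_user_day[(e.user, e.day)] > 2 * base.daily_accesses:
                reasons.append("volume > 2x daily baseline")
        if reasons and tier >= escalate_at:
            action = "escalate: increase monitoring and open case"
        elif reasons:
            action = "log only (low-risk environment)"
        else:
            action = "none"
        decisions.append({"user": e.user, "host": e.host, "tier": tier,
                          "reasons": reasons, "action": action})
    return decisions


def sample_run() -> list[dict]:
    """Run triage over constructed sample data."""
    groups = {"alice": {"dba"}, "bob": {"staff"}}
    baselines = {"alice": Baseline({"hr-db01"}, 20),
                 "bob": Baseline({"wiki01"}, 5)}
    events = [
        Event("alice", "hr-db01", "query", "2020-05-14"),   # normal for a DBA
        Event("alice", "fin-app02", "export", "2020-05-14"),  # privileged user, new host
        Event("bob", "fin-app02", "read", "2020-05-14"),      # unprivileged, new host
    ]
    return triage(events, baselines, groups)


if __name__ == "__main__":
    for d in sample_run():
        print(d)
```

Only the second event is escalated: the same "host outside baseline" anomaly for bob lands in a lower tier and is merely logged, which is the prioritization the classifications are meant to buy you. Any real deployment should also honor the disclosure requirement mentioned above before turning on the increased monitoring that an escalation triggers.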

Training and Awareness
Training and awareness have become a standard control objective in most compliance frameworks. General training around cybersecurity best practices and recognition of potential attacks is crucial across the organization. You will recognize the most benefit by considering training and exercises specific to those teams that would typically respond to and report on an insider threat. This additional, targeted training can provide many valuable lessons and enable SOC teams to respond, investigate, and integrate with other teams around insider threats.

The overall goal is to build situational awareness across the organization and empower employees to identify situations of concern and report on suspicious activities. Additional training should be catered specifically to the SOC team's operations and users who are likely to or may already be interacting with high-risk data or systems.

SOC + GRC + Legal: The Powers Combined
Although each of these groups functions individually around its own objectives, if an insider threat occurs, their paths will quickly converge. Understanding the compliance and legal requirements surrounding incident response is crucial to proper planning. After-incident reports provide essential lessons that enable each group to learn and adapt.

Because SOC teams are the primary users of security orchestration, automation, and response tools, their focus typically has been automation and streamlining. However, the SOC team can also work with GRC and legal teams to not only facilitate better incident response and case management, but also to help ensure continual adherence to any obligations set forth by various regulations and compliance requirements. Imagine the time saved if audit requests or even controls can be automated, all while maintaining a fully compliant audit trail.
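As an added illustration (not code from the article or any particular SOAR product) of automating a control check while keeping an audit trail, the block below evaluates a constructed set of identity records against an assumed control ("privileged accounts must have MFA and an access review within 90 days") and records every automated action in a hash-chained log, so that any later edit or deletion of an entry is detectable. The account records, the control, and the in-memory trail are all assumptions made for the example; a real deployment would write the trail to append-only storage that the playbook itself cannot modify.

```python
"""
Added example: automated compliance control check with a tamper-evident
audit trail of each automated action.

Assumptions (constructed for this illustration):
  - account records come from an identity inventory export;
  - the control requires MFA on privileged accounts and an access review
    within the last 90 days;
  - the audit trail is an in-memory list of hash-chained entries.
"""
from __future__ import annotations

import hashlib
import json
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=90)


def check_privileged_account(acct: dict, today: date) -> list[str]:
    """Return control findings for one account (empty list == compliant)."""
    if not acct["privileged"]:
        return []                       # control applies to privileged accounts only
    findings = []
    if not acct["mfa_enabled"]:
        findings.append("MFA not enabled on privileged account")
    last_review = date.fromisoformat(acct["last_access_review"])
    if today - last_review > REVIEW_WINDOW:
        findings.append(f"access review older than {REVIEW_WINDOW.days} days")
    return findings


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log where each entry commits to the previous entry's
    hash, so editing, deleting or reordering an entry breaks verify()."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, detail: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "detail": detail, "prev_hash": prev}
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["seq"] != i or body["prev_hash"] != prev:
                return False
            if _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_control(accounts: list[dict], today: date, trail: AuditTrail,
                actor: str = "soar-playbook") -> dict[str, list[str]]:
    """Evaluate every account, log each check, and return the non-compliant
    ones; the final entry is the evidence package an auditor would receive."""
    noncompliant: dict[str, list[str]] = {}
    for acct in accounts:
        findings = check_privileged_account(acct, today)
        trail.record(actor, "control-check:privileged-access",
                     {"user": acct["user"], "findings": findings})
        if findings:
            noncompliant[acct["user"]] = findings
    trail.record(actor, "audit-evidence-package",
                 {"control": "privileged-access",
                  "noncompliant": sorted(noncompliant)})
    return noncompliant


def sample_run() -> tuple[dict[str, list[str]], AuditTrail]:
    """Run the control over constructed sample accounts as of 2020-05-14."""
    accounts = [  # constructed identity inventory
        {"user": "alice", "privileged": True, "mfa_enabled": True,
         "last_access_review": "2020-03-01"},   # 74 days ago: compliant
        {"user": "bob", "privileged": True, "mfa_enabled": False,
         "last_access_review": "2020-01-10"},   # 125 days ago, no MFA
        {"user": "carol", "privileged": False, "mfa_enabled": False,
         "last_access_review": "2019-06-01"},   # out of scope
    ]
    trail = AuditTrail()
    return run_control(accounts, date(2020, 5, 14), trail), trail


if __name__ == "__main__":
    result, trail = sample_run()
    print(json.dumps(result, indent=2))
    print("trail intact:", trail.verify())
```

The chained hashes make the trail tamper-evident, not tamper-proof: whoever can rewrite the whole chain from a given point can still forge it, which is why the trail should live somewhere the automation account can only append to.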

As a compliance- and risk-minded professional starting to dive into security and automation, I see tremendous potential ahead. The combination of integrations, automated workflow, hybrid playbooks, and reporting capabilities may just alleviate some of the pain points surrounding compliance. These combinations might even allow compliance to empower SOC teams, and vice versa. One can dream, right?

Bob Swanson specializes in compliance and privacy and has spent more than 10 years within the governance, risk, and compliance (GRC) space from the vantage points of internal/external audit, developing compliance programs as an internal advocate for companies, and in ...