5/14/2020
02:00 PM
Bob Swanson
Commentary

Compliance as a Way to Reduce the Risk of Insider Threats

Several key resources and controls can help reduce overall risk by providing guidance on proper control implementation, preventative measures to deploy, and an emphasis on organizationwide training.

Insider threats have continued to be a major factor in data breaches over the last year. According to the "2019 Verizon Data Breach Investigations Report," 34% of data breaches involved internal actors. On top of this elusive threat, business environments are growing more complex and data is becoming a more lucrative target. Bring-your-own-device (BYOD) policies and remote working have presented challenges that extend far beyond the traditional environment seen just a few years ago. However, everything isn't all doom and gloom, and there are several steps to consider that enable organizations to begin mitigating this risk factor.

But what if I said that compliance could be a risk-reducing factor? That might seem incredible, but there are several key resources and controls that help reduce overall risk by providing guidance on proper control implementation, preventative measures to deploy, and an emphasis on organizationwide training.

Leverage Governance, Risk, and Compliance (GRC) Resources and Check Your Compliance Maturity
One solution for detecting and ideally thwarting insider threats is knowing your users and what their normal activities are. This is not easily accomplished and can quickly exhaust resources. Additionally, there are potential privacy violations that could occur if the increased monitoring is not properly disclosed. Have no fear, your friendly GRC folks are here! There are several key resources that are typically maintained by GRC, and they often expand and cover various compliance and regulatory requirements. These resources can help your SOC teams prioritize higher-risk environments, data, and users.

Preparation Is Key
Risk assessments and the overall risk management process can help provide guidance when the company recognizes increased risks or areas of high business criticality. Further, organizations that are more mature in their compliance positioning will also have system and communication classifications, data and privacy classifications, and classification around various accounts or groups within the environment.

Focusing on higher-risk factors and normalizing activities within these environments will provide a better vantage point into anomalous or potentially malicious activity, without exhausting resources or time. These resources identify the most likely targets, based on higher risk and business prioritization. Therefore, you can focus more robust control implementation based on objective prioritization. Depending on the incident, you can also have playbooks determine if, when, and where increased monitoring needs to be automatically applied.

Training and Awareness
These phases have become a standard control objective in most compliance frameworks. General training around cybersecurity best practices and recognition of potential attacks is crucial across the organization. You will recognize the most benefit by considering training and exercises specific to those teams that would typically respond and report on an insider threat. This additional and specific training can provide many valuable lessons and enable SOC teams to respond, investigate, and integrate with other teams around insider threats.

The overall goal is to build situational awareness across the organization and empower employees to identify situations of concern and report on suspicious activities. Additional training should be catered specifically to the SOC team's operations and users who are likely to or may already be interacting with high-risk data or systems.

SOC + GRC + Legal: The Powers Combined
Although each of the groups functions individually around its own objectives, if an insider threat occurs, these three groups' paths will quickly converge. Understanding the compliance and legal requirements surrounding incident response is crucial to proper planning. After-incident reports provide essential lessons that enable each group to learn and adapt.

Because SOC teams are the primary users of security orchestration, automation, and response tools, their focus typically has been automation and streamlining. However, the SOC team can also work with GRC and legal teams to not only facilitate better incident response and case management, but also to help empower continual adherence to any obligations set forth by various regulations and compliance requirements. Imagine the time saved if audit requests or even controls can be automated, all while maintaining a fully compliant audit trail.

As a compliance- and risk-minded professional starting to dive into security and automation, I see tremendous potential ahead. The combination of integrations, automated workflow, hybrid playbooks, and reporting capabilities may just alleviate some of the pain points surrounding compliance. These combinations might even allow compliance to empower SOC teams, and vice versa. One can dream, right?

Bob Swanson specializes in compliance and privacy and has spent more than 10 years within the governance, risk, and compliance (GRC) space from the vantage points of internal/external audit, developing compliance programs as an internal advocate for companies, and in ...
 
