Building an insider threat program can be a cultural shift for an organization that values transparency and openness with its workforce. Below are some considerations for demonstrating results with limited resources and showing value to executive leadership without disgruntling the workforce, as discussed with Charles Finfrock from Tesla.
Consider Backgrounds of the People Starting the Insider Threat Program
Generally, backgrounds of personnel composing insider threat programs come from three areas: law enforcement, commercial IT and security, or the intelligence community with a counter intelligence background.
Managers with law enforcement backgrounds will likely be more comfortable with legal aspects of dealing with insider threats and find a natural fit coordinating with law enforcement. Intelligence community backgrounds may prefer to use the workforce as a human sensor network, and corporate IT/security will likely be stronger at bringing technical monitoring solutions to the table.
Ideally, a strong insider threat program will have a mix of all three backgrounds that bring diverse methodologies and viewpoints for deterring, detecting, and responding to insider threats.
While all three have very different mentalities and tradecraft approaches for dealing with potential malicious insider threats, it’s critical to align with human resources and legal functions to determine what monitoring and employee engagement approaches are acceptable within the culture of the organization.
Look to Disrupt the Lowest Common Denominator
Many security professionals think to have an effective insider threat program, a complex network monitoring solution should be able to “boil the ocean” and find the needle in the haystack. However, according to Finfrock, “the highest return on investment starting out is to turn a workforce into a sensor network through rigorous training and building rapport so the workforce is comfortable bringing anomalies to the security team. While there is a place for DLP, UEBA, and technical monitoring, people understand more than anything what does not look right.”
While there are a lot of advances in technical monitoring and new datasets that provide a pattern of life on potential insider threats and malicious leakers, the basics of understanding data exfiltration are the most important.
Being able to monitor who is sending emails to personal email (particularly in the last 45 days of employment), loading sensitive information to unauthorized cloud storage providers, or monitoring individuals trying to gain access to areas of a certain network they don’t need to be viewing are considered “the meat and potatoes” of conducting insider threat investigations, according to Finfrock.
Provide the Right Metrics
It is critical for insider threat professionals to have working groups with senior members of the organization to have alignment on how invasive the security team wants to be in human and technical monitoring efforts. In these working groups, the appropriate metrics can be set forth which generally revolve around deterring, detecting, and responding to incidents quickly before they become bigger problems.
For example, if a security team decided to work with company leadership to educate the workforce and create its own human sensor network, the team can likely detect and resolve an incident quicker before it becomes a bigger problem. Some measurable results of a program like this would be information re-collected, deleted, or destroyed before falling into the wrong hands, providing more granular measurement and results than simply tracking administrative terminations.