We provide an overview of different functions within an insider threat program. We also discuss the support open source intelligence provides to such programs and how to change company culture to care about insider threats. We also discuss the ROI metrics that are important to different stakeholders when implementing an insider threat program.
Here are the 3 Topics We Cover in This Episode:
1) Departments and Functions within Insider Threat:
Insider threat programs are relatively new in enterprise security and often change from company to company. Open-source intelligence can be a standalone role or be cross-functional among all departments. Common departments and functions can be:
- Open-source intelligence
- Forensics monitoring
- Training and awareness (steering committees for stakeholders, benchmarking)
- Technical and behavioral monitoring (UEBA or DLP)
- Supplier due diligence
- Global investigations
- Global intelligence analysis
2) Common Problems Faced by Insider Threat Teams:
Common challenges faced by insider threat teams:
- Privacy: ensuring employee confidentiality is not violated.
- Tooling: gaining the visibility needed to distinguish malicious events from normal behavior.
- Staffing: finding practitioners who can do both the technical monitoring and the open source intelligence.
- Culture: shifting the organization to be more security conscious.
- Scope: focusing on physical security issues such as an active shooter just as much as on data exfiltration.
3) Role of Open Source Intelligence in Insider Threat Programs:
An insider threat program is a key stakeholder of a threat intelligence program rather than the individual buyer of the data. Three key areas where open source intelligence (OSINT) supports insider threat programs:
- Employee lifecycle management: ensuring employees, former employees, and prospects are not an insider threat based on what they post on the internet.
- Validating red flag indicators with OSINT.
- Investigations into vendors.
SHAWNEE: The cases that we’ve worked or the cases we’ve referred to other teams, when stuff’s walking out the door or someone could potentially be an active shooter or suicidal, that’s all insider threat. How do you do an ROI on life?
LANDON: Shawnee Delaney, welcome to the show.
SHAWNEE: Thank you.
LANDON: Today, we’re gonna be talking about leveraging open source intelligence for insider threat programs. Share a little bit about your background for our listeners please.
SHAWNEE: I was a case officer with the Defense Intelligence Agency for eight and a half years. I conducted operations, clandestine operations, all over the world. Four war zone tours to Iraq and Afghanistan. I worked for the Department of Homeland Security in the Industrial Control System Cyber Emergency Response team. Say that five times fast. I worked for Merck, standing up their insider threat program. Uber I’ve been at for five years leading their Global Insider Threat Program and Global Investigations, and then about three and a half years ago, I started my own consulting company called Vaillance Group, where I do all things insider threat, training and awareness, e-learning, standing up programs and risk assessments.
LANDON: Let’s talk about insider threat programs holistically. When you’re standing up an insider threat program on day one, what are the different functions? When I think of insider threat programs, I think training and awareness, I think technical analysis, UEBA, investigations, probably some forensics, open source intelligence. Like, lay out the different departments under an insider threat program.
SHAWNEE: So I think what’s kind of cool about it is that no matter what company or industry you’re working for, you can do it differently than the last place you were at. There are certain nuances to different companies. You have to take culture into consideration, other things like that, but not every program has forensics, not every program has investigations. Oftentimes programs are like a hub. It’s a one-stop shop where they’re ingesting information from investigations teams, from the analytical team or from the technical team and helping form and shape policy.
They’re doing that training and awareness, like you talked about. Another big one is standing up a working group and/or a steering committee, where you’re bringing in stakeholders from around the enterprise, getting their buy-in. I like to have internal case studies in each meeting, and then with each case study, kind of identify and have talking points, like, all right, what should we have done better or what could we do in the future? And really get the conversation going and get people thinking about stuff like that.
And then another big part is benchmarking. So reaching out to your peers. It doesn’t matter what the industry is, even competitors, and getting those NDAs in place and then benchmarking. How do you do things? If we’re having hurdles with X, are you having the same problems? And what I find really maybe unique about this is that no matter what the company is that I’m working with, everybody in this industry is suffering the same hurdles and roadblocks and challenges, so it’s really unique.
LANDON: What are those hurdles that are very common within different industries? Because I hear a lot of folks say we’re just standing up an insider threat program. We have a lot of problems, but then of course they’re like, who can help us? And then I think that it’s probably, when I hear insider threat, I mean, that inherently is a service. Before a service can scale, there’s gotta be an inherent set of problems that are common. What are some of the most common problems?
SHAWNEE: I think it’s not necessarily what the common problems are for that industry. I think it’s identifying the trends and looking at the metrics. And so one of the hurdles for any program standing up is proving your ROI and proving what the problem is. So for example, with COVID, data exfiltration and fraud have really significantly increased. We have organized criminal groups and nation states, we have people who think they’re gonna lose their job so they’re pocketing stuff. So identifying, okay, I know we’ve got a lot of these types of cases, but what are those metrics? So you take those metrics, and usually you’re pulling from a bunch of different sources and different teams, so that’s a challenge.
Also, privacy. Privacy will always be a challenge. You wanna protect your information and protect your employees’ privacy, but at the same time, you have to balance that with if they’re doing stupid things on their company-issued laptop or machine, what are we allowed to see and how could we investigate that?
Also, tools and budgets are common challenges. I would say 99.99% of organizations suffer that, where they know they need a DLP, a data loss prevention, or they know they need user behavior analytics or something like that, but they either can’t afford it, there’s no budget, or there’s no buy-in, where someone at the top or someone in tech thinks, yeah, we don’t need it, or we can build it in-house. A lot of tech companies think they can do that. So those are challenges.
And then another unique challenge to this arena, if you will, is just finding practitioners, finding people who understand insider threat, insider risk, the nuances of it, how to build a program, how to work with all of these different teams, because it’s not new. It’s been around for a while, but I feel like lately in the past couple years, people are finally talking about it and organizations are finally saying and realizing that they need it. And so identifying talent. Like, there’s no degree program you can go get in insider threat right now, so how do you become an expert and how do you become a leader in this? That’s a big challenge.
LANDON: Let’s focus on the open source intelligence portion of these programs. How does open source intelligence, how is that helpful to an insider threat program?
SHAWNEE: I think probably three key areas. The first would be employment life cycle management. So when I say that, I mean advertising for positions, recruiting, interviewing, onboarding, their whole employment career with you and then offboarding. So if you don’t leverage good open source intelligence, you are not truly able to say that you’re bringing someone on with the right cultural fit. And I mean, if someone looks great on paper and maybe they interview great, how do you know that they’re not gonna be a potential insider threat? There are a lot of cases actually lately that I’ve heard of from colleagues in the industry where companies are not doing solid background investigations or even checking open source social media, right? I’m not saying pretend to be, create a fake account and check on people, but if it’s open source and publicly available, I think you should look at it. So making sure that you’re getting the right people, the right butts in the right seats.
Also, concern. So when an employee, when anybody raises a concern, say there’s red flag indicators for whatever scenario, someone’s walking down that critical pathway, what is the organization able to do legally, talking to privacy legal. And a lot of times that’s doing like a threat assessment, looking at open source information. I had a case where there were people who were concerned that someone was gonna be an active shooter, and they had legitimate concerns in doing an investigation. And it turns out that in doing the open source investigation, the guy had a profile picture that was like a suicide bomber, and there were just a lot of red flags. And we wouldn’t have had that whole picture had we not been able to do that.
And then just to kind of piggyback on that, just investigations in general. So when you have a confirmed issue, being able to look again at full picture. So you might have HR information, you might have manager feedback, but if you don’t have what the person is putting out in the public, you’re not getting that full scope.
LANDON: Going down that path a little bit with regard to employment verification, how do you do that? I can see that for a company that’s 100 people. What about for a company that’s 5,000, 10,000, 100,000 people? How… Can that be done at scale? Is that rational?
SHAWNEE: Yeah, I believe–
LANDON: Can it be uniform, I’m just curious?
SHAWNEE: Yeah, I think so. And companies at size usually leverage vendors. The problem that I see, and I used to be a background investigator for police and fire service in California, so maybe I’m a little biased, but the problem I see with a lot of the vendors is that they’re checking boxes and they’re not doing big picture. So maybe they’re doing a criminal background check for the state the person lives in currently, and this goes mostly to foreign countries.
Like, if you’re looking at Brazil, for example, you’re hiring someone in Brazil, legally they’re only allowed to look in the state that that person lives in. They can’t look at anywhere else. So if they committed murder in the state next door, it is not gonna pop up. So if you have vendors who are able to do that, that’s great, but I think ensuring that they are doing a comprehensive search is much more important than checking a box.
LANDON: Okay. Vendors, very helpful to understand from that perspective, and I think that that probably ties in nicely to the next portion of this, which is gathering the appropriate open source intelligence coverage for the use case, right? There’s social media data. There is press, there’s foreign press. There’s no shortage of people databases, there’s business databases, there’s technical telemetry, there’s passive DNS, there’s net flow, there’s mobile data.
For kind of the use cases you’re talking about, walk through how you, and of course this is probably gonna be very vendor-centric, but I’m kind of curious, what’s the right mix between vendors and staff on-site? How do you gather that appropriate open source coverage?
SHAWNEE: So I think first is just when you’re vetting the vendor and hiring the vendor, making sure that they’re ticking the boxes you want them and need them to tick. That’s fine for large scale. You wanna make sure people aren’t criminals or murderers or whatever you’re looking for, but I think when you’re hiring for high risk positions, and when I say that, I mean people who are gonna have access to extremely sensitive information, people who are gonna be in the public eye, let’s say it’s a CEO or a vice president. If they go rogue, there’s a lot of blowback that could come, fall on your company.
And so I think those higher risk individuals and positions probably need an additional look. I’d argue, even for some of those positions, there’s psychological exams that would benefit organizations in determining if that person is the right cultural fit. Because remember, if someone’s not a good cultural fit for the company, and vice versa, they’re gonna get disgruntled. Something’s gonna happen, ’cause that’s not what they’re looking for and that’s where they start walking down that critical pathway.
LANDON: So, what I’m hearing there is you’re almost entirely dependent on vendors and their coverage to ultimately feed your team, where you then can find the actual outcomes and answers. Is that a fair model to think through?
SHAWNEE: I think working with the correct HR onboarding team, yeah, but I think what’s also important is to make sure that that team, whoever they are in your organization, does work and coordinate with the insider threat team so that that team can let them know these are potential background red flag indicators that maybe an HR person might not consider. And I think having people come from law enforcement or intelligence, all of us are trained to think a certain way, whereas HR business partners typically probably aren’t.
And so working in partnership to understand what you’re looking for, what you’re not looking for, helping to vet those vendors. I can’t think of a company that has the ability to do their own in-house background investigations. I’ve never met one. Maybe there are.
LANDON: Would you agree that they also can’t do their own open source intelligence collection as well?
SHAWNEE: I disagree. I think there should be and there are a lot that have very small teams that specialize in that. So you’ve got analysts out there. You’ve got some really smart people who are very, very good at it. So when you’ve got those sensitive investigations or concerns or high risk backgrounds, that all of that I think should feed into that team, and that team should work very closely with those relevant stakeholders.
LANDON: So an insider threat program wouldn’t necessarily be the buyer of a vendor. You’d be a stakeholder, right? Whether you have a threat intelligence team, a cyber threat intelligence team, a corporate intelligence team, the GSOC, that would be the buyer of that data and then they circle it out to the stakeholders, of which insider threat is a part of that?
SHAWNEE: Correct. I think a good insider threat program, like I said earlier, is like a hub, where all of these stakeholders can always come for advice, for training. I’ve had people come to me, they had someone who was acting really strange they needed to terminate, and they were like, what do I do? How do I handle this? So anything like that, you should be able to reach out to that team and get advice, best practices from them. They’re kind of a, they help anybody and everybody.
LANDON: Well, you just mentioned when there’s a potential hot button issue with an insider threat, somebody brings something to your attention, it’s part of that training and awareness, kind of making your employee base their own sensor network. What does success look like when considering enterprise cultural sensitivities? I’m sure you’ve been in environments where they hear insider threat and they think big brother? And that’s not the case, right? You know, how do you get the enterprise comfortable with the work that you’re doing, where you don’t look like, you know–
SHAWNEE: You’re spying on everyone, yeah.
LANDON: When you’re spying on everybody, right? That’s inappropriate, but you gotta have success metrics. I think that’s important in any type of risk admin function, which security oftentimes falls under. Particularly with B2C companies, where your customers are your consumers. What’s success look like from that perspective?
SHAWNEE: I think a few things. I think, first of all, are you able to shift culture? I can guarantee you pretty much almost every organization needs to shift their culture towards being a little more security conscious. I mean, let’s face it, insider threat, it’s a human problem. This is not a cyber problem. These are humans who are clicking the links. These are humans making mistakes. These are humans who are disgruntled and do something malicious. So having your whole enterprise understand what to look for, understand and be okay with reporting concerns, having confidential reporting. If you don’t have that, you’re missing a ton of stuff, by the way.
And then getting buy-in from the top. That’s one of the biggest challenges to your earlier question, too, is making sure that the top understands that this is a priority. It should be a priority. While I cannot tell you how much money I saved you specifically last year, I can tell you that the cases that we’ve worked or the cases we’ve referred to other teams, when stuff’s walking out the door or someone could potentially be an active shooter or suicidal, that’s all insider threat. How do you do an ROI on life? So it’s not just theft of IP or data exfiltration. There’s a lot more.
And then as far as metrics, I think when you have an established program, one thing to keep in mind is looking at those metrics in the beginning, like I mentioned, so how many investigations and what kind do you have? What are the trends? Roll out that training, roll out that awareness program where insider threat doesn’t become, it’s not a dirty word. It’s not scary. I’m an insider, you’re an insider, we’re all insiders. We’re a family. We wanna take care of this organization. Roll that out. You should start to see an increase in reporting because people are now aware. They understand they need to report concerns, so that should peak. After some time it should drop off, where people realize, and they stop themselves, they’re questioning and they’re thinking before they click that link, before they do something stupid, so hopefully it drops off. So for me, when you kind of see that pattern, that’s success.
LANDON: A couple parts to dive down that. I can’t think of many organizations or many employees that just get excited about culture shift, but it’s important. Yeah. It’s very important as companies grow in scale. That certainly leads to some changes in turnover and turnover in employees sometimes. I can’t think of many business leaders that want to sacrifice employee culture for security, but it’s important and I think it needs to, there’s some adaptation there that is critical. How do you tackle that part of it first? Let’s talk through that.
SHAWNEE: Case studies, honestly. So the people, be it leadership or employees, that are not comfortable with shifting culture, and this doesn’t have to be a heavy lift. It doesn’t have to be uncomfortable. We’re not saying we wanna watch you while you sleep. We’re saying, we want you to report things, we want you to make smarter decisions.
Having people understand why it’s important. Again, this is your job, this is your livelihood, this is your colleagues’ livelihood. You should be invested in the success of your company. Therefore, we are all responsible for making sure that things are on the straight and narrow, that everybody’s okay. So I think shifting that culture to be more inclusive. And again, with that awareness campaign. You know, if people are not thinking about suicidal ideation, that’s a huge problem lately. I’ve seen a lot of cases with organizations.
If people are, you know, when I do keynotes and I talk to people and I tell ’em that, I get a lot of like, oh, I didn’t even realize that. So doing that culture shift where it’s family-friendly. Hey, we’re giving you tips. It’s not ’cause we’re telling you to. It’s because we wanna help you and your family. Share this with your friends, share this with your family, these good cyber hygiene practices, for example.
Elicitation. So if you’re traveling and let’s say you’re a scientist or a researcher and you’re traveling, teach them what elicitation is. Teach them how they’re vulnerable to different human intelligence attempts. Make it sexy, make it interesting. Bring in speakers to share the war stories and the case studies. Within organizations, though, I find that internal case studies from their organization are really, really eye-opening and that’s what gets leadership’s attention and employees’ attention.
So I’m doing a campaign right now for someone, and with the case studies, I’ve also brought in a bunch of speakers, really cool people to talk about various insider threat aspects, and I’ve gotten a ton of feedback from people where they’re like, I am psyched to see this. This is so interesting. If you think about what insider threat touches on, fraud, sabotage, espionage, that’s cool stuff. It’s interesting. There’s a lot of good news stories out there.
LANDON: So what I’m hearing is a level of transparency is also pretty important. How do you bring that transparency around an inherently sensitive issue to every single case that you deal with?
SHAWNEE: Yeah, because this is not something that should be secret or hidden or spooky, right? This should be fun and exciting. So for example, setting up a working group or a steering committee, you’re bringing in important people at a certain level. You’re teaching them what insider threat is. You’re teaching what insider risk is, you know, that left of boom, is the proactive instead of the reactive. You’re teaching them why it’s important so you get them excited about it, and then that rolls down.
We actually have some issues where our working group is growing so much because people really enjoy it. It’s become like the cool kids club, like everybody wants to be a part and people are really participating. So it’s building that awareness campaign, thinking of it like that. Again, like I said, me, you, all of us, we’re all insiders. And it doesn’t mean you’re gonna screw up or I screw up. We just need to be aware of how we could screw up and how we can protect other people that we work with.
LANDON: When you talk about other people that you work with, let’s dive into the stakeholders. Who are the stakeholders of this program? Fair, and then ultimately to bring back transparency, what are some of the blocking and tackling? What are the key databases? What are the key reporting systems? You know, there’s a difference between an alert triage and an actual insider threat. There’s probably reporting systems for all of those. And then what are those reporting systems? How transparent do you make those?
SHAWNEE: Yeah, that’s a good question, and that’s gonna be an it-depends answer. So it depends on the organization. Everybody has done it completely differently. Some people have central case management systems. A lot of times it’s just relationship building, where that hub, that insider threat group reaches out and builds those relationships with each stakeholder. Legal, every legal, employment legal, privacy legal, et cetera, HR, ER, investigations. I mean, you name it, physical security, everybody is going to be a stakeholder, so getting them involved is really key to that.
LANDON: But like, when you say different stakeholders, and you say everybody’s a stakeholder, fair. That’s probably not gonna get a program approved, so when you’re going to pitch your program to the CFO, who are you kind of demonstrating are your stakeholders?
SHAWNEE: So I think most important would be business, lines of business. So you focus on the different types of insider threat. For lines of business, I would focus on fraud, data exfiltration, theft of intellectual property and trade secrets. So pitching to them, here are the statistics, here’s the concern, here’s what we’re seeing in our company, getting their buy-in. This is what I’ve done.
Then you go to the next. Pitch the same thing. When you go to investigations, you’re pitching, okay, we’re seeing these trends. Are you seeing these trends? Yes, we are. Great, we would like to support you. In some companies there’s toe-stepping concerns, right? This program will never step on toes. It serves to support and augment and help the other teams.
For legal, I just got reached out to from an organization to help with a document on privacy issues and privacy concerns related to tools. So there’s a lot of different nuances within the programs, but everything I’m pitching and I’m selling and I’m doing is, how can I help you? Let me help you do your job. Let’s make sure that this company is safer together.
LANDON: Final discussion point, and this is just my own interest, right? Like, you’ve had managed services in the cyber and investigation space. You know, you’ve seen it evolve from MSSP to MDR, and these are just various managed services for how you monitor endpoint and monitor user activity at a very basic level. You know, NISOS, we’re looking to make managed services out of intelligence, so outside the firewall. Do you see a future in managed services for insider threat, or are we still in the really early days from that perspective, and it’s still more of a consulting engagement that you’re seeing?
SHAWNEE: I’ve never been asked that question. That’s actually a really great question. I think we’re still in early days. There are huge organizations, Fortune 50 organizations that don’t even have a program yet, so until I think organizations can wrap their mind around why it’s necessary and they get burned enough times, then I think there is potential to have that managed service opportunity. I think it’s only gonna proliferate, really. I mean, you read the news. Look at LinkedIn articles. It’s constant. There’s a constant flow of insider threat type articles out there.
LANDON: Fascinating, fascinating. Shawnee, always a pleasure to chat. Thank you very much for your time and expertise.
SHAWNEE: Thank you.
LANDON: And please come back to the show anytime.