Insider threats do not seem to get the same press as a breach at Target or Sony, but as the Robert Hanssen and Edward Snowden cases demonstrated, they are equally important. The following are 5 ways organizations can improve upon their insider threat defenses:
- Recognize that insider threats are not hackers.
Often people think the most dangerous insiders are hackers running specialized tools on internal networks. But that simply is not the case. When dealing with the insider threat you are often dealing with users who are authorized to use the system, but are doing so with malicious intent. In fact, most insider attacks do not run hacking tools or escalate privileges for purposes of espionage. They are simple attacks carried out using the authorization the insider already has. According to the FBI, just under a quarter of insider incidents tracked on a yearly basis come from accidental insiders. However, the FBI’s insider threat team spends 35 percent of its time dealing with these problems.
- Recognize that insider threat is not a technical or cybersecurity issue alone.
Unlike many other issues in cybersecurity, the risk from insider threats is not a technical problem; it is a people-centric problem requiring a people-centric solution. As people are multidimensional, organizations have to take a multidisciplinary approach to solving the insider threat dilemma. This means that responsible parties within an organization must focus their efforts on examining and monitoring internal people and the data that would be at risk. This entails understanding who the people really are from three important informational aspects: cyber, contextual, and psychosocial. The combination of these three aspects is what’s most powerful about this methodology. Responsible parties must work with their legal and managerial departments to figure out what works best within the limitations of the organizational environment.
- A good insider threat program should focus on deterrence, not detection.
Organizations need to come up with powerful tools to stop insider threats before they can do damage within the organization. Measures such as better hiring practices may ferret out potential violators, such as Snowden. Rather than getting wrapped up in prediction or detection, organizations should start first with deterrence. This means creating an environment in which it is really difficult or uncomfortable to commit insider attacks. Additionally, organizations must constantly remind users of the policies in place and that their interaction with data is being monitored.
- Detection of insider threats has to use behavioral-based techniques.
The idea behind behavioral-based techniques is to detect the warning signs of insider bad behavior right before a good employee turns bad. This entails observing how employees operate on the network and the context in which they operate. From this observation one can build baselines and look for anomalies in employee behavior. It is recommended that a minimum of six months of baseline data be collected before attempting any detection analysis.
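As an added illustration of the baseline-then-anomaly approach described above (example code, not from the original article), the following Python builds a per-user baseline from constructed daily activity counts, refuses to score any user with fewer than six months of history, and flags metrics that deviate sharply from that user's own norm. The metric names, the z-score threshold and the sample users are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

# Six months of history, the minimum the text recommends before any detection analysis.
MIN_BASELINE_DAYS = 180
METRICS = ("files_accessed", "after_hours_logins")   # assumed per-user daily metrics

def build_baselines(events, baseline_end):
    """events: (user, day, files_accessed, after_hours_logins) rows, one per user-day.
    Returns {user: {metric: (mean, stdev)}} over days up to baseline_end, or
    {user: None} when that user has fewer than MIN_BASELINE_DAYS days of history."""
    history = defaultdict(list)
    for user, day, files, after_hours in events:
        if day <= baseline_end:
            history[user].append({"files_accessed": files, "after_hours_logins": after_hours})
    baselines = {}
    for user, rows in history.items():
        if len(rows) < MIN_BASELINE_DAYS:
            baselines[user] = None      # too little history: do not score this user yet
            continue
        baselines[user] = {}
        for metric in METRICS:
            values = [row[metric] for row in rows]
            baselines[user][metric] = (mean(values), pstdev(values))
    return baselines

def evaluate(baselines, user, files, after_hours, threshold=3.0):
    """Score one observed day against the user's baseline using a z-score per metric.
    Returns ("insufficient_baseline", []) or ("scored", [metrics above threshold])."""
    baseline = baselines.get(user)
    if baseline is None:
        return ("insufficient_baseline", [])
    observed = {"files_accessed": files, "after_hours_logins": after_hours}
    flags = []
    for metric in METRICS:
        mu, sigma = baseline[metric]
        sigma = max(sigma, 1.0)     # floor so a near-constant metric does not flag a +1 change
        if (observed[metric] - mu) / sigma > threshold:
            flags.append(metric)
    return ("scored", flags)

# Constructed sample: alice has 200 days of steady history, bob only 30 (too new to score).
START = date(2024, 1, 1)
SAMPLE_EVENTS = (
    [("alice", START + timedelta(days=i), 18 + i % 5, 1 if i % 40 == 0 else 0) for i in range(200)]
    + [("bob", START + timedelta(days=i), 10 + i % 3, 0) for i in range(30)]
)
BASELINE_END = START + timedelta(days=199)

if __name__ == "__main__":
    b = build_baselines(SAMPLE_EVENTS, BASELINE_END)
    print(evaluate(b, "alice", 23, 0))    # normal day: ('scored', [])
    print(evaluate(b, "alice", 400, 4))   # bulk access plus off-hours logins: both flagged
    print(evaluate(b, "bob", 400, 4))     # ('insufficient_baseline', [])
```

The same bulk-access day goes unscored for bob because his baseline is too short, which is the failure mode the six-month recommendation guards against: an anomaly is only meaningful relative to a stable norm.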
- The science of insider threat detection and deterrence is in its infancy.
The science of insider detection and deterrence is still in its infancy. One reason for its slow growth is that much of the existing research focuses only on data from the bad guys. Organizations must really push the diagnostic approach: collect data from a group of known bad insiders and a group of assumed good insiders, compare the two, and apply that methodology across the three realms (cyber, contextual and psychosocial).
Organizations can try to elicit this information from other avenues: observation, behavioral manifestations, making supervisors more aware of the insider threat problem, and creating an environment where people may be more willing to report some of these things as they see them.