Building A Holistic and Risk-Based Insider Threat Program An Approach to Preventing, Detecting and Responding to Insider Threats Craig Astrich March 2015


Insider Threat Defined


- 3 - Insider_Threat_Presentation.pptx

Insider Threat Types & Drivers

Insider threats include a wide range of acts that can impact an organization's brand, reputation, financial standing, and national security.

Insider Threats

Physical Property Theft – Use of insider access to steal material items (e.g., goods, equipment, badges)

Espionage – Use of access to obtain sensitive info for exploitation that impacts national or corporate security and public safety

Workplace Violence – Use of violence or threats of violence to influence others and impact the health and safety of an organization's workforce

Security Compromise – Use of access to facilitate and override security countermeasures (e.g., drug and contraband smuggling)

Terrorism – Use of access to commit or facilitate an act of violence as a means of disruption or coercion for political purposes

Information Theft – Use of insider access to steal or exploit information

Sabotage – Intentional destruction of equipment or IT to direct specific harm (e.g., inserting malicious code)

Other – Captures the evolving threat landscape, including emerging threats not covered in the previous examples

Insider Threat Drivers

Ignorance – Lack of awareness of policies and procedures creates risk

• Employees being uninformed of policies and procedures, or of changes in protocol, is a challenge to CBP, particularly when dealing with emerging threats and new employees

• Lack of understanding of and experience with security protocols, and of the potential impact if they are not followed, further contributes to the likelihood of an insider act

Complacency – Lax approach to policies, procedures, and potential information security risks

• Over time employees may become more lax about security policies and procedures

• Violators often assume that their specific behavior doesn't have a noticeable impact or that no one is monitoring their behavior. Includes passive-aggressive behavior in the face of work frustration and feeling undervalued

Malicious Intent – An act that is malicious and intentional and done to cause damage

• Employees that are triggered by a specific work-related or non-work-related incident such as a poor performance review, personal crisis, or shift in ideology or loyalty follow a path from idea to action

• Insiders typically develop a plan in advance that someone within the organization may detect


Building A Holistic and Risk-Based Program


Insider Threat – Program Structure

The insider threat program structure includes the routine engagement of stakeholders that sit on an insider threat working group, foundational building blocks that are likely already in place within the organization, and the use of an advanced analytics solution.

Stakeholders

• Multidisciplinary groups will coordinate, provide input and meet on a recurring basis

• Insider Threat Program Stakeholders: Human Resources; Policy Coordination; Office of General Counsel; Information Technology; Finance and Administration; Security Operations

Program Foundation

• Security policies, procedures and technology provide the foundation for mitigating insider threat

• Vetting, managing, and releasing personnel properly, and safeguarding data and information in systems

• Foundation components: Pre-employment Investigations & Procedures; Security Education and Awareness; Personnel Management; Security Capabilities; Termination Procedures; Physical Security Access; IT Security Access and Technical Controls

Access and Technical Controls

• Serve as barriers to entry for personnel and require continued re-evaluation of necessary access

• In the event of an incident, resilience (e.g., system and data back-up and recovery procedures) is critical

Individual Monitoring (Active Monitoring*)

• Aggregating data from disparate but related data sources provides improved insight into the risk profiles of individual employees

• Data elements monitored: Non-Virtual Indicators (complaints, investigations, foreign travel, etc.); Contextual Descriptors (access, security clearance); Virtual Indicators

• Types of data collected will include PII and must be safeguarded to the fullest extent; access to this security information will be limited

Data Analysis & Reporting (with Advanced Analytics Tool)

• Data from disparate sources is combined to identify individual employees at risk

• Advanced analytics tool provides automated analysis and reporting based on a risk algorithm that aligns with the organization's risk tolerance

• Based on factors such as virtual and non-virtual actions coupled with contextual descriptors, risk mitigation efforts will focus on individuals perceived to be at an elevated risk (rated on a scale from Low to High)

* Active monitoring creates proactive awareness and potential for cross-disciplinary coordination, intervention, and resolution.


Insider Threat Definition and Vulnerability Assessment Framework

Four key components provide a framework for evaluating an organization's overarching ability to prevent, detect, and mitigate Insider Threats. Use of these four components creates a holistic framework to examine Insider Threat vulnerabilities and to prioritize high-risk areas.

Employee Lifecycle and Security Management – Procedures associated with the recruitment, vetting, hiring, resignation, termination, and transfer of personnel throughout the employee lifecycle.

Information Access and Technical Controls – Role-based access, continuous monitoring programs, and Insider Threat-related network controls provide prevention and detection capabilities.

Risk Indicators – Insider Threats are influenced by a combination of virtual, non-virtual, and organizational factors. An individual's behavior across each landscape must be evaluated and weighted based on the drivers of risk.

Policies and Training – Non-technical controls and trainings that govern the mitigation of Insider Threats, set expectations, and ensure consistent enforcement.

The framework provides an approach to evaluate and develop a holistic and risk-based insider threat program that focuses on prevention, detection and response.


Insider Threat – Cyber as a tool for detection


Common Findings

The table below captures common vulnerabilities identified through various insider threat engagements. The following areas represent findings for newly established insider threat programs. Each area lists the common observation and its impact.

Insider Threat Program Foundation

  Common Observation: The organization has not established a clear owner, defined insider threat, developed an insider threat response plan or prioritized insider threat as a critical threat vector.

  Impact: The organization's critical assets are exposed to a potential malicious, complacent or ignorant insider threat.

Proactive Threat Detection

  Common Observation: The organization does not collect and correlate technical and non-technical potential risk indicators (PRIs) for proactive detection of emerging insider threats.

  Impact: Increased risk that the organization may fail to stop or disrupt an emerging insider threat due to failure to correlate PRIs.

Data Exfiltration Methods

  Common Observation: Monitoring and alerting does not exist for common exfiltration methods (i.e., e-mail, File Transfer Protocol (FTP), transmittal devices, removable media, and cloud storage).

  Impact: Employees with access can exfiltrate data from the secure environments due to lack of monitoring on exfiltration methods.

Insider Threat Training and Awareness

  Common Observation: Training and security awareness efforts do not sufficiently address insider threat, and opportunities exist to better educate the workforce on their role in reporting suspicious activity.

  Impact: Supervisors may not be aware of suspicious behaviors that should be reported, or of the proper mechanisms for reporting them.

Insider Threat Controls

  Common Observation: Insider threat mitigation tripwires (e.g., excessively large downloads, undue access, altering permission levels) are either infrequently monitored or not adopted into the IT infrastructure.

  Impact: Tripwires targeted at malicious insiders are largely not adopted into the IT infrastructure, increasing risk exposure.

Employee Lifecycle Reviews

  Common Observation: The organization lacks a risk-based, targeted monitoring strategy for individuals at increased risk for committing an insider act based on their separation status.

  Impact: The organization is vulnerable by not reviewing the activity of separating personnel, who are more likely to commit an insider act.


Insider Threat – Applying Cyber, Automation, and Analytics

[Figure: an employee's activity placed on a spectrum with the labels Normal Activity, Normal External Interaction, Questionable External Interaction and Anomalous Interaction, with a Common Characteristics panel for each.]
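The program structure slide describes a "risk algorithm" that combines virtual indicators with contextual descriptors, the Common Findings call out tripwires (excessively large downloads, altered permission levels), unmonitored exfiltration channels and separating personnel, and the figure above places activity on a spectrum from normal to anomalous. The following is an added worked example of how those pieces fit together in code; it is not the presentation's own material, Deloitte's tool, or any real product. The event schema, the user names, the point weights, the thresholds and the sample data are all constructed assumptions.

```python
# Added example (not from the original presentation or any Deloitte tool):
# a minimal "risk algorithm" that scores employees by correlating virtual
# tripwires (large downloads, exfiltration channels, permission changes) with
# non-virtual context (separation status, privileged access).
# Event schema, weights, thresholds and all sample data are constructed
# assumptions for illustration only.
from collections import defaultdict

# Constructed sample event log (virtual indicators). 'bytes' is the size of
# the data moved; 'target' is where it went.
EVENTS = [
    {"user": "alice", "action": "download",     "bytes": 120_000_000, "target": "finance-share"},
    {"user": "alice", "action": "usb_write",    "bytes": 95_000_000,  "target": "removable-disk"},
    {"user": "alice", "action": "cloud_upload", "bytes": 80_000_000,  "target": "personal-drive.example"},
    {"user": "bob",   "action": "download",     "bytes": 3_000_000,   "target": "wiki"},
    {"user": "bob",   "action": "email_out",    "bytes": 500_000,     "target": "vendor.example"},
    {"user": "carol", "action": "acl_change",   "bytes": 0,           "target": "build-server:admins"},
    {"user": "carol", "action": "download",     "bytes": 40_000_000,  "target": "source-repo"},
]

# Constructed contextual descriptors (non-virtual), as an HR / security feed
# would supply them. This is PII-adjacent data: restrict who can read it.
CONTEXT = {
    "alice": {"separating": True,  "privileged": False},
    "bob":   {"separating": False, "privileged": False},
    "carol": {"separating": False, "privileged": True},
}

# Assumed tripwire thresholds (tune to the organization's risk tolerance).
LARGE_DOWNLOAD_BYTES = 50_000_000   # cumulative download volume per user
EXFIL_MIN_BYTES = 10_000_000        # external transfer large enough to matter
EXFIL_CHANNELS = {"email_out", "ftp_put", "usb_write", "cloud_upload"}
ELEVATED_THRESHOLD = 8.0            # score at which the working group is notified


def tripwire_hits(user_events):
    """Evaluate virtual tripwires over one user's events.

    Returns {indicator_name: points}. Small external transfers (e.g. a normal
    e-mail to a vendor) fall below EXFIL_MIN_BYTES and score nothing, which
    keeps "normal external interaction" out of the queue.
    """
    hits = defaultdict(int)
    total_download = sum(e["bytes"] for e in user_events if e["action"] == "download")
    if total_download >= LARGE_DOWNLOAD_BYTES:
        hits["excessively_large_download"] += 3
    for e in user_events:
        if e["action"] in EXFIL_CHANNELS and e["bytes"] >= EXFIL_MIN_BYTES:
            hits["exfil_channel:" + e["action"]] += 2
        elif e["action"] == "acl_change":
            hits["altered_permission_levels"] += 3
    return dict(hits)


def risk_score(user, user_events, context):
    """Combine tripwire points with contextual weighting; return (score, hits)."""
    hits = tripwire_hits(user_events)
    score = float(sum(hits.values()))
    ctx = context.get(user, {})
    if ctx.get("separating"):
        score *= 2.0    # assumed: separating personnel are weighted up
    if ctx.get("privileged") and "altered_permission_levels" in hits:
        score *= 1.5    # assumed: a privileged user altering ACLs is more serious
    return score, hits


def score_all(events, context, threshold=ELEVATED_THRESHOLD):
    """Group events by user and produce a per-user report dict."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        score, hits = risk_score(user, evs, context)
        report[user] = {"score": score, "indicators": hits, "elevated": score >= threshold}
    return report


def ranked(report):
    """Users ordered from highest to lowest risk, for the analyst's queue."""
    return sorted(report, key=lambda u: report[u]["score"], reverse=True)


if __name__ == "__main__":
    rep = score_all(EVENTS, CONTEXT)
    for user in ranked(rep):
        flag = "ELEVATED" if rep[user]["elevated"] else "normal"
        print(f"{user:6} {rep[user]['score']:5.1f} {flag:8} {rep[user]['indicators']}")
```

On the constructed data the separating employee who pulls a large volume from a file share and pushes it to removable media and personal cloud storage is the only one scored above the threshold; the privileged user who grants herself admin rights is scored but stays below it, and the small vendor e-mail scores nothing. Two points the presentation makes carry over directly: the weights and threshold are a risk-appetite decision for the working group, not something the code should decide on its own, and the report joins activity data to HR status, so it contains PII and its readership must be limited.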


10 Considerations For Building A Program


Top Ten Considerations

1. Define Your Insider Threats – Don't be surprised if your organization hasn't defined what an insider threat is. The reality is that few organizations have a specific internal working definition, as security and IT budgets have historically prioritized external threats.

2. Define Your Risk Appetite – Define the critical assets (e.g., facilities, source code, IP and R&D, customer information) that must be protected and the organization's tolerance for loss or damage in those areas.

3. Optimize A Broad Set Of Stakeholders – The program should have one owner but a broad set of invested stakeholders. Establish a cross-disciplinary insider threat working group that can serve as change agents and ensure the proper level of buy-in across departments and stakeholders (e.g., legal, physical security, policy, IT security).

4. Don't Forget the Fundamentals – The insider threat challenge is not a purely technical one, but rather a people-centric problem that requires a holistic and people-centric solution. Organizations should avoid the common pitfall of focusing solely on a technical solution as the silver bullet.

5. Trust But Verify – Establish routine and random auditing of privileged functions, a practice commonly used to identify insider threats across a broad spectrum of threats in a variety of industries.

6. Look For Precursors – Case studies have shown that insider threats are seldom impulsive acts. Rather, insiders move along a continuum from the idea of committing an insider act to the actual act itself.

7. Connect The Dots – By correlating precursors or potential risk indicators captured in virtual and non-virtual arenas, your organization will gain insights into micro and macro trends regarding the high-risk behaviors exhibited across the organization.

8. Stay A Step Ahead – Insiders' methods, tactics and attempts to cover their tracks will constantly evolve, which means that the insider threat program and the precursors that it analyzes should continuously evolve as well.

9. Set Behavioral Expectations – Define the behavioral expectations of your workforce through clear and consistently enforced policies (e.g., social media, removable media, reporting incidents, BYOD, etc.) that define acceptable behavior and communicate consequences for violating policies.

10. One Size Does Not Fit All – Customize training based on physical and network access levels, privilege rights and job responsibilities.


Copyright © 2015 Deloitte & Touche LLP. All rights reserved.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.