Insider threats are always of interest to security professionals because they involve authenticated and authorized users of information, leveraging that information in a manner for which it was not indicated. This can be (and often is in practice) by accident – spear phishing campaigns that mule executives into providing information, that appears to have come from the executive upon initial investigation, or a misconfigured service that is running under the context of a specific user.
The impetus may however, be far more sinister – cyber espionage or cyber sabotage, depending on the actor and his/her motives. The answer to managing insider threats (there is a no firm way of preventing them outright because no one can completely predict the motives of individuals) lies in the tried and true adage of people, process, and technology – where each leg of the triad is managed as part of a complete program aimed at addressing insider threat.
The Weakest Link: People
The psychology and sociology behind insider threat can be challenging, as the individual motives or actions of those with access to information cannot always be known. Some industries rely on behavioral heuristics to determine which employees are more likely than not to attempt to steal information; however, these models as well are highly subjective based on criteria often set by the institution and have little basis in actual science.
Access Creep: Technology
In my experience, organizations leverage technology (where possible) to supplement their view of users with access to information they would be concerned about using – such as rights management or DLP and the like. Additionally, many of the organizations that I’ve helped always looked at how access is managed holistically to defend against phenomena such as “access creep”. This may work to give malicious insiders a foothold where otherwise their access wouldn’t allow it.
The Bane of Organizational Existence: Process
The last component of the approach, which is often the most difficult, is the process management effort. This is where organizations improve how information is managed and stored. Process management often requires some form of data classification or prioritization –an exercise most organizations do not look forward to embarking upon.
It is the combination and balancing of these three areas that generally fuel a successful insider threat program, and organizations must invest in all three to be successful. The extent they invest will largely depend on what information they are attempting to protect and the potential risks and costs associated were that information to be stolen.
The descriptions above are meant to give you a flavor for how I would approach the topic. Keep in mind that this is a complicated subject with a lot of implications that organizations must consider, and weighing those implications against the costs associated with implementing and managing controls cannot be underestimated.
Thank you for the opportunity to answer your question. I enjoy sharing insights that benefit current and future professionals in the discipline.
About the Author:
On Twitter: @ProfBrager
Paul Brager, Jr has been a contributing member of the cyber security community for over 20 years, covering the spectrum of the discipline from security architecture and defensive design to security operations and incident response. He has extensive cyber experience in oil and gas, manufacturing, chemical, and telecommunications sectors, having held various leadership, up to and including CSO of an emergency management and incident response organization. In his current capacity as a Cyber Security Architect, ICS/SCADA/EA SME for Energy and Manufacturing with a major defense firm, Mr. Brager works closely with energy, chemical and manufacturing clients to transform and mature their critical manufacturing and operating infrastructure against cyber-attack, and provide actionable and timely telemetry to assist in incident response and postmortem forensics, against some of the world’s most complex adversaries.
Paul holds a Bachelor of Science degree from Texas A&M University in Political Science, with a minor in Business, a Master’s of Science in Administration of Justice and Security (Criminal Justice/Cyber fusion) from the University of Phoenix, and is an Alpha Phi Sigma inductee since 2009. Additionally, Mr. Brager is CISSP, GICSP and CISM certified, and is currently pursuing his TOGAF and OSCP certifications, in addition to serving as an adjunct professor with the University of Phoenix, teaching cyber security courses within the IS&T program. He is currently involved as a non-voting board member of ISSA (South Houston Chapter), ISA-99 Working Committee member, ICSJWG committee member and contributor, InfraGard, OWASP, ISACA, ISC2, NSBE and various other focus groups and cyber-focused organizations, and regularly has speaking engagements with industry groups and peer collaborations. He is passionate about the security profession and looks forward to moving the needle in cyber, and helping others do the same.