Author: Adam Blake
Instead of doing a Wikipedia-esque overview of what Insider Threat is and how much it costs industry every year, I am going to assume you can infer what it is and acknowledge that there are likely pissed off and oblivious people in your workplace who can negatively affect the company.
Insider threat can express itself in many forms, from willfully malicious acts to carelessness born of poor business practices and security standards. In my experience, it is always easy to catch stupid actions, difficult to catch malicious ones, and impossible to save the company from its workers 100% of the time. This is not unique to insider threat or computers, of course, as there are still people who will let their kid jump into the gorilla enclosure at the zoo, but it is our mission to make that as difficult as possible and to address the risk before the user sits on the zoo fence and pulls out the selfie stick.
More after the break...
As with any crime, there are three main elements: means, motive, and opportunity. Unfortunately, most corporate blue teams are focused on external threats and rely on denying “means” in the form of blocking, and denying “opportunity” in the form of asset and tool access permissions. It is incumbent on the Insider Threat team to understand the users well enough to attempt to identify motives, and ideally to tailor controls to the user via document and employee categorizations. Government leaks and document dumps occur even in the most secure environments. An Insider Threat team should be expected to impact the business as little as possible through computer controls, access rights and physical security, but even the most stringent email monitoring is confounded by paper and pencil or a cell phone camera. Through detailed analysis of users and the actions surrounding an event, we can often glean some insight into which users merit stricter controls, elevated severity of events and deeper scrutiny of their access to vulnerable documents.
I am planning to cover the major factors in evaluating insider threat, including techniques and detection methods, in depth in future articles; below are my initial article topics. If one is of more interest than the others, please leave a comment and I will prioritize it.
We'll take a deeper look at each of the topics listed below, including example use cases and pseudo detection logic:
- Reputational Risk/Media Leaks
- Insider Specific Data Loss Prevention
- Technical Insiders
- Privileged Access Users
- Repeat Offenders
- Executive Monitoring
- Flight Risk Identification
- Control Avoidance Identification
- GDPR and how that affects insider threat monitoring
- PCR (Producer Consumer Ratio)
- The “blocking a door, opening a window” concept: proactive monitoring when a block is planned
- User Categorization
- User baseball card concept also known as “Magical Christmas Land” of Insider Threat