Establishing a Foundation and Building an Insider Threat Program

Author: Kara Nagel, CISA, CRISC, CISSP
Date Published: 14 October 2021

Establishing a brand new process, function or program can be daunting. Some of the challenges include determining where to start, researching whether it has been done successfully in the past and, if it has, discovering the best practices and frameworks that can be used as a starting point.

The concept of insider threat is not new, and it is highly likely that many of the core capabilities that constitute an insider threat program may already be implemented within most organizations. However, it is beneficial for IT professionals to understand how to take a methodical approach to establish an insider threat program in their organization.

Program Component Research and Capability Maturity Analysis

The first step is determining what constitutes a mature insider threat program and what a successful program would look like. By combing through industry frameworks and best practices,1,2,3 more than 50 controls and components spanning program, technical and process topics can be identified (figure 1). A maturity analysis can show which processes and capabilities might already exist that can be tapped into as part of a cohesive insider threat program. Combined with the definition of a successful program, this research provides the appropriate starting point. Understanding an organization’s current coverage can serve as a strategy road map, highlighting the program, process and technical capabilities that may require further development. Understanding the capabilities that already exist and those that are missing will also highlight the key functions that need to be actively involved when shaping this program.

Figure 1

Defining Insider Threats

Before proceeding with any new process or control implementation based on the maturity analysis, insider threat, as it pertains to a particular organization, needs to be defined. This requires crafting a solid definition and soliciting program stakeholders’ thoughts on scope and priority risk. These components are crucial to steer the program in the correct direction. It is also important to identify insider threat program capabilities and controls and research industry frameworks and publications for common insider threat definitions. These definitions can be customized to fit different business models and unique risk.

One example definition of insider threat is any intentional, negligent or accidental action by an employee or subcontractor that may be detrimental to the organization and its clients. These threats include, but are not limited to, fraud, theft of confidential organization or client information, theft of intellectual or physical property, sabotage of computer systems, and unauthorized disclosure of information resulting in damage to brand or reputation.

A supplemental classification scheme, driven by insider intent with characteristics and examples, is also valuable to standardize the understanding of insider threat across your stakeholder group (figure 2).

Figure 2

Executive Stakeholder

Senior leadership must be involved in the program design. Ultimately, insider threat management is owned across the organization at large. Each stakeholder may have different concerns or may own different pieces of the puzzle. Various business functions need to have an active voice in shaping the program and ownership of the relevant processes that will be relied on or modified to address insider threats. Implementing a program with key leadership supporting the direction is critical to success. Key representatives will likely come from functions such as human resources (HR), legal, data privacy, investigations, information security, IT operations, enterprise risk management, internal audit and physical security.

Each of these functions has different concerns and is impacted by the program’s decisions in different ways. For example, HR and information security leadership may be eager to enhance security protocols around individuals leaving the organization; however, legal and data privacy stakeholders may be aware of country-specific considerations that need to be addressed before controls can be implemented across the organization. Likewise, with a return to working from offices, physical security leadership may have a legitimate concern about office-related threats and thefts. A different set of safeguards may be warranted as the post-COVID-19 world returns to travel and office-centric working models. Having key cross-representative stakeholders at the table to discuss these concerns and consider downstream impacts across the various functions and processes is imperative to moving tactical decisions forward.

In addition to having the right members at the table, it is important that one group leads the charge as committee chair, but active participation from all teams is necessary to steer the program.

Governance

Another important step in supporting and defining the intent of the insider threat program is to establish top-down governance. This can be done in the following ways:

  • Establishing or enhancing existing policies to stipulate acceptable behaviors, monitor activities and enforce ramifications of noncompliance pertaining to insider threat
  • Documenting a charter outlining the executive steering committee’s roles, responsibilities, expected output and overall program scope
  • Developing a tactical insider threat plan that outlines the life cycle of an insider incident, from discovery through analysis, triage, investigation and forensics, potential legal and HR actions, and root cause analysis

These documents serve to outline the specific purpose of the committee and program to ensure that all parties are working toward a common and defined goal and that the organization at large is aware of the program and what may be considered a violation of acceptable behavior. Increased knowledge of acceptable behavior and enhanced security measures can be a powerful deterrent against negligent and accidental insider threats.

It is also beneficial to determine how this program will measure success. Leveraging current metrics and analyzing existing incident and activity trends will help to identify any targeted actions that may be warranted. This trend and mitigation approach should be shared with the stakeholder committee for consideration.

Building a metrics program also necessitates establishing a baseline. Depending on the maturity of the investigation and incident management processes, insights can be gleaned from existing data points. For example, decisions about which tactical controls to apply should be informed by the data exfiltration methods and end points that occur most often. The common activity and incident rates of an organization serve as the baseline to inform decisions and actions and drive success measurements. If the investigations team identifies, based on the past year of security incidents, that a large majority of incidents resulting in data loss involved external media or data being transmitted to personal cloud storage sites, the organization then has two very specific areas to which enhanced controls can be applied. It is necessary to continue to monitor incident trends to determine how successful the tactical actions are. If the incident trend line drops, then the insider threat program and tactical controls implemented are addressing the identified risk of data loss. Depending on the technologies employed and controls implemented, insider threat program metrics can continue to evolve.
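The baseline-and-trend measurement described above, as an added example that is not part of the article: the incident records, channel names, quarters and the 25 percent share threshold are all constructed for illustration, and the two targeted channels are identified from the baseline rather than assumed.

```python
from collections import Counter, defaultdict

# Constructed sample incident records (not from the article): one record per
# confirmed data-loss incident, with the quarter it occurred in and the
# channel the investigations team attributed the loss to.
INCIDENTS = [
    {"quarter": "2020Q3", "channel": "external_media"},
    {"quarter": "2020Q3", "channel": "personal_cloud"},
    {"quarter": "2020Q3", "channel": "personal_cloud"},
    {"quarter": "2020Q3", "channel": "email"},
    {"quarter": "2020Q4", "channel": "external_media"},
    {"quarter": "2020Q4", "channel": "external_media"},
    {"quarter": "2020Q4", "channel": "personal_cloud"},
    {"quarter": "2020Q4", "channel": "print"},
    # Enhanced controls (device control, upload blocking) assumed to start in 2021Q1.
    {"quarter": "2021Q1", "channel": "email"},
    {"quarter": "2021Q1", "channel": "personal_cloud"},
    {"quarter": "2021Q2", "channel": "email"},
]


def channel_share(incidents, quarters):
    """Share of incidents per channel over the baseline quarters."""
    counts = Counter(i["channel"] for i in incidents if i["quarter"] in quarters)
    total = sum(counts.values())
    return {ch: n / total for ch, n in counts.items()} if total else {}


def priority_channels(incidents, quarters, min_share=0.25):
    """Channels whose share of baseline incidents reaches min_share, largest first."""
    share = channel_share(incidents, quarters)
    return sorted((ch for ch, s in share.items() if s >= min_share),
                  key=lambda ch: -share[ch])


def quarterly_counts(incidents, channels):
    """Incidents per quarter, restricted to the channels being controlled."""
    per_quarter = defaultdict(int)
    for i in incidents:
        if i["channel"] in channels:
            per_quarter[i["quarter"]] += 1
    return dict(per_quarter)


def controls_effective(incidents, channels, before, after):
    """True if the average quarterly rate for the targeted channels dropped."""
    counts = quarterly_counts(incidents, channels)
    rate = lambda qs: sum(counts.get(q, 0) for q in qs) / len(qs)
    return rate(after) < rate(before)
```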

Key Risk Scenarios and Program Focus

Once a program establishes its maturity level, has executive alignment and an agreed-on definition, implementation can begin. A key guiding principle to creating a tactical and risk-based program deployment methodology is to start small.

On one hand, an organization can focus on implementing technical controls or operational processes to shore up the biggest gaps in the maturity analysis. On the other hand, if the stakeholder group is comfortable with the level of maturity, a risk-based approach with a focus on key risk indicators (KRIs) or specific business scenarios is appropriate. Concerns that executive stakeholders might want to act on include:

  • Enterprise intellectual property or physical assets leaving the environment, regardless of the intent of the insider
  • Individuals leaving the organization and their motivation or intention to do the organization harm
  • Enhanced security and monitoring of critical IP or unique assets, especially the access and activity of those individuals with higher privileges to that information or asset
  • Unique business scenarios and strategies that may necessitate proactive and tactical actions
  • Workplace violence, with returning to work on the horizon

Each organization is different, levels of maturity vary and the issues needing active attention are up to the executive stakeholder committee to define. There is not a cookie-cutter solution for an insider threat program. It must be tailored and remain agile as business and risk landscapes change.

Regardless of the approach, after the immediate road map is defined, stakeholder meetings should continue to be held regularly to discuss ongoing and emerging risk scenarios, prioritize actions, and confirm tactical implementation plans.

Once critical risk cases are addressed and stakeholders are comfortable with the foundation and maturity of the program, the next evolution is proactive monitoring for behavior anomalies and insider alerts, based on defined thresholds. For example, if an employee suddenly accesses highly restricted business applications that do not relate to their role and responsibilities, or downloads extremely large amounts of data from knowledge databases within a short period of time, this may be a threshold that could trigger an alert within an insider threat management tool. These thresholds and scenarios require vetting with the executive steering committee, and downstream impacts to investigation teams need to be evaluated before implementation. A dedicated operations team may be needed to monitor the new tools and incidents resulting from the implementation of tactical controls. An increased number of reported incidents and generated alerts will have a downstream impact on the escalation and investigations that are needed.

Conclusion

It is an arduous task to establish an insider threat program. It is prudent to start small, remain agile and prioritize actions based on risk. Most organizations have siloed functions that are all working toward a common goal of protecting the organization, employees and key assets. An insider threat program is only successful if it works at the intersection of all these functions. An organization’s program can be expansive or lean, mature or elementary, and proactive or reactive, but it cannot operate in a vacuum. The priorities, tactical actions to take and strategic direction to work toward all need the input, oversight, support and accountability of cross-organization leadership. There is much to do in this space, but every step forward is a step in the right direction.

Endnotes

1 National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53 Revision 5 Security and Privacy Controls for Information Systems and Organizations, USA, 2020, http://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
2 CERT National Insider Threat Center, Common Sense Guide to Mitigating Insider Threats, 6th Edition, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, Pennsylvania, USA, 2018, http://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf
3 National Insider Threat Task Force, Insider Threat Program Maturity Framework, USA, 2018, http://www.dni.gov/files/NCSC/documents/nittf/20181024_NITTF_MaturityFramework_web.pdf

Kara Nagel, CISA, CRISC, CISSP

Has more than 15 years of experience helping organizations identify emerging security and technology risk, define mitigation strategies and implement tactical solutions. Nagel has held audit, advisory and governance positions at Protiviti, United Airlines, Accenture and PlayStation. In a recent role, she was part of the core team developing and mitigating insider risk through program formation and strategic control deployments.