Barriers to effective insider threat monitoring
- By Michael Daly
- Sep 17, 2018
The August headlines surrounding General Electric Co. read like something out of an action film. An engineer accused of stealing intellectual property was arrested, and the FBI is investigating whether the theft compromised any of the company's trade secrets. Unfortunately, these types of incidents have become all too familiar as employees, contractors and anyone with intimate knowledge of a company's business practices, systems and applications -- also known as "insiders" -- continue to present some of the biggest security risks today.
In fact, according to the 2018 Study on Global Megatrends in Cybersecurity, 36 percent of senior IT and cyber professionals identified malicious or criminal insiders as a top cyber threat. Yet many organizations still lack insider threat policies and policy enforcement tools, and they struggle to align security and IT responsibilities to tackle the threat effectively.
Without proper support in all three areas -- people (IT and security team collaboration, as well as end-user education), process and technology -- organizations are leaving their critical information, trade secrets and customer data vulnerable and accessible to hackers.
It's not my job
The biggest barrier to effective insider threat monitoring programs today involves responsibility, or more specifically, the lack thereof. Traditionally, IT teams have worried about viruses and system access. However, monitoring for insider threats involves personnel activities, a role most often assigned to human resource teams.
So who should be responsible? The answer is both teams, and it's up to an organization's chief information security officer to clarify roles and responsibilities, not just for insider threats, but for all security risk. The CISO must actively work on building a relationship between the two departments, so that when a crisis does hit -- and it will -- the two teams know how to work together to solve the problem efficiently and respectfully, while also keeping some aspects deliberately separate.
But we already have threat monitoring tools
Another reason why organizations might be hesitant to adopt insider threat monitoring tools most likely comes down to spend. The security stack is not only fragmented but complex, which is one of the factors that led companies to spend $89.1 billion last year on enterprise security solutions, a figure Gartner predicts will reach $96.3 billion by the end of this year.
In this environment, it's easy to understand the IT managers' hesitation to add one more tool or technology to the stack. If they have an IT monitoring tool like data-leak prevention that also promises some insider threat-related features, why purchase and maintain another tool?
Because data-leak prevention is not the only insider-threat behavior organizations must monitor. It's like using a butter knife as a screwdriver; it may work for some jobs, but it won't keep a car running. A comprehensive insider threat monitoring program combines policies, tools and measurement with operational processes to monitor and detect a wide range of user actions across the span of employee interactions. From IT-centric indicators like account use and data access to behavioral indicators including counterproductive work behaviors and organizational factors, monitoring programs create a full picture of what actors are doing -- and what they're not.
The solution isn't strictly data-centric
Perhaps the biggest misconception about insider threat monitoring programs is that they are only about monitoring data. While the data is important, the solution is a user-centric one, not data-centric. A user-centric approach looks at behavior and spots trends so an analyst can cut through the cacophony of individual actions to identify the threat so that action can be taken. A data-centric approach simply ensures only authorized persons can access, view, edit or download sensitive pieces of information. A user-centric focus also alerts security and IT teams if authorized users are handling sensitive data outside the organization's acceptable-use policies or if they start snooping in areas they shouldn't have access to.
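To make the data-centric versus user-centric distinction concrete, here is an added illustration (not code from the article or from any Raytheon product) that runs a constructed access log through both kinds of check: a role-based ACL that only asks whether access is authorized, and a per-user behavioural pass that flags off-hours downloads, download volume well above a user's baseline, and attempts to reach resources outside the user's role. The roles, baselines, thresholds and log entries are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data (not from the article): roles, an access-control list,
# each user's usual number of distinct downloads per day, and one day's access log.
ROLE = {"alice": "eng", "bob": "eng"}
ACL = {"eng": {"design-docs", "source-repo"}, "hr": {"payroll"}}
BASELINE_DOWNLOADS = {"alice": 4, "bob": 4}
LOG = [
    # (user, resource, action, timestamp)
    ("alice", "design-docs", "view", "2018-09-14T10:05"),
    ("alice", "source-repo", "download", "2018-09-14T11:20"),
    ("bob", "source-repo", "download", "2018-09-14T23:10"),
    ("bob", "design-docs", "download", "2018-09-14T23:12"),
    ("bob", "payroll", "view", "2018-09-14T23:15"),
    ("bob", "payroll", "view", "2018-09-14T23:16"),
] + [("bob", f"source-repo/module-{i}", "download", "2018-09-14T23:30") for i in range(12)]


def authorized(user, resource):
    """Data-centric check: does the user's role grant access to this resource at all?"""
    return resource.split("/")[0] in ACL.get(ROLE[user], set())


def user_indicators(log, business_hours=(7, 19), volume_multiplier=3):
    """User-centric check: per-user behavioural indicators across the whole log.
    Returns {user: [indicator, ...]}; fully authorized activity can still be flagged."""
    denied = defaultdict(int)
    off_hours_downloads = defaultdict(int)
    downloaded = defaultdict(set)
    for user, resource, action, ts in log:
        hour = datetime.fromisoformat(ts).hour
        if not authorized(user, resource):
            denied[user] += 1  # snooping in areas the role does not cover
            continue
        if action == "download":
            downloaded[user].add(resource)
            if not (business_hours[0] <= hour < business_hours[1]):
                off_hours_downloads[user] += 1
    findings = {}
    for user in ROLE:
        flags = []
        if denied[user]:
            flags.append(f"{denied[user]} access attempts outside role")
        if off_hours_downloads[user]:
            flags.append(f"{off_hours_downloads[user]} off-hours downloads")
        if len(downloaded[user]) > volume_multiplier * BASELINE_DOWNLOADS[user]:
            flags.append(f"{len(downloaded[user])} distinct downloads vs baseline {BASELINE_DOWNLOADS[user]}")
        findings[user] = flags
    return findings


if __name__ == "__main__":
    for user, flags in user_indicators(LOG).items():
        print(user, flags or "no indicators")
```

In the constructed log every one of bob's downloads passes the ACL, so a purely data-centric control stays silent; only the per-user view surfaces the combination of off-hours activity, a volume spike and repeated attempts on an HR resource.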
Regardless of the reason organizations haven't yet adopted an insider threat monitoring program, the reality is that insider threats will continue to present some of the costliest and most dangerous risks. We've recently seen breaches where a disgruntled current or former employee steals company data, trade secrets or employee information to sell to third parties. There will be more incidents like this, and organizations must be ready for them.
To better protect themselves, organizations should update insider threat monitoring as new systems are deployed and business processes are updated. Vigilant monitoring across the enterprise for leading indicators of threats -- whether on the network or individual desktops or in the conduct of other business activities like travel, building access, phone access and other communications -- will help identify minor issues before they grow to become catastrophic failures.
Michael Daly is CTO, Raytheon Cyber.