Insider threat programs need people, not technology
SAN FRANCISCO — Developing insider threat programs is more about people, policies and planning than technology — this according to an RSA Conference panel Thursday.
The discussion among Dawn Cappelli, Rockwell Automation Inc.’s insider risk management director, Geoff Hancock, Advanced Security Group CEO, and Pat Reidy, CSC’s vice president of cybersecurity focused on five tenets to help enterprises build effective threat-management programs.
Know what you’re fighting for
When it comes to insider threat management, Reidy said, it is critical to understand the first responsibility of the job is to protect both the privacy of employees and confidential corporate data.
After this, Reidy continued, the “sexy” part of the job — catching the bad guys — comes into play. This mindset can also establish an insider threat program as more “palatable” to leadership and employees alike.
Putting together an effective team
All three panelists agreed having the right people involved in insider threat programs is essential. Reidy said stakeholders, human resources members, legal representatives and the security team were all crucial to include in a strategy.
Cappelli recommended forming a “virtual team” — a specialized taskforce from different areas of a company — a strategy she employed when creating an internal threat program at Rockwell. However, she added that a dedicated insider threat management team is not always necessary; in many enterprise scenarios, integrating the task into existing team members’ daily responsibilities is sufficient.
Along with creating the team, the panelists emphasized it’s important to assign the right tasks to the right people. Insider threat detection is often “chucked at the geeks,” Reidy said; but the threats often are 90% nontechnical. Knowing when to contact HR, the legal team or even law enforcement is key.
A people problem doesn’t always have a technology solution
Adopting an insider threat program doesn’t always require a huge — or any — monetary investment, Reidy said. Before purchasing the next hot product touting insider threat detection capabilities, Reidy continued, evaluate what your organization has in house; the products enterprises are already employing often contain necessary insider threat detection features.
Start with developing baseline data, Hancock added. Detail what needs protection, who has access to what and so forth.
Cappelli suggested that nontechnical controls — including limiting USB and cloud service usage — may also prevent a number of insider attacks.
Selling the idea to management
While getting executives on board sounds simple enough, getting insider threat program buy-in can be a lot of work, Cappelli continued.
Insider threat programs are often seen as just another expense. But, Hancock noted, 55% of breaches start with insiders; if the threat can be nipped in the bud, it’s a good investment.
Additionally, Hancock went on to say, building a strong business case for insider threat programs can help executives justify the investment.
While it’s important to tell enterprise leaders the dangers of insider threats, Reidy asserted, scare tactics aren’t the best method and likely won’t work. Instead, Reidy suggested selling insider threat programs by touting their benefits: protecting the people, intellectual property and viability of the company.
Never base insider threat suspicions on personal opinions of employees, Cappelli added; monitoring should spare no one.
“Not all employees [who are insider threats] are ‘disgruntled,'” Cappelli said. “A lot of very nice people try to walk out with information.”
Proactive insider threat detection
A daunting aspect of insider threats, Hancock said, is there’s no way to stop them. Enterprises can, however, take proactive measures to detect the threats before they become a major issue. Creating a baseline measurement of network behavior, Hancock continued, would help companies detect and investigate suspicious anomalies.
Locking common methods used by inside attackers can also prevent attacks, Cappelli noted. Prohibiting USB use and cloud file sharing should be foremost considered, as they are two of the most common ways employees exfiltrate data. If enterprises cannot feasibly control all users by such methods, enforcing controls on select departments and individuals would help reduce the attack surface.
Another part of being proactive, suggested Hancock, involved keeping an ongoing playbook, to which the other panelists agreed writing down all potential insider threats and solutions was critical. Though new, never-before-experienced events will inevitably occur, cataloging these events and learning from them is a huge part of any insider threat program.