The first time a security operations team may learn of an insider threat incident is when they’re told there’s been an error in a client account, and they need to freeze logins, trace recent account activity and try to build a forensic timeline of how harm occurred. Unfortunately, this is all reactive.
Chief information security officers (CISOs) all over the world are getting a mandate from boards to become more proactive and take steps to reduce harm earlier. “Shift left of the boom!” is rapidly becoming an industry mantra. However, once we work out how we can detect high-risk activity earlier in the cycle, we then need to understand the potential range of organizational responses.
What strategies are effective in an insider risk situation, and why should we as security practitioners be thinking about not only cybersecurity risks, but also the wider organizational risk? Security practitioners are being encouraged to contextualize their risk mitigation strategies in light of the larger corporate risk program. While many security incidents are hard to quantify in terms of acceptable loss, we can certainly apply this concept to managing insider threats and risk.
The traders who went nonlinear
We all know the stories of the traders who catapulted their bank into a crisis through overtrading. If we look at the taxonomies of their behavior, the common thread that binds them all is that once they got into financial deep water through overtrading, they overstepped acceptable boundaries and legal limits in their increasingly desperate attempts to trade their way out of trouble. In a recent conversation, the CISO at one of the big international investment banks pointed out another commonality that had escaped many industry practitioners (and analysts) trying to understand this issue.
“All of the traders started out overtrading to address a personal financial situation,” the CISO explained. “Either they owed money on a debt, or lived beyond their means, and so [they] extended their risk beyond what the bank would consider normal, prudent limits. Eventually, of course, they were so hopelessly overextended that they started borrowing from one client account to service another. And at that point, they’d irrevocably crossed the line where there was no option other than to involve law enforcement.”
Bad behavior by rogue investment bankers aside, the reality is that the opportunity to misuse job role privileges can be found in any organization in any sector, both private and public. It extends not just to IT power users and administrators, but to payroll clerks, invoice accounts teams, healthcare professionals and many others. In fact, it’s hard to think of any role that doesn’t carry some kind of privilege that must be exercised responsibly.
An important differentiator between an insider event and an external attack is that while the external attacker will use various tools and weaponized exploits to gain and maintain access, elevate privilege, and then exfiltrate assets, the internal adversary can simply misuse the privileges they already have to perform their job.
Early detection gives CISOs choices in response and intervention
Proofpoint is encouraging CISOs to think differently about the insider problem. It’s a mistake to treat insider and external incidents the same. Indeed, there is an argument to use a separate team for insider-related investigations, leaving the security operations center (SOC) oriented toward identifying, containing and eradicating attacks with an external origin.
As we’ve already seen, insider threat incidents are far more nuanced, and the complex issue of intent adds additional shades of gray to the picture. Broadly speaking, insider threat incidents can be categorized as:
- Benign user errors (careless user) where an associate simply makes a bad decision or is seeking to shortcut security controls in an attempt to complete a task.
- Deliberate malfeasance (malicious user) where an associate is deliberately attempting to evade security controls for their own benefit.
- Credential misuse (compromised user) where an actor is using credentials not issued to them to perform a task that would normally be outside of their responsibilities.
As we’ve discovered, there are many nuances and overlaps. A group acting in concert may exploit benign user errors in a hapless colleague, obtain credentials, and receive support or influence from an outside source. So, what can we do about it?
Build executive sponsorship from key stakeholder groups
One thing is very clear: Insider risk management is a team sport. And CISOs need to build alliances with others who have a stake in the process. For example, human resources (HR) is widely seen to be the place where responsibility falls for any associate-related risk. Finance is responsible for accounting for losses and identifying root causes (especially those showing up on the P&L). The wise CISO builds strong executive sponsorship from these groups.
And since this blog post is about buying choices, what we’ve bought here is choice in interventions. Line managers are appropriate for informal formative feedback, whereas the more formal processes are executed (and I use that word advisedly) by HR. In Europe, works councils are key stakeholders in this process and are observed to be far more receptive and cooperative when they’re involved as stakeholders.
Insider risk management: behavioral change, analytical insight and precise interventions
Proofpoint believes that the earlier some kind of intervention is applied, the more options organizational leaders have in choosing the appropriate insider threat intervention. As the CISO from the investment bank case quoted earlier states, “If we can discover this overtrading problem before we have customer harm to undo, it is in the interests of the bank to offer the trader a low-cost loan to resolve the personal stressors that are causing this behavior.”
Similarly, if we discover that someone is storing information in a personal cloud account, an early intervention of a bite-sized training segment may effect the behavioral change we seek.
In short, the earlier we can detect a problem, the earlier we can take an explicit decision on how to handle the risk, and from a management perspective, the less impact the issue is likely to have on our balance sheet and reputation. Therefore, taking a risk management approach to insiders is effective.
Since we’re examining risk, it’s appropriate to consider the entire employee population in the scope of our risk assessment. It follows that analytics which can determine and prioritize high-risk behaviors are an important tool for the cybersecurity team, allowing it to focus on those behaviors and the actors behind them. Proofpoint is confident that this approach will reduce risk and provide a tangible and measurable difference to the bottom line.
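To make the analytics idea concrete, here is an added example (not Proofpoint's code and not from any product described here) that scores a small, constructed audit log for the kinds of indicators discussed in this post: an upload to a personal cloud account, a disabled control, an off-hours login from an unknown address, and access outside the user's role. Each indicator is mapped to the three incident categories above (careless, malicious, compromised), the population is ranked by score so the team can prioritize, and a per-user timeline is produced of the sort a SOC would assemble after the fact. The event format, user profiles, role-to-path entitlements and indicator weights are all assumptions invented for the example.

```python
"""Added example: score constructed audit events for insider-risk indicators,
rank users by total score, and build a per-user timeline. All data and
weights below are constructed assumptions, not real telemetry or a product's
scoring model."""
from collections import defaultdict
from datetime import datetime, time

# Constructed audit events: (timestamp, user, source IP, action, detail).
SAMPLE_EVENTS = [
    ("2023-09-04T09:02:00", "alice", "10.1.4.22", "login", ""),
    ("2023-09-04T09:40:00", "alice", "10.1.4.22", "file_read", "shared/sales/forecast.xlsx"),
    ("2023-09-04T09:41:00", "alice", "10.1.4.22", "upload", "personal-cloud:dropbox.com"),
    ("2023-09-04T02:14:00", "bob", "203.0.113.9", "login", ""),
    ("2023-09-04T02:20:00", "bob", "203.0.113.9", "file_read", "finance/payroll_export.csv"),
    ("2023-09-04T08:55:00", "carol", "10.1.7.3", "login", ""),
    ("2023-09-04T08:58:00", "carol", "10.1.7.3", "policy_change", "dlp:disabled"),
    ("2023-09-04T09:05:00", "carol", "10.1.7.3", "bulk_download", "customers/all_accounts.csv"),
    ("2023-09-04T09:07:00", "carol", "10.1.7.3", "upload", "personal-cloud:drive.google.com"),
]

# Constructed baseline per user: job role and addresses seen before.
USER_PROFILE = {
    "alice": {"role": "sales", "known_ips": {"10.1.4.22"}},
    "bob": {"role": "engineering", "known_ips": {"10.1.5.8"}},
    "carol": {"role": "support", "known_ips": {"10.1.7.3"}},
}

# Constructed entitlements: which top-level data path each role may touch.
ROLE_PATHS = {
    "sales": {"shared"},
    "engineering": {"shared", "src"},
    "support": {"shared", "customers"},
    "finance": {"shared", "finance"},
}

# Assumed indicator weights and the incident categories each usually points to
# (careless / malicious / compromised). Overlaps are deliberate: one indicator
# rarely settles intent on its own.
INDICATORS = {
    "personal_cloud_upload": (3, {"careless", "malicious"}),
    "control_disabled": (5, {"malicious"}),
    "off_hours_login": (2, {"compromised", "malicious"}),
    "unknown_ip_login": (3, {"compromised"}),
    "out_of_role_access": (4, {"compromised", "malicious"}),
    "bulk_download": (3, {"malicious", "compromised"}),
}

WORK_START, WORK_END = time(7, 0), time(20, 0)  # assumed business hours


def indicators_for(event):
    """Return the list of indicator names a single event triggers."""
    ts, user, ip, action, detail = event
    when = datetime.fromisoformat(ts)
    profile = USER_PROFILE[user]
    found = []
    if action == "login":
        if not WORK_START <= when.time() <= WORK_END:
            found.append("off_hours_login")
        if ip not in profile["known_ips"]:
            found.append("unknown_ip_login")
    elif action in ("file_read", "bulk_download"):
        top_level = detail.split("/")[0]
        if top_level not in ROLE_PATHS[profile["role"]]:
            found.append("out_of_role_access")
        if action == "bulk_download":
            found.append("bulk_download")
    elif action == "upload" and detail.startswith("personal-cloud:"):
        found.append("personal_cloud_upload")
    elif action == "policy_change" and detail.endswith(":disabled"):
        found.append("control_disabled")
    return found


def score_users(events):
    """Aggregate indicator weights and suggested categories per user."""
    result = defaultdict(lambda: {"score": 0, "indicators": [], "categories": set()})
    for event in events:
        user = event[1]
        for name in indicators_for(event):
            weight, categories = INDICATORS[name]
            result[user]["score"] += weight
            result[user]["indicators"].append(name)
            result[user]["categories"] |= categories
    return dict(result)


def prioritize(events):
    """Rank the whole population by score, highest risk first."""
    scored = score_users(events)
    return sorted(((u, v["score"]) for u, v in scored.items()), key=lambda x: (-x[1], x[0]))


def timeline(events, user):
    """Chronological list of (timestamp, action, detail, indicators) for one user."""
    rows = [(e[0], e[3], e[4], indicators_for(e)) for e in events if e[1] == user]
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for user, score in prioritize(SAMPLE_EVENTS):
        print(user, score, sorted(score_users(SAMPLE_EVENTS)[user]["categories"]))
        for row in timeline(SAMPLE_EVENTS, user):
            print("   ", *row)
```

Ranking carol above bob above alice is what one would hope for: alice's single personal-cloud upload is the bite-sized-training case, bob's combination of an off-hours login from an unseen address and a read outside his role looks more like a compromised account, and carol's disabled control followed by a bulk download and an upload is the pattern that warrants a formal process rather than a quiet word. The weights are where an organization encodes its own risk appetite, and they should be tuned against the false-positive rate on the real population before anyone is pulled into a review.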
This Insider Threat Awareness Month, learn more about taking a proactive approach to managing the insider problem in a webinar featuring Forrester, where we discussed mitigating risk from insider threats. Be sure to register for an upcoming webinar on October 12 on how to tackle insider threats in financial services.
Visit the Insider Threat Management hub to help you get started on your insider threat journey.
To hear more perspectives from the author, listen to this podcast episode.