Best Practices for Implementing an Insider Threat Program

During the final week of National Insider Threat Awareness month, we’ll talk about best practices for implementing an Insider Threat Program.  An organization can have the most effective strategy for external threats, yet if it’s not giving equal attention to internal threats, it is just as much at risk of a breach or theft.

So, in addition to looking outside, an enterprise also has to look inside for potential threats.  Insider threats can come from a variety of sources, including regular employees, contractors, partners, IT staff, and even executives.  Most if not all already have some level of access, and are at least in theory have the ability to steal data.  That does mean that all or any of them will do so, but awareness and vigilance are the watchwords here.

This means that organizations and cybersecurity staff need a comprehensive strategy for managing the potential for internal threats.  Following are several best practices that organizations can use in order to integrate insider threats into their cybersecurity strategy.

1. Engage Stakeholders

The first step is to initiate your insider threat program by engaging with all stakeholders.  And that’s a very critical step.  You want to make sure that you identify who the stakeholders of this program are.  And you want to make sure that you include all the key stakeholders like HR, Legal, operations, and more.  We see stakeholders being left behind many times, so setting that upfront is going to give you a lot more success keeping and understanding the culture of your organization.

Government agencies and financial companies accept that insider risk is a problem.  They have compliance regulations.  They know they have to monitor this.  The company, as a whole, understands this and that it’s serious.  It’s not a trust issue. It’s a security control.

On the other side of the house, we work with high-tech companies.  We’re talking about insider risk as a trust issue.  It’s about not trusting your employees, not trusting your contractors or other folks you do business with from a third-party perspective.  So that’s a spectrum.  Understand the culture and that the culture is important.

Every organization has an insider risk issue.  The key is to understand how you are you going to communicate this program.  How are you going to manage this?  You don’t want to be Big Brother.  So that communication is super important.

2. Product Selection

The next step is product selection.  Please do not think that traditional approaches can solve the insider threat.  It’s a whole mindset change.  It’s a different way of looking at the problem.  You’re looking at it from an inside-out perspective.  You’re looking at it from a context perspective.  This is not about transactions.  There are many best practices on how you would operationalize.  But even from a product selection perspective, it’s very important that you really look into some key things, and we encourage you not to look at your current platform and say, “I have a legacy platform and I’m just going to use it for insider risk.

It does not work.  It’s been tried tested by many, many organizations who failed.

Key things to think about, from a product selection perspective, is a platform that can really give you a unified security and risk perspective.  Unified is important because you want to bring in different parts and pieces.  You don’t want to be going to a different platform to research behaviors.  You don’t want siloed analytics.  You want one place where you consolidate all this data and run analytics and get actionable results.

When we talk about actionable results, we’re talking about prioritizing risk.  So, you exactly know that if this is the risk and it is a behavior model that got triggered, your insider risk management team knows what to do from there.  More importantly, as you mature, you can automate these controls, which is the end state we’re going after.

3. Define Threat Indicators

Next is to define your threat indicators.  This is very, very important.  Over the last 11 years, we’ve learned a lot about this.  We have best practices on our threat indicators that give you the most value.  And we would say, HR attributes play a key role in that.  It’s important to have that partnership upfront, and, of course, all of the controls so that nobody gets to see any confidential information or have to be built into the platform.

Indicators of insider threats are far different from the indicators of compromise of external cyber-attacks.  In an external attack, you would look for things like communication with known malicious URLs and domain names that were just recently created.  Insiders don’t use those sorts of tactics to execute their bad behavior.  Instead, you might look for behavioral conditions like:

  • Working at odd hours
  • Working from odd locations
  • Logging in from two locations at the same time
  • Frequent failed login attempts
  • Attempting to access systems or data outside the scope of the employee’s job
  • Copying, downloading, deleting, or altering large amounts of data

This is where it’s helpful to work with the various stakeholders to understand what is unusual or unacceptable for employee behavior.  Although threat indicators should be specific to your own business, Gurucul has a list of indicators that can provide you the most value.

The next step in your insider threat program is the linking information across multiple data sources to a single identity.  Building that context together across various systems, looking at a user’s access activity, any alerts, building that holistic view and linking it together is important.  You can’t use correlation rules because they don’t give you the highest efficacy – rules are very basic.  You want to use, and platforms should have, link analysis capability.  You want to see who has link analysis algorithms built-in to give you the most efficacy by linking all this data together and building that context.

5. Establish a Behavior Baseline

Now your insider threat process needs a baseline.  You want to establish behavior baselines for all your users and entities, not just insiders.  You want to look at their peer groups and their machines.  You want to look at other machines in that peer group, anyone, develop baseline behaviors and look for deviations to identify where the anomalies are.  And then it doesn’t stop.  It’s not just about anomalous behavior.  It’s about risky, anomalous behavior; that’s what we’re going after.

6. Monitor and Respond

The next point of insider threat program maturity comes in monitoring and responding to suspicious or disruptive behavior.  This is key.  We’ve seen many companies struggle with this.  Everybody goes into the soft mindset to solve this problem.  This is a this is a lifestyle change from that process.  It’s a different way of looking at it.  You want to set the right response mechanism, build the right playbooks, have the right governance committee set up so you operationalize.  To have an effective working insider threat program, you need to have all of these working, and you must be able to continuously review the results and provide feedback.

With that feedback, Gurucul’s machine learning algorithms can tune themselves, because they’re self-learning, and you get higher efficacy results.  The good news is that a good platform should be giving you very few alerts every day.

If you’re talking about a company of 10,000 employees or insiders, you should get about a hundred alerts a month or about 3 per day.  That’s very few alerts compared with signature-based platforms.  This is the benefit of a machine learning based insider threat product like Gurucul’s.

7. Operationalize

Finally, operationalizing your insider threat program is critical to ensuring the whole program is a success.  You need to have all of the steps above working well and then continuously review the results and provide feedback. The loop around steps “establish baseline, monitor and respond, and operationalize” should be constant and should evolve with your business and risk.

Learn More

Defining and using best practices are necessary to put the entire enterprise into a healthy position to identify and react to internal threats.  Gurucul Analytics-Driven SIEM and UEBA products with advanced analytics and machine learning models can help IT staff develop a comprehensive insider threat identification and protection program.

Additional Resources: