The fifth annual National Insider Threat Awareness Month (NITAM) is underway. Created to emphasize the importance of detecting, deterring, and reporting Insider Threats, the initiative is a collaborative effort between the National Counterintelligence and Security Center (NCSC), National Insider Threat Task Force (NITTF), Office of the Under Secretary of Defense Intelligence and Security (USD (I&S)), Department of Homeland Security (DHS), and Defense Counterintelligence and Security Agency (DCSA).
2023 Theme: Bystander Engagement
The theme of this year’s NITAM is Bystander Engagement, referring to the important role every individual has in the efforts to defend against insider threats. It combines the concept of “see something, say something” with “there’s strength in numbers.”
As the office of the Director of National Intelligence said, “insiders who misuse their authorized to share and publicize classified information continue to cause great harm to our national security and diplomatic relations.” Insider Threat concerns are certainly not limited to government entities or to physical incidents alone, they also pose a serious risk to the private sector.
When it comes to cybersecurity, Insider Threats can cause more damage to enterprises than external threats because they are harder to find. A quick retrospective of Famous Insider Threat breaches from the past decade underscores the risk.
Why is Detection of Insider Threats in Cybersecurity so Hard?
Detecting insider threats requires security specialists to distinguish between acceptable activities and those that put the organization at risk or are outright malicious. Many organizations simply don’t have the systems and solutions in place to identify such threats quickly and precisely. Additionally, traditional security solutions weren’t built to recognize the tactics, techniques, and procedures (TTPs) and indicators of compromise (IoCs) associated with insider threats because an ‘insider’ is someone who already has the necessary privileges to access resources.
Four Key Steps to Detecting Insider Threats
Finding Insider Threats requires careful orchestration of multiple factors. Organizations must be able to:
- Customize a solution to fit their program, processes and organizational requirements
- Get contextual evidence to confirm threats
- Collaborate with cross-functional stakeholders with a case of evidence prioritized by risk
To do that, there are four necessary steps:
- Unify Visibility – A strong insider threat program starts with the right visibility into all relevant data. Without it, you have blind spots. You must be able to easily gather the necessary data via direct API integrations from wherever it is stored. That includes a data lake, SIEM or other enterprise system.
- Review what matters – Analysts are already deluged with unsubstantiated alerts. More data won’t make finding insiders any easier without the ability to separate the noise and focus on indicators of behavior. We recommend combining advanced Identity and Access Analytics, User & Behavior Analytics (UEBA), and peer group analysis. It’s essential to monitor each user’s role, access, entitlements, and activities around critical data using purpose-built machine learning algorithms. With the right analytics, you can identify and investigate when user access patterns deviate from normal behaviors and validate the risk with identity analytics for accurate detections.
- Understand the risk – Organizations know that they are at risk; prioritizing risk with context is the only way to stay ahead of the threats. Pulling in context from siloed systems like firewalls, network, and endpoint telemetry is essential. We also suggest combining different categories of machine learning models together to strengthen and prioritize what matters with model chaining. Correlating risk between identity, user, network, and security alerts helps to prioritize real threats.
- Respond with confidence – Responding to alerts for every anomalous event wastes valuable time. Analysts need a definitive case of evidence to confirm a real insider threat. Attacks span multiple events, so we recommend linking all evidence from one user or identity into a single case prioritized based on risk to the business.
Year-Round Awareness
While September is National Insider Threat Awareness Month, an effective Insider Threat program requires 24×365 vigilance. Implementing a program that is customized to your organization, provides rich context, and enables collaboration across the business can elevate your organization’s effectiveness.
Gurucul Insider Threat Resources
Take a moment to review Gurucul’s Insider Threat resources this National Insider Threat Awareness Month:
- Customer Webinar: “Lessons Learned from Operational Insider Threat Programs” featuring customer speaker – Michael Williams, Director of Technology & Insider Risk, Edward Jones
- Blog: How Dominion Energy Built a Successful Insider Threat Program
- Report: 2023 Insider Threat Report
- Whitepaper: Best Practices for Implementing an Insider Threat Program
Of course, you can also find plenty of insider threat mitigation resources on the Gurucul insider threat solution page, so spend some time exploring what we have to offer.