Do you feel smarter? Because I feel smarter. We covered a lot of material and talked to all sorts of experts, getting their insight on building a modern insider threat program.
And while we focus mostly on data protection for our examples, the steps we covered can easily be applied to other segments of your insider threat charter.
Now, if you're the type of person who likes to jump to the end of the course and skipped over all the previous videos to get to this one, well, first of all,
Second, how could you? Everyone else put in the time.
But seeing as we're all together now, let's summarize what we've learned
in building a modern insider threat program. Just follow these simple steps.
Identify what's most valuable.
There's probably not one single person in the organization that can identify and locate all of your most valuable data.
We need to talk to data owners and line of business stakeholders. Ask them what data is most important
and where it's located.
Next, assemble the insider threat working group.
Think about who has the most to lose from an insider incident.
Think about who will be involved in investigating and responding when an incident occurs.
Identify engaged line-of-business leaders, HR, legal and other IT leaders as key stakeholders. Among other things, they will help define policy and procedures.
Getting executive buy-in leads to quicker stand-up time and lower costs for the program by streamlining operations and getting cross-functional collaboration.
The leadership stakeholders you have on your team can assist with this by promoting the project upward to their leadership.
One of the biggest steps in building an insider threat program is defining the insider triggers. This includes what an insider does, namely the observable actions that indicate a risk, as well as the events or situations that motivate an insider to commit their act.
Because the intent behind insider actions falls on a spectrum,
your insider threat program should account not only for the oblivious and accidental but for the malicious as well. Use the 80/20 rule to identify the most common methods of exfiltration and prioritize these factors.
While the details for each organization will be different, consistent workflows with clearly defined steps and roles will ensure a program that is up to the task of dealing with insider threats.
Your workflows need to monitor for and give visibility to activities and events that relate to your insider triggers.
Once you start investigating, your security analysts will need to identify the cause, collect evidence and determine if the activity was accidental or malicious.
When it comes time to engage the insider to remediate the risk, analysts should follow your rules of engagement, clear steps that the stakeholders from human resources and legal should have input on.
You'll want to leverage as many existing resources as possible for your insider threat program. You can determine the validity of existing security tools and utilize ambassadors to support your program.
Your stakeholders will need training on what is being monitored, the specific use case triggers, the investigation workflows, the rules of engagement and the tools used to accomplish all of this. This training should clearly define their roles and responsibilities so they're ready to jump in when an incident response workflow is triggered.
By creating a healthy security culture and openly communicating what is being watched for and why,
everyone is on the same page.
This will make your program easier to manage and overall, be more effective. However, your insider threat program should be tailored to your company's needs, which includes the culture.
And then you need to implement true monitoring, detection and response technology.
Your monitoring needs to be constant and consistent for all users and start long before a trigger occurs, with proactive data collection.
Additionally, your detection methods must weed out the false positives
so as not to overburden the security teams with too much data that they don't have time to react.
True monitoring, detection and response technology must be continuously running,
providing historical context and complete visibility into all data activity.
This enables your insider threat team to quickly and effectively see the full picture at all times.
And finally, instead of focusing on the people, let's focus these workflows on the activity.
By assuming positive intent, we can make insiders our allies, not the enemy. Of course, if our investigation reveals the intent wasn't positive, well, that's where HR and Legal can get involved.
By following these simple steps, you should be well equipped to build and run a modern insider threat program.