building your modern insider threat program. You'll need to develop consistent and repeatable workflows to monitor and investigate insider threat triggers. While the details for each organization will be different, there are three main workflows to establish:
monitoring, investigation, and remediation and response,
where we watch for risk, investigate risk when it's found, and finally engage with the insider who triggers the risk.
Monitoring for suspicious activity depends on information. Lots of information.
If you're using a SIEM or SOAR tool, you're already capturing logs and have automated some of the process.
Even if you don't have one of these tools, you're probably collecting log information from various systems in a syslog server.
No matter what tools you're using, you should be monitoring them on a consistent basis,
be it daily, weekly or whatever best matches your capabilities.
Some tools employ an easy-to-parse dashboard or send you alerts when there's something that needs your attention.
Whatever your methodology, make sure that it's consistent and put into your insider threat plan.
Next, you'll need to identify your defined triggers from all that monitoring data.
If use of removable media is one of your triggers, your monitoring workflow should log and give you visibility to that type of activity on your users' systems.
Regardless of your triggers, the inputs to your monitoring workflows should be data that can log the kinds of activities that indicate potential triggers.
The output of your monitoring workflows should inform your security analysts that there's something they need to look at.
These could be identified by dashboards in your tools or through alerts from those tools.
Your insider threat program needs to have a way to report these incidents quickly and preferably without any kind of retribution.
A user may recognize the problem right away, but if they feel they're going to get in trouble for reporting it,
they may take their chances.
If not reported quickly, malware or other social engineering attacks could go unnoticed.
Now that we're monitoring for triggers, let's hear from Todd Thorson about investigating those triggers.
With the triggers now visible, your security analyst needs to eliminate false positives quickly. Your plan should have specific criteria for determining a bogus alert from a real alert.
Many times these procedures are specific to the tools used.
You need to assess whether the tools currently used are capable of performing the monitoring and investigation of insider threats.
First, you identify the cause of the trigger. While there are varying degrees, the main question is: was the activity accidental or malicious?
When the activity is first revealed, the security analyst probably won't know which it is.
The analyst should also protect the evidence until they can determine if the activity was accidental or malicious.
Once an initial determination is made, the security analyst needs to determine the course of action for the investigation and, based on the initial outcome, whether it should be escalated due to possible malicious intent or, if the activity is non-malicious, determine what remediation actions need to be taken.
Once the investigation has begun, evidence should be collected and retained until the determination of accidental misuse or malicious activity is made.
But once the security analyst has identified a risk,
how should they engage with the insider?
This is an important part of the insider threat program, and one that the stakeholders from human resources and legal should have input on, as they'll likely be key players.
Based on that input, your analysts should follow rules of engagement,
a clear process to follow. When an insider threat risk becomes reality,
many factors, such as the seriousness of the activity, the immediacy of the issue and the risk to the business, will all influence the rules of engagement for any particular incident.
When writing these rules, we need to consider not only specifying the type of engagement
but also assigning roles and responsibilities for those engagements.
The security analyst should be involved with three things: monitoring, investigation and response.
Monitoring is what brings about the detection of the event.
Investigation gathers information about the event and determines its validity. Response, from the perspective of an insider threat program, should mean two things. One is kicking off the response to the activity.
This could be something technically automated, like sending an alert over to a security tool. Or it could be a more manual process, like creating a case file and sending it to the appropriate stakeholder, like HR or Legal, for the next step.
The second aspect of response is the actual remedy for the activity.
Keeping in mind that most insider actions are non-malicious in nature, when it comes time to question the person of interest, start by assuming positive intent.
There's a chance the user may not think they've done anything wrong or may not understand the implications of their actions.
Such cases should result in additional security training or communication with the user.
Your plan may require incidents to be documented to establish a pattern of behavior or, more broadly, to track areas for improvement in your corporate security culture and behaviors.
Communicate any trends by anonymizing the data to your security awareness team so they can address risk themes in their training sessions and communications.
But what if the incident
At Code42, our employees are fully aware of our security activities, so we empower our security analysts to contact the user directly if they decide the activity was accidental and quickly remediate the issue. If an incident isn't accidental, it may be time to escalate. For example,
a departing employee incident may need to be handled swiftly and can have legal consequences.
Your legal and human resources stakeholders will probably have some specific requirements for the rules of engagement regarding IT sabotage, insider fraud or insider theft. Once a workflow has been triggered and potential data exfiltration identified,
it should be the key stakeholders' responsibility to directly engage the employee/actor.
It's important that these rules of engagement separate security and IT from any enforcement responsibilities.
This allows them to focus on monitoring, detection and remediation and prevents security and IT from developing an adversarial "data police" relationship with staff.
There are many regulatory and legal ramifications that need to be a part of the rules of engagement.
The rules and processes should be decided in partnership with stakeholder experts who are familiar with local employment or regulatory requirements. So again, it's important to establish relationships with those key partners.
While the details for each organization will be different, consistent workflows with clearly defined steps and rules will ensure a program that is up to the task of dealing with insider threats.
Your workflows need to monitor for and give visibility to activities and events that relate to your insider triggers.
Once you start investigating, your security analysts will need to identify the cause,
collect evidence and determine if the activity was accidental or malicious.
When it comes time to engage the insider to remediate the risk,
analysts should follow your rules of engagement,
clear steps that the stakeholders from human resources and legal should have input on.
Instead of focusing on the people, let's focus these workflows on the activity
by assuming positive intent. We can make insiders our allies, not the enemy.
Of course, if our investigation reveals the intent wasn't positive,
well, that's where HR and Legal could get involved.
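As an added illustration of the monitoring, investigation and response workflow described above (example code, not part of the original course material or any Code42 product), this script walks a few constructed syslog-style lines through trigger matching, a documented false-positive criterion and stakeholder routing. The log format, the trigger list, the approved-device list and the departing-employee list are all assumptions for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed syslog-style sample lines; not output of any real product.
SAMPLE_LOGS = [
    "2024-03-04T09:12:01 host-a1 usb-monitor: user=alice event=usb_attach serial=ABC123",
    "2024-03-04T10:02:10 host-b2 usb-monitor: user=bob event=usb_attach serial=CORP-ENC-77",
    "2024-03-04T11:30:00 host-c3 fs-audit: user=carol event=copy_to_removable path=/srv/hr/payroll.csv",
]
# Assumed trigger definitions and false-positive criteria taken from the insider threat plan.
TRIGGER_EVENTS = {"usb_attach", "copy_to_removable"}
APPROVED_DEVICE_SERIALS = {"CORP-ENC-77"}   # corporate encrypted drives are not a trigger
DEPARTING_EMPLOYEES = {"carol"}             # HR-supplied list that forces escalation
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>[\w-]+): (?P<kv>.*)$")

@dataclass
class Case:
    user: str
    host: str
    ts: str
    trigger: str
    route: str               # "analyst" (contact the user directly) or "hr_legal" (escalate)
    evidence_sha256: str     # hash of the raw line so retained evidence can be verified later
    details: dict = field(default_factory=dict)

def parse_line(line):
    """Split one line into timestamp, host, source and key=value fields; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kv"] = dict(item.split("=", 1) for item in rec["kv"].split())
    return rec

def triage(lines):
    """Monitoring (trigger match) -> investigation (false-positive screen) -> response routing."""
    cases = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kv"].get("event") not in TRIGGER_EVENTS:
            continue                                   # no defined trigger in this line
        if rec["kv"].get("serial") in APPROVED_DEVICE_SERIALS:
            continue                                   # documented false-positive criterion
        user = rec["kv"]["user"]
        route = "hr_legal" if user in DEPARTING_EMPLOYEES else "analyst"
        cases.append(Case(user, rec["host"], rec["ts"], rec["kv"]["event"], route,
                          hashlib.sha256(line.encode()).hexdigest(), rec["kv"]))
    return cases
```

Calling `triage(SAMPLE_LOGS)` yields two cases: alice's USB attach goes to the analyst for direct contact, bob's approved corporate drive is screened out, and carol's copy to removable media is routed to HR and Legal because she is on the departing-employee list.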