Who should be on an insider risk team?
28 February 2017
Mancini said an effective insider risk team will design controls, take action, provide governance, and investigate. “Governance and control are critical to an insider risk team; who will watch the watchers? Audit capabilities must be woven into the process.”
Kennet Westby, president and co-founder at Coalfire Systems, says that the insider risk team should also include representatives from any other users or groups with elevated access and privilege, including any vendor management and third-party contracting teams. Others believe the team should include the CISO, CIO, and risk and compliance officers.
Steven Grossman, vice president of strategy and enablement at Bay Dynamics, noted that everyone in an organisation needs to play a role. “However the key core players must be comprised of multiple talents that understand user behaviour, and the overall landscape of cyber risk. That includes the type and value of applications, hosts associated with those applications, and the vulnerability posture of those hosts and applications. Application security owners who have a deep business understanding of the value and security of the applications under their governance play an essential role on the team. They know whether a seemingly unusual behaviour was indeed business justified,” he said.
Team punch list
Initial, high-value areas to identify and assess in an insider threat risk assessment and analysis are:
- Shared service accounts used by multiple staff, typically with administrative-level access
- Local system accounts that sit outside the shared authentication and authorisation systems
- Outside, remote entry accounts used by vendors and consultants with elevated access levels
- Culture and policy enforcement for personal device and data use
- Security awareness and learning management
- Controls for identity access management
- Management practices for notification of personnel separation, terminations, and transfers
First, the team should put together policies that allow appropriate access based on business needs, and look at tools to safeguard against insider abuse. This entails providing the right level of visibility into insider access and possible deviations from it.
Not everyone agrees on who needs to be on this team though. It might just be semantics, but some experts believe the insider risk team’s main responsibility is to create policy and then the various teams are to follow them. Other experts see the team as a group that follows up on a minute-by-minute basis to find out where any abnormalities take them.
Hamesh Chawla, vice president of engineering at Zephyr, said insider risk teams should be consistently looking at reports and logs on a daily basis to understand what deviations are taking place, and address those deviations immediately with the group to implement a course of action. “These specialised teams should formulate a crisis plan to mitigate the damage should an insider attack occur and have concrete, appropriate actions against those abuses.”
Javvad Malik, security advocate at AlienVault, breaks the duties down into something like layers:
- Line managers: A first line of defence, they know the employees best, are aware of what tasks they need to undertake, the information they need to access, and their overall morale and well-being.
- Asset owners: An accurate asset inventory needs to be compiled, the data classified, and owners identified. These asset owners should know what services and users require access to the assets, when downtime is scheduled, and any planned changes. In the event of any suspicious activity being detected, the asset owner should be able to validate whether it was malicious.
- Legal/HR: Whenever looking into potential insider fraud, it is essential to have legal and HR representation to ensure that no individual rights are being breached and that any investigations are undertaken in a legal manner.
- Forensics: Similarly, forensics investigators may be needed in order to undertake detailed investigation. This could include taking forensic images of devices for legal purposes and to investigate malpractice.
- Analysts/SOC: The security operations centre (SOC) is the heart of all threat detection within an organisation. Working with the involved parties, assets can be identified and appropriate alerts configured. Similarly, behavioural analysis should be a core component of an SOC so they can detect any deviations from normal activity and behaviour. They will usually kick off incident response processes by engaging the other responsible parties.
A successful insider threat programme needs access to data, which should include endpoint, proxy, search history, phone records, and physical access logs if available, said Chris Camacho, chief strategy officer at Flashpoint. “Being able to understand and ingest multiple sourced data/information is a critical part to enable accurate analysis of who might be at high risk for insider activity. Naturally, an employee’s motivation is a critical aspect of why malicious activity could occur and can range from ideology, financial needs and even collusion or extortion of an employee. Access and correlation of the right data sets is paramount, but leveraging intelligence analysts, the human factor, is an important piece of the insider puzzle,” he said.
An insider programme can also leverage technology such as user behaviour analytics (UBA) that would provide a head start in bringing all data together. “However, in order to make the most use of the tool, someone has to be able to filter out the noise. Having access to data in one platform is a great start but filtering through events and noise is even more critical,” Camacho said, adding that knowing how to find anomalies or patterns that don’t make sense is one key function at the beginning of a successful programme.
“In short, an insider programme should be able to curate data points that reveal a toxic risk score of ‘who’ might be high concern for malicious activity,” Camacho said.
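To make the two threads above concrete, here is an added example (written for this article; it is not code from any of the people or vendors quoted) that correlates three constructed data sets of the kind Camacho lists, an authentication log, a physical badge log and an HR separations list, into a per-user risk score with the reasons behind it. The rules cover several of the punch-list items: shared administrative accounts, vendor remote-access accounts outside their agreed window, and separated personnel whose accounts still authenticate. The account names, IP ranges, business hours, rule weights and log format are all assumptions made for the example, not any organisation's real data or any vendor's UBA formula.

```python
from collections import defaultdict
from datetime import datetime, date, time
from ipaddress import ip_address, ip_network

# --- Constructed reference data (assumptions for the example, not real records) ---
HR_SEPARATIONS = {"jdoe": date(2017, 2, 20)}                   # user -> last day of employment
SHARED_ADMIN_ACCOUNTS = {"svc_backup", "dbadmin"}              # shared service accounts (punch list)
VENDOR_ACCOUNTS = {"acme_support": (time(8, 0), time(18, 0))}  # vendor account -> agreed access window
BUSINESS_HOURS = (time(7, 0), time(20, 0))
INTERNAL_NET = ip_network("10.0.0.0/8")

# Additive scoring model with hypothetical weights; reasons are kept so a reviewer
# can validate each finding rather than trusting an opaque number.
WEIGHTS = {
    "separated_user_login": 50,        # HR says the person left, the account still logs in
    "vendor_outside_window": 30,       # remote vendor access outside the contracted window
    "shared_admin_use": 20,            # interactive use of an account nobody is accountable for
    "internal_login_without_badge": 15,  # on-site network login, but no badge-in that day
    "off_hours_login": 10,
    "auth_failure_burst": 10,
}
FAILURE_BURST = 5  # failures per user per day before it counts as a burst

# Constructed sample logs in a simple "TIMESTAMP key=value ..." format.
AUTH_LOG = """\
2017-02-21T03:12:44 auth=success user=jdoe src=10.0.5.17 host=fileserver01
2017-02-21T09:02:10 auth=success user=asmith src=10.0.5.40 host=workstation-12
2017-02-21T23:41:05 auth=success user=svc_backup src=10.0.9.3 host=db01
2017-02-21T22:15:00 auth=success user=acme_support src=203.0.113.7 host=vpn-gw
2017-02-21T10:05:30 auth=failure user=asmith src=10.0.5.40 host=workstation-12
2017-02-21T10:05:35 auth=failure user=asmith src=10.0.5.40 host=workstation-12
2017-02-21T10:05:40 auth=failure user=asmith src=10.0.5.40 host=workstation-12
2017-02-21T10:05:45 auth=failure user=asmith src=10.0.5.40 host=workstation-12
2017-02-21T10:05:50 auth=failure user=asmith src=10.0.5.40 host=workstation-12
2017-02-21T10:05:55 auth=failure user=asmith src=10.0.5.40 host=workstation-12
"""
BADGE_LOG = """\
2017-02-21T08:55:02 badge=in user=asmith door=main-lobby
"""


def parse_log(text):
    """Parse 'TIMESTAMP key=value ...' lines into dicts carrying a datetime under 'ts'."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def score_users(auth_text, badge_text):
    """Return {user: (score, [reasons])} for every user seen in the auth log."""
    auth = parse_log(auth_text)
    # Set of (user, day) pairs with a physical badge-in record.
    badged = {(ev["user"], ev["ts"].date()) for ev in parse_log(badge_text) if ev["badge"] == "in"}
    findings = defaultdict(set)
    failures = defaultdict(int)

    for ev in auth:
        user, ts = ev["user"], ev["ts"]
        if ev["auth"] == "failure":
            failures[(user, ts.date())] += 1
            continue
        sep = HR_SEPARATIONS.get(user)
        if sep is not None and ts.date() > sep:
            findings[user].add("separated_user_login")
        if user in SHARED_ADMIN_ACCOUNTS:
            findings[user].add("shared_admin_use")
        if user in VENDOR_ACCOUNTS:
            start, end = VENDOR_ACCOUNTS[user]
            if not (start <= ts.time() <= end):
                findings[user].add("vendor_outside_window")
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings[user].add("off_hours_login")
        # Badge correlation only makes sense for named people, not service or vendor accounts.
        is_person = user not in SHARED_ADMIN_ACCOUNTS and user not in VENDOR_ACCOUNTS
        if is_person and ip_address(ev["src"]) in INTERNAL_NET and (user, ts.date()) not in badged:
            findings[user].add("internal_login_without_badge")

    for (user, _day), n in failures.items():
        if n >= FAILURE_BURST:
            findings[user].add("auth_failure_burst")

    users = {ev["user"] for ev in auth}
    return {u: (sum(WEIGHTS[r] for r in findings[u]), sorted(findings[u])) for u in users}


if __name__ == "__main__":
    # Rank users by score so the analyst sees the highest-concern accounts first.
    for user, (score, reasons) in sorted(score_users(AUTH_LOG, BADGE_LOG).items(),
                                         key=lambda kv: -kv[1][0]):
        print(f"{user:<14}{score:>4}  {', '.join(reasons) or '-'}")
```

On the constructed data the separated user ranks highest (a login after the separation date, at night, from the internal network with no badge record), the vendor and shared admin accounts follow, and the ordinary employee scores low despite a burst of failed logins, which is the kind of noise the text says someone still has to filter. In practice the reasons list is what the asset owner or line manager from Malik's layers would use to confirm whether the activity was business justified.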