While the number of insider threats is on the rise, a dedicated team of properly equipped security professionals can tackle the task, provided they have the support of management and staff throughout the company.
That is the message from a pair of professionals in the space. I recently spoke with Marc Crudgington, the chief information security officer (CISO) and SVP of Information Security at Woodforest Bank, and Steve Moore, the chief security strategist at Exabeam, a company which adds intelligence to security tools.
There are many challenges to providing a proactive security program in today’s environment, they explained. Leadership is one, Mr. Crudgington noted. Security leadership needs to begin at the top, at the executive and board level, where security issues are regularly discussed and a proactive plan is struck and adhered to. CISOs need to be good communicators so they can build a proper business case for the type of security plan they have developed; they cannot count on it to stand on its own.
The COVID-19 pandemic has definitely accelerated the number of insider threats teams must contend with, Mr. Moore added. While they used to be mostly just theft and fraud, he identified four separate types. The negligent insider is someone who made a mistake, while the malicious insider meant harm. More prolific in this era of remote work is the compromised insider, whose credentials have been accessed by someone else. The final category is well-meaning but poorly defined business processes that create insider-threat-like behavior.
While getting buy-in from the top is important in convincing everyone else to adopt new practices, it is also key because more departments should be consulted during the security plan development and adoption process. Human Resources, Legal and the C-suite all have their roles to play. HR comes into play as threats are identified and staff are dealt with, and legal issues naturally follow.
And beyond the adoption process, executives need to bring in security teams before any significant shift happens, Mr. Moore said. If a company is migrating to the cloud, that raises all sorts of issues security teams will have to contend with, from access points to threat detection. If it is contemplating an acquisition, integrating different systems and ensuring the new units are up to snuff are crucial.
Security teams will develop systems that track the usual behaviors of staff with similar responsibilities so that patterns emerge. When outlying activity appears, they look to similar past examples and their outcomes to assess the risk and determine what action to take.
Machine learning essentially saves the time of the mind, Mr. Moore said. At Exabeam they place those collective activities into a storyboard so regular behaviors are identified. That allows a wider range of personnel to look for deviations.
“I would argue we sell time more than anything else,” Mr. Moore said. “We’re giving you the ability to not do it manually.”
The new capabilities are far more advanced than they were even a few years ago, he added. Back then it might take a day to run a query, only to see the server crash. Staff would alter the query a bit and hope for a better result the second time. Now the goal is to create a storyboard where you can ask if an action is normal or not and then tie it back to a person or machine before investigating further.
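As an added illustration of the peer-group baselining and storyboard idea described above (this is not Exabeam's code or either interviewee's), a constructed access log is scored per role, so the same after-hours, many-host pattern that is normal for the admin peer group stands out for a teller, and the flagged user's events are tied back to hour and host in order. The roles, hosts, business hours, spread floor and threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample access events (user, role, hour_of_day, host); not real data.
EVENTS = [
    ("alice", "teller", 9, "branch-01"), ("alice", "teller", 10, "branch-01"),
    ("bob", "teller", 9, "branch-02"), ("bob", "teller", 14, "branch-02"),
    ("carol", "teller", 8, "branch-03"), ("carol", "teller", 16, "branch-03"),
    ("dave", "teller", 2, "branch-01"), ("dave", "teller", 3, "fileserver-07"),
    ("dave", "teller", 3, "hr-db"), ("dave", "teller", 23, "branch-09"),
    ("erin", "admin", 1, "fileserver-07"), ("erin", "admin", 2, "hr-db"),
    ("erin", "admin", 3, "branch-09"), ("frank", "admin", 22, "fileserver-07"),
    ("frank", "admin", 23, "hr-db"), ("frank", "admin", 1, "branch-01"),
]
MIN_SPREAD = 1.0   # assumed floor on peer std-dev so identical peers never divide by zero

def user_features(events):
    """Per user: (role, off-hours event count, distinct host count)."""
    role, off_hours, hosts = {}, defaultdict(int), defaultdict(set)
    for user, r, hour, host in events:
        role[user] = r
        hosts[user].add(host)
        if hour < 7 or hour > 19:          # assumed 07:00-19:00 business day
            off_hours[user] += 1
    return {u: (role[u], off_hours[u], len(hosts[u])) for u in role}

def peer_scores(events):
    """Signed z-score of each user against peers in the same role (self excluded).
    Only 'more than peers' counts; the score is the larger of the two feature z-scores."""
    feats = user_features(events)
    scores = {}
    for user, (role, *own) in feats.items():
        peers = [f[1:] for u, f in feats.items() if u != user and f[0] == role]
        if not peers:                       # no peer group, nothing to compare against
            scores[user] = 0.0
            continue
        zs = []
        for i, value in enumerate(own):
            column = [p[i] for p in peers]
            spread = max(pstdev(column), MIN_SPREAD)
            zs.append((value - mean(column)) / spread)
        scores[user] = round(max(zs), 2)
    return scores

def storyboard(events, threshold=2.0):
    """Flag users at or above the threshold and tie their raw events back to user
    and host, ordered by hour, so an analyst sees the sequence without hand-assembling it."""
    flagged = {u for u, s in peer_scores(events).items() if s >= threshold}
    return {u: sorted((h, host) for user, _, h, host in events if user == u) for u in flagged}
```

With this data only dave is flagged (score 4.0): erin and frank do the same things, but against their admin peers that is ordinary.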
These new technologies close the breach response gap, the time between a breach and the response to it, Mr. Crudgington explained. Good technology gives you time back while also moving the most serious threats to the head of the line.
“Instead of looking across eight security tools to figure out what happened and build a timeline of what happened you have sophisticated tools and analytics built in that can help solve and put together the timeline for you,” Mr. Crudgington said.
Such systems take commitment from the top on down and need to be uniform throughout the company, he added. Too many firms have silos with their own decision makers and solutions, each of their own quality.
The security team’s role is to build the most capable system it can, while everyone else’s is to track that system’s adoption. It could be the industry gold standard, but if few implement it, it will not be effective.
That adoption is increasingly important as data and systems are pushed to the edge as more people work remotely. Audit controls now apply to home computers in many companies. In some large organizations staff have been told to not use their VPNs because of capacity issues. Phishing attacks have risen ten-fold.
“The problem is growing because it’s now easier to take advantage of an individual now than before because you can go out on the dark web and set out a ransomware campaign for $500,” Mr. Crudgington said. “But individuals’ data has become more available to individuals and proliferation of data has gone out to the edge and data just continues to build. Data is the new gold and people are after that.
“You don’t have to bang on the front door, you can just compromise an individual and pivot around their environment. With some of the sophisticated tools, you can go unnoticed for quite a long time.”
Take those extra steps and you may empower some of your best people.
“When (companies) start to go beyond the legacy tools and processes, they are going to find things,” Mr. Moore said. “When you have curious staffers that go beyond just the legacy things, whether that’s an insider threat team or threat hunting…When you get curious people and enabled people they’re going to find (issues).”