How to build a FREE (well, nearly!) Insider Threat Program

So you have fallen behind on investing in an insider threat program, have you? Well, put your checkbook away (for a couple more weeks anyway), because in this post I will share some free ideas to get your insider threat program off the ground.

There is no silver bullet for insider threat; it is virtually impossible to completely eliminate insider attacks. There are, however, mitigation steps and tools that can be used to reduce the likelihood and impact of such an attack.

The first thing needed is to acknowledge that with no program in place, you have no idea how detrimental an insider attack could be to your organization.

So let's get to the free stuff!

1. Asset Classification

What are you trying to protect? We will need to identify what it is that we are most concerned about losing (IP theft), being destroyed (IT sabotage), or falling into the wrong hands (espionage). Asset classification is one of the foundational blocks of a successful insider threat program. What is important to one area of your business may be completely different from what matters to another. A holistic, organization-wide look is a MUST.

ACTION: Create a prioritized list of what your company needs to protect most. Include what you are protecting, where it is, how much of it there is, and who you are protecting it from. Invite stakeholders from different areas of the company to contribute to the vetting process.

Documents, customer confidential data, designs, prototypes, machinery, software and algorithms are just some of the endless examples of assets that may need to be classified.

2. Audit your technical controls

To be able to perform analysis that can identify the size of the task ahead of you, we will need to have some data to analyze. Some of the very basic controls in your current infrastructure can serve up a wealth of information. For example, have terminated users had their accounts disabled? Are access rights assigned appropriately to users? Have password restrictions and policies been put in place?

98% of breaches indicate attackers' activities were available in security log files (Verizon Data Breach Report)

ACTION: Create a checklist of technical controls and review those controls to ensure that the most restricted policies and rules are being enforced. Ensure that logging is enabled and valuable data is being stored.

This could include:

  • Network logon / logoff
  • File access and deletions
  • Elevated rights used
  • Database activities

Whether accounts are enabled or disabled as they should be, whether only appropriate access has been granted, password restrictions, logon time restrictions and audit log retention are some of the items to include in your checklist. If these are not enabled and providing value, now is a good time to begin your data collection!
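The following is an added example, not part of the original post or of any Securonix product: a small Python script that turns the checklist above into something you can run against a directory export. The account records, the HR list of terminated users, the audit-policy settings and the thresholds are all constructed for illustration; in practice you would feed it your own export.

```python
"""
Added example (not from the original post): auditing basic technical controls
from the checklist (terminated accounts still enabled, stale accounts, passwords
that never expire, privileged group membership, audit logging categories).
All records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Account:
    username: str
    enabled: bool
    groups: tuple
    password_never_expires: bool
    last_logon: date


# Constructed sample: what a directory export might look like.
ACCOUNTS = [
    Account("alice", True, ("Domain Users",), False, date(2024, 5, 1)),
    Account("bob", True, ("Domain Users", "Domain Admins"), True, date(2024, 4, 28)),
    Account("carol", True, ("Domain Users",), False, date(2024, 3, 2)),    # left, still enabled
    Account("dave", False, ("Domain Users",), False, date(2023, 12, 20)),  # left, disabled
    Account("svc_backup", True, ("Backup Operators",), True, date(2024, 5, 1)),
]

# Constructed HR feed: usernames of people who have left the company.
TERMINATED = {"carol", "dave"}

# Groups whose members warrant a review of elevated rights (assumption).
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators"}

# Constructed audit-policy export versus the categories the checklist asks for.
AUDIT_SETTINGS = {"logon_logoff": True, "file_access": False,
                  "privilege_use": True, "database_activity": False}
REQUIRED_AUDIT = ["logon_logoff", "file_access", "privilege_use", "database_activity"]


def audit_accounts(accounts, terminated, today=date(2024, 5, 15), stale_days=90):
    """Return (username, finding) pairs for the account-related checklist items."""
    findings = []
    for acct in accounts:
        if acct.username in terminated and acct.enabled:
            findings.append((acct.username, "terminated user still enabled"))
        if acct.enabled and (today - acct.last_logon).days > stale_days:
            findings.append((acct.username, f"no logon in {stale_days}+ days"))
        # Service accounts (svc_ prefix, an assumption) are reviewed separately.
        if acct.password_never_expires and not acct.username.startswith("svc_"):
            findings.append((acct.username, "password never expires on a user account"))
        priv = PRIVILEGED_GROUPS.intersection(acct.groups)
        if priv and acct.enabled:
            findings.append((acct.username, "privileged: " + ", ".join(sorted(priv))))
    return findings


def missing_audit_categories(settings, required):
    """Return the required logging categories that are switched off, sorted."""
    return sorted(cat for cat in required if not settings.get(cat, False))


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, TERMINATED):
        print(f"{user}: {finding}")
    print("audit categories not enabled:", missing_audit_categories(AUDIT_SETTINGS, REQUIRED_AUDIT))
```

Each finding maps back to a checklist line: the "terminated user still enabled" result is exactly the "have terminated users had their accounts disabled?" question, and the missing audit categories tell you where you have no data to analyze yet.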

3. Education and awareness

At this point, your program is likely not mature enough to have documented education and awareness materials ready to send throughout your organization. But what you can accomplish is the sharing of security-minded concepts that highlight risks and also inform your employees that insider threat is being addressed within the company.

ACTION: Create an awareness document highlighting security do's and don'ts that can be distributed enterprise-wide on a routine basis. This could also include worrying or troubling behaviors a coworker might exhibit.

For example: ensure that confidential documentation is LOCKED in desks and drawers when you are away from your desk. Never write your password down and leave it close to your computer (you may laugh, but it happens all the time). Report suspicious or strange activity you see in the workplace.

4. Correlate existing insider data

Review your current tool set and look for opportunities to gather data that could be useful for building out an insider threat profile. Proxy logs, IDS logs, firewall logs and DLP logs all present a potential gold mine of data that can be aggregated to gain better knowledge of someone's intended actions.

ACTION: Build a person of interest (POI) list from data gathered from network tools.

Examples could include users who, according to proxy logs, are uploading large volumes of data to websites, employees connecting remotely to an external IP and users performing network scans or sending large attachments to personal email addresses.
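As an added example (not from the original post and not a Securonix tool), here is a Python script that builds a first POI list from three of the sources just named: proxy logs for large uploads, mail gateway logs for large attachments to personal addresses, and firewall logs for scan-like activity. The log formats, the IP-to-user mapping, the list of personal mail domains and every threshold are assumptions; the log lines are constructed for the example.

```python
"""
Added example (not from the original post): correlating constructed proxy, mail
and firewall log lines into a person of interest (POI) list. Formats, thresholds
and the IP-to-user mapping are assumptions.
"""
from collections import defaultdict

# Constructed proxy log: timestamp user method host bytes_sent
PROXY_LOG = """\
2024-05-13T09:01:12 alice POST drive.example-cloud.com 120000
2024-05-13T09:05:40 bob   POST fileshare.example-cloud.com 850000000
2024-05-13T10:12:03 carol GET  news.example.com 512
2024-05-13T11:45:31 bob   POST fileshare.example-cloud.com 400000000
""".splitlines()

# Constructed mail gateway log: timestamp sender recipient attachment_bytes
MAIL_LOG = """\
2024-05-13T12:03:44 carol@corp.example carol.home@gmail.com 52000000
2024-05-13T12:10:02 alice@corp.example partner@vendor.example 3000000
2024-05-13T14:22:19 dave@corp.example dave.private@outlook.com 900
""".splitlines()

# Constructed firewall log: timestamp src_ip dst_ip dst_port action
# One source touching 40 different ports on one host within a minute.
FW_LOG = [f"2024-05-13T15:00:{i:02d} 10.0.5.23 10.0.9.10 {port} DENY"
          for i, port in enumerate(range(20, 60))]
FW_LOG.append("2024-05-13T15:01:00 10.0.5.24 10.0.9.10 443 ALLOW")

# Constructed mapping derived from DHCP / authentication logs.
IP_TO_USER = {"10.0.5.23": "erin", "10.0.5.24": "alice"}

PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption
UPLOAD_THRESHOLD = 500_000_000      # bytes sent per user per day (assumption)
ATTACHMENT_THRESHOLD = 10_000_000   # bytes per message (assumption)
SCAN_PORT_THRESHOLD = 20            # distinct ports to one host from one source


def large_uploaders(lines, threshold=UPLOAD_THRESHOLD):
    """Sum POST bytes per user and return those at or above the threshold."""
    sent = defaultdict(int)
    for line in lines:
        _, user, method, _, nbytes = line.split()
        if method == "POST":
            sent[user] += int(nbytes)
    return {u: b for u, b in sent.items() if b >= threshold}


def personal_mail_senders(lines, threshold=ATTACHMENT_THRESHOLD):
    """Map internal user -> personal recipient for large outbound attachments."""
    hits = {}
    for line in lines:
        _, sender, recipient, nbytes = line.split()
        domain = recipient.rsplit("@", 1)[1].lower()
        if domain in PERSONAL_DOMAINS and int(nbytes) >= threshold:
            hits[sender.split("@", 1)[0]] = recipient
    return hits


def port_scanners(lines, ip_to_user, threshold=SCAN_PORT_THRESHOLD):
    """Map user -> target host where one source hit many distinct ports."""
    ports = defaultdict(set)
    for line in lines:
        _, src, dst, port, _ = line.split()
        ports[(src, dst)].add(port)
    return {ip_to_user.get(src, src): dst
            for (src, dst), seen in ports.items() if len(seen) >= threshold}


def build_poi_list(proxy=PROXY_LOG, mail=MAIL_LOG, fw=FW_LOG, ip_to_user=IP_TO_USER):
    """Merge the three detections into user -> [reasons]."""
    poi = defaultdict(list)
    for user, nbytes in large_uploaders(proxy).items():
        poi[user].append(f"uploaded {nbytes} bytes via proxy")
    for user, rcpt in personal_mail_senders(mail).items():
        poi[user].append(f"large attachment to personal address {rcpt}")
    for user, dst in port_scanners(fw, ip_to_user).items():
        poi[user].append(f"scan-like activity against {dst}")
    return dict(poi)


if __name__ == "__main__":
    for user, reasons in sorted(build_poi_list().items()):
        print(user, "->", "; ".join(reasons))
```

The output is a starting point for analyst review, not a verdict: each entry carries the reason it was added, so the list can be vetted against business context (a sanctioned cloud share, an authorized vulnerability scan) before anyone is treated as a person of interest.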

5. Document, Document, Document!!

You cannot over-document the initial stages of an insider threat program. Documentation ensures that your processes are repeatable, that your steps are methodical, and that the requirements for the next phase of your insider threat program are easily identified.

ACTION: Consider the following documentation as minimum requirements for your insider threat program:

  • Insider Threat program scope, objectives and stakeholders
  • Policies and standards that map to insider threat requirements
  • Technical control checklist
  • Information security awareness documentation
  • Data analysis list
  • Escalation and incident plan
  • Data collection planning

The solutions given so far are all steps that can be taken to build out your program's foundation.

Another valuable exercise is to create "Use Cases". A use case is a documented scenario that your company may have already experienced from a breach, or sees as a major threat or concern from an insider perspective. Examples could include:

Scenario 1:

An employee is terminated for poor performance. The employee has access to critical research and development files on the network; before the employee leaves the company he decides to copy 500 files to a USB drive.

Questions to ask:

What has been done to cut the employee's access? Can data in motion be tracked? What legal standing do we have to retrieve the data? How could this impact the company financially?

Scenario 2:

A financial analyst does not get the promotion he was hoping for. He becomes disgruntled and begins planning an exit from the organization. He begins sending home client lists to his personal email address with intention to solicit his clients from a competing financial organization.

Questions to ask:

Were there any signs the employee was becoming disgruntled? Did any of his work habits change? Can data in motion be tracked? What legal standing do we have to retrieve the data? How could this impact the company competitively and financially?
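To show what "can data in motion be tracked?" looks like once a use case is written down, here is an added Python example (not from the original post and not a Securonix product) for Scenario 1: it joins a constructed HR departure list with constructed endpoint events for writes to removable media, and flags a departing employee whose daily USB writes jump far above that employee's own pre-notice average. The event format, the HR feed, the ratio and the minimum file count are assumptions.

```python
"""
Added example (not from the original post): detecting the Scenario 1 pattern,
a departing employee copying hundreds of files to a USB drive, by correlating
a constructed HR departure list with constructed removable-media write events.
"""
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed HR feed: user -> (notice date, last working day)
DEPARTING = {
    "frank": (date(2024, 5, 6), date(2024, 5, 10)),
}

# Constructed endpoint events: (day, user, action, device, path)
EVENTS = []
# frank's ordinary pattern: three USB writes a day in the week before notice.
for day in range(1, 6):
    for n in range(3):
        EVENTS.append((date(2024, 5, day), "frank", "file_write", "usb",
                       f"/media/usb/report{day}_{n}.docx"))
# frank after notice: 500 R&D files to USB on his second-to-last day.
for n in range(500):
    EVENTS.append((date(2024, 5, 9), "frank", "file_write", "usb",
                   f"/media/usb/rnd/design_{n:03d}.cad"))
# grace is not departing and writes a few files the same day.
for n in range(4):
    EVENTS.append((date(2024, 5, 9), "grace", "file_write", "usb",
                   f"/media/usb/slides_{n}.pptx"))


def daily_usb_writes(events):
    """Count removable-media writes per (user, day)."""
    counts = Counter()
    for day, user, action, device, _ in events:
        if action == "file_write" and device == "usb":
            counts[(user, day)] += 1
    return counts


def departure_bursts(events, departing, ratio=5.0, min_files=50, grace_days=3):
    """
    Return (user, day, count, baseline) for departing users whose daily USB
    writes between the notice date and last day (plus grace_days) reach
    min_files and exceed ratio x that user's own pre-notice daily average.
    """
    counts = daily_usb_writes(events)
    per_user_days = defaultdict(dict)
    for (user, day), n in counts.items():
        per_user_days[user][day] = n

    alerts = []
    for user, (notice, last_day) in departing.items():
        days = per_user_days.get(user, {})
        before = [n for d, n in days.items() if d < notice]
        baseline = sum(before) / len(before) if before else 0.0
        window_end = last_day + timedelta(days=grace_days)
        for d, n in sorted(days.items()):
            if notice <= d <= window_end and n >= min_files and n > ratio * baseline:
                alerts.append((user, d, n, baseline))
    return alerts


if __name__ == "__main__":
    for user, day, n, baseline in departure_bursts(EVENTS, DEPARTING):
        print(f"{user}: {n} USB writes on {day} (pre-notice average {baseline:.1f}/day)")
```

Using the employee's own history as the baseline is what keeps grace's four files from generating noise while frank's 500 stand out; the same per-user baseline idea is what the "What next?" section below calls learning what "normal" looks like.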

What next?

So you are up and running with some of the foundational components of your insider threat program. What next? Next, you will need to begin thinking about collecting more data, applying a scoring methodology and building baselines to see what "normal" behavior looks like for the roles within your organization.

These tasks can be overwhelming at times, but with the right tools and guidance your program can and will be successful.

Consider engaging Securonix for a consultation on how their product suite can aid in your insider threat program; they have been helping some of the largest companies in the world create a more effective and robust insider threat program since 2008.

As your program matures, the volume of data that you take on while looking for insider indicators can become overwhelming. Securonix insider threat solutions available include:

  • Identity Intelligence
  • High Privileged Account Monitoring
  • Data Exfiltration Intelligence
  • Continuous Risk Monitoring

Reach out to Securonix for a free consultation on how our data analytics solutions can help you build out an insider threat solution customized to your organization.
