By Findlay Whitelaw, Senior Director, Insider Threat Program, Solution Engineering
Organizations worldwide are increasingly alarmed by the threats posed by insiders. Many organizations focus on protecting themselves against external and internal cyber threats, but insider risk specifically arises from individuals with legitimate access to sensitive organizational information, systems, and premises, whose actions can cause severe or material harm to organizations, whether unintentionally or maliciously.
Today’s business operations are highly interconnected and intensely reliant on technology, making cybersecurity a focus point for most organizations. Nevertheless, when it comes to risk management, threat intelligence, and security monitoring, insider threats extend beyond cybersecurity. While acknowledging that insider threats are often associated with cyber threats, insiders may intentionally or unintentionally disclose confidential information, steal IP, or compromise physical security measures. Some examples are negligent or malicious employees who violate organizational security policies or engage in fraudulent activity to steal or collude with external threat actors. However, the problem goes beyond this, with a broader scope involving personal and personnel security – a distinction I will explore further in this blog post.
A broader perspective on insider threats
Traditionally, insider threats have been associated with disgruntled employees intentionally causing harm to organizations, and more recently, the term has expanded to include cyber threats posed by internal actors, whether malicious, accidental, negligent, or compromised insiders. However, the threat landscape is evolving further, including more than just cyber risks, touching all departments and layers of hierarchy. These threats can be physical, for example:
- Theft or sabotage of equipment, inventory, or sensitive documents
- Physical damage to infrastructure, tampering, disabling, or manipulating equipment/systems
- Information leakage of confidential/sensitive information, for example, photographing or printing sensitive information
- Reputational, with inappropriate public or unethical behavior that damages organizations’ reputations or violates organizational policies
- Workplace violence, which includes physical harm, aggression, verbal abuse, harassment, or threats against co-workers, third parties, and customers
Personnel security vs. personal security: a critical distinction
For clarity and completeness, I want to explain what I mean by personnel security and how it differs from personal security. The two terms are often used interchangeably, which can cause confusion, but in the context of insider threats it is crucial to distinguish between them.
Personal security refers to the measures an individual takes to ensure their physical and digital safety. These measures often involve self-awareness and proactive steps, such as choosing unique passwords and being cautious of phishing attempts. Personal security measures also protect individuals’ lives, safety, and well-being within an organizational context. They could involve personal alarms, active shooter/threat emergency response plans, or hostile environment awareness training (HEAT) designed to prepare individuals for the potential risks and dangers in regions affected by conflict, political instability, natural disasters and other threats.
Conversely, personnel security focuses on safeguarding an organization’s assets such as people, property, and information. These include implementing protective measures to help organizations understand and manage the risk from threats posed by individuals within the organization, and minimizing the ability of individuals to cause harm. An example of a personnel security control is background screening, or pre-employment vetting checks that may look to verify candidates’ identities, criminal, credit, fraud checks, and assess an individual’s fitness and propriety for a role. Additional personnel security controls can also include (not exhaustive):
- Security information and event management (SIEM) and user and entity behavior analytics (UEBA) bolster personnel security by monitoring user activity, identifying suspicious behavior, and providing real-time alerts for potential security incidents
- Access controls ensure employees have least-privilege access, limited to the information and resources they need to do their job
- Security training and awareness programs empower individuals with the skills and knowledge to identify and mitigate potential security risks and threats
- Physical security controls prevent unauthorized access and maintain a safe environment of physical well-being (locking doors, securing areas, installing surveillance cameras)
- Security policies and procedures establish clear guidelines, standards, and protocols to minimize security threats
- Exit strategies ensure a smooth and secure transition, protecting the interests of both the departing individual and the organization
From a strategic standpoint, these two concepts need to work in harmony. Ensuring we understand the distinctions between personnel and personal security is essential to avoid setting inadequate security measures, particularly when building your insider threat program. Furthermore, if employees are educated about their personal security, it can significantly complement the broader personnel security efforts of the organization.
Progressive measures for managing insider threats
Given the expanding horizon of insider threats, organizations should explore progressive security strategies with opportunities to integrate, synergize and maximize their SIEM and UEBA technology. Here is a leading-edge strategy that may help you gain traction to embed a culture of security awareness and proactive protection measures in the context of personal and personnel security:
- Unify data collection: Integrating data sources beyond those from IT (for example, network traffic logs, firewall logs, application logs, DLP violations) fosters a comprehensive view of organizational activity, which SIEM systems excel at; layering UEBA capabilities on top identifies anomalies with more accuracy. Integrating and aggregating data from HR systems, legal case management, physical security systems, and more will offer a more holistic view of potential threats.
- Leverage advanced features of SIEM and UEBA: Correlation and anomaly detection capabilities of SIEM and UEBA can identify complex attack patterns, and UEBA can help baseline normal behavior and detect deviations. Unlike traditional rule-based systems, these capabilities, fed with logs and data from the other security tools and systems that address your organizational security risks, will reinforce detection and close gaps. Risk-boosting capabilities, for example watch lists or segmenting the populations of employees who can cause the most harm within an organization, applied across your insider threat policies, can help emphasize and prioritize alerts.
- Strengthen personal security awareness programs: Utilizing the centralized data of SIEM and UEBA gives visibility into individual actions on the network, which can be used to educate employees about how their actions impact overall security. Furthermore, machine learning in SIEM and UEBA can help identify risky behavior; these insights can inform personal and targeted security training and awareness programs that address individual weaknesses as well as team and departmental security cultures, thereby strengthening personal security and making it a tangible and understandable concept. This helps build a culture of accountability and good security practice.
- Proactive personnel protection: Integrating SIEM and UEBA capabilities provides a more granular level of user activity and network events; this can assist in detecting subtle signs of insider threats and can help identify potentially harmful actions before they result in causing significant harm. For example, detecting unusual data access, file transfers, or detecting potential phishing attacks can help protect individual employees from becoming victims and the subsequent consequences.
- Reinforce personnel security policies: The granular visibility of user activity that SIEM and UEBA provide can demonstrate that security protocols are being followed. An example could be confirming that users are changing their passwords and complying with the organizational password policy, or verifying that access to sensitive data aligns with defined roles and privileges. This can foster a culture of compliance and reinforce the importance of personal and personnel security to external parties, including auditors, regulators, and customers.
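To make the strategy above concrete, here is an added example (not code from the original post or from any SIEM/UEBA product) of the kind of correlation logic a detection engineer would build on top of unified data collection: IT file-access events, a physical badge feed and an HR feed are scored together per user, a UEBA-style daily download baseline flags unusual data transfers, access to a resource outside the user's defined role is flagged, after-hours physical and logical activity on the same day is correlated, and a watch list from HR boosts the final score so those alerts rise to the top. All users, resources, thresholds, weights and log lines are constructed for illustration.

```python
"""Cross-source insider-risk scoring: IT, HR and physical-security events
feed one prioritized risk score per user. Every value here is constructed."""
from collections import defaultdict
from datetime import datetime, time

# --- Constructed inputs (hypothetical users, resources and feeds) ----------
HR_FEED = {  # HR system: defined role, and whether the person is on a watch list
    "alice": {"role": "finance", "watch_list": False},
    "bob":   {"role": "engineering", "watch_list": True},   # e.g. on notice period
    "carol": {"role": "engineering", "watch_list": False},
}
RESOURCE_ROLES = {  # which role each sensitive resource is defined for
    "payroll_db": {"finance"},
    "source_repo": {"engineering"},
}
BASELINE_MB = {"alice": 40.0, "bob": 50.0, "carol": 45.0}  # learned MB/day per user
IT_EVENTS = [  # constructed DLP/file-access log: (user, resource, MB moved, timestamp)
    ("alice", "payroll_db", 35.0, "2024-05-06T10:12:00"),
    ("bob", "source_repo", 610.0, "2024-05-06T22:41:00"),
    ("carol", "payroll_db", 12.0, "2024-05-06T14:05:00"),
]
BADGE_EVENTS = [  # constructed physical-access log: (user, door, timestamp)
    ("bob", "server_room", "2024-05-06T22:30:00"),
    ("alice", "main_entrance", "2024-05-06T08:55:00"),
]
RESTRICTED_DOORS = {"server_room"}
VOLUME_MULTIPLIER = 3.0   # flag a day that moves more than 3x the user's baseline
WATCH_LIST_BOOST = 1.5    # risk-boosting factor for the HR watch list


def parse_ts(s):
    return datetime.fromisoformat(s)


def after_hours(ts):
    """True outside an assumed 07:00-19:00 working window."""
    return not (time(7, 0) <= ts.time() < time(19, 0))


def score_users(it_events=IT_EVENTS, badge_events=BADGE_EVENTS, hr_feed=HR_FEED,
                resource_roles=RESOURCE_ROLES, baseline_mb=BASELINE_MB):
    """Return {user: {"score": int, "reasons": [...]}} across all three feeds."""
    findings = defaultdict(lambda: {"score": 0, "reasons": []})
    after_hours_it_days = defaultdict(set)   # user -> dates with after-hours data access
    daily_mb = defaultdict(float)            # (user, date) -> MB moved that day

    for user, resource, mb, ts in it_events:
        t = parse_ts(ts)
        daily_mb[(user, t.date())] += mb
        if after_hours(t):
            after_hours_it_days[user].add(t.date())
        # Policy check: does the access align with the role HR has on record?
        role = hr_feed.get(user, {}).get("role")
        if role not in resource_roles.get(resource, set()):
            findings[user]["score"] += 30
            findings[user]["reasons"].append(f"{resource} accessed outside defined role {role}")

    # UEBA-style deviation from the user's own learned daily volume
    for (user, day), mb in daily_mb.items():
        base = baseline_mb.get(user, 0.0)
        if base and mb > VOLUME_MULTIPLIER * base:
            findings[user]["score"] += 40
            findings[user]["reasons"].append(f"{mb:.0f} MB on {day} vs baseline {base:.0f} MB/day")

    # Physical-security correlation: after-hours entry to a restricted area,
    # weighted more heavily when logical after-hours activity happened the same day
    for user, door, ts in badge_events:
        t = parse_ts(ts)
        if door in RESTRICTED_DOORS and after_hours(t):
            findings[user]["score"] += 10
            findings[user]["reasons"].append(f"after-hours badge into {door}")
            if t.date() in after_hours_it_days[user]:
                findings[user]["score"] += 20
                findings[user]["reasons"].append("physical and logical after-hours activity same day")

    # Risk boost from the HR watch list, applied last so it scales every finding
    for user, attrs in hr_feed.items():
        if attrs["watch_list"] and findings[user]["score"] > 0:
            findings[user]["score"] = int(findings[user]["score"] * WATCH_LIST_BOOST)
            findings[user]["reasons"].append("risk boosted: user on HR watch list")
    return dict(findings)


def prioritized_alerts(findings):
    """(user, score) pairs ordered by descending score; zero-score users omitted."""
    ranked = sorted(findings.items(), key=lambda kv: -kv[1]["score"])
    return [(u, f["score"]) for u, f in ranked if f["score"] > 0]


if __name__ == "__main__":
    results = score_users()
    for user, score in prioritized_alerts(results):
        print(user, score, "; ".join(results[user]["reasons"]))
```

With the constructed data, bob's large after-hours transfer correlates with an after-hours server-room badge swipe and is boosted by the HR watch list, so he ranks first; carol's payroll access surfaces as a role mismatch worth a lower-priority review; alice generates no alert. The weights are placeholders to be tuned against your own alert volume, and the HR and badge inputs are exactly the non-IT sources the unified-collection step calls for, handled here under the same privacy constraints that apply to the rest of the monitoring data.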
It should be noted that continuous tuning, revalidation, and optimizing SIEM and UEBA capabilities can help keep pace with the ever-evolving threat landscape and the changing dynamics of the organization. Furthermore, data collection and aggregation should be performed while respecting privacy laws and regulations and protecting personal information.
To truly capitalize on these advantages, it is important to have well-defined processes in place for monitoring alerts, investigating incidents, and responding to threats. However, SIEM and UEBA technologies can amplify the effectiveness of personal and personnel security measures by creating an environment of security-conscious, proactive protection and trust. This strategy leverages technology and harnesses the power of human elements in an organization’s security strategy.