Best Practices for Implementing an Insider Threat Program

During the last week of National Insider Threat Awareness Month, we’ll be talking about best practices for implementing an insider threat program. An organization may have the most effective strategy against external threats, but if it doesn’t pay the same attention to internal threats, it runs just as much risk of a breach or theft.

So, in addition to looking outside, a business must also look inside to detect potential threats. Internal threats can come from a variety of sources, including regular employees, contractors, partners, IT staff, and even executives. Most, if not all, already have some level of access and at least theoretically have the ability to steal data. That doesn't mean that all or even some of them will, but awareness and vigilance are the watchwords here.

This means organizations and cybersecurity personnel need a comprehensive strategy to manage the potential for insider threats. Here are some best practices that organizations can use to incorporate insider threats into their cybersecurity strategy.

1. Engage stakeholders

The first step is to launch your insider threat program by engaging with all stakeholders. This is a very critical step. Make sure you identify who the stakeholders of this program are, and include all key stakeholders such as HR, legal, operations, and so on. We see stakeholders being left out many times, so defining this from the start will make the program far more successful at understanding and respecting your organization's culture.

Government agencies and financial firms accept that insider risk is a problem. They have compliance rules. They know they have to watch that. The company, as a whole, understands this and that it is serious. It’s not a matter of trust. It’s a security check.

On the other side of the house, we work with high-tech companies. We talk about insider risk as a trust issue. It’s about not trusting your employees, not trusting your contractors, or other people you do business with from a third-party perspective. So it’s a spectrum. Understand culture and that culture matters.

Every organization has an internal risk problem. The key is to understand how you are going to communicate this program within your organization. How are you going to handle this? You don't want to be Big Brother. So this communication is super important.

2. Product Selection

The next step is product selection. Don't assume traditional approaches can solve the insider threat; it's quite a change of mentality and a different way of approaching the problem. You look at it from an internal point of view and from a contextual perspective. These are not transactions. There are many best practices on how you operationalize them. But even from a product selection perspective, it's really important that you look at some key things, and we encourage you not to look at your current platform and say, "I have a legacy rig and will just use it for insider risk."

It does not work. Many, many organizations have tried it and failed.

The key thing to consider from a product selection perspective is a platform that can really give you a unified view of security and risk. Unified is important because you want to bring in different parts and pieces. You don't want to go to a different platform to research behaviors. You don't want siloed analytics. You want a place where you consolidate all that data, run analytics, and get actionable results.

When we talk about actionable results, we are talking about prioritizing risk. So you know exactly that if that’s the risk and it’s a behavioral pattern that’s been triggered, your insider risk management team knows what to do from there. More importantly, as you mature, you can automate these controls, which is the end state we’re looking for.

3. Define threat indicators

Next, define your threat indicators. This is very, very important. Over the past 11 years, we have learned a lot about this, and we have best practices on the threat indicators that give you the most value. HR attributes play a key role here, so it is important to have that partnership from the start, and of course the controls that keep confidential information from being seen by anyone without a need to know must also be integrated into the platform.

Internal threat indicators are very different from indicators of compromise for external cyberattacks. In an external attack, you're looking for things like communication with newly created or known malicious URLs and domain names. Insiders don't use these kinds of tactics to carry out their bad behavior. Instead, you might look for behavioral conditions such as:

  • Working odd hours
  • Working from unusual locations
  • Connecting from two locations at the same time
  • Frequent unsuccessful login attempts
  • Attempting to access systems or data outside of the employee's scope of work
  • Copying, downloading, deleting or modifying large amounts of data

This is where it is useful to work with different stakeholders to understand what is unusual or unacceptable in employee behavior. Although threat indicators should be specific to your own business, Gurucul has a list of indicators that can bring you the most value.
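As an added illustration (not Gurucul's code), here is how four of the indicators above can be checked over a constructed batch of login and file-copy events; the event format, site names and thresholds are assumptions you would tune with HR and the business.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): (user, timestamp, site, event, detail).
# For "copy" events, detail is megabytes copied; for logins it is "ok" or "fail".
EVENTS = [
    ("alice", "2024-03-04 09:12", "nyc", "login", "ok"),
    ("alice", "2024-03-04 09:20", "nyc", "copy", "120"),
    ("bob",   "2024-03-04 02:45", "home", "login", "ok"),   # odd hours
    ("bob",   "2024-03-04 02:50", "home", "copy", "9000"),  # bulk copy
    ("carol", "2024-03-04 10:00", "nyc", "login", "ok"),
    ("carol", "2024-03-04 10:10", "sgp", "login", "ok"),    # second site minutes later
    ("dave",  "2024-03-04 11:00", "nyc", "login", "fail"),
    ("dave",  "2024-03-04 11:01", "nyc", "login", "fail"),
    ("dave",  "2024-03-04 11:02", "nyc", "login", "fail"),
    ("dave",  "2024-03-04 11:03", "nyc", "login", "fail"),
    ("dave",  "2024-03-04 11:04", "nyc", "login", "fail"),
]

# Assumed thresholds; a real program would agree these with HR and the business.
WORK_HOURS = range(7, 20)       # logins outside 07:00-19:59 count as odd hours
FAIL_THRESHOLD = 5              # failed logins per user before flagging
BULK_MB = 5000                  # copy volume (MB) that counts as bulk
CONCURRENT_WINDOW_S = 3600      # two sites within an hour = "two locations at once"

def evaluate(events):
    """Return {user: set of indicator names} for the indicators listed above."""
    hits = defaultdict(set)
    fails = defaultdict(int)
    last_login = {}             # user -> (time, site) of the last successful login
    for user, ts, site, event, detail in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if event == "login":
            if t.hour not in WORK_HOURS:
                hits[user].add("odd_hours")
            if detail == "fail":
                fails[user] += 1
                if fails[user] >= FAIL_THRESHOLD:
                    hits[user].add("repeated_failed_logins")
                continue
            prev = last_login.get(user)
            if prev and prev[1] != site and (t - prev[0]).total_seconds() <= CONCURRENT_WINDOW_S:
                hits[user].add("concurrent_locations")
            last_login[user] = (t, site)
        elif event == "copy" and int(detail) >= BULK_MB:
            hits[user].add("bulk_data_copy")
    return dict(hits)
```

Calling `evaluate(EVENTS)` flags bob, carol and dave and leaves alice untouched; the rules are deliberately simple so that stakeholders can read and challenge each threshold.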

4. Link information between multiple data sources

The next step in your insider threat program is to link information from multiple data sources to a single identity. Building that context together across different systems, looking at a user’s access activity, all of the alerts, creating that holistic view and tying it together is important. You can’t use correlation rules because they don’t give you the greatest efficiency – the rules are very basic. You want to use, and the platforms must have, a link analysis capability. You want to see who has built-in link analysis algorithms to give you the most efficiency in linking all that data together and creating that context.
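An added example, not part of the original post or of any Gurucul product, of the linking step: records from HR, Active Directory, VPN, DLP and SIEM sources are merged into one identity whenever they share an identifier, and the alerts from every source are pooled under that identity. The source names, field names and records are constructed.

```python
from collections import defaultdict

# Constructed records from several sources (not real data). Each source knows only
# some identifiers for a person; linking happens through the ones they share.
RECORDS = [
    {"source": "hr",   "employee_id": "E100", "email": "a.smith@corp.example"},
    {"source": "ad",   "sam": "CORP\\asmith", "email": "a.smith@corp.example"},
    {"source": "vpn",  "vpn_user": "asmith", "sam": "CORP\\asmith"},
    {"source": "dlp",  "vpn_user": "asmith", "alert": "bulk_upload"},
    {"source": "siem", "sam": "CORP\\asmith", "alert": "failed_logins"},
    {"source": "hr",   "employee_id": "E200", "email": "b.jones@corp.example"},
    {"source": "ad",   "sam": "CORP\\bjones", "email": "b.jones@corp.example"},
    {"source": "siem", "sam": "CORP\\bjones", "alert": "odd_hours"},
]
LINK_KEYS = ("employee_id", "email", "sam", "vpn_user")  # fields that can tie records together

def find(parent, x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def link_identities(records=RECORDS):
    """Merge records that share any identifier into one identity and pool their alerts."""
    parent = {i: i for i in range(len(records))}
    seen = {}                                   # (key, value) -> index of first record with it
    for i, rec in enumerate(records):
        for key in LINK_KEYS:
            if key in rec:
                tag = (key, rec[key])
                if tag in seen:
                    parent[find(parent, i)] = find(parent, seen[tag])
                else:
                    seen[tag] = i
    identities = defaultdict(lambda: {"ids": set(), "alerts": []})
    for i, rec in enumerate(records):
        ent = identities[find(parent, i)]
        ent["ids"].update((k, rec[k]) for k in LINK_KEYS if k in rec)
        if "alert" in rec:
            ent["alerts"].append(rec["alert"])
    # Name each identity by its HR employee_id when one was linked, else mark it unlinked.
    out = {}
    for root, ent in identities.items():
        emp = next((v for k, v in ent["ids"] if k == "employee_id"), f"unlinked-{root}")
        out[emp] = ent
    return out
```

The DLP alert keyed only on a VPN username and the SIEM alert keyed only on a SAM account both end up under employee E100, which is the holistic view a flat correlation rule on a single field would miss.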

5. Establish a baseline of behavior

Now your insider threat process needs a baseline. You want to establish behavioral baselines for all of your users and entities, not just insiders. You want to look at their peer groups and their machines, and at the other machines in that peer group, build a baseline of normal behavior for each, and look for deviations to identify where the anomalies are. And it doesn't stop there. This is not just abnormal behavior; it is risky and abnormal behavior that we're looking for.
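As an added example (not Gurucul's algorithm), the following scores each user's latest daily download volume against both their own baseline and their peer group's baseline, and then weights the deviation by an assumed group risk so that "risky and abnormal" ranks above merely abnormal. The volumes, peer groups and risk weights are constructed.

```python
import statistics

# Constructed daily download volumes in MB (not real data). Each list holds a
# nine-day baseline followed by "today" as the last value.
DAILY_MB = {
    "alice": [40, 55, 38, 60, 45, 50, 42, 48, 52, 47],
    "bob":   [35, 42, 50, 38, 44, 41, 39, 45, 43, 900],     # spike today
    "carol": [60, 58, 62, 65, 55, 59, 61, 63, 57, 64],
    "dave":  [400, 420, 380, 450, 410, 390, 430, 405, 415, 440],
    "erin":  [380, 410, 395, 405, 420, 390, 400, 415, 385, 1300],  # spike today
}
# Assumed peer groups (from HR) and an assumed risk weight per group based on the
# sensitivity of the data that group handles.
PEER_GROUP = {"alice": "finance", "bob": "finance", "carol": "finance",
              "dave": "engineering", "erin": "engineering"}
GROUP_RISK = {"finance": 3.0, "engineering": 1.0}

def zscore(value, history):
    """Standard deviations between value and the mean of history."""
    sd = statistics.pstdev(history) or 1.0       # guard against a flat baseline
    return (value - statistics.mean(history)) / sd

def score_users(daily=DAILY_MB, groups=PEER_GROUP, risk=GROUP_RISK, z_threshold=3.0):
    """Flag users whose latest day deviates from both their own baseline and their
    peer group's, then weight by group risk so risky-and-abnormal ranks first."""
    peer_hist = {}                                # group -> everyone's baseline days
    for user, group in groups.items():
        peer_hist.setdefault(group, []).extend(daily[user][:-1])
    flagged = []
    for user, values in daily.items():
        today, own_hist = values[-1], values[:-1]
        z_self = zscore(today, own_hist)                  # unusual for this user?
        z_peer = zscore(today, peer_hist[groups[user]])   # unusual for the peer group too?
        if z_self > z_threshold and z_peer > z_threshold:
            flagged.append((user, round(min(z_self, z_peer) * risk[groups[user]], 1)))
    return sorted(flagged, key=lambda r: r[1], reverse=True)
```

Dave's 440 MB is large in absolute terms but normal for engineering, so he is not flagged; bob and erin both deviate, and bob ranks first because finance carries the higher risk weight.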

6. Monitor and react

The next point of insider threat program maturity is monitoring and responding to suspicious or disruptive behavior. This is the key. We've seen many companies struggle with this. Everyone goes in with the right frame of mind to solve this problem, but this process is a lifestyle change. It's a different way of looking at things. You want to put the right response mechanism in place, build the right playbooks, and have the right governance committee in place to operationalize it. To have an effective insider threat program, you need to make all of these elements work, and you need to be able to continuously review the results and provide feedback.

With this feedback, Gurucul's machine learning algorithms adjust as they learn, and you get higher-efficiency results. The good news is that a good platform should give you very few alerts every day.

If you are talking about a company with 10,000 employees or insiders, you should receive about a hundred alerts per month, or about 3 per day. That’s very few alerts compared to signature-based platforms. That’s the advantage of a machine learning-based insider threat product like Gurucul’s.

7. Operationalize

Finally, operationalizing your insider threat program is critical to ensuring the success of the entire program. You need to make sure all the above steps are working properly and then continuously review the results and provide feedback. The loop around the steps “establish baseline, monitor and respond, and operationalize” should be constant and should evolve with your business and your risks.

Learn more

Defining and using best practices is necessary to put the entire company in a healthy position to identify and respond to insider threats. Gurucul's analytics-based SIEM and UEBA products, with advanced analytics and machine learning models, can help IT staff develop a comprehensive insider threat identification and protection program.

The post Best Practices for Implementing an Insider Threat Program appeared first on Gurucul.

*** This is a Security Bloggers Network syndicated blog from Blog – Gurucul written by Jane Grafton. Read the original post at:

Ryan H. Bowman