Experts: Thwarting Insider Threats Takes A Holistic Approach

Insider threats, whether they are foreign spies, disgruntled employees or  embezzlers, can’t be stopped with software alone, experts at a cyber security summit recently warned. The last step a company trying to protect its intellectual property should take is installing new computer programs.

“Look at the impact that the Snowdens and the Mannings have,” said Michael Madon, vice president and general manager of RedOwl Analytics. “Part of the challenge we have — [as] the leadership — is to inform and create a holistic program.”

An insider threat is one that comes from within an organization — perpetrated by a person with access to information such as company data and security practices. There are several categories. There are foreign agents out to steal secrets. There are workers leaving for a new job that abscond with valuable data or are angry enough at management to vandalize systems. Some are simply greedy and engage in embezzlement.

While outside hackers make all the headlines, they only comprise 40 percent of data breaches, said Mike Crouse, director of insider threat strategy at Raytheon Cyber Products. The remaining 60 percent are insiders.

But software is not a cure-all, he added. Firewalls and detection systems don’t fix everything without a solid foundational program for preventing, exposing and handling threats.

“We’re not advocating you go out and spend money. It’s not that I want you to go out and buy all these new technologies,” Crouse said.

 It could be as simple as using data that is already there, he added.

Panelists said buying software should be the last step in a multi-faceted approach to targeting insider threats.

Privileged users, those who have been granted exclusive access to data within a company, are a major concern for organizations. Those given that status should be monitored closely because they have “exceptional access to the data,” said Larry Knutsen of the Laconia Group, a national security consulting service.

Daniel Velez, director of insider threat programs at Raytheon Cyber Products, said that there is an unsettling lack of concern toward insider threats among organizations and their leadership.

According to a Raytheon chart, “Building a Modern Insider Threat Program,” 51 percent of employees feel it’s acceptable to take corporate data because their companies don’t strictly enforce policies, and 37 percent have shared data without permission from their employers.

Because leaders often focus on perimeter safety measures to thwart outside hackers, they miss what is happening on the inside, Madon said.

For this reason, it is important to change company culture, Crouse said.

“I want to pop up windows. I want to make sure everybody knows … that [they’re] being audited and monitored — that we have different technologies in place,” he added.

If a company increases the strength of one of those forms of protection, it can’t lessen others, Madon said.  “Putting up one system isn’t going to cut the mustard.”

Velez said: “You can’t watch everybody all the time, doing everything.”

A lot of combating insider threats comes down to deciding to monitor and protect whichever data is most at-risk.

“You have the … passive auditing and monitoring versus deterrence, and it’s kind of a double-edged sword,” Crouse said.

Executives often skirt a comprehensive insider threat program because of a combination of five things: denial, lack of guidance, complexity, funding and not knowing of the problem, the Raytheon chart said.

In order for them to put such a system in place, they have to be shown the bottom line, Madon said.

“The hard thing about it is actually measuring and quantifying what those breaches cost.  That is one of the biggest things we’ve noticed over the past years,” Crouse said.

Velez provided a nine-step system for creating a successful insider threat program: Establish a formal program; create a business case; assemble a team and involve stakeholders; educate all parties involved; incorporate governance; and document all possible information. Lastly comes the technology, he said.

After the initial steps, the auditing and monitoring solution can be selected and then fully implemented.

Velez added: “All these preventive measures are more important even than the detection.”
Detecting and handling threats after they’ve been exposed are just some of many parts of the process overall, Velez said. 

“All too often, my old boss used to say, ‘They come to me when the baby is dead,’” he said. “Preventive medicine goes a long way.

“The tools should adapt to the program,” he added. Without an insider threat program foundation, the software can only do so much.

“The technology here is going to support [the] program,” he said.

The hardest part, however, is getting leaders to see the necessity in creating this underlying system, panelists agreed.

Topics: C4ISR, Cybersecurity