Insider Threats: Business Process Failures on Cyber Security's Shoulders
Many Insider Threat Programs (InTP) are missing a critical component in today's business environments resulting in increased risk and exposure
By: Donovan Risk
To illustrate some of these gaps in InTPs, I asked security expert Eric Lackey, Principal Advisor for Insider Threat Program Management at Flashpoint, what he thought. "One of the greatest challenges I see with organizations who are developing insider threat programs is they fail to effectively plan the implementation of the program itself. Many organizations go straight into launching an insider threat program by simply implementing detection and response efforts, without ever engaging the organization's stakeholders. The stakeholders hold the key details as to what the 'crown jewels' of the organization truly are, and if you're not developing an understanding of those critical assets then your insider threat program is going to be much less effective." Eric continued, arguing that unless a company understands its own business, "The detection efforts are going to be hindered by countless false positives on alerts by applying the same risk standards without respect to the criticality of the data itself. At the same time, I often see those same stakeholders operating in silos and failing to integrate the necessary controls to protect their data. This is often because they either don't understand the threats that exist, or how to mitigate the risk by working with information security management to implement effective controls that allow them to operate without hindrance while protecting the assets."
An objective of information security is to protect the confidentiality, integrity, and availability of information in line with the business processes that depend on it to function effectively and efficiently. Information security also protects the confidentiality of sensitive information so that a data breach does not damage the organization's reputation, leading to lost revenue and customer trust, regulatory exposure, and ultimately harm to the bottom line.
Loss, unauthorized access, theft – and compliance – are the predominant concerns, but most companies struggle to protect what they cannot manage or locate. The result is large sums of money and resources directed at building walls and moats around the organization to protect data from loss and disclosure.
Think for a moment about the Game of Thrones series, or any set-piece battle waged in a historic or fantasy setting. Even lay armchair military strategists will scream at the television, "FLANK THEM!" If you have a dragon, go over. Maybe find a back door. In Game of Thrones, the most devastating treachery against those holding power comes from deceit and attacks by insiders. In the cyber realm, many headline breaches similarly did not involve exploitation of the core frontline technological defenses. Attackers went around the conventional defenses, and often came from within.
So why are business processes left out in information security solutions that focus only on technology?
In evaluating the efforts to prevent the loss of sensitive information because of theft or inadvertent disclosure, most would agree that information security technology can address only a small portion of the issues associated with information risk. Upon close assessment of recent information security breaches, it is clear that information security technology does not reduce information risk if violations and errors from human factors (or humanistics)
But this is neither a brilliant new deduction nor a provocative statement to the information security industry. The challenge is pinpointing the missing link: the "it" of information security, expressed as a consistent methodology and an operationalized framework.
Mostly, information security fails when it treats risk mitigation primarily as a technical problem. In its efforts to protect information by restricting access and making complex demands on users, prophylactic technical measures typically disrupt business processes and the natural transactional flow of information within the organization. To get around those cumbersome demands, business units create workarounds that negate the InfoSec controls, which in turn results in compliance gaps and security loopholes. Approaches such as Enterprise Information Management or Information Governance, which establish who actually owns the content, are rarely brought to the forefront of information security plans.
Think about the challenges of ERP systems when CIOs unilaterally bought the solution and then began enterprise rollouts. The results were predominantly failures, because the implementations failed to consider the complex business nuances affected. In subsequent implementations that considered the business processes and involved business stakeholders, the ERP rollout achieved much better results. Where ERP initiatives and business unit collaboration took the time to reengineer and improve processes, the implementations actually improved productivity and bottom-line results.
I recently led a GDPR data mapping initiative for a large financial institution. When comparing notes between the technical managers and the business owners, many on the business side had ignored the security architecture plans and had allowed haphazard processes that created extensive personal information risk.
Information security today faces many of the same challenges ERP did nearly 20 years ago. Companies are locked in on technological contrivances and on reducing the probability of adverse events from known risks with those moats and walls, rather than centering on the process aspects: reducing consequences and enhancing operational continuity and resilience so that undesired incidents of information loss can be managed, responded to, and mitigated.
The "it" for IT Security
Insider Threat Programs may not be a one-size-fits-all solution, but they can help drive better approaches to Information Risk Management (IRM) that both transform and accelerate the value of information while protecting the data itself. The approach should involve a strategic roadmap to achieve better collaboration and communication across the enterprise, based on a maturity model and an identified or ideal optimal future state. As information security and content management experts know, IT systems are supposed to make organizational information use, transmission, storage, tracking, and retention more efficient, not drag the company down into a morass of process inefficiency. It is therefore important to guide IRM so that it is applied to Intellectual Property (IP) such as Trade Secrets, Personally Identifiable Information (PII), Protected Health Information (PHI), and data subject to Payment Card Industry requirements. Similarly, it should leverage appropriate tools to simplify the complexities of unpredictable human behavior and the challenge of navigating enormous amounts of data. Jazz Networks, winner of US Cyber Command's insider threat competition, has been notable as a provider of user behavior analytics and data loss prevention software aimed at preventing exactly these kinds of insider threats and inadvertent data leakage.
According to Jazz Networks' Jeff Roy, VP Global Sales Engineering, "Looking for traits and behaviors of previous attacks or leaning too heavily on systems based on pattern detection and signatures isn't enough coverage to stop all kinds of attacks or negligent behavior. To make Insider Threat programs work, it's necessary to also collect and analyze user data in real-time, and that comes with a big data challenge. When you're navigating millions of data records, your security technology needs to help you access pertinent details quickly so that action isn't delayed."
Some highlights of injecting IRM into the Insider Threat Program process are:
• RISK - Identifying the information risks based on evaluating content and critical business information with the participation of the information owners, stewards, and other business information resources. This includes identifying sensitive data within structured and unstructured formats and developing guidance for data repository examination and access audits.
• COMPLIANCE - Identifying and validating legal and regulatory compliance demands and establishing a crosswalk analysis for optimal coverage and reduction of redundant controls.
• BUs - Optimizing business processes by linking information security standards to the different business functions, such as legal, finance, human resources, facilities, and management, to create greater information value and efficiency.
• BUDGET MATURITY - Prioritizing interests to balance impact, standards, coverage expense, and controls, where the focus is on business risks and not on the latest technology or the bells and whistles now being marketed.
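Two of the points above are concrete enough to show in code: the RISK item (finding sensitive data in both unstructured text and structured repositories, then auditing access to it) and Eric Lackey's observation that applying one risk standard to every alert, without regard to the criticality of the data, buries the program in false positives. The following is an added example written for this article, not code from Donovan Risk, Flashpoint or Jazz Networks. Every repository name, owner, criticality rating, sample ticket text and access event in it is constructed for illustration; the Luhn check and the SSN format rules are the standard public ones.

```python
"""Criticality-aware data discovery and access-event scoring (toy).
Added example, not code from Donovan Risk, Flashpoint or Jazz Networks.
Repository names, owners, criticality ratings, sample text and events are
all constructed for illustration (hypothetical)."""
import re

# ---- 1. Unstructured content: find PII by pattern, then validate ------------
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card number: 13-16 digits with optional single space/dash separators.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> dict:
    """Return {category: [matches]} for PII found in free text."""
    found = {"ssn": SSN_RE.findall(text), "pan": []}
    for candidate in CARD_RE.findall(text):
        digits = re.sub(r"[ -]", "", candidate)
        if luhn_ok(digits):     # drops ticket numbers and mistyped PANs
            found["pan"].append(digits)
    return {k: v for k, v in found.items() if v}

# ---- 2. Structured content: classify by column name ------------------------
# Each hint is a tuple of tokens that must all appear in the column name.
COLUMN_HINTS = {
    "ssn": [("ssn",), ("social", "security"), ("national", "id")],
    "pan": [("pan",), ("card", "number"), ("cc", "num")],
    "phi": [("diagnosis",), ("icd10",), ("mrn",)],
}

def classify_columns(columns) -> dict:
    """Map column names to sensitivity categories using whole-token hints,
    so 'company' is not flagged merely because it contains 'pan'."""
    hits = {}
    for col in columns:
        tokens = set(re.split(r"[^a-z0-9]+", col.lower())) - {""}
        for category, hints in COLUMN_HINTS.items():
            if any(set(h) <= tokens for h in hints):
                hits.setdefault(category, []).append(col)
    return hits

# ---- 3. Access audit: weight raw signals by owner-assigned criticality -------
# Constructed catalog. Criticality (1-5) and owning business unit are supplied
# by the data owners/stewards; the security tool cannot infer them by itself.
CATALOG = {
    "hr_payroll_db":    {"criticality": 5, "owner_bu": "HR"},
    "cardholder_vault": {"criticality": 5, "owner_bu": "Finance"},
    "marketing_blog":   {"criticality": 1, "owner_bu": "Marketing"},
}
BULK_ACTIONS = ("export", "bulk_download")
ALERT_THRESHOLD = 60

def flat_rule_alerts(events) -> list:
    """The naive rule: every bulk export is an alert, whatever was exported."""
    return [e["user"] for e in events
            if e["action"] in BULK_ACTIONS and e["rows"] >= 1000]

def score_event(event) -> tuple:
    """Score 0-100 from data criticality, role fit and volume -> (score, reasons)."""
    entry = CATALOG.get(event["repo"], {"criticality": 3, "owner_bu": None})  # unknown repo: assume medium
    score = entry["criticality"] * 10
    reasons = [f"criticality={entry['criticality']}"]
    if entry["owner_bu"] and event["bu"] != entry["owner_bu"]:
        score += 20
        reasons.append("access from outside owning BU")
    if event["action"] in BULK_ACTIONS and event["rows"] >= 1000:
        score += 30
        reasons.append("bulk export")
    return min(score, 100), reasons

def triage(events, threshold=ALERT_THRESHOLD) -> list:
    """Events at or above the threshold, highest score first: (score, reasons, event)."""
    alerts = []
    for e in events:
        score, reasons = score_event(e)
        if score >= threshold:
            alerts.append((score, reasons, e))
    return sorted(alerts, key=lambda t: -t[0])

# Constructed sample data (not real records).
SAMPLE_TEXT = ("Ticket #4412: customer 078-05-1120 paid with 4111 1111 1111 1111; "
               "phone 555-123-4567. Old note: 4111 1111 1111 1112")
SAMPLE_EVENTS = [
    {"user": "mkt_editor",  "bu": "Marketing", "repo": "marketing_blog",   "action": "export", "rows": 5000},
    {"user": "fin_analyst", "bu": "Finance",   "repo": "cardholder_vault", "action": "read",   "rows": 5},
    {"user": "hr_temp",     "bu": "HR",        "repo": "cardholder_vault", "action": "export", "rows": 25000},
]

if __name__ == "__main__":
    print("unstructured:", find_sensitive(SAMPLE_TEXT))
    print("structured:  ", classify_columns(["customer_id", "ssn", "company", "Card_Number", "diagnosis_code"]))
    print("flat rule alerts on:", flat_rule_alerts(SAMPLE_EVENTS))
    for score, reasons, e in triage(SAMPLE_EVENTS):
        print(f"weighted alert {score:3d} {e['user']:<12} {e['repo']:<17} {', '.join(reasons)}")
```

On the constructed events, the flat rule fires on both bulk exports, including the marketing editor exporting the company blog, which is exactly the kind of alert that trains analysts to ignore the queue. The weighted score leaves that event at 40 and the finance analyst's routine read of the card vault at 50, and surfaces only the HR temp's bulk export from a repository their business unit does not own (100). The numbers that make this work, the criticality ratings and owning business units in CATALOG, are what the stakeholder engagement Lackey describes has to produce; no scanner can guess them.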
The key to impactful information security strategies depends upon a company's ability to understand its own unique information protection needs and its ability to observe and manage associated employee behaviors and workflow needs in an insightful way: a way that works for those employees and workflows, not against them.
Within the broader category of Enterprise Risk Management, a company should look holistically at what may adversely affect the organization. That includes technology, with the understanding that technology alone is not focused enough to effectively address the information risk and human factor elements that relate to insider threats. A mature Insider Threat Program, as its own discipline, can help companies specifically concerned with getting their arms around potential information loss or unauthorized access, and the associated corporate risks, beyond the technology approach alone.
By adding the InTP process to Enterprise IRM, together with the complementary approaches of information management, content management, and information governance, organizations can further protect hidden or disparate data structures. With a more business-centric approach to InfoSec, significant resources and money can be redirected toward more focused risk identification, management, and self-audit, an approach that goes beyond building the conventional and predictable safeguards that protect data from loss and disclosure. It is an approach that hampers an adversary to the point of moving on to a weaker target, one less capable of managing its information risk. One that isn't your company.
I can't think of a C-suite executive or board of directors who wouldn't support that.
Author: Scott Swanson, Managing Director, DONOVAN RISK, an Insider Threat Consultancy