Step 4 of 5 to Quantifying Insider Risk

by Mike Tierney | Feb 11, 2017

Align Risk Levels to Everyday Controls

At a very high level, the risk scores equate to how much potential exposure the organization sees in the position, department, or individual. Because a successful insider attack will result in harm to the organization, the appropriate response is to watch for signs of elevating insider risk (metastasizing into threat), using a level of scrutiny aligned to the risk level. In general, those with a lower level of risk only need to be monitored with a level of scrutiny that looks for leading indicators of elevating risk. Those posing a higher level of risk need to be monitored far more carefully, with an ability to rapidly review their actions in detail if necessary.

You should group your assigned risk scores into two or more categories that correspond to implementations of the following technical controls (more detail on how to best take advantage of each of the technologies below is provided in the Guide’s Epilogue):

Lower-Risk Everyday Control – User Behavior Analytics

While those determined to pose a lower level of risk (as determined by the outcome of your Assigning Risk process) appear to be of no significant threat to the organization, it is critical to remember that risk can shift without warning, making it necessary to – at a minimum – analyze their behavior to proactively detect if the low-risk individual one day poses a higher risk based on leading threat indicators.

User Behavior Analytics (UBA) watches both an individual’s interaction with company resources and their communications, baselining what is considered “normal” in order to detect anomalies that suggest an insider threat. Using a combination of machine learning algorithms, data science, and analytics, UBA can quickly identify when an employee is demonstrating behaviors synonymous with malicious insiders – or if an external actor intent on harming the organization has compromised the credentials of the employee.

Higher-Risk Everyday Control – User Behavior Analytics + User Activity Monitoring

For those demonstrating higher levels of risk, the organization needs to collect and maintain a system of record of their activity, while mining that activity for signs of insider threat. Employing UBA with a tighter sensitivity around anomalies makes

UAM provides the organization with the ability to record, alert on, and review insider activity. To demonstrate how UAM provides value, let’s re-use the example of the Accounts Payable person in a construction company pulling a list of customers. With UAM, someone in IT or Security could be notified when an export of details is run within the AP application. A review could then be performed by playing back the activity in detail before, during and after the export to see why the insider (now a POI) pulled the list of contractors and what they did with it.

It’s this context that allows organizations to understand the intent of the employee. If it was found that the AP employee copied the exported data to a USB drive with no evidence of any request for it on the part of any superior in the company, you know you have an insider threat action. But if an email was received prior to the export from the CFO wanting to run an analysis on the data, and the export itself was printed out, it becomes clear it was an action taken as part of doing their job.

Aligning Controls to Risk Levels

We’ve provided just two types of controls. But, based on organizational need and the chosen solution(s), you may desire to take your assigned risk scores and group them into more than just two control levels. It’s important to consider the capabilities of your chosen UBA and UAM solution(s), with an eye towards making sure they deliver the ability to:

  1. Analyze – the activity and behaviors in your organization,
  2. Detect – meaningful events or shifts that suggest imminent risk,
  3. Prioritize – where your focus should be by presenting only meaningful information without contributing to ‘over-alert syndrome’, and
  4. Respond – effectively and efficiently, without significant strain on the organization’s people and resources.

For example, you may have three control levels, representing those the organization deems are a low threat, those of medium risk that have access to some valuable – but not critical – data, and those of high risk with access to sensitive, confidential data.

There will need to be some work done to align the specific features of UAM and UBA solutions back to the risk-mitigating intent of each of the risk levels. It’s this alignment that will help both in choosing the correct solution(s) and in establishing the right number of control levels.
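As an added example (not code from the guide or any vendor product), the following Python sketches the two ideas above: mapping an assigned risk score to a control level, and the UAM-style contextual review of the Accounts Payable export scenario, where a prior request from a superior plus a printout reads as job function while a USB copy with no request reads as an insider threat action. The score thresholds, event names and timelines are constructed assumptions.

```python
# Assumed score bands (not from the guide): tier name, minimum score, everyday controls.
CONTROL_LEVELS = [("low", 0, ("UBA",)), ("medium", 40, ("UBA",)), ("high", 70, ("UBA", "UAM"))]

def control_level(score):
    # Highest band whose minimum the score meets; falls back to the lowest band.
    return max((lvl for lvl in CONTROL_LEVELS if score >= lvl[1]), key=lambda l: l[1], default=CONTROL_LEVELS[0])

def review_export(events, window=3600):
    # UAM-style playback: for each export, look back for a request and forward
    # for what happened to the data. Events are constructed (ts_seconds, user, action) tuples.
    ordered = sorted(events)
    verdicts = []
    for i, (ts, user, action) in enumerate(ordered):
        if action != "export":
            continue
        before = {a for t, _, a in ordered[:i] if ts - t <= window}
        after = {a for t, _, a in ordered[i + 1:] if t - ts <= window}
        if "usb_copy" in after and "email_request" not in before:
            verdict = "insider_threat_action"    # exported, then copied to USB, no request seen
        elif "email_request" in before and "print" in after and "usb_copy" not in after:
            verdict = "authorized_job_function"  # requested by a superior, output kept in-house
        else:
            verdict = "needs_analyst_review"     # ambiguous context: play back the session
        verdicts.append((ts, user, verdict))
    return verdicts

def triage(score, events):
    # Apply the tier's everyday controls: UAM tiers get contextual export review,
    # UBA-only tiers just raise an anomaly flag when an export happens at all.
    tier, _, controls = control_level(score)
    if "UAM" in controls:
        return tier, review_export(events)
    return tier, [(t, u, "uba_anomaly_flag") for t, u, a in events if a == "export"]

# Constructed sample timelines for the Accounts Payable scenario (timestamps in seconds).
SUSPICIOUS = [(100, "ap_clerk", "export"), (400, "ap_clerk", "usb_copy")]
AUTHORIZED = [(50, "ap_clerk", "email_request"), (100, "ap_clerk", "export"), (300, "ap_clerk", "print")]

if __name__ == "__main__":
    print(triage(85, SUSPICIOUS))  # high tier: contextual verdict from UAM playback
    print(triage(20, SUSPICIOUS))  # low tier: UBA anomaly flag only
```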