Establishing a Foundation and Building an Insider Threat Program

Author: Kara Nagel, CISA, CRISC, CISSP
Date Published: 14 October 2021

Establishing a brand new process, function or program can be daunting. Some of the challenges include determining where to start, researching whether it has been done successfully in the past and, if it has, discovering the best practices and frameworks that can be used as a starting point.

The concept of insider threat is not new, and it is highly likely that many of the core capabilities that constitute an insider threat program may already be implemented within most organizations. However, it is beneficial for IT professionals to understand how to take a methodical approach to establishing an insider threat program in their organization.

Program Component Research and Capability Maturity Analysis

The first step is determining what constitutes a mature insider threat program and what a successful program would look like. By combing through industry frameworks and best practices,1,2,3 more than 50 controls and components spanning program, technical and process topics can be identified (figure 1). A maturity analysis can show which processes and capabilities might already exist that can be tapped into as part of a cohesive insider threat program. Combined with the definition of a successful program, this research provides the appropriate starting point. Understanding an organization’s current coverage can serve as a strategy road map, highlighting the program, process and technical capabilities that may require further development. Understanding the capabilities that already exist and those that are missing will also highlight the key functions that need to be actively involved when shaping this program.


Defining Insider Threats

Before proceeding with any new process or control implementation based on the maturity analysis, insider threat, as it pertains to a particular organization, needs to be defined. This requires crafting a solid definition and soliciting program stakeholders’ thoughts on scope and priority risk. These components are crucial to steer the program in the correct direction. It is also important to identify insider threat program capabilities and controls and research industry frameworks and publications for common insider threat definitions. These definitions can be customized to fit different business models and unique risk.

One example definition of insider threat is any intentional, negligent or accidental action by an employee or subcontractor that may be detrimental to the organization and its clients. These threats include, but are not limited to, fraud, theft of confidential organization or client information, theft of intellectual or physical property, sabotage of computer systems, and unauthorized disclosure of information resulting in damage to brand or reputation.


A supplemental classification scheme, driven by insider intent with characteristics and examples, is also valuable to standardize the understanding of insider threat across your stakeholder group (figure 2).


Executive Stakeholder

Senior leadership must be involved in the program design. Ultimately, insider threat management is owned across the organization at large. Each stakeholder may have different concerns or may own different pieces of the puzzle. Various business functions need to have an active voice in shaping the program and ownership of the relevant processes that will be relied on or modified to address insider threats. Implementing a program with key leadership supporting the direction is critical to success. Key representatives will likely come from functions such as human resources (HR), legal, data privacy, investigations, information security, IT operations, enterprise risk management, internal audit and physical security.

Each of these functions has different concerns and is impacted by the program’s decisions in different ways. For example, HR and information security leadership may be eager to enhance security protocols around individuals leaving the organization; however, legal and data privacy stakeholders may be aware of country-specific considerations that need to be addressed before controls can be implemented across the organization. Likewise, with a return to working from offices, physical security leadership may have a legitimate concern about office-related threats and thefts. A different set of safeguards may be warranted as the post-COVID-19 world returns to travel and office-centric working models. Having key cross-representative stakeholders at the table to discuss these concerns and consider downstream impacts across the various functions and processes is imperative to moving tactical decisions forward.


In addition to having the right members at the table, it is important that one group leads the charge as committee chair, but active participation from all teams is necessary to steer the program.

Governance

Another important step in supporting and defining the intent of the insider threat program is to establish top-down governance. This can be done in the following ways:

  • Establishing or enhancing existing policies to stipulate acceptable behaviors, monitor activities and enforce ramifications of noncompliance pertaining to insider threat
  • Documenting a charter outlining the executive steering committee’s roles, responsibilities, expected output and overall program scope
  • Developing a tactical insider threat plan that outlines the life cycle of an insider incident, from discovery through analysis, triage, investigation and forensics, potential legal and HR actions, and root cause analysis

These documents serve to outline the specific purpose of the committee and program to ensure that all parties are working toward a common and defined goal and that the organization at large is aware of the program and what may be considered a violation of acceptable behavior. Increased knowledge of acceptable behavior and enhanced security measures can be a powerful deterrent against negligent and accidental insider threats.

It is also beneficial to determine how this program will measure success. Leveraging current metrics and analyzing existing incident and activity trends will help to identify any targeted actions that may be warranted. This trend and mitigation approach should be shared with the stakeholder committee for consideration.


Building a metrics program also necessitates establishing a baseline. Depending on the maturity of the investigation and incident management processes, insights can be gleaned from existing data points. For example, to determine which tactical controls to apply, decisions should be informed by common data exfiltration methods and end points. The common activity and incident rates of an organization serve as the baseline to inform decisions and actions and drive success measurements. If the investigations team identifies that, based on the past year of security incidents, a large majority of incidents that resulted in data loss were through external media or data being transmitted to personal cloud storage sites, the organization then has two very specific areas to which enhanced controls can be applied. It is necessary to continue to monitor incident trends to determine how successful the tactical actions are. If the incident trend line drops, then the insider threat program and tactical controls implemented are addressing the identified risk of data loss. Depending on the technologies employed and controls implemented, insider threat program metrics can continue to evolve.
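The baseline-and-trend approach described above, worked through as an added example (not code from the article or its author): the incident records, channel names and the 60% coverage rule are all constructed assumptions; the baseline year is 2020 and the measurement year after enhanced controls is 2021.

```python
from collections import Counter
from datetime import date

# Constructed sample incident records (not real data): one tuple per confirmed
# data-loss incident, as an investigations team might export them.
INCIDENTS = [
    ("2020-01-14", "removable_media"), ("2020-02-03", "personal_cloud"),
    ("2020-03-22", "removable_media"), ("2020-04-09", "email"),
    ("2020-05-30", "personal_cloud"), ("2020-06-17", "removable_media"),
    ("2020-07-08", "print"), ("2020-08-25", "personal_cloud"),
    ("2020-09-12", "removable_media"), ("2020-10-04", "email"),
    ("2020-11-19", "removable_media"), ("2020-12-02", "personal_cloud"),
    # 2021: measurement year, after enhanced controls on the focus channels
    ("2021-01-20", "removable_media"), ("2021-02-11", "personal_cloud"),
    ("2021-03-05", "removable_media"), ("2021-04-28", "personal_cloud"),
    ("2021-06-15", "removable_media"), ("2021-08-09", "personal_cloud"),
    ("2021-11-03", "email"),
]

def channel_baseline(incidents, year):
    """Data-loss incidents per exfiltration channel in the baseline year, most common first."""
    counts = Counter(ch for d, ch in incidents if date.fromisoformat(d).year == year)
    return dict(counts.most_common())

def focus_channels(baseline, share=0.6):
    """Smallest set of top channels that together cover at least `share` of baseline incidents."""
    total = sum(baseline.values())
    chosen, covered = [], 0
    for ch, n in baseline.items():  # already ordered most common first
        chosen.append(ch)
        covered += n
        if covered / total >= share:
            break
    return chosen

def quarterly_trend(incidents, channels, year):
    """Incidents per quarter (Q1..Q4) on the focus channels in the measurement year."""
    quarters = [0, 0, 0, 0]
    for d, ch in incidents:
        dt = date.fromisoformat(d)
        if dt.year == year and ch in channels:
            quarters[(dt.month - 1) // 3] += 1
    return quarters

def controls_effective(trend):
    """Crude success test from the text: the trend line drops from first to last quarter."""
    return trend[-1] < trend[0]
```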

Key Risk Scenarios and Program Focus

Once a program establishes its maturity level, has executive alignment and an agreed-on definition, implementation can begin. A key guiding principle to creating a tactical and risk-based program deployment methodology is to start small.

On one hand, an organization can focus on implementing technical controls or operational processes to shore up the biggest gaps in the maturity analysis. On the other hand, if the stakeholder group is comfortable with the level of maturity, a risk-based approach with a focus on key risk indicators (KRIs) or specific business scenarios is appropriate. Concerns that executive stakeholders might want to act on include:

  • Enterprise intellectual property or physical assets leaving the environment, regardless of the intent of the insider
  • Individuals leaving the organization and their motivation or intention to do the organization harm
  • Enhanced security and monitoring of critical IP or unique assets, especially the access and activity of those individuals with higher privileges to that information or asset
  • Unique business scenarios and strategies that may necessitate proactive and tactical actions
  • Workplace violence, with returning to work on the horizon

Each organization is different, levels of maturity vary and the issues needing active attention are up to the executive stakeholder committee to define. There is not a cookie-cutter solution for an insider threat program. It must be tailored and remain agile as business and risk landscapes change.

Regardless of the approach, after the immediate road map is defined, stakeholder meetings should continue to be held regularly to discuss ongoing and emerging risk scenarios, prioritize actions, and confirm tactical implementation plans.

Once critical risk cases are addressed and stakeholders are comfortable with the foundation and maturity of the program, the next evolution is proactive monitoring for behavior anomalies and insider alerts, based on defined thresholds. For example, if an employee is suddenly accessing highly restricted business applications that do not relate to their role and responsibilities or is downloading extremely large amounts of data from knowledge databases within a short period of time, this may be a threshold that could trigger an alert within an insider threat management tool. These thresholds and scenarios require vetting with the executive steering committee, and downstream impacts to investigation teams need to be evaluated before implementation. A dedicated operations team may be needed to monitor the new tools and incidents resulting from the implementation of tactical controls. An increased number of reported incidents and generated alerts will have a downstream impact on the escalation and investigations that are needed.
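The two threshold scenarios in the paragraph above (restricted-application access outside a role, and bulk downloads within a short window), expressed as detection logic in an added example that is not from the article or any insider threat management product. The log format, user names, role entitlements, restricted application list, 30-minute window and 1 GB limit are all constructed assumptions; real thresholds are the ones the steering committee vets.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application log (hypothetical format, not from any real tool):
# "<ISO timestamp> <user> app=<name> action=<view|download> bytes=<n>"
LOG = """\
2021-10-05T09:00:00 alice app=crm action=view bytes=0
2021-10-05T09:05:00 alice app=kb action=download bytes=200000000
2021-10-05T09:10:00 alice app=kb action=download bytes=300000000
2021-10-05T09:15:00 alice app=kb action=download bytes=600000000
2021-10-05T10:00:00 bob app=payroll action=view bytes=0
2021-10-05T14:00:00 bob app=kb action=download bytes=50000000
"""

# Assumed role entitlements and restricted applications (hypothetical values).
ROLE_APPS = {"alice": {"crm", "kb"}, "bob": {"kb"}}
RESTRICTED_APPS = {"payroll", "finance_ledger"}

def parse_event(line):
    """Turn one log line into a dict with a datetime timestamp and an int byte count."""
    ts, user, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "app": kv["app"], "action": kv["action"], "bytes": int(kv["bytes"])}

def detect(log, window=timedelta(minutes=30), byte_limit=1_000_000_000):
    """Apply two committee-vetted thresholds and return (user, rule, detail) alerts.

    rule 1: any use of a restricted app outside the user's role entitlements
    rule 2: downloads exceeding byte_limit within a sliding time window
    """
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, bytes)] downloads still inside the window
    for ev in (parse_event(l) for l in log.strip().splitlines()):
        if ev["app"] in RESTRICTED_APPS and ev["app"] not in ROLE_APPS.get(ev["user"], set()):
            alerts.append((ev["user"], "restricted_app", ev["app"]))
        if ev["action"] == "download":
            q = recent[ev["user"]]
            q.append((ev["ts"], ev["bytes"]))
            q[:] = [(t, b) for t, b in q if ev["ts"] - t <= window]  # drop stale entries
            total = sum(b for _, b in q)
            if total > byte_limit:
                alerts.append((ev["user"], "bulk_download", total))
                q.clear()  # one alert per burst, so the investigations team is not flooded
    return alerts
```

Raising `byte_limit` or shortening `window` directly changes the alert volume, which is the downstream investigative load the text says must be evaluated before rollout.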

Conclusion

It is an arduous task to establish an insider threat program. It is prudent to start small, remain agile and prioritize actions based on risk. Most organizations have siloed functions that all are working toward a common goal of protecting the organization, employees and key assets. An insider threat program is only successful if it works at the intersection of all these functions. An organization’s program can be expansive or lean, mature or elementary, and proactive or reactive, but it cannot operate in a vacuum. The priorities, tactical actions to take and strategic direction to work toward all need the input, oversight, support and accountability of cross-organization leadership. There is much to do in this space, but every step forward is a step in the right direction.

Endnotes

1 National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-53 Revision 5, Security and Privacy Controls for Information Systems and Organizations, USA, 2020, https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
2 CERT National Insider Threat Center, Common Sense Guide to Mitigating Insider Threats, 6th Edition, Carnegie Mellon University, Software Engineering Institute, Pittsburgh, Pennsylvania, USA, 2018, https://resources.sei.cmu.edu/asset_files/TechnicalReport/2019_005_001_540647.pdf
3 National Insider Threat Task Force, Insider Threat Program Maturity Framework, USA, 2018, https://www.dni.gov/files/NCSC/documents/nittf/20181024_NITTF_MaturityFramework_web.pdf

Kara Nagel, CISA, CRISC, CISSP

Has more than 15 years of experience helping organizations identify emerging security and technology risk, define mitigation strategies and implement tactical solutions. Nagel has held audit, advisory and governance positions at Protiviti, United Airlines, Accenture and PlayStation. In a recent role, she was part of the core team developing and mitigating insider risk through program formation and strategic control deployments.
