Growing up, one of my favorite techniques to remember coursework in school involved breaking up unwieldy concepts by chunking them into 3. To date, this is an approach I still live by in my world of Portfolio Strategy & Marketing. Luckily, Gartner had the same idea in their recent “Market Guide for Insider Risk Management Solutions”. In the guide, they dive into mitigation goals that they categorize as Deter, Detect and Disrupt. In my earlier blog 10 Takeaways from Gartner 2020 Market Guide for Insider Risk Management Solutions, I made the case that the absence of “blocking” signalled a sea change in how security is beginning to think about mitigation strategies.
If there’s a sentiment that captures what “blocking” signaled to security teams in 2021, it certainly this quote from our friends at Snowflake: “The 90s called and they want their DLP back.” More organizations (especially in a post-pandemic era) are questioning traditional approaches to mitigating situations of insider risk. And let’s face it, to date, that approach has been primarily categorized by “blocking” (specifically blocking employee collaboration and productivity). Simply put, prevention solutions assume culpability (without the context to prove innocence) and then take steps to essentially stop that employee going any further. The problem is recent data from Forrester and even Gartner clearly point to the fact that situations of internal incidents are largely attributed to inadvertent misuse. We know users can be careless (heck, I fall into this category too!) but penalizing a user for simply trying to do their job cannot continue!
D to the power 3: Deter, Detect and Disrupt
Describing mitigation goals for insider threat as a rule of three, Gartner describes the following:
- Deter the individuals
- Detect the activity
- Disrupt the effort
To implement the rule of three effectively, security and risk management leaders need an insider threat mitigation program that is composed of people, processes and technology. All three are required in order to be successful. Let’s unpack these in turn.
Deter the individuals (People)
Many organizations have woken up to the idea that their “insiders” as it turns out, happen to be their best security champions. An empowered and knowledgeable workforce is the perfect extension of a technology strategy since it is rooted in people. The power of security awareness goes a long way! When you think about the 2020s high profile Twitter hack for example, one can’t help but wonder how a more aware workforce would have reacted. The positive example is also important to highlight. As was reported with the failed ransomware plot on Tesla, the potential attack did not succeed due to an aware and well-intentioned employee report.
Detect the activity (Technology)
Detecting anomalies in the world of insider threat remains a challenge for many! This is clearly a technology shortfall. Today’s solutions rely on the precise policies, ungainly data classification, continuous maintenance, and even after all of that, the flood of false-positive alerts that simply go ignored. To exit this cycle, security practitioners need end-to-end visibility that encompasses the user, the data (files) and the exfiltration vector(s) to truly understand the risk embodied within an insider incident. This visibility is imperative to an holistic Insider Risk Management approach.
Disrupt the effort (Process)
This one takes on multiple forms – as it should! When we talk about disrupting an effort, we are talking about a right-size response to having detected an activity. Keep in mind that the activity in question may not be malicious. That’s precisely why we need to think of it in terms of “disruption” vs “blocking.” So what does a disruption look like? Let’s look at an example of best practices from Code42.
It starts with response examples to more common, low risk activities, and builds to higher risk circumstances that also happen less frequently.
The first thing to internalize, is the idea that security teams may not need to do a one-off response for every low-risk event. They can use Incydr to detect trends in how data is being used and shared. Incydr can inform their security awareness strategy and their team’s processes around awareness training to more directly address widespread trends like employees using their devices for personal use and therefore putting personal sync apps on them.
Next, there’s the importance of direct user outreach. User outreach is our recommended next-step for lower risk events that DO need to be addressed individually. The purpose here is for security to understand intent and request resolution from the user. This is something our own team does often. They reach out through Slack and may then perform a video call to watch a user delete files that were taken.
For slightly higher risk events, we recommend adjusting the user’s access permissions. When something happens, simply lower or remove permissions. This ensures the user does not have continued access to sensitive data and systems. In the case of our product, this response can even be automated using an integration with Okta.
Finally, for the most rare but very high risk events, we recommend a hybrid human and technical response option. Security teams can build playbooks in their SOAR to take a predefined action, and they can escalate a case built within Incydr to a line-of-business Stakeholder. This can then proceed to more serious consequences like termination or litigation if warranted.
The 2020s Called, They Want To Empower Their Employees
At the heart of Insider Risk Management is a fundamentally different approach to helping organizations balance employee productivity with data protection. Deter, Detect and Disrupt map to People, Tech and Process which leads to a more holistic approach. Today’s security teams face an inflection point; Embrace a new security approach rooted in your people or become stagnant? I think the 2020s have spoken!