Why Insider Risk Management Requires Different People, Process and Technology
Insider Risk is a delicate issue for many organizations. No one likes to think of their co-workers as threat actors. For many security practitioners, Bill, Michelle and Kathy are coworkers, not adversaries. “I like to believe that 99% of our employees are good people and mean no harm to the company,” said one CISO at a global manufacturing firm, with whom I met last week. At Code42, we call this presuming positive intent – one of our core values – and what is paramount to effectively managing the Insider Risk problem.
Unfortunately, COVID created the perfect storm for Insider Risk. According to our most recent Data Exposure Report, employees are 85% more likely today to leak data than they were pre-COVID. To make matters worse, 91% of security teams say they lack the technology and 66% lack the budget and resources to effectively address a growing Insider Risk (data leak) problem. No tech. No people. No budget. So, what are security leaders left to do? They’re forced to use existing people, processes and technology designed to mitigate external threats to manage Insider Risk. Mitigating external threats is fundamentally different than managing Insider Risk. So is leveraging existing people, process and tech the right approach?
Mitigating external threats is fundamentally different than managing Insider Risk.
There are three questions every security leader must ask when setting up an Insider Risk Management program:
- People: Do we have dedicated analysts trained for Insider Risk?
- Process: Do we have a documented response plan when co-workers put data at risk?
- Technology: Do we have the defined toolset to support our Insider Risk people and processes?
Managing Insider Risk requires analysts to have a different mindset. Analysts dealing with nefarious external actors are predisposed to assume negative intent when it comes to their adversaries. And they should: by definition, external threats are driven by bad actors. But internal risk requires a different approach. If Michelle in HR uploads a file to her Gmail account, we have to handle that very differently than if her machine is infected with malware. The analyst needs to understand the whole situation on why she might do that, which will likely require talking to Michelle or her manager. It may involve working with HR and legal, too. Unlike discovering malware, discovering exfiltrated internal files requires discretion because the files themselves (which are visible to the analyst) may contain incredibly sensitive data. Malware is dangerous, but leaked payroll information or strategic documents could be extremely sensitive.
In working with our customers, we have found that most train only a few analysts to review Insider Risk cases. Those analysts also work with HR and Legal to appropriately handle the difficult and sensitive cases. This segregation of duties between External Threats and Insider Risk has become a recommended best practice for any organization with more than 500 employees.
In a study commissioned by Palo Alto Networks and Forrester Consulting, the average SOC team receives over 11,000 alerts per day and a vast majority of them are prioritized, investigated, triaged and responded to manually. Often, an analyst can take definitive action by isolating or even shutting down a machine. But, Insider Risk requires a different process – one that involves the lines of business, HR, Legal and IT to not only define risk tolerance, but also the role each partner plays in risk prioritization, response and remediation.
First and foremost, Insider Risk can be an extremely noisy problem. And a shocking 91% of security teams say they lack the technology to effectively address it. In the collaborative world we work in today, employees are sharing files via OneDrive, collaborating with Box, moving files with Slack, printing, storing files on USBs, and generally sharing data all the time. Technology is required to monitor all of that activity and crucially to surface only the important events.
Managing Insider Risk requires visibility to not only all file, user and vector signals, but also a high degree of event context. Your technology needs to identify and correlate Insider Risk indicators, like whether an employee has quit, is working off-hours, has tampered with file extensions, is actively deleting files, and many more. By correlating these indicators of risk, the technology dramatically reduces the noise that analysts must contend with and provides important event context as they conduct investigations. You need context because your co-workers’ reputations and careers are potentially on the line.
Code42 Incydr for Insider Risk Management
Code42’s approach to Insider Risk Management (IRM) promises organizations never compromise the speed of the business nor the safety of their data. And it presumes positive intent. In order to deliver on this promise, the foundation of our approach is built on three core pillars: monitor everything – all files, all vectors and all users; never disrupt employee productivity or collaboration; and be born in the cloud –100% SaaS. Our approach is delivered through our product: Incydr.
Incydr continuously monitors and logs ALL file, user and vector activity to and from employee endpoints. Then, it analyzes and correlates said activity to surface what we call Insider Risk Indicators (IRIs). IRIs are made up of individual, combinations or sequences of file, vector and user activities and attributes (i.e. context), which are indicative of data risk. Individual IRIs can vary in severity, but when detected together, their severity changes. The stronger the IRI, the greater the risk to the organization and the faster the security team should investigate and respond using Incydr.
Incydr technology has contextual detection, investigation and response built-in to the product. It defines IRIs associated with a variety of use cases to prioritize and alert on the Insider Risks that matter most. For example, IRIs detected during source code exfiltration might be: 1) an engineer, 2) moves source code 3) to an untrusted removable media device 4) remotely 5) during off hours. Or IRIs detected for a departing sales employee might be: 1) a sales employee 2) who is departing 3) downloads a report from Salesforce.com 4) and then moves it to an untrusted messaging service, such as Slack.
Incydr’s high fidelity alerts help Insider Risk analysts quickly triage and take informed action to stop or obstruct (i.e. prevent) the data from leaving the organization. The informed action that analysts take will vary by data risk severity. We call this right-sized response. Right-sized response ranges from personal outreach via Slack or email and assigning the employee additional security awareness training to revoking or limiting access privileges through integrations.
Speaking of integrations, if you have established Insider Risk people and processes and you leverage SIEM and SOAR technology, the comprehensive detection capabilities of Incydr’s IRIs can be integrated via an open API. Code42 technology partners like Palo Alto Networks Cortex XSOAR, Exabeam, LogRhythm, Splunk, and Sumo Logic leverage Incydr IRIs to bolster efficiency, drive contextualized investigations, and speed and streamline incident response.
Using Incydr for Insider Risk Management means security teams spend less time manually sifting through thousands of alerts and instead more time improving the Insider Risk posture of the organization. This fundamental shift in mindset results in delivering true business value by ensuring employee compliance with data use policies, building a more risk aware culture and speeding security’s time to value.