Complexity noun | com·plex·i·ty
- The state or quality of being intricate or complicated
- A factor involved in a complicated process or situation
If that definition sounds like a day in your life working in security, keep reading. As security professionals, we already know this definition of complexity intimately. From vulnerabilities and threats to policies, alerts, security ecosystems and the products themselves, every facet of the security industry today is complicated.
Some would argue that complexity is necessary for insider threat programs, and that the intricacy of the interconnected elements, the nuance, and the people and process behind them are what make those programs effective. It is true that the most mature insider threat programs combine security and risk management at the highest level, which makes them incredibly complex. But the majority of organizations today have no solution at all for detecting, investigating and responding to data risk caused by insiders. Code42 Incydr™ can provide the foundation that actually makes it easy to reduce this risk.
Where the complexity begins
Technical complexity is at the forefront of the complexity challenge that security teams face. The very tools intended to make insider threat programs more effective often introduce problems that wear down the insider threat team and hinder its effectiveness. I have extensive experience building and consulting on insider threat programs at a range of organizations, including Fortune 500 companies in the technology and business services industries. I have seen security teams navigate highly complex, intricate systems with great success. But I have also seen complex systems fail. This is where a simple, use-case-focused solution like Incydr can greatly reduce risk.
The success story
In a very specific set of circumstances, complexity can lead to success for a security team, and more specifically for an insider threat program. Success in these instances is largely due to a focus on metrics, ROI and the ability to measure the effectiveness of a security program in terms of both risk mitigation and operational cost. There must be a thoughtful and purposeful approach to using well-defined, objective metrics to calculate the return on money spent, so that the cost of program complexity never outweighs the benefits. This applies to technical costs as well as people and process costs. Organizations would be wise to agree an objective way to measure success with executive leadership and the relevant stakeholders up front. This removes any future ambiguity about the "worth" of your insider threat program. Key metrics that successful security teams typically rely on to measure the risk reduction of insider threat programs include:
- How many alerts are we getting?
- How many alerts actually warrant an investigation?
- How many investigations resulted in the reduction of real risk?
- How many alerts and investigations were false positives?
- Did we improve over time?
In order to be meticulous about measurement, it is crucial that organizations begin with an understanding of their current data risk exposure. Without knowing what vulnerabilities you have and which threats are most pervasive, there is no way to know whether any new tool or process will move the needle. A product like Incydr can help you assess risk, and accelerate and simplify insider threat investigations. The data risk surfaced by Incydr gives security teams the insight needed to respond appropriately. Insider threat response is often a human response rather than a technical control. Combine that response with analysis of the available data risk insights, and you have the critical components of a successful insider threat program.
Organizations that succeed in managing complex security stacks tend to designate specific groups to run data loss prevention (DLP), cloud access security brokers (CASB) and the insider threat program. This approach can be effective because it allows individuals to specialize: the person who writes the DLP rules does not also have to manage CASB or user and entity behavior analytics (UEBA) or run investigations. This diversified structure essentially removes the complexity from each individual's job. The challenge is for organizations that don't have a huge budget or security team, where the roles and responsibilities list reads like a CVS receipt. If you don't have the luxury of stripping complexity out of roles and responsibilities, look for tools that do it for you. Incydr's risk exposure dashboard and detection lenses make it easy to tune out the noise inadvertently caused by employees collaborating to get their work done, and instead focus on truly high-risk situations, such as departing employees and high-risk employees.
The cautionary tale
Most organizations that have, or are thinking about implementing, robust security toolsets do not have a large enough security team for individualized, specialized roles across all security domains. Instead, most security professionals wear multiple hats, carry a never-ending to-do list, and realistically have more responsibilities than one person can manage.
All too often, senior leadership ends up focusing on tools, solutions with acronyms for names and particular technology categories for the sake of checking a box or responding to an ill-defined regulation. The cybersecurity industry, for all of its benefits, has a marketing problem. Too often, we see tools marketed as a data protection panacea: "deploy this tool to every endpoint and prevent all your data from leaving your organization!" Anyone who has spent time implementing broad data protection efforts knows the pain associated with this line of reasoning. Deployment does not equal protection. This false perception of protection is where DLP initiatives fail, and already thinly stretched security teams are left wading through unnecessary layers of complexity as they try to make the most of their organization's investment.
To avoid this, start by using a product, like Incydr, that can give you visibility into your data risk exposure. This will provide you with a baseline understanding of your organization’s data exposure vulnerabilities and insider threats. Once you have this foundation in place to assess your risk posture, you will be in a good position to start protecting your data from insider threats – the easy way.
The cost of complexity
On the opposite end of the spectrum from the easy way is the hard way. The hard way has high costs and complexity due to two main contributing factors:
- Most tools traditionally used to address insider threats demand an extensive amount of maintenance time. Maintaining infrastructure, updating agents, ensuring agents aren't causing conflicts on endpoints: all of this takes a lot of time and effort. The more tools an organization has, the more time the security team spends just keeping them functioning. We have all heard the stories of teams that spend their resources just getting tools to do no harm, which leaves no capacity to use the tools for their intended purpose.
- TIP: Mitigate this by thinking cloud-first. This will reduce the time you spend managing infrastructure and you’ll have the latest security updates and product features without maintenance. A cloud-first solution, like Incydr, can be deployed in days rather than months. This ensures your team can start detecting, investigating and responding to insider threats as soon as the endpoint agents are rolled out.
- These same tools also require sophisticated rulesets or programming, which generate a lot of noise. Alert fatigue is a big problem and is well documented in the security industry. What is not well known is how to fix it. It is certainly possible to tune alerts manually until they are high fidelity, but this takes skill and months (or even a year) to perfect.
- TIP: Select a tool that isn't noisy to begin with. Incydr approaches data security differently from classification- and policy-based products. By monitoring all file activity and correlating it with high-fidelity risk indicators (such as exfiltration activity involving files whose extension and content don't match), Incydr can detect and prioritize risk to data more accurately.
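The extension-versus-content check mentioned in the tip above, as an added example; this is illustrative code written for this page, not Code42's or Incydr's implementation. It compares a file's leading bytes against a small table of known signatures, flags a mismatch only when the content format is actually recognised (so plain text and unknown formats do not become another noisy rule), and then treats the mismatch as high fidelity only when it coincides with an exfiltration destination. The signature table, the destination category names and the sample events are all constructed assumptions for the example.

```python
"""Added example (not Code42's or Incydr's code): detect files whose
extension disagrees with their content, and treat that as a high-fidelity
indicator only when it coincides with an exfiltration vector.
The signature table, destination names and sample events are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath

# Leading bytes ("magic") of common formats and the extensions that legitimately
# carry them. Constructed subset; extensions that share one container (Office
# documents are zip archives) are grouped so a genuine .docx is not flagged.
SIGNATURES: list[tuple[bytes, set[str]]] = [
    (b"\x89PNG\r\n\x1a\n", {"png"}),
    (b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (b"GIF87a", {"gif"}),
    (b"GIF89a", {"gif"}),
    (b"%PDF-", {"pdf"}),
    (b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx", "jar"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {"doc", "xls", "ppt", "msg"}),
    (b"MZ", {"exe", "dll"}),
    (b"\x7fELF", {"elf", "so", ""}),  # Linux binaries usually have no extension
]


def detected_formats(head: bytes) -> set[str] | None:
    """Extensions consistent with the file's leading bytes, or None if unknown."""
    for magic, exts in SIGNATURES:
        if head.startswith(magic):
            return exts
    return None


def extension_of(path: str) -> str:
    """Lower-case extension without the dot; '' when there is none."""
    return PurePosixPath(path).suffix.lower().lstrip(".")


def content_mismatch(path: str, head: bytes) -> bool:
    """True only when the content format is recognised AND excludes the extension.

    Unrecognised content (plain text, proprietary formats) returns False:
    guessing here is exactly the kind of noise that breeds alert fatigue."""
    formats = detected_formats(head)
    if formats is None:
        return False
    return extension_of(path) not in formats


@dataclass(frozen=True)
class FileEvent:
    user: str
    path: str
    head: bytes       # first bytes of the file as observed by an endpoint agent
    destination: str  # where the file went (constructed category names)


# Destinations that take data off the corporate estate (constructed names).
EXFIL_DESTINATIONS = {"removable_media", "browser_upload", "personal_cloud_sync"}


def is_high_fidelity(ev: FileEvent) -> bool:
    """A mismatch alone is common and often benign; a mismatch on an
    exfiltration vector is the combination worth an analyst's time."""
    return ev.destination in EXFIL_DESTINATIONS and content_mismatch(ev.path, ev.head)


def triage(events: list[FileEvent]) -> list[FileEvent]:
    """Return only the events an analyst should look at first."""
    return [ev for ev in events if is_high_fidelity(ev)]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    FileEvent("alice", "Q3-roadmap.pdf", b"%PDF-1.7\n", "removable_media"),     # real PDF: exfil vector, content matches
    FileEvent("bob", "vacation.jpg", b"PK\x03\x04\x14\x00", "browser_upload"),  # zip archive renamed to .jpg
    FileEvent("carol", "report.docx", b"PK\x03\x04\x14\x00", "local_disk"),     # docx is a zip container: fine
    FileEvent("dave", "notes.txt", b"meeting notes\n", "browser_upload"),        # unknown format: not judged
    FileEvent("erin", "setup.exe", b"MZ\x90\x00", "local_disk"),                 # no exfil vector
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_EVENTS):
        print(f"HIGH RISK: {ev.user} sent {ev.path} to {ev.destination}; "
              f"content looks like {sorted(detected_formats(ev.head))}, "
              f"not .{extension_of(ev.path)}")
```

Only bob's upload surfaces: alice moved a genuine PDF, carol's Office document is legitimately a zip container, dave's text file is not a recognised binary format so it is left alone, and erin's executable never left the machine. The deliberate design choice is that `content_mismatch` says "I don't know" rather than "suspicious" for unrecognised content; widening the signature table increases coverage without changing that rule.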
Every product has a total cost of ownership, made up of three things: the cost of the product itself, the infrastructure required to support it, and the cost of the people and processes required to manage it. The cost of complexity largely comes into play in the people costs. Security expertise is expensive, and building a large team of talented, seasoned security professionals creates a lot of overhead; after all, security is a cost center. If your security team is smaller, you may save on salaries, but you end up with a small yet mighty team of overworked and overextended security warriors. When security teams don't have the bandwidth or expertise to manage the tools in their arsenal effectively, those products are far more likely to become shelfware.
At the end of the day, these decisions are about opportunity cost. If you are paying high security salaries (not to mention the cost of security products and supporting infrastructure), you need to consider carefully whether you are getting commensurate value out of the product. If your expensive, highly skilled security team spends its day conducting investigations and mitigating insider threats, then odds are you're on the right track. But if that team spends its time trying to fix a broken endpoint agent, navigating a maze of configuration challenges, or wrestling with poor user interfaces and reporting, then the cost of maintaining the product likely outweighs its benefits. It's time to let go of complexity that is not moving the needle and consider a simpler approach.