Symantec Gov Symposium

CDW’s Gabriel A. Whalen on Identifying and Remediating Insider Threats

Insider Threats

Insider threats are nothing new, but advances in technology – such as information storage, data processing, and remote access to assets – have drastically increased the amount of damage a single individual can do. It’s no wonder that both government and industry have shifted their security focus to the insider.

Today’s technical solutions are certainly warranted, whether they include firewalls, intrusion detection and prevention, access management solutions, video surveillance, user behavioral analytics, or a SIEM. The sheer number of users, the extent of organizational assets, and the fluid nature of today’s operations demand a cohesive solution that will increase our ability to draw meaningful conclusions out of such a vast dataset.
Prediction can be another matter. As any psychologist will tell you, the best indicator of risk is prior behavior, but capturing and validating that behavior requires a lot of leg work, multiple sources, and an understanding of the person in context.

There is a middle ground – balancing technical elements and leveraging existing organizational elements and processes for early detection and mitigation of insider-propagated threats. Organizations wishing to find this middle ground should consider an organizational wellness check, the testing of reporting mechanisms, and proper messaging around employee assistance programs.

The employee assistance program (EAP) is an organization’s opportunity to contain and remediate a stressor before it manifests itself in the workplace as an insider threat. Promoting and reminding employees about the confidential and non-retribution nature of the EAP provides a potential way out of a destructive cycle, as well as a means for managers to address behavioral indicators with employees while respecting the desire for privacy.

Not all organizations can manage a morale and wellness check, but almost all can afford some version of it – whether that be informal one-on-ones, generalized climate surveys, or more robust and engaging performance reviews. Some organizations go so far as to employ the services of industrial psychologists to develop climate and leadership surveys. Communicating and acknowledging the results of a climate survey gives employees a sense of actual voice and ownership, while leadership gains an objective data point from which to make informed decisions and evaluate what is or is not working as planned.

Mature incident response plans include testing and after-action reviews, as should an insider threat program. Employees will quickly learn there is no reason to report behaviors which have been identified as flags if the reporting mechanism doesn't function, or worse, is absent. If an organization trains personnel to report certain behaviors and the mechanisms do not function, or appear to fail to take the employee's report seriously, then organizations will quickly find such mechanisms underutilized.

While all organizations struggle to an extent with the potential for malicious and unintentional insider threats, there are technological and administrative solutions to detect, prevent, and mitigate the manifestation of these threats. A balanced approach to security, which considers expenses in relation to the criticality of secured assets, will provide the most efficient defense in depth. A mature program will test, retest, and feed the results of that testing back into program development.

CERT's Common Sense Guide to Mitigating Insider Threats, Fifth Edition, is essential reading for additional material on the topic of addressing insider threat.

Gabriel A. Whalen
CDW Principal Field Solution Architect, Security Assessments