Thursday, Jan 28, 2021

Managing the Insider Threat – An ISF Panel Discussion

<span>Photo by <a href="https://unsplash.com/@imthebear?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Thomas Lefebvre</a> on <a href="https://unsplash.com/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span>
Photo by Thomas Lefebvre
Carl Leonard Principal Security Analyst

Continuing our involvement in the Information Security Forum’s (ISF) human-centred security research series on 20 January 2021 our principal research scientist, Dr. Margaret Cunningham, was hosted by ISF Senior Solutions Analyst Daniel Norman and joined by CybSafe CEO Oz Alashe MBE.

Managing the Insider Threat: Human-Centred Security

The goal of the panel discussion was to explore insider threat and the impact it has on cybersecurity while offering tangible solutions for mitigating the discussed risks.

The 43-minute discussion evolved around the challenge of identifying the types of threat posed, knowing what to do in response, and effecting a response in a timely manner.  And demonstrating within an organisation that the response was successful.

As Dr Cunningham offered at the top of the conversation: “Dealing with people seems easy on the surface.  We all are people, we know what it’s like to be a person…we’ve all made a mistake and most of the time we don’t think our mistakes made an impact – that’s not the case.”  Has this mindset hindered the ability of organisations to examine the people aspect in the people/process/technology triangle?  Daniel quoted a survey result that 70% of respondents said people are the most important aspect of people, process and technology - good news it seems.  Oz cautioned that if you don’t consider the interplay between people and technology you are not considering the whole risk and therefore the whole opportunity.

As the scene was set the conversation went on to explore this opportunity further.

Key takeaways

  • Understanding the human aspect is an important component of the risk calculation – this is key to the work we do here in Forcepoint X-Labs.
  • It is vital that organisations understand the categories of insider threat such as the accidental insider, the negligent insider and the malicious insider – the behavior of such a diverse range of personas can manifest itself in a myriad of ways as played out in what we call Indicators of Behavior.
  • In response to an audience question Dr Cunningham cautioned that controlling the behavior of users can lead to compliance with the rules all of the way through to the opposite effect of rebellion – which drives individuals to a workaround.  Consider if your current tools have visibility of workaround attempts.
  • Similarly, the merits of effecting a change in behavior were discussed.  The panel agreed that user awareness and training is the not the silver bullet it was hoped.  Dr Cunningham warned that if training does result in a change in behavior that change for the positive is often temporary.
  • The panel discussed the need to measure the impact of solutions – else it will not be possible to see if the change or action was effective.
  • In regards to changing behavior of users within an organisation Oz offered a checklist to understanding user behaviors and their impact on risk:
    • What behavior is important (to control or change)?
    • What are you trying to impact?
    • What risk does it relate to?
    • What is the most appropriate intervention for that?

The panel went on to discuss the merits of incentivising “good” behaviour, the best way of identifying the accidental insider threat, the importance of baselining good behavior in order to identify the bad, and how a strategy of starting small on a journey to understanding user behavior can reap dividends in demonstrating effective risk management.

Recording

We hope you find the discussion useful.  If you weren’t able to attend last week, the ISF panel discussion can be viewed on-demand at your convenience:

Resources

About the Author

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...