Companies across a wide spectrum of industries continue to wrestle with how to implement a well-designed insider threat program. The US government has provided guidelines that help but, as we’ve reported before, don’t go far enough, leaving companies to fill in many of the blanks on their own.
This problem has been well known for many years now, but it was brought home to us again recently in a SANS Institute survey, co-sponsored by Haystax Technology, of information security professionals around the US. Forty percent of respondents to the SANS 2017 Insider Threat Study: Defending Against the Wrong Enemy agreed that malicious insiders — those who inflict major harm thanks to their privileged access and intricate knowledge of the organization’s systems — were the most damaging threat vector they faced. Despite that, almost 40 percent of the organizations surveyed said they currently have no effective ways to deter these types of attacks.
For the nearly 50 percent of organizations that said they were developing formal incident response plans with provisions for insider attacks, Haystax recommends the following six steps for reducing risks from malicious insiders:
- Know the common modus operandi of malicious insiders.
- Reduce false positives to avoid analyst alert fatigue.
- Note unusual deviations from the peer group’s baseline.
- Use trustworthiness scores to prioritize investigations.
- Verify that data collected complies with the organization’s privacy regulations.
- Proactively collaborate and act across the enterprise to mitigate risk.
This six-step plan has been proven effective in enterprises of all types and sizes, thanks to our patented approach that uses probabilistic Bayesian models to assess individual trustworthiness. Haystax’s Constellation for Insider Threat product runs diverse data sets through its Carbon ‘whole person’ model, which has encoded hundreds of different human behaviors based on the judgments of diverse experts. The model establishes a ‘pattern of life’ and then continuously analyzes new information to quickly discern when individuals deviate from the norm or trend in a negative direction. Constellation for Insider Threat scores and prioritizes these individuals and presents the results to analysts and decision-makers for further investigation and response.