Most organizations detect their biggest insider threats only after an incident has occurred. This is a less-than-ideal situation – certainly no one wants their program to be purely reactive – but is proactive insider risk mitigation even possible?
The answer is yes, says Haystax Director of Insider Threat Operations David Sanders, and it starts with a broad approach to detection that goes well beyond simply monitoring technical indicators for anomalies.
In a newly published article in the July 2020 issue of Cyber Defense Magazine, Sanders argues that foreknowledge of personal predispositions and behavioral indicators “can inform the judgment of experts to determine whether an insider is on the path to becoming a risk.”
“Based on that judgment,” he says, “a measured and effective response can be planned to assess the risk through preliminary assessments – and perhaps a complete investigation, if warranted.” The ultimate goal is to mitigate or prevent the insider risk event by engaging with the potential threat early.
Sanders draws on a groundbreaking 2015 research report by operational psychologist Dr. Eric Shaw and Laura Sellers, a clinical social worker and former DoD counterintelligence analyst, who concluded that perpetrators exhibit observable indicators prior to their acts. He cites what the researchers call the Critical Path to Insider Risk, which combines observable personal predispositions, stressors, concerning behaviors and even problematic organizational responses in order to identify who may become an insider threat.
A combination of technical and non-technical data sources, many of them readily obtainable in companies and government agencies, provides the necessary indicators to map a critical path for each at-risk individual.
Sanders adds that other elements, such as reporting of adverse behavior by colleagues and supervisors and temporal analysis of risk indicators over time, are also important ingredients in a proactive, human-focused insider threat mitigation program.
That said, Sanders acknowledges the difficulty of having the kinds of diverse in-house expertise needed to analyze a large number of indicators and critical path categories. “The problem,” he writes, “is that this approach does not scale well in organizations with large numbers of employees, since no team of experts could keep up.”
What’s needed instead is a way for the experts to “share their judgments and wisdom in analytic tools that apply complex reasoning that goes into contextualized analysis of insider threats,” he writes.
One ideal way to attain the required level of analytical scale is to use so-called Bayesian inference networks, because they can be “built to probabilistically model expert reasoning across multiple domains using the full range of technical and non-technical behavioral indicators of insider risk.”
When integrated with an analytics platform that ingests data and applies it to the model as evidence for or against the likelihood that a trusted insider is becoming a risk, Sanders writes, the result is “a vastly improved capability to identify high-risk insiders that have committed threat activities, as well as those who are on the Critical Path to potentially commit them in the future. The probabilistic model enables the desired proactive response necessary to protect company assets, including the insiders themselves.”
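To make the probabilistic idea concrete, here is an added illustration (not Haystax's model or code) of the simplest form of such a network: a single hidden hypothesis, "this insider is on the Critical Path", updated by independent evidence drawn from the four Critical Path categories. The indicator names, base rate and conditional probabilities are constructed placeholders, not calibrated values from any real program.

```python
from math import exp, log

# Hypothesis H: "this insider is on the Critical Path". Constructed base rate.
PRIOR_AT_RISK = 0.02

# Indicator -> (Critical Path category, P(observed | H), P(observed | not H)).
# Categories follow Shaw & Sellers as described in the article; the indicators
# and probabilities are constructed placeholders chosen to show the mechanics.
INDICATORS = {
    "prior_policy_violations":       ("predisposition",      0.40, 0.05),
    "financial_distress":            ("stressor",            0.50, 0.10),
    "passed_over_for_promotion":     ("stressor",            0.45, 0.15),
    "after_hours_bulk_download":     ("concerning_behavior", 0.60, 0.05),
    "colleague_report_of_hostility": ("concerning_behavior", 0.35, 0.03),
    "unresolved_hr_complaint":       ("org_response",        0.30, 0.08),
}


def posterior_at_risk(evidence, prior=PRIOR_AT_RISK):
    """Naive-Bayes update of P(H) from a dict of indicator -> True/False.

    True means the indicator was observed, False that it was checked and is
    absent. Indicators missing from `evidence` are unobserved and leave the
    estimate unchanged, so technical and non-technical feeds can arrive at
    different times. Returns (posterior, {category: log-likelihood-ratio})
    so an analyst can see which part of the Critical Path drove the score.
    """
    log_odds = log(prior / (1.0 - prior))
    contributions = {}
    for name, observed in evidence.items():
        if name not in INDICATORS:
            raise ValueError(f"unknown indicator: {name}")
        category, p_h, p_not_h = INDICATORS[name]
        # Likelihood ratio of a positive observation, or of a negative one.
        lr = p_h / p_not_h if observed else (1.0 - p_h) / (1.0 - p_not_h)
        contributions[category] = contributions.get(category, 0.0) + log(lr)
        log_odds += log(lr)
    odds = exp(log_odds)
    return odds / (1.0 + odds), contributions


def rank_insiders(evidence_by_insider):
    """Order insiders by posterior risk, highest first, for analyst triage."""
    scored = {who: posterior_at_risk(ev)[0] for who, ev in evidence_by_insider.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)
```

A real network would model dependencies between indicators and let experts encode the conditional tables; this flat version only shows how evidence for and against the hypothesis moves a prior.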
Note: To learn more about the Haystax Analytics Platform and how it integrates probabilistic models, technical and non-technical data feeds and an intuitive interface for proactive investigative workflows and decision-making, download our free white paper.