Organizations attempting to implement a world-class insider threat program must ensure their focus is on prevention rather than detection, writes Haystax Technology CEO Bryan Ware in his most recent Security Analytics blog for Network World.
To be effective, the program must be centered around an early-warning system that allows organizations to prevent insider threat events through a comprehensive risk assessment framework that leverages a wide array of internal and external data. “The way to do that,” Ware writes, “is to build an expert model of their specific insider threat challenges, in coordination with their own analysts, and then run that model against all available data sources in real time.”
Insider threat programs must also be adaptable and scalable, he writes. Adaptability means the system must be able to evolve as understanding of insider threats improves over time, and it needs to adjust to changing organization-specific needs. It also should be able to integrate with existing enterprise systems that contain potentially valuable intelligence.
As for scalability, the system must be able to absorb new data loads regardless of format or volume as soon as the data becomes available, and should also be able to handle the load without either bogging down or producing a surge in false positives that overwhelms the existing analyst team. Moreover, the system must scale to an organization’s national or global footprint as it grows.
According to Ware, “An effective operational solution for insider threat will measure and continuously monitor the trustworthiness of all key personnel in an organization regardless of their roles or the level of potential risk they pose. It will blend qualitative model-based expert judgments with quantitative analytic tools to find threat signals buried inside multiple internal and external data sources, prioritizing the riskiest individual behaviors at machine scale and quickly alerting those who need to know.”
To read the full article, which is the second of a two-part series on insider threat programs, click here. Part 1, examining lessons learned from less-than-successful insider threat programs, can be found here.