Enterprises with insider threat mitigation programs often focus primarily on detecting and responding to malicious actors. At best, they may subdivide their threats into either malicious or negligent personas.
These are overly simplistic constructs, however, because they ignore several other kinds of threat behaviors that are in fact quite common — and often just as dangerous to the organization.
We’re glad to see, therefore, increasing signs of recognition in the security risk community that insider threats come in all shapes and sizes, rather than being a monolithic entity. That’s an important step towards more effective insider risk mitigation.
The latest example is Verizon, whose recently released Insider Threat Report analyzes a series of insider attacks originally described in its most recent annual Data Breach Investigations Report (DBIR), published last year.
The new report notes that some 20% of all cybersecurity incidents and nearly 15% of all data breaches described in the 2018 DBIR came from trusted insiders. Verizon goes on to list not one or two, but five, categories of insider threat:
- Careless Worker: An employee or partner who misappropriates resources, breaks acceptable-use policies, mishandles data, installs unauthorized applications and uses unapproved workarounds. This person’s actions are inappropriate rather than malicious.
- Inside Agent: An insider recruited, solicited or bribed by external parties to exfiltrate data. (Note: We would add extorted/blackmailed to that list.)
- Disgruntled Employee: Insider who seeks to harm his or her organization via destruction of data or disruption of business activity.
- Malicious Insider: Actor with access to corporate assets who uses existing privileges to access and steal information for personal gain.
- Feckless Third Party: Business partner who compromises security through negligence, misuse or malicious access to or use of an asset.
With so many different personas to contend with — each with its own unique motivations, levels of intent and behavioral patterns — it’s no surprise that companies and government agencies have great difficulty managing an insider threat mitigation program that can catch them all.
This is where Haystax comes in. Rather than relying solely on conventional machine learning or rules-based systems to analyze network data, we created a probabilistic model of trustworthiness (which we call Carbon) and then integrated it into an analytics platform that allows the model to ‘reason’ on a wide array of ingested data.
The result is a continuously updated risk score for each individual in an organization, derived not just from network activity but from HR, travel, expense, access-badge and many other data sources. Evidence can even be ingested from third-party and publicly available sources, not just from internal data.
Haystax also pulls in data that can provide evidence of financial, legal, personal or professional stressors, as these are widely recognized precursors of insider threat activity.
Our model-based analytics are ideally suited to early identification of all five personas in the Verizon scenarios (the examples below use actual [ModelNodeNames] to illustrate how the data is applied as evidence to the model):
- The careless worker is discovered from evidence applied to nodes such as [NeglectsSecurityRules], [DisregardsAuthority] and [ExhibitsInformationHandlingIssueOfConcern], all of which influence the higher-level node [CarelessTowardDuties].
- The inside agent [HasRiskyForeignAssociate], is [SusceptibleToInducement], attempts [UnauthorizedLocationAccess] and/or [HasUnexplainedAffluence]. (Note: We would add extortion/blackmail-related evidence here as well.)
- The disgruntled employee typically [ExhibitsDisruptiveBehavior] and [ExhibitsDegradedWorkPerformance], and is [UnderWorkStress], [HypersensitiveToCriticism] and [HabituallyTardy], among other behaviors. These and other nodes influence the higher-level concept of [Disgruntled].
- The malicious insider has a host of model nodes for which data can be found, including [SuspiciousRemovableMediaExfiltrationAttempt], [CommitsEmployeeTheft], [Untruthful] and [AccessesFacilityUnauthorized].
- The feckless third party can be discovered with all of the same data used as evidence for careless, disgruntled and malicious employees, especially email and online activity, as well as risky behaviors discovered among public records.
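To make concrete what "evidence applied to nodes that influence a higher-level node" means, here is an added illustration (not Haystax's Carbon code, and not the model's actual parameters) of a tiny two-layer probabilistic model. It uses the [CarelessTowardDuties] subtree named above, with the three evidence nodes [NeglectsSecurityRules], [DisregardsAuthority] and [ExhibitsInformationHandlingIssueOfConcern]; every prior and conditional probability in it is a constructed value chosen for the example. It assumes the evidence nodes are conditionally independent given the concept (a tree-shaped network), and shows how the concept's probability is recomputed each time a new piece of evidence arrives, which is the "continuously updated risk score" idea in general form. The same structure applies unchanged to [Disgruntled] or any other higher-level node.

```python
"""Toy two-layer probabilistic trust model: observed behaviour nodes feed a
higher-level concept node, and the concept's probability is recomputed every
time new evidence arrives. All probabilities here are constructed for the
example; they are not Haystax's Carbon parameters."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class EvidenceNode:
    """A leaf node that can be observed true or false for a given person."""
    name: str
    p_given_concept: float      # P(node = True | concept holds)
    p_given_not_concept: float  # P(node = True | concept does not hold)

    def likelihood_ratio(self, observed: bool) -> float:
        # How much more likely this observation is under the concept than not.
        if observed:
            return self.p_given_concept / self.p_given_not_concept
        return (1.0 - self.p_given_concept) / (1.0 - self.p_given_not_concept)


@dataclass(frozen=True)
class ConceptNode:
    """A higher-level node whose belief is driven by its evidence children."""
    name: str
    prior: float
    children: Dict[str, EvidenceNode]

    def posterior(self, observations: Dict[str, bool]) -> float:
        """P(concept | observations), assuming children are conditionally
        independent given the concept (naive Bayes / tree-shaped network).
        Unobserved children contribute nothing to the update."""
        odds = self.prior / (1.0 - self.prior)
        for node_name, observed in observations.items():
            odds *= self.children[node_name].likelihood_ratio(observed)
        return odds / (1.0 + odds)


def build_careless_model() -> ConceptNode:
    """[CarelessTowardDuties] with the three evidence nodes named in the text.
    Conditional probabilities are hypothetical values for illustration only."""
    leaves = [
        EvidenceNode("NeglectsSecurityRules", 0.70, 0.10),
        EvidenceNode("DisregardsAuthority", 0.50, 0.05),
        EvidenceNode("ExhibitsInformationHandlingIssueOfConcern", 0.60, 0.02),
    ]
    return ConceptNode("CarelessTowardDuties", prior=0.05,
                       children={leaf.name: leaf for leaf in leaves})


def score_stream(model: ConceptNode,
                 events: Iterable[Tuple[str, bool]]) -> List[float]:
    """Continuously updated score: re-evaluate the concept after each piece of
    evidence (a DLP alert, an acceptable-use violation, a clean review) is
    applied. A later observation of the same node overrides the earlier one."""
    observed: Dict[str, bool] = {}
    scores: List[float] = []
    for node_name, value in events:
        observed[node_name] = value
        scores.append(model.posterior(observed))
    return scores


if __name__ == "__main__":
    model = build_careless_model()
    # Constructed event sequence for one person: a policy violation, then a
    # clean authority-related review, then a data-handling incident.
    events = [
        ("NeglectsSecurityRules", True),
        ("DisregardsAuthority", False),
        ("ExhibitsInformationHandlingIssueOfConcern", True),
    ]
    for (node, value), score in zip(events, score_stream(model, events)):
        print(f"{node}={value!s:5}  P({model.name}) = {score:.3f}")
```

Two properties worth noticing: a negative observation (a node observed false) lowers the score rather than being ignored, and the order in which evidence arrives does not change the final posterior, only the path it takes to get there. A real model has more layers, dependencies between evidence nodes, and parameters estimated from data rather than hand-picked, so the numbers here should not be read as realistic base rates.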
Verizon’s report goes on to list 11 practical countermeasures to help organizations reduce insider threat risks and enhance incident response efforts. Several of these emphasize the need to include IT, Legal and HR in any detection, investigation and response efforts.
We agree completely. This kind of broad cross-departmental coordination and collaboration is a critical requirement for organizations that aspire to effectively manage a holistic risk-based program designed to mitigate any type of adverse insider — regardless of their motivations or behaviors.
# # #
Note: For an in-depth look at how one formerly high-flying executive devolves into a disgruntled insider threat, download the newly published second edition of our Insights Series paper, To Catch an IP Thief.