First, the team should put together policies that allow appropriate access based on business needs, and look at tools to safeguard against insider abuse. This entails providing the right level of visibility into insider access and into possible deviations from it.
Not everyone agrees on who needs to be on this team, though. It may be a matter of semantics, but some experts believe the insider risk team’s main responsibility is to set policy, which the various operational teams then follow. Others see the team as a group that follows up minute by minute, chasing any abnormality to wherever it leads.
Hamesh Chawla, vice president of engineering at Zephyr, said insider risk teams should be consistently looking at reports and logs on a daily basis to understand what deviations are taking place, and address those deviations immediately with the group to implement a course of action. “These specialized teams should formulate a crisis plan to mitigate the damage should an insider attack occur and have concrete, appropriate actions against those abuses.”
Javvad Malik, security advocate at AlienVault, breaks the duties down into what are almost layers:
Line managers: A first line of defense, they know the employees best, are aware of what tasks they need to undertake, the information they need to access and their overall morale and well-being.
Asset owners: An accurate asset inventory needs to be compiled, the data classified, and owners identified. These asset owners should know what services and users require access to the assets, when downtime is scheduled, and any planned changes. If suspicious activity is detected, the asset owner should be able to validate whether it was malicious.
Legal / HR: Whenever looking into potential insider fraud, it is essential to have legal and HR representation to ensure that no individual rights are being breached and that any investigations are undertaken in a legal manner.
Forensics: Similarly, forensics investigators may be needed in order to undertake detailed investigation. This could include taking forensic images of devices for legal purposes and to investigate malpractice.
Analysts / SOC: The security operations center (SOC) is the heart of all threat detection within an organization. Working with the involved parties, assets can be identified and appropriate alerts configured. Similarly, behavioral analysis should be a core component of a SOC so that it can detect any deviations from normal activity and behavior. The SOC will usually kick off incident response processes by engaging the other responsible parties.
A successful insider threat program needs access to data, which should include endpoint, proxy, search history, phone records, and physical access logs if available, said Chris Camacho, chief strategy officer at Flashpoint. “Being able to understand and ingest multiple sourced data/information is a critical part to enable accurate analysis of who might be at high risk for insider activity. Naturally, an employee’s motivation is a critical aspect of why malicious activity could occur and can range from ideology, financial needs and even collusion or extortion of an employee. Access and correlation of the right data sets is paramount but leveraging intelligence analysts, the human factor, is an important piece of the insider puzzle,” he said.
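The two ideas in the passages above, behavioral analysis that flags deviations from a user's normal activity and correlation across independently sourced data such as proxy and physical access logs, can be shown concretely. The following is an added example written for this page; it is not code from the article or from any of the experts quoted, and the badge and proxy log lines, the office address range and the thresholds are all constructed assumptions. It builds a per-user daily-volume baseline from proxy records and flags days that far exceed it, and it cross-checks office-network proxy activity against the badge system to surface activity attributed to a user who is not physically on site.

```python
"""Toy insider-risk correlation over constructed logs (added example, not the article's code)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. Badge lines: "date time user IN|OUT".
BADGE_LOG = """\
2024-03-04 08:02 alice IN
2024-03-04 17:31 alice OUT
2024-03-05 08:10 alice IN
2024-03-05 17:40 alice OUT
2024-03-06 08:05 alice IN
2024-03-06 17:20 alice OUT
2024-03-07 07:58 alice IN
2024-03-07 17:45 alice OUT
2024-03-04 09:00 bob IN
2024-03-04 18:00 bob OUT
2024-03-05 08:55 bob IN
2024-03-05 17:50 bob OUT
"""

# Proxy lines: "date time user src_ip bytes_transferred".
PROXY_LOG = """\
2024-03-04 10:12 alice 10.20.1.5 120000
2024-03-05 11:03 alice 10.20.1.5 140000
2024-03-06 14:30 alice 10.20.1.5 110000
2024-03-07 15:05 alice 10.20.1.5 130000
2024-03-07 22:15 alice 10.20.1.5 9500000
2024-03-04 13:00 bob 10.20.1.9 200000
2024-03-05 10:00 bob 10.20.1.9 180000
"""

OFFICE_NET = "10.20."  # assumed office address range (constructed)


def parse_badge(text):
    """Badge events keyed by (user, date), each a time-sorted list of (time, 'IN'|'OUT')."""
    events = defaultdict(list)
    for line in text.strip().splitlines():
        date, time, user, event = line.split()
        events[(user, date)].append((time, event))
    for key in events:
        events[key].sort()
    return events


def parse_proxy(text):
    """Proxy events as (date, time, user, src_ip, bytes)."""
    rows = []
    for line in text.strip().splitlines():
        date, time, user, ip, nbytes = line.split()
        rows.append((date, time, user, ip, int(nbytes)))
    return rows


def volume_outliers(proxy, min_days=3):
    """Flag (user, date) whose transferred bytes exceed a leave-one-out baseline of the user's other days."""
    daily = defaultdict(int)
    for date, _time, user, _ip, nbytes in proxy:
        daily[(user, date)] += nbytes
    per_user = defaultdict(dict)
    for (user, date), total in daily.items():
        per_user[user][date] = total
    findings = []
    for user, days in per_user.items():
        for date, total in days.items():
            others = [v for d, v in days.items() if d != date]
            if len(others) < min_days:
                continue  # too little history to call anything a deviation
            base = mean(others)
            # 3 sigma, with a floor of half the baseline so a flat history still needs a real jump
            threshold = base + max(3 * pstdev(others), 0.5 * base)
            if total > threshold:
                findings.append(("volume", user, date))
    return findings


def badged_in(badge, user, date, time):
    """True if the user's most recent badge event on that date at or before `time` is an IN."""
    last = None
    for t, event in badge.get((user, date), []):
        if t <= time:  # zero-padded HH:MM strings compare correctly
            last = event
    return last == "IN"


def presence_mismatches(badge, proxy, office_prefix):
    """Flag office-network proxy activity by a user the badge system shows as not on site."""
    return [("absent", user, f"{date} {time}")
            for date, time, user, ip, _n in proxy
            if ip.startswith(office_prefix) and not badged_in(badge, user, date, time)]


def run(badge_text, proxy_text, office_prefix=OFFICE_NET):
    """Correlate both sources and return all findings as (kind, user, when) tuples."""
    badge = parse_badge(badge_text)
    proxy = parse_proxy(proxy_text)
    return volume_outliers(proxy) + presence_mismatches(badge, proxy, office_prefix)


if __name__ == "__main__":
    for kind, user, when in run(BADGE_LOG, PROXY_LOG):
        print(kind, user, when)
```

On the constructed data this yields two findings for the same user and day: a data-volume spike far above that user's history, and proxy traffic from an office address after the badge system recorded the user leaving. Neither signal alone is conclusive (a scheduled backup, a shared workstation, a forgotten badge-out), which is why the asset owner and line manager described above are the ones who validate a finding before anything escalates.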