The Non-Human Path to an Effective Insider Threat Program

Author: Charisa Orwig, Principal Cybersecurity Architect, VP, Bank of the West
Date Published: 18 August 2021

An insider threat program may seem like something from the Philip K. Dick story “The Minority Report,” where three precognitive individuals (precogs) identify criminals before they commit the crime and the precrime police force arrests the identified criminals to prevent the crime from occurring. In our insider threat programs, instead of precogs, we have machine learning, and instead of precrime, we have security controls and user behavior analytics. Like the story, an insider threat program can identify high-risk users and keep an eye on them and put additional security controls around them to help prevent an incident, but inevitably something unexpected still happens. We have security controls in place, but perhaps someone accidentally mistyped an email containing sensitive data or made a network change that caused an outage. Vulnerabilities were exploited unintentionally or intentionally and harm has been caused despite the monitoring and controls in place to prevent it.

Predictably, humans are typically the weakest link in any risk reduction efforts. People are prone to mistakes, misdeeds, or more nefarious motivations, and most insider threat programs focus on some kind of user behavior analytics tool that risk-rates human users to determine where additional security controls and monitoring are needed. This focus on the human makes sense in this context since users are the ones that usually initiate the loss or harm.

However, focusing only on human users may be a bit short-sighted.

Postmortems of major breaches almost always identify multiple failures in controls leading to loss, and even relatively minor incidents may show a pattern of failures despite having a process that should prevent it. If some processes or procedures have been defined and are not being followed, perhaps a better target for risk reduction would be to investigate what causes are contributing to the failure to follow those standards.

Non-Human Threats to the Insider Threat Program
In “The Minority Report,” when the main character John Anderton is flagged as a threat, he begins to question the precog system as a whole and discovers a flaw that highlights major vulnerabilities within the entire precrime system. Similarly, within our insider threat programs, there may be severe flaws within our programs and systems that won’t be discovered until the system is considered as a whole. When we start to consider humans as the catalysts and not the root cause of loss within our insider threat programs, we can start to check and challenge the entire system to determine what may need to be improved to mitigate risk more effectively. By looking at insider threats as part of a systemic whole and not focusing on the individuals, we can also build a more holistic program that will be more resilient and effective against some new insider threats.

Another reason to look beyond human-centric threats: recent insider threats have relied on supply chain attacks that are much more difficult to predict or identify. These new threats and vulnerabilities do not fit neatly into the typical human-centered insider threat paradigm. Because a supply chain compromise occurs at a third-party vendor or managed service provider, these attacks typically do not involve a human insider catalyst within the affected enterprise. Additionally, these attacks not only bypass human-focused monitoring but also potentially prey on the very tools we use to identify and monitor at-risk insiders.

For example, the SolarWinds and Kaseya attacks show that recent insider threats are not only not human-centered, they may not even originate within our own organizational or technical borders. This new type of insider threat requires a more flexible insider threat program that, in addition to focusing on the systemic causes of incidents, must also now watch the watchers.

The Expanded Insider Threat Program
We fight an ongoing battle to protect human users from themselves with things like limiting access to sensitive systems, blocking exfiltration of documents or files, and requiring validation before emailing. All these controls help against malicious or malignant human insider threats. While these controls are an important part of the program, they may no longer be enough.

Taking all this into consideration, an updated approach to the insider threat program should include:

  1. Starting with protecting the human element as much as possible. Create a user environment that mitigates opportunities for loss with the understanding that technical controls are often more effective than process controls. Surround the human with protections and remove insider ability to create damage where possible by automating and implementing controls like access limits and required validations.
  2. Expanding the focus beyond the human to the environment, culture and norms when assessing ways to improve your insider threat program. The “who” and “why” don’t matter as much as the “what” and “how” when it comes to determining the cause of loss and relevant mitigations.
  3. Starting to watch the watchers. If possible, include behavior monitoring for non-human accounts on high-risk and security systems, and deploy a well-tuned network behavior monitoring system to identify unusual or suspicious network traffic.
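The non-human account monitoring in item 3, as an added illustration that is not part of the original article: a small Python baseline-and-deviation check over constructed service-account logon records. The account names, hosts, hours and the rule that a service account never logs on interactively are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample logon events (not from the article) for non-human accounts
# on security tooling hosts. Fields: account, source host, hour (0-23), logon type.
BASELINE = [
    ("svc_siem", "collector01", 2, "service"),
    ("svc_siem", "collector01", 3, "service"),
    ("svc_siem", "collector02", 2, "service"),
    ("svc_backup", "bkp01", 1, "batch"),
    ("svc_backup", "bkp01", 1, "batch"),
]
NEW_EVENTS = [
    ("svc_siem", "collector01", 2, "service"),         # fits the baseline
    ("svc_siem", "laptop-ws17", 14, "interactive"),    # new host, odd hour, interactive
    ("svc_backup", "bkp01", 1, "batch"),               # fits the baseline
    ("svc_edr_tmp", "collector01", 2, "service"),      # account never seen before
]


def build_profile(events):
    """Learn, per non-human account, the source hosts and hours it normally uses."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for account, host, hour, _ltype in events:
        profile[account]["hosts"].add(host)
        profile[account]["hours"].add(hour)
    return profile


def score_event(profile, event):
    """Return the deviations for one event; an empty list means it fits the baseline."""
    account, host, hour, ltype = event
    if account not in profile:
        return ["unknown non-human account"]
    p = profile[account]
    findings = []
    if ltype == "interactive":  # assumed policy: service accounts are never used interactively
        findings.append("interactive logon by a service account")
    if host not in p["hosts"]:
        findings.append(f"new source host {host}")
    if hour not in p["hours"]:
        findings.append(f"outside baseline hours ({hour:02d}:00)")
    return findings


def detect(baseline, events):
    """Score every new event against the learned baseline; return only anomalous ones."""
    profile = build_profile(baseline)
    alerts = []
    for event in events:
        findings = score_event(profile, event)
        if findings:
            alerts.append((event[0], event[1], findings))
    return alerts
```

Only the baseline period, not the alert stream, should feed the profile, otherwise a compromised account's activity becomes its own "normal".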

It may initially seem counterintuitive, but the humans in your organization may not be the real threat. Shifting away from a purely human-focused insider threat program and expanding it to include procedural and third-party threats may be exactly what is needed to build a resilient and extensible insider threat program.

Editor’s note: For additional resources on this topic, download ISACA’s complimentary white paper, A Holistic Approach to Mitigating Harm from Insider Threats.