Finding insider threats is everyone’s responsibility.
So much of the noise today seems to still focus on the adversary/hacker breaking the perimeter and accessing a network. While a huge problem, I wanted to shed more light on the insider threat problem and better understand some potential trends. I interviewed three experts providing perspective from the technical, legal and compliance and consulting viewpoints. Experts include:
- Randy Sabett is vice chair, privacy and data protection practice group at Cooley
- Matt Olsen is president at IronNet Cybersecurity, former director at NCTC
- Bob Gourley is a partner at Cognitio, former CTO at DIA
Since cyber should be a team sport in all companies, is the better analogy soccer, football, or something else?
Randy Sabett — The analogy would be toward something just slightly different…rugby. Both rugby and cyber have been around a long time. Both involve the teams getting messy and doing things in a fluid manner. Also, though I’m not a rugby player or insider and so don’t understand all of the rules, I think about cyber today as being like a big scrum. The good guys and the bad guys all converged together on the network trying to maintain their position, though every now and again someone breaks free and scores (analogous to a successful breach if it’s the hackers and successfully defending against a breach if it’s the enterprise).
Matt Olsen — There’s no doubt that cyber requires a team effort. So, I think the best sports analogy for cyber security is basketball. It is almost March Madness in college basketball, when the intensity of the games heats up. What you notice on the court is that the teams with the best defenses perform best during the tournament. The key point here – and why I think basketball is the best analogy for cyber security – is that a good defense is often the springboard to a good offense. Defense leads to scoring opportunities. By analogy, a strong defense, protecting a company’s networks and data, can lead to opportunities on the offense – that is, revenue. Cyber security has become a differentiator in the marketplace. Companies with the best defense in cyber also have the best chance of success on the offense.
Bob Gourley — Sporting analogies are great conversation starters to discuss the topic of cybersecurity. Business leaders need to think through how to coach a broad team in reducing digital risk. CEOs need all their top executives to know they have a role in reducing digital risk and all should understand they face a dynamic adversary who is also fielding a capable team.
In your experience, whose direct responsibility in large companies is insider threat? Both proactive and reactive.
Randy Sabett — I find that insider threat responsibility usually falls within the purview of the CISO for proactive purposes and the CISO, VP of HR, and CFO for reactive purposes. I’m not sure that most organizations have thought of this as a separate responsibility yet, though that may change over time.
Matt Olsen — On one level, protecting against insider threats is everyone’s responsibility. I know this sounds like a platitude, but the fact is that every employee of a company has the responsibility to protect data from threats that lurk inside the company. Often a coworker, rather than a supervisor, is in the best position to identify and stop an employee bent on stealing company secrets. In terms of direct responsibility, the Chief Information Security Officer or Chief Security Officer typically shoulders the burden of preventing employees from threatening a company’s information. This is accomplished through policies, procedures, and technologies – all working in combination to protect the data and information assets of companies.
Bob Gourley — The greatest resource of a company is its people. The role of the Human Resources leader is to help the CEO in managing that great resource, but all line of business executives care for and lead their people. In the case where a person becomes malicious the HR department and line of business executive both have huge responsibilities, but they will need support of IT and security. How this plays out will vary from company to company. Our recommendation for larger firms is to appoint an insider threat manager who can help HR, IT and the line of business executives think through policies to mitigate threats in advance and, if the unthinkable occurs, help lead actions across boundaries to detect, respond and recover.
Do you think companies will eventually create a VP Insider Threat position?
Randy Sabett — Companies that have a large insider threat concern might consider such a position, but it might better fit under a slightly broader VP of Internal Security position (i.e., someone focused on only the internal aspects of cyber). Correspondingly, there would then be a VP of External Security focusing on threats from outside the network.
Matt Olsen — That’s an interesting idea, and I do think the problem of insider threats has risen to the level that companies will be looking at organizational changes to protect their data. According to one study, 69 percent of enterprise security executives reported experiencing an attempted theft or corruption of data by insiders during the last 12 months. And 43 percent of businesses need a month or longer to detect employees accessing files or emails they’re not authorized to see. At the same time, I would urge companies to make “insider threat” protection a shared responsibility, rather than creating a new executive position dedicated to this problem, which may send the wrong message to the workforce. Protecting sensitive data is the responsibility of coworkers, front-line supervisors and company executives alike – that should be the overriding message about stopping insider threats.
Bob Gourley — Thinking of that sends a chill up my spine. Would we ever get to the point in American business when we would need to watch for that many malicious people? We have all been tracking a rise in leaks and unauthorized activity and it may rise to the point of a crisis in many firms, but the way to address growing challenges like this should be to do it within the existing leadership structure. Creating a separate position may make it seem like the problem is being addressed but if this is not done in a holistic way little progress will be made. So, my hope is we never see a position of VP of Insider Threat. And if we do see that in a company I’m shorting that firms stock.
Do you think continuous monitoring will become common practice for directors, officers, and/or employees?
Randy Sabett — I believe continuous monitoring can be deployed across all parts of an organization as a way of determining not only compliance but also security on a real-time or near real-time basis. As such, any position that has compliance in its list of responsibilities should consider CM. In addition, the security function should consider CM as a way of gaining more granular insight into the overall security posture of the organization.
Matt Olsen — Most large companies with sensitive data have adopted technologies that enable continuous monitoring of devices on their networks. This is necessary to stop both insider threats and external actors. Network monitoring to protect company networks does not mean intrusive “big brother” reading employee emails. Cyber security is achieved by analyzing traffic metadata at network speed for anomalous activity on the network, and then rapidly identifying when that anomalous activity is malicious so that security operators can intervene. This approach is effective in addressing threats emanating from inside a company and from the outside.
Bob Gourley — A key approach to mitigating the insider threat is loving your people. Your people, from senior to junior, are how you accomplish your mission. They are also how you will detect if someone is changing their behavior and turning malicious. That said, it also pays to monitor for hints of malicious activity. This includes automated tools on the network (the most famous being data loss prevention tools but there are several other categories that do this). However, there are also tools and cloud services that provide continuous monitoring of police and court records and credit records that can alert if an employee has been arrested or has changed behavior in odious ways. These low-cost services rely on publicly available information and can be an important source for a company. Imagine, for example, if last weekend your CFO was arrested for drunk driving. Wouldn’t you want to know about that?
Are there lessons learned from counterterrorism (CT) and counterintelligence (CI) from the USG that can be applied to corporate America?
Randy Sabett — Clearly, CT and CI techniques (or at least concepts) have entered into the mainstream cybersecurity ecosystem. Think about the number of cyber companies that offer “network intelligence” or “surveillance” or “reconnaissance” in the context of staying ahead of the hackers. The cybersecurity world can always learn from and adapt the TTPs from the physical/kinetic world. Though they may play out a bit different, the fundamental reasons for intelligence, surveillance, and reconnaissance remain the same whether in the cyber world or the physical world.
Matt Olsen — The hard-earned lessons of 9/11 have significant implications for companies and our efforts to protect our networks against sophisticated cyber threats. First, just as in the counterterrorism fight, cyber security is a team effort. After 9/11, we broke down barriers to information sharing, and we need to make sure we eliminate similar obstacles in cyber. Second, since 9/11, we’ve built a vast network of counterterrorism experts – including law enforcement officers, intelligence analysts, military service members. We now need to build a similar cadre of cyber security experts to deploy across the country. There are hundreds of thousands of unfilled cybersecurity jobs – so we have a ways to go. And third, we need to harden our defenses in cyber, just as we did to protect the country against Al-Qaida and other terrorist groups. The key here is leveraging innovation and investment in new technologies that will give companies the edge on threat actors.
Bob Gourley — The greatest lessons from counterterrorism and counterintelligence also happen to be the greatest lessons from history, in my opinion, and yes they can be directly applied to corporate America. Counterterror and counterintelligence have long faced dynamic adversaries that do not give up. They cloak their actions in secrecy and seek to collect their own intelligence on our moves to mitigate them. And with every success we have against them they change and improve and re-attack. To the lover of history that same story is seen in great drama throughout the ages. Sun Tzu, Thucydides and Hannibal all gave us lessons from civilizations early days that show our kind can be incredibly creative and persistent in pursuit of any objective. This same persistence is apparent in mitigating threats from terrorists, spies and cyber attackers. We all need to understand that adversaries will keep coming back again and again. The bad news is that humans also have a great capability to forget lessons learned and pretend that our adversaries are not thinking, creative, persistent attackers. Don’t be that person who forgets.