Elements of an Effective Insider Threat Program – 2019 AT&T Business Summit

Hey everyone, how are you? Good, good. So my name is Todd Waskelis, I'm an AVP in the AT&T cybersecurity group, and we're going to spend some time today, as you know because you signed up for this, talking about insider threats. Insider threats are becoming more and more top of mind for organizations. You may have seen stats that say 30% to higher than 45% of attacks are associated with insider threats, but I think as security professionals we are often so focused on the external threats, the bad actors from the outside and protecting our perimeter, that we sort of fail to really dig into how we start dealing with the threats inside of our environment, not just in our employees but in our partners and others like that. I've got an incredible panel here with me today. I'm just going to ask, from left to right, if they would take a minute and introduce themselves.

My name is David Maimon. I'm a professor at Georgia State University and a director of the Evidence-Based Cybersecurity Center.

My name's Troy Wilkinson. I'm the head of cybersecurity research and analysis at IPG, which is a New York-based Fortune 500 advertising company.

Joseph Blankenship, vice president, research director with Forrester Research.

Awesome. We're going to have some time at the end for Q&A, so hopefully you can queue up some questions for our experts here. But Joseph, why don't we just start off with you, if you don't mind. What makes an insider threat different from other threats?

I think you kind of set it up at the top of the talk. Usually when we think about threats in the context of cybersecurity, we're thinking external threats, external actors. Instead, an insider threat is actually the people we trust. We can kind of look at everything coming from the outside and, if it looks malicious, we can probably make a decision: hey, that's likely malicious, we should block that. We have most of our defenses focused on the outside, and we tend to trust all the people on the inside, which is why at Forrester we have the Zero Trust framework, where we don't trust anybody, including ourselves and our co-workers. The other big difference is, while you can treat an external actor as a foe, you can't always treat your co-workers as a foe, even though you might like to. You actually have to have some level of trust, or some level of access to information, for all the people in your company, and so you can't necessarily think that everyone is guilty until proven innocent. Instead we've got to look at everybody on a case-by-case basis and actually treat them like trusted co-workers.

So I think you brought up a key point there: it's not just about our employees, it's the trusted entities inside of our organization. That could be employees, that could be partners, that could be vendors; it really could be anything across the board. So Troy, what makes it difficult from a cultural perspective to deal with insider threats? What have you seen?

I think it's a people problem. The best use case of insider threat that we all know, and from my background, is Ed Snowden. He moved around within certain jobs and his privileges and accesses were never cut off, and he was able to get access to more data than he should have and walk out the door with it, one of our biggest national problems back then. But it's all about the people being central to what you're trying to figure out, and so user behavior analytics has really come to the forefront these days: determining what's normal, what they should have access to, and kind of plotting that across time so that you understand when they're doing something they shouldn't. I mean, you have employees that are accessing files when they're about to leave the company, they put in their notice or maybe they don't, and they start downloading all their work product, or maybe stuff they shouldn't. So it's all about understanding the people-centric problem. With culture, as you said, you can't treat them as hostile, but you have to use data, and so I'm always going to go back to data and science. That's what I love right now: in the next two to five to ten years we're really going to start relying on the data, and so the analytics, how do we apply machine learning and data to understand what people should do, shouldn't do, what's normal, what's not normal, and start alerting and surfacing up the ones that come up.

Yeah, my follow-up there was going to be, so how do you profile your internal threat right now, how do you go about doing that? But you kind of touched on it with the data.

Yeah, and so I started my career in law enforcement, I was an investigator for a long time, and it's always the bookkeeper, the nice little old lady, who is embezzling from the company. So when you look at profiling somebody and trying to understand who is the right person who would do this, it's tough, because what happens is perhaps they're in a bad financial situation, they've hit hard times, something in their medical life has come up; you can never know. And so trying to create an overall profile of your employees to say who's more likely or not to steal data doesn't always work. What you can rely on that's never wrong is data, and so as long as you have those algorithms and the things that can show you what these folks are normally doing, what they should be doing, then when they try to go outside those bounds you have an indicator to say, okay, let's watch Sally, she's never tried that before, let's keep an eye on her.

So that makes sense, and I think we traditionally think about cybersecurity as people, process, technology, but I think historically we've been technology, technology, technology, process, people. We've always sort of put the people last, and I think we've really got to shift to moving that up front. And I don't think there's any vertical that's immune to this. I believe that there are sort of these
insider threats whose primary motive is they're going to get into your organization from day one and do something bad to you, but then there are the opportunists. We've seen there was an individual at a social media organization that was using his access to stalk individuals inside of the user base; we see people stealing from financial institutions and rerouting money, or whatever it might be; and then even in manufacturing we've seen trade secrets going out the door; and then Snowden, federal government. So I don't think there's anybody that's immune to it, and again, I think there are opportunistic insider threats where they just take advantage when they can, but there are definitely some malicious ones, and then there are, I think the FBI calls them the knuckleheads, which are really just the dummies, they just fat-finger something and then they cause some problems. So David, maybe...

Maybe I can do that. I think as a criminologist we know that opportunities are very much important in folks' decision-making with respect to whether they will engage in a type of crime or not. So profiling is cool, and again, maybe some of us may have a legitimate reason to actually profile people, but at the end of the day you profile your employees and you're making decisions about their opportunity, or the potential of them, to actually harm the organization, and if that's the case, why would you keep them there in the first place? I think opportunity is the key, and I think that you forget about profiling and you talk about designing out crime. I think what should happen is, of course, focusing on the human, but configure the environment, configure the systems, configure the network in a way that will nudge the offender to simply desist. That's what I think is missing right now, and that's where I think we should go. So profiling is okay, but there's a lot of research that indicates that maybe profiling is not the best thing to do; maybe the right thing to do is focus on opportunities, reduce the opportunity.

That's right, yeah, that makes a lot of sense. We do that now externally; when we think about our external vulnerabilities we try to do patch management and all those things to reduce the opportunity, but we don't look enough inside. So David, evidence-based security, can you take a few minutes to tell us what that is as a program and how does that apply to the insider threat?

Sure. So evidence-based cybersecurity is essentially the approach that suggests that we need to move from a model in which we make decisions based on our personal background, our emotions, our experience in the field, into a model that essentially asks folks to make decisions based on scientific data and evidence. The focus of the approach is on the human, and it calls for the implementation of rigorous scientific methods like field experiments, like surveys, like observations. And I assume that folks sitting in this room are aware of the fact that this approach actually worked in many, many fields, like the medical field: if you think about mortality rates among kids, among pregnant women, and so on, we see that because of the evidence-based approach we were able to reduce mortality rates. Same thing with respect to policing. Before the '90s, crime rates were very high in the United States, but starting in the '90s we see more and more police departments across the nation adopting this evidence-based approach in order to really understand what works and what doesn't in a scientific way, and then we see a reduction in crime rates in our society. So we believe that this approach is relevant also in the context of cybersecurity in general, when we're trying to understand attacks, and in the context of insider threats in particular. Insider threat is again a very broad umbrella term for many, many types of activities, different types of actors, so the approach calls for understanding those malicious and non-malicious actors in their network and the computers that they use. We believe that this approach is very relevant in the context of insider threats because it allows us to answer two key questions: first, the risk that people sort of bring with them to the organization, and second, how can we strengthen defense on the organization's network, computers, and so on. This is pretty much what the evidence-based cybersecurity approach is all about, and we think that it's relevant in the context of insider threats because it can answer those two key questions, which I can talk about later, how we actually can answer those.

And so in gathering that evidence, are there some tools, technologies that you look to leverage inside of the environment too, that you would say, hey, start with this type of tooling if you're looking to deal with insider threats, or where would you start?

So it's a very good question. In the context of insider threats we haven't done a whole lot; I'd have loved that. But the approach essentially calls for really testing tools and policies in the field, and before I came here I actually ran a literature review, so to speak, and tried to figure out what other people have been doing with insider threats. I don't know if folks will be surprised, but there's really not a whole lot. I mean, there's a lot of research, but it's not empirical research, it's not evidence-based sort of research. The goal is to actually take those tools, those tools that focus on identifying misuse or identifying anomaly, and really test whether they work in the field. I'm not familiar with any research that actually does that. I know that anecdotally folks can talk a lot about the effectiveness
of Splunk or honeypots or other tools in actually detecting insider threats, but there's really no scientific evidence that indicates that those tools are really worth anything. And I'm sorry, I'm a scientist, I'm not trying to sell anything.

To the other side, so from Forrester's perspective, what are you seeing in terms of tools and technologies that organizations are looking to leverage from an insider threat standpoint?

Well, usually when I get a customer inquiry and they're talking insider threat, the first thing they ask is, what UBA should I buy? And I usually flip that question around and say, before we start buying technology, let's try to figure out what you're trying to solve for. And to your point, you've got to get the process and the people ahead of it, and this is very much a process-oriented problem as well. I kind of make the analogy of, what are you going to do when you catch an insider threat? You've got one; it's like a dog chasing a car. If the dog ever caught the car, it'd be like, wow, I got this car, what am I going to do with it? So if you're a CISO or you're a security analyst, if you catch the insider, what are you going to do? Are you going to call the manager, are you going to get this person fired, are you going to have a warning issued, something like that, are you going to reduce their privileges? Are you going to do anything that's going to land you in court later? Because if you do any of those things to one person and then you do something different for the next two people, you have now created liability and more risk, so you were better off letting the insider run rampant in your environment instead of actually trying to do something about it. So it's very much a process thing: what are we going to do when we catch one, what's our process, what's our investigative flow, and now let's start talking about the tools you have to enable that, and who are the people we're going to hire. We did some research to figure out who makes really good insider threat analysts, and lots of former law enforcement and counterintelligence people, people that have more of a rigorous investigative mindset, as opposed to broad technical skills, make better insider threat analysts.

I'd just like to add to that, because I think that every business is different, and this is probably coming out later, but you have to realize what your risk assessment says, and you're doing a three-phase risk assessment, whether it's operational risk, litigation risk, or reputation. And so once you get to the bottom of what's important to me, every business is different. It might be your file structure for one business, where you have a lot of important intellectual property files that you're trying to protect; it could be e-commerce, where your customer database is the most important thing to you in the world. And so once you start looking at that problem statement of what do I want to protect, then you start looking at ways to see unauthorized access, and there are tools like Varonis out there who do file-level-access UBA, there are tools like ExtraHop and Darktrace that do the network-layer analytics around behavior. And so when you add those things up, once you identify where your risks are, what you want to protect, how you want to protect it, then you can start layering the tools on afterwards; you call Joseph and say, what's the best one for me.

So there's one thing that I think it's important to emphasize, that insider attack, as I indicated, is a very broad sort of term. I want to agree with you with respect to the CISO needing to figure out what it is that he's going to do with someone who's an insider attacker, but we need to define that, because we have the malicious attacker, and then you have the non-malicious attacker, that employee who accidentally clicked on a phishing link. So you have to have different policies for those different insider threats.

And to me that's part of the process too: we've got to categorize this. Was this actual maliciousness, was it carelessness, the knucklehead, the person who is trying to get around policy because, oh wow, the security policy is really getting in my way, so if I just download everything to my personal PC I can just work off of this, all that security stuff is in the way. That's kind of the accidental insider, if you will, but they're still violating policies. So you're right.

So it reminds me of the conversation you often have about DLP. A lot of organizations jumped into DLP and they wanted to get it deployed on their network to see what was going on, but to your point, you've got to be careful what you see, because then you've got to act on it. Sometimes maybe it's better or not, but once you have all the information you've got to do something. Troy, can you just double-click a little bit into that, building a risk program? I think that would be helpful for maybe some more people to understand, like where do you start with that, how do you begin, and how do I, if I'm looking at my business from a business owner perspective, start thinking about that?

It's funny, because most people assume that the risk assessment should come from the CISO's office, and I postulate that it should come from the CEO and the board, and they should mandate that a risk assessment should include all business units and all business heads, because the risk that we're going to find is usually going to be somebody in accounting or HR, somebody who is an accidental insider threat. But also you have to have that culture of security, and it's so important that you get buy-in from the executive level, because if we as CISOs or executive directors in security create and mandate, then it's not going to be followed, but if it's from the top down, from the board level down, and it's a revenue-impacting and a bonus-structure type of buy-in, then you're going to get people to cooperate and do that. So the risk assessment, again, you go into how that's going to impact the company, you can lay out whether you're compliant to PCI, whether you're compliant to HIPAA, SOX (Sarbanes-Oxley), whatever you are compliant to, along those three risk levels, then you can kind of marry that up. So in our case we basically look at IPG from the NIST twelve pillars, and we map that to the CIS top 100 controls, and then we use that to also test ourselves against the MITRE ATT&CK framework. So by using these frameworks to actually test the controls we have in place, the effectiveness thereof, then we can grade ourselves and get better. It also helps prepare our roadmap for 2020, 2021, as we're looking to buy new technology. So the risk assessment has to come from a broader level, and to Joseph's point, and this is the foundational part, it has to be in policy and writing, it has to be signed, it has to be part of that initial hiring package, it has to be annually reviewed and signed again. We have to make sure that our employees are aware of this program, because if we don't, then they're caught in the mousetrap and they weren't even aware that that was wrong in the first place.

So maybe in the context of risk assessment, one of the things that it's important to emphasize is that it's not only tools that we should take into consideration when we're trying to deal with insider threat, but also policies. Many organizations talk about how they have policies that essentially penalize employees for clicking on a link, reducing their paycheck, or I've actually heard of some organizations that will get you fired if you clicked on the link. Now the question is whether those policies are effective or not, and again, like the tools, we still don't know.

We've said it three times already now, and it reminds me of, I knew a guy a long time ago who ran a bar, and the way that he would train his bartenders to be bartenders, one of the parts of the training program was to teach them every way that they could steal from him. He would walk them through: hey, if you do this I'm going to catch you, if you do this I'm going to catch you. And so he felt that he sort of reduced his exposure by being open and honest, and I think we do that a little bit maybe with our employee awareness and training programs to some degree. But the thing that's been mentioned over and over is culture.

That's right.

I mean, so how do you instill that, how do you shift the culture of an organization? I'll give you all a chance to sort of talk on this, because I know that a lot of individuals feel like, this is great, but how do I take this back to my organization and put it into effect? So how do you try to drive that in the culture, Joseph?

It's actually funny, because we're actually doing some research right now that talks about this. It talks about how the CISO gets out of the security team's area, wherever that is, usually theoretically in a basement someplace where it's dark and everyone's wearing hoodies, and actually gets out into the rest of the organization and kind of demonstrates
that security is more of a business enabler. And I think this whole concept of security, we've always been kind of the Department of No, the people who tell you how long your password has to be and that you have to change it every 90 days, and really ruin your lives with all this kind of stuff. But instead of having that sort of mindset, it's really about the CISO going and demonstrating, to your point about risk, here's the real liability that resides out there. A lot of insider threat programs get started because they had an incident, or maybe a board member will read about a peer company that had an incident, and they realize there's a possibility here. So then the security team has to come in and educate, and really start talking about how we do this culture-wide. And insider threats are probably that one problem, as well as the phishing problem that David is talking about: if you don't have that culture of security you will never fix the clicking-on-things problem, you will never get to the point that your people are aware. There was a great case with a manufacturer in North Carolina, I'm sorry I'm taking too much time, but they had a policy on their campus: no removable storage media, nowhere on the campus, because they had corporate secrets to protect. An employee walking along looks down, sees an SD card lying on the sidewalk, and he's like, wow, that shouldn't be here, why is there removable media here? Now most anybody in this room would say, oh wow, free SD card, I will go put that in my computer. This guy was smart; he actually took it to corporate security and said, I found this on the ground, it shouldn't be here, find out what it is. Corporate security gets in there, they find gig after gig of data they did not want getting out, and so now it's about who did this and why. So they do some evidence collection, they figure out what machine it came from, they monitor the user of that machine for a period of time, and they ended up calling law enforcement and having that person arrested. But that's cultural awareness: that's not supposed to be here, here's what to do with it.

Hashtag no hoodie.

Yeah. But we could have a two-hour session on culture alone, because it's such an important topic to people these days, and I think it comes from just emphasizing that along all levels. And so what I've seen be successful is rewarding people for contributing. So we have challenge coins from the CISO's office, and if one of our hundred thousand employees decides to do something outstanding, like what he just mentioned, we recognize them publicly and they'll be given one of our challenge coins, and they use it to say, you know, I helped. We also have moved to more interactive security awareness training, so instead of just click, click, yes, yes, yes, now it's these interactive videos that are fun to watch and informative. And I think as citizens at home we understand that cybersecurity is a thing now; we're connected with our watches, our thermostats, our toasters, as we talked about, and so the average person who doesn't know anything about cybersecurity is aware that this is a problem. So I think we're seeing more buy-in from the general employees, and we're also getting that buy-in at the board level, because we have people who are extensively aware of the financial risk to our business if we get hit with something significant.

So maybe I should, I mean, I'm sorry, this is one of the reasons I love cybersecurity, and being a professor of cybersecurity, is that I get to be the disruptor in all those sessions and come up with provocative questions. And so, as a sociologist in training, I don't understand what a culture means in the context of cybersecurity, so it would be really cool for me to understand; we said it together, put together a two-hour session on culture. When I think of culture, I think about people dressing in a certain way, people going to specific sport events, people eating specific food. In the context of security, I don't see that. I mean, I see maybe people complying with guidelines, with policies. I don't see culture.

You see more of a mindset, like how do you... that's what I see.

Yeah. I'm trying to think about, okay, let's say that there is this thing that you guys sort of call a culture. How do you measure it, how do you operationalize it, how do you put it together in order to really test whether it's effective in reducing the risk in the organization or not? I don't know. I don't think that you guys, maybe you guys know, but, and it's not only you, it's the security field in general. I think that in general the cybersecurity field suffers from the fact that we don't know how to measure things. We come up with those really weird ways to measure things, using a sample of three people, and then we think we should sell it. Again, in the context of a cybersecurity culture, I don't know what it means.

So we've never been able to measure cybersecurity; it's like air conditioning, you can't see it, and when it's off you don't know about it.

Well, I mean, I think that it's easier to measure cybersecurity. Well, again, I've spent seven years thinking about this, so I think it's then really trying to understand what the cybersecurity culture is all about.

To me, I think culture is really just awareness, bringing people from just going to work to, let's say, being aware and understanding, bringing that awareness level up of cybersecurity, that there are threats out there that could impact you personally or the business. And so we do use the word culture interchangeably with the word awareness. But in this example that Joseph gave, this person saw the SD card and they knew that was not supposed to be there and they brought it to the attention of security.
Perhaps we have helped educate that person, we've increased their awareness, and now they were more aware themselves. So when it's a culture, to me it's more of an enterprise awareness of security, and helping people be a part of it and want to be on the good side of helping us, in that case turning that in instead of taking it home or doing something else, or just throwing it away. So yeah, awareness works, definitely more than culture.

And I'm vendor-agnostic; I was never a fan of vendors, I believe.

Yeah, yeah, definitely out there. Exactly, they call me every day.

So as we look at the next generation of workforce that's coming up, and I say this with authority as the father of two teenage girls, kids that have really very little awareness of their own personal information, they're posting stuff all over social media. This rainbows-and-unicorns world of creating culture and awareness is going to become more and more difficult. So yeah, people and process are important, but let's just kind of shift to technology, and Forrester is big on the Zero Trust model. So if you think about this from a technologist's perspective, what can we do today, when we look at our environment, how do we start maybe segmenting off or doing whatever we think we need to do to start addressing the insider threat from the technology perspective? And I'm not talking about putting in more monitoring tools and those types of things, but with what we have today, what do you think somebody can do?

Well, I think the first thing that we can do is exactly what we've been talking about: have the technical controls in place that actually reduce the threat surface. The whole idea, the concept of Zero Trust: has everybody heard the phrase "crunchy exterior, chewy center"? Does that sound familiar? The M&M model of security. So when Zero Trust was first conceived, we were like, we've got this chewy center, and basically we're saying that everything that lives in this center is trusted. That means we're going to let everyone on the panel go and access all of our file shares, they can have access to applications, we're never going to turn their access off, like with Snowden, as they go from one project to the other we let them accumulate credentials as they go. So the whole concept of Zero Trust is, let's identify the individual and say this individual is matched with this project or with this file share, and let's continue making sure that that individual is (a) who they say they are and (b) not in policy violation. So we're continually making sure that they're supposed to be there, and let's revoke their privileges when they're no longer associated with something. So that's all about identity; identity is sort of the number one challenge there. We used to say it was data, because we were going to segment the network around data and all this kind of stuff; now we segment much more around the user, because we can actually isolate the user and associate them with the right places to be.

Sure. To continue on that, we have employees in the business who work in accounting, in HR, who have no need to access production servers or files, and in a lot of our companies they can. And so it's all about segmentation. It's something as simple as turning on a switch, really looking at your Active Directory structure and keeping the file shares segmented from users that don't need to have access. Almost every risk assessment I've ever done in my career has had this: this person, she's the executive assistant for the CEO, so she needs to have access to everything, and what happens is she'll get the ransomware email which will encrypt everything for the company. That's where we really need to focus. It can be the malicious intent of the actor internally, but 99% of the time it's going to be an accidental infection, and so we just need to look at what access people have, and how many third-party contractors do we have accessing our environment, how many audits have we done of those third parties. Target's a great example: the HVAC company that helped that intrusion into Target that did the payment card malware. And so it's all about access, it's all about understanding when to terminate it and also how to monitor it.

I think that the issue with insider, and with cybercrime in general, the focus should be with the human, and so I agree one hundred percent with you, the fact that we should spend more time and effort to talk about those issues. But I think that the answer is, and I'm not sure that this answer and the tools are actually available nowadays, what needs to be happening is that we should all come up with a realization that it's the human, and we all make decisions, and we need to nudge the bad people, the malicious or non-malicious insider in the case of this panel, to comply with our policy, to mitigate the consequence of an event, to reduce potential harm even if they engage in an insider attack. I think that is where the solution lies, so to speak. The technical tools, and everybody talks about AI and machine learning, which again is very fancy, I love those buzzwords, but what needs to be happening is that we need to configure computers, we need to configure networks in a way that will nudge decision makers to behave in a predictable way: the bad guys to leave us alone and reduce the consequence of an event to the system or the organization, and the good guys, our employees, to comply with security policies and prevent an event like this from happening.

Agreed. And I think if you're looking at Zero Trust, a lot of organizations say that's a big undertaking for me to go into, and we've helped organizations do that, that is a big undertaking. So short of that, when we talk about basic cyber hygiene in terms of patch management and vulnerability management, there are some things you can do today in your network, just going through your Active Directory, seeing who is there, compartmentalizing your users better. Some other examples of things that you can just do today to make a difference and hopefully reduce that opportunity for somebody to either make a mistake or do something malicious?

It's all about designing out crime. We know that from the physical world, from the offline environment, so why shouldn't we try and do the same in online space?
So I think, best for last, is you: how do data, sort of privacy laws come into play when you're talking about insider threat, right? And you mentioned a couple of challenges of what you're gonna do with that person when you catch it. But David, any thoughts around, you know, how legal and privacy issues play into this?

Well, again, as a scientist, my suggestion is for you guys to follow your legal team's advice with respect to all those insider programs and the implementation of those programs. I see two major issues with, you know, some of the programs that we have out there today. First is online privacy, as you indicated, right, the fact that we monitor pretty much everything. But again, the legal team will say... and the NSA is monitoring traffic 24/7, I mean, so, you know, if you don't want them to do that, just, you know, don't go... allegedly, allegedly. So, you know, it's pretty much the same thing with respect to the organizational network, I assume, right? I mean, so if you don't agree to our terms of use, don't use our network, and then, you know, you can't really work here. So that's one thing that I think is an issue that should be discussed. The other one is profiling.

Again, profiling is a big thing. Essentially, what we do with profiling in the context of insider threat is trying to assign a score, right, to each employee with respect to the potential harm he or she will cause to the organization, or can cause to the organization, in an event of an insider threat, right? Again, we can talk a lot about profiling, and we actually started this panel talking about profiling. There are issues with profiling, legal issues with profiling. The way we do profiling nowadays is also not very good. I mean, essentially what we do is we take retrospective data, and based on that we make some predictions with respect to someone's potential behavior, right, in the future, and based on that we assign a score. So it's problematic. Then you have another profiling approach, which is the behavioral analysis approach that you indicated, which essentially is intuition, right? Yeah, you simply... and I hear a lot of people actually talking about that. They knew a lot of CISOs, right, and their advisors, talking about the fact that they knew someone would generate a problem, an insider attack, simply by talking to him or her, right, and sort of looking at some of the cues, right, that she or he sent. So again, I mean, these are the key issues that, you know, I see with respect to, you know, the legal discussion around insider threat programs, and I think that, you know, legal teams should spend more and more time trying to figure those out.

One thing on that, aside from that, is that you have to understand what constitutes a breach, because now with Nevada, California and all these other states that are coming up with data privacy laws that are matching or stronger than GDPR, and then on top of that, notifying customers: every single state, all 50 states, has different breach notification laws that require you to divulge information to the clients affected in that state based on certain criteria. So if an insider threat gets access to a customer database and does something malicious like download it or remove it, do you need to notify those customers? What constitutes a breach? So I think there's a lot more challenges around that side of it as well, so that we now can understand the regulation landscape that's coming at us so fast.

The other, the flip side of this too, on the monitoring: I'm very much an advocate for monitoring. The flip side is, if your monitoring is so heavy and overt that now your employees feel like Big Brother's constantly watching, that is actually a giant, you know, push on, you know, productivity, attitude. You probably even encourage people to become insider threats, right, because they'll become disgruntled. So it's a delicate balance, and, you know, you mentioned before, Troy, you know, it's all about educating them that the program exists and this is why: it's not about you, it's about the data, it's about the company's data, and by the way, it's not your data, you know, it's the company's data, and keep kind of instilling that in folks. And it's definitely... the privacy question is definitely a bigger question in the EU than it is in the US. There's virtually nothing that will stop you from monitoring anybody here in the US as much as you want to, but as soon as you get into other geos, it gets very much more particular.

Yeah, I would make a suggestion. I heard this, it was from an analyst, I'm not sure what organization he was from, but it was smart, so it must have been you. Takeaway for everybody, I think, from this session, to this point: when you go back, identify that one person, and there should only be one person in your organization that can use that word "breach," right? You want to make sure that that person is empowered, because when they use that word, internal or external, it has a whole lot of implications, right? So think about that when you go back.

We've
Got about four minutes left they're there any questions, comments. Thoughts. The. Actual. Breach itself, and looking for those people what about the became, here it, causes that in the first place. So. It's, good and I had, this literature, review before I read, through few articles before I came here so disgruntled, employees they tend to be in. You, know more, likely I mean again this is. Scientific. Literature which, is not really scientific because it's case studies, right that people know so disgruntled, employees, they're. More likely to engage. In. Insider. Threats. You. Know loners, are also more likely to do that. And. Again I mean. Sometimes. I feel uncomfortable, sort, of generalizing, because we have different. Types of insider, threats but you have the spies right. And then you have you. Know the, thieves right, who are simply there to steal, their data. So. You know the, literature, distinguish. Between those. Two actors, and then another one that I'm blanking on. And. Each, of those actors have different, personality, trait I mean the spies are doing this for money of course they're trying to embed themself in the. Organization, and, usually. These guys are in higher ranks, right they tend to be you, know vice presidents, of the organization. But. The thieve is just someone who. You. Know barely you know barely make, and me so. Again. We're all over the place right with respect to understanding these guys who they are based. On the scientifically, which are unfamiliar, with, yeah. Basically based on the research that, that. I've done you're exactly right David, and it kind, of bit that into the spectrum those are people who are a little more sophisticated especially the spies and believe it or not there are actually people who are trying to get into your company, it's is still your intellectual, property it's not just about PII pH, I, PCI. 
All, that it's about IP that's, the thing that's really valuable here it's not one thing to walk away from it's, one of the only thing you're not gonna get an audit about is how are you protecting your intellectual, property but, behaviorally, yeah I think the other class is saboteur, yeah. But, they just want to destroy the data right it's, usually because they're disgruntled, days are mad at the manager the company, could, be a hack to this sort of a mindset, you know power to the people I'm gonna destroy the data you, know hack the world hack the planet all.

That Kind of stuff so there's all. Kinds, of psychology, that plays into this but the garden-variety. Malicious. Insider is absolutely, a thief. Any. Other questions. One. Year and one back there, so. You mentioned, something about you, know creating a culture, of everybody's. Aware of security, how. Do you balance that out with. You. Know I think of a couple instances like the Atlanta, Olympics where you, know the guy discovers, the bag and, all the sudden that's, the guy that go after I mean there's a they made a movie about this thing where this guy was the guilty, party are giul yes, that's it Richard Jewell right or were you look at it from the standpoint of, you. Know I'm, not going to use a third McCarthyism. But turn in your friends, and. The. Fact that it's like well if my friends doing this I can't turn them in what do i do so, where's. The balance in there to the point where you have people that want to protect the company but they don't want to be the bad guy or, they're afraid of the scrutiny that could come up on them, well. I think that part of part of that is create, a communication. Mechanism where maybe they'll have to identify themselves kind like Crimestoppers, did, you see a crime or a reporter, murder you, know but you don't want to, have to testify yeah you can certainly do, something like that. But. Again the cultural awareness is more about, you're protecting the company there. Was a great case with, a computer manufacturer. Where co-workers. Turned in somebody who was acting very oddly in their cube form and this person was taking, bringing. Update IP on the screen taking, pictures with their phone and then, they ended up catching the individual, with several, gigabytes of, data, on the phone trying, to walk out the door and by the way had to take one-way ticket to China to. 
Take all the data with with him so the FBI was called in that person is now arrested, so, it's, not about you know turn in your friend it's about hey let's not triple the companies we're all out of jobs perhaps. There's. A little bit where. Do you see the convergence of physical security in IT security and, why, is that and just curious. Of why, I've, seen that lagging, a little bit and in, companies, and a lot that are attending in here is you, know the system one, of the first things they do is they put badge access right and generally. A lot of companies, still have those as two separate organizations so, when.

And Where do we see that kind, of coming together you see, it more in some companies than others and I love this field because obviously came from the physical security police, side I love it. We have the. Machine learning on the videos now so you can see facial recognition when, employees are coming and going you, know we use geolocation data, to understand when we have somebody accessing, the network from somewhere there don't normally, access, you, have facilities. That are able to help you prevent, both physical, and cyber attacks because when when, you have what we call blended threat both. Physical, and cyber. The. Bad guys for 911 you know they were taking photographs and, digital they were trying to tap into street. Cameras you know it's a cyber and a physical threat so these, things go together like this so some, companies have really embraced that and the seaso is over both physical, and cyber some, companies are completely different where they have a, physical. Security department that doesn't even talk to cybersecurity so. I think it's it's something we have to encourage you, know to get these guys together I don't I won't advocate, it's the same role but, definitely get these guys together to where they're you know planning budgets together and bringing data together because at the end of the day I'm all, for the data because data doesn't lie you start applying science, the data you start having all these insights you can the needles, in the stack of needles nah not the needle in the haystack the needle in the stack of needles and that's that's what's so important. Well. Personally I went out thank you all very much for taking some time out of your day to spend with us I hope you you, gained some useful information out of this I'd like to thank my panelists, for for, joining me here today as well thank you very much. Few. 
Of us will be around afterwards, if you have any follow-up question to addressing, but again thank you and enjoy the rest of stomach. Thanks. For watching for, more videos from 18t business click Subscribe.
