At the recent InfraGard Southeast Region ISI, a panel of experts discussed ways to address insider threats. I took away several useful perspectives on the question, and wanted to share them with all of our members.
First, insider attacks come in a variety of forms, including personal fraud, IP theft, IT sabotage, physical attack, and active shooter. Not all of these attack types involve the use of technology.
Second, many insider attacks occur at key moments in the lifecycle of an employee or contractor. These key moments include when an employee or contractor is hired, transferred, terminated, put on a performance improvement plan, or subject to M&A activity. Each of these moments represents a change for both the employee and the company - whether a seemingly positive change or a potentially difficult one. Some of these events may result in a change of attitude by a previously loyal employee.
Third, it is critical to understand "normal" behavior for your insiders and to be able to detect behavior that deviates from normal. In one common scenario for insider theft of intellectual property, an insider will use legitimate access permissions to retrieve data that they rarely or never access. Although the access is technically authorized, if it deviates from normal behavior it may represent a higher risk.
Fourth, the ability to correlate abnormal access requests with key moments in an insider's lifecycle can help identify high-risk situations. This requires both technical controls and a strong relationship between security, legal, and human resources.
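One way to turn the third and fourth points into a detection check, as an added example that is not from the original post or the panel: build a per-user baseline of resources touched during a reference period, flag later accesses to resources outside that baseline, and raise the risk when an HR lifecycle event for the same user falls within a window of the access. The data, user names, resource paths and the 30-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not from the original post): access records are
# (user, day, resource); lifecycle events are (user, day, event_type).
ACCESS_LOG = [
    ("alice", date(2024, 1, 3), "eng/design-notes"),
    ("alice", date(2024, 1, 9), "eng/design-notes"),
    ("alice", date(2024, 1, 15), "eng/source-repo"),
    ("bob", date(2024, 1, 4), "sales/pipeline"),
    ("bob", date(2024, 1, 18), "sales/pipeline"),
    # Observation window: alice pulls a resource she has never touched before.
    ("alice", date(2024, 2, 6), "eng/source-repo"),
    ("alice", date(2024, 2, 7), "legal/customer-contracts"),
    ("bob", date(2024, 2, 8), "sales/pipeline"),
    ("bob", date(2024, 2, 9), "eng/source-repo"),
]
LIFECYCLE_EVENTS = [
    ("alice", date(2024, 2, 1), "performance_improvement_plan"),
]
CUTOFF = date(2024, 2, 1)  # accesses before this date define "normal"


def build_baseline(log, cutoff):
    """Set of resources each user touched before the cutoff (their 'normal')."""
    baseline = defaultdict(set)
    for user, day, resource in log:
        if day < cutoff:
            baseline[user].add(resource)
    return baseline


def score_accesses(log, events, cutoff, window_days=30):
    """Flag accesses on/after the cutoff to resources outside the user's baseline.
    Each finding is (user, day, resource, risk); risk is 'high' when a lifecycle
    event for that user falls within window_days of the access, else 'medium'.
    A user with no baseline at all (e.g. a new hire) has every access flagged."""
    baseline = build_baseline(log, cutoff)
    window = timedelta(days=window_days)
    findings = []
    for user, day, resource in log:
        if day < cutoff or resource in baseline[user]:
            continue  # baseline period, or already normal for this user
        near_event = any(u == user and abs(day - d) <= window for u, d, _ in events)
        findings.append((user, day, resource, "high" if near_event else "medium"))
    return findings


if __name__ == "__main__":
    for finding in score_accesses(ACCESS_LOG, LIFECYCLE_EVENTS, CUTOFF):
        print(finding)
```

In practice the baseline would be a rolling window rather than a fixed date, and the lifecycle events would come from an HR system feed, which is exactly where the security, legal and HR relationship matters.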
Finally, remember that your supply chain may also represent insiders. Anyone who is allowed inside your facilities, networks, or systems is an insider, regardless of who issues their paycheck. Although third parties may be bound by contract to conduct background checks and respect your company's IP, you cannot assume that the contract alone is enough to protect you against a threat from your supply chain.
So, how can you get started with your insider threat program? US-CERT's "Common Sense Guide" represents best practices for addressing the insider threat. Their recommendations don't just help address insider threats - they apply to a variety of threats. The guide points out that an insider threat program requires a "layered defense." An important component of the program is situational awareness -- knowing your users, knowing your assets, monitoring connections, and establishing a baseline for normal behavior.