FEATURE
It is crucial for organisations to realise that technology alone cannot tackle the problem of insiders; organisations that place significant emphasis on the technical aspects alone are ultimately bound to fail. Therefore, an insider threat team must consist of both technical and non-technical staff who have a clear understanding of the organisation’s culture and operating model.
Building an effective insider threat programme involves a combination of people, processes and technology. The most successful programmes will ensure that every employee is aware of their role in preventing and reducing cyberthreats. Effective employee engagement means employees are willing to go the extra mile in service to their organisation; they are therefore more likely to buy into the organisation’s cybersecurity objectives and to avoid the negligent or complacent mistakes that could lead to an insider breach.
Bring in supporting technology
Most medium and large organisations have some limited insider monitoring in place, using data loss prevention (DLP) or privileged access management (PAM) solutions. Yet they still struggle to mitigate insider threat risks effectively. This is because, as much as it may sound cliché, security cannot be solved using technology alone. It is a combination of people, process and the nature of your business.
Determining your organisation’s appetite for risk and its most valuable assets is a critical first step.
Once these policies and procedures are defined, a technology that best suits the programme’s requirements should be chosen. For instance, a User and Entity Behaviour Analytics (UEBA) technology with SIEM-like functionality has proven useful for effective insider threat detection and prevention.
Having a strong Insider Threat Programme (ITP) is critical for building insider threat resilience. However, organisations must also select the right technologies for detecting insider threats. A SIEM tool with automated threat identification, threat chains and integrated remediation capabilities is recommended for a successful Insider Threat Programme.
Other key functionalities include:
- Centralised logs with the ability to ingest a variety of technical and non-technical indicators of user activity. This is typically done using connectors and collectors of various types, depending on the target system.
- The ability to normalise, aggregate and summarise the user activity in preparation for data analysis and Machine Learning.
- The necessary out-of-the-box content to meet the organisation’s basic insider threat monitoring needs, together with the ability to create custom content for industry-specific use case requirements.
The ideal technology will be able to apply purpose-built Machine Learning algorithms to specific use cases in order to detect insider threats effectively. The detection mechanism should consist of standard rule-based violation triggers and user behaviour-based anomaly detection. It is this combination that proves to be most effective.
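As an added illustration (not code from the article or from any product it mentions), the snippet below sketches the pipeline the functionality list and the detection paragraph describe: it normalises a small constructed activity log, applies a rule-based violation trigger and a per-user behavioural anomaly check, and reports the users on which both detectors agree. The log format, the policy constants and the z-score threshold are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample activity log; hypothetical format: user,hour,action,bytes
RAW_LOGS = """\
alice,09,download,120000
alice,10,download,150000
alice,14,download,130000
alice,23,download,9800000
bob,09,download,50000
bob,02,download,48000
bob,10,share_external,51000
bob,11,download,49000
"""
RESTRICTED_ACTIONS = {"share_external"}  # assumed policy: never permitted
WORKING_HOURS = range(7, 20)             # assumed policy: 07:00 to 19:59
Z_THRESHOLD = 3.0                        # assumed anomaly sensitivity

def normalise(raw):
    """Parse raw lines into uniform event dicts (the 'normalise' step)."""
    fields = ("user", "hour", "action", "bytes")
    rows = (line.split(",") for line in raw.strip().splitlines())
    return [dict(zip(fields, (u, int(h), a, int(b)))) for u, h, a, b in rows]

def rule_alerts(events):
    """Rule-based triggers: restricted actions or activity outside working hours."""
    return [e for e in events
            if e["action"] in RESTRICTED_ACTIONS or e["hour"] not in WORKING_HOURS]

def anomaly_alerts(events):
    """Behaviour-based: events far above the user's own baseline (leave-one-out z)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = []
    for e in events:
        baseline = [o["bytes"] for o in by_user[e["user"]] if o is not e]
        if len(baseline) < 3:  # too little history to judge this user yet
            continue
        mu, sigma = mean(baseline), pstdev(baseline)
        excess = e["bytes"] - mu
        if excess > 0 and (sigma == 0 or excess / sigma > Z_THRESHOLD):  # flat baseline: any rise counts
            flagged.append(e)
    return flagged

def corroborated(events):
    """Users hit by both detectors: the strongest candidates for analyst triage."""
    rule_users = {e["user"] for e in rule_alerts(events)}
    return rule_users & {e["user"] for e in anomaly_alerts(events)}
```

Run on the sample, bob trips only rules (an out-of-hours login and a restricted action) while alice trips both a rule and the volume anomaly, which is the kind of corroboration that earns an analyst's attention first.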
The most successful programmes often start small and grow over time. As the programme gains momentum, data insights gathered from the monitoring and detection of insider threats can aid in implementing both IT controls and organisational behaviour changes. It is important that this is a continuous process, informed by both the individuals that support the ITWG and the technology that underpins cybersecurity.
Organisations that weave cybersecurity into the fabric of the business will stand the best chance of mitigating the threat posed by insiders.
Issue 23 | www.intelligentciso.com