Intelligent CISO Issue 23 | Page 50 | www.intelligentciso.com

It is crucial for organisations to realise that technology alone cannot tackle the problem of insiders; organisations that put significant emphasis on the technical aspects alone are ultimately bound to fail. Therefore, an insider threat team must consist of both technical and non-technical staff who have a clear understanding of the organisation's culture and operating model.

Building an effective insider threat programme involves a combination of people, processes and technology. The most successful programmes will ensure that every employee is aware of their role in preventing and reducing cyberthreats. Effective employee engagement means employees go the extra mile in service to their organisation; they are therefore more likely to buy into its cybersecurity objectives and avoid the negligent or complacent mistakes that could lead to an insider breach.

Bring in supporting technology

Most medium and large organisations have limited insider monitoring in place, using data loss prevention (DLP) or privileged access management (PAM) solutions. Yet they still struggle to effectively mitigate insider threat risks. This is because, cliché as it may sound, security cannot be solved using technology alone: it is a combination of people, process and the nature of your business.

Determining your organisation's appetite for risk and its most valuable assets is a critical first step. Once these policies and procedures are defined, a technology that best suits the programme's requirements should be chosen. For instance, a User and Entity Behaviour Analytics (UEBA) technology with SIEM-like functionality has proven useful for effective insider threat detection and prevention. Having a strong Insider Threat Programme (ITP) is critical for building insider threat resilience. However, organisations must also select the right technologies for detecting insider threats.
A SIEM tool with automated threat identification, threat chains and integrated remediation capabilities is recommended for a successful Insider Threat Programme. Other key functionalities include:

- Centralised logs with the ability to ingest a variety of technical and non-technical indicators of user activity. This is typically done using connectors and collectors of various types, depending on the target system.
- The ability to normalise, aggregate and summarise user activity in preparation for data analysis and Machine Learning.
- Out-of-the-box content that meets the organisation's basic insider threat monitoring needs, plus the ability to create custom content for industry-specific use case requirements.

The ideal technology will be able to apply purpose-built Machine Learning algorithms to specific use cases in order to detect insider threats effectively. The detection mechanism should consist of standard rule-based violation triggers and user behaviour-based anomaly detection; it is this combination that proves most effective.

The most successful programmes often start small and grow over time. As the programme gains momentum, data insights gathered from the monitoring and detection of insider threats can aid in implementing both IT controls and organisational behaviour changes. It is important that this is a continuous process, informed by both the individuals that support the ITWG and the technology that underpins cybersecurity. Organisations that weave cybersecurity into the fabric of the business will stand the best chance of mitigating the threat posed by insiders.
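The pipeline described above (ingest from several connectors, normalise and summarise, then run rule-based violation triggers alongside per-user behavioural anomaly detection) is illustrated below with a small Python example. This is an added illustration, not code from the article or from any SIEM or UEBA product; the event records, field names, thresholds and user names are all constructed for the example, and the z-score baseline stands in for the product-specific Machine Learning the article refers to.

```python
"""Toy insider-threat detector: normalise DLP- and PAM-style records,
aggregate per user per day, then combine rule triggers with a
per-user behavioural baseline. All data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass
class Event:
    """Common schema every connector is mapped onto."""
    user: str
    when: datetime
    action: str
    target: str
    size: int = 0  # bytes moved, 0 for non-transfer events


def normalise(raw: dict) -> Event:
    """Connector step: map each source's own field names onto Event."""
    if raw["src"] == "dlp":
        return Event(raw["user"], datetime.fromisoformat(raw["ts"]),
                     raw["action"], raw["dest"], raw["bytes"])
    if raw["src"] == "pam":
        return Event(raw["account"], datetime.fromisoformat(raw["time"]),
                     raw["event"], raw["target"])
    raise ValueError(f"unknown source {raw['src']!r}")


# Rule-based violation triggers; thresholds are assumptions for the example.
REMOVABLE_MEDIA_LIMIT = 10 * 1024 * 1024   # single copy to USB above 10 MiB
BUSINESS_HOURS = range(7, 20)              # 07:00-19:59


def rule_triggers(ev: Event) -> list[str]:
    """Static policy checks that fire on a single event."""
    hits = []
    if ev.action == "file_copy" and ev.target == "usb" and ev.size > REMOVABLE_MEDIA_LIMIT:
        hits.append("rule:large_copy_to_removable_media")
    if ev.action == "privileged_session" and ev.when.hour not in BUSINESS_HOURS:
        hits.append("rule:privileged_session_out_of_hours")
    return hits


def daily_bytes(events):
    """Summarisation step: bytes moved per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        totals[ev.user][ev.when.date()] += ev.size
    return totals


def behaviour_anomalies(events, z_threshold=3.0, min_history=5):
    """Flag a day whose volume is far above the user's OWN earlier days.
    Users without enough history are skipped: a baseline must exist first."""
    findings = []
    for user, per_day in daily_bytes(events).items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            mu, sigma = mean(history), pstdev(history)
            if sigma == 0:                     # flat baseline: avoid divide-by-zero
                sigma = max(mu * 0.1, 1)
            z = (per_day[day] - mu) / sigma
            if z > z_threshold:
                findings.append((user, day.isoformat(), f"behaviour:volume_zscore={z:.1f}"))
    return findings


def detect(raw_events):
    """Full pipeline: normalise, then rules on each event plus baseline anomalies."""
    events = [normalise(r) for r in raw_events]
    alerts = [(ev.user, ev.when.isoformat(), hit)
              for ev in events for hit in rule_triggers(ev)]
    alerts += behaviour_anomalies(events)
    return alerts


# Constructed sample feed. alice: six ordinary days of ~1 MB to a share, then
# 40 MB on day seven (no rule fires; only the baseline catches it).
# bob: a privileged session at 23:15 (rule). carol: 50 MB to USB (rule), but
# with one day of history she cannot be baselined.
ALICE_DAILY = [1_000_000, 1_100_000, 900_000, 1_050_000, 950_000, 1_000_000, 40_000_000]
RAW_EVENTS = [
    {"src": "dlp", "user": "alice", "ts": f"2024-03-0{d}T09:30:00",
     "action": "file_copy", "bytes": b, "dest": "share"}
    for d, b in enumerate(ALICE_DAILY, start=1)
] + [
    {"src": "pam", "account": "bob", "time": "2024-03-01T23:15:00",
     "event": "privileged_session", "target": "db-prod"},
    {"src": "dlp", "user": "carol", "ts": "2024-03-02T11:00:00",
     "action": "file_copy", "bytes": 50_000_000, "dest": "usb"},
]

if __name__ == "__main__":
    for user, when, what in detect(RAW_EVENTS):
        print(f"{when}  {user:<6} {what}")
```

The point the two detectors make together: alice's 40 MB day breaks no static rule (an internal share, during office hours), so only her own baseline flags it, while carol's USB copy is caught by a rule precisely because she has no baseline yet. A programme that starts small, as the article suggests, can begin with rules and let the behavioural baselines accumulate before relying on them.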