Insider Threat

Establishing an insider threat policy

05/04/2018 Insider Threat

We at ZoneFox thrive on the detection and containment of the insider threat. Although having an effective mechanism in place to detect and contain insider threats is a must, having a policy in place to provide definition and parameters around the insider threat within your organization is just as important. The insider threat policy defines the threat, leverages existing policies, provides a guide for fine-tuning detection mechanisms, and outlines consequences.

Passing signed policy over computers

Defining the threat…and the policy

It is safe to say that we are generally all susceptible to the insider threat, largely due to the fact that these threats are very dynamic and rather unpredictable by nature. While there are some great tools out there to monitor and detect insider threat activity, the threat itself first needs to be defined. The creation of a policy to define insider threats allows you to define the insider threat based on the context of your business. Defining the policy based on business objectives and established guidelines around critical assets and data provides a blueprint for sensor tuning, and helps weed out false positive events effectively. For example, maybe your users don't handle sensitive data regularly, thereby exempting shadow IT such as third-party cloud storage uploads from the realm of insider threat activity. Imagine the reduced log noise...

You've probably done some of the work already!

There is a good chance that you have a few policies in place already, such as acceptable use of organizational assets, mobile device management policy, or an information classification standard. If that is the case, you can create references from these documents into your insider threat policy. Since the insider threat is basically someone violating policy, having policies written that a user can potentially violate goes a long way in helping you define the insider threat. From here, you just need to dictate classification of the events, as well as prioritization based on the scope of the threat, the perceived intent of the threat actor, and the outcome of an attack. In short, all we need is a little bit of context.

With context comes clarity

While classification and prioritization of insider threat incidents are paramount in providing a proper response, without organizational context it is much harder to accurately identify, classify, or prioritize insider threat incidents - or any other incidents, for that matter. Security policies, and therefore insider threat policies, are not created for the benefit of the cybersecurity team, they are created for the benefit of the organization as a whole, and everyone in it. As you’ve already defined what an insider threat is at this point, you now need to validate, classify, and prioritize which types of insider threat will affect your organization.

Generally speaking, the opposite of the CIA triad (confidentiality, integrity, availability) that we all work to defend in cybersecurity is the DDD triad: disclosure, destruction, denial. Let’s throw defamation into the mix, to create the four D’s that counteract CIA. How many of these factors do your business leaders really care about? Some companies care about all four. Some organizations really only care about defamation, while others care about any type of breach. Understanding the priorities of the business you serve will really help you define how swiftly and mercilessly you need to treat insider attacks. For instance, if a user makes a mistake and discloses schematics for your company’s next big prototype, you will likely be faced with an emergency situation. On the other hand, if a user only discloses (accidentally, of course) a new press release for said prototype, you might be a bit more lenient. The classification (disclosure) is the same, but the priority is much different; disclosing schematics can cost you millions of dollars, while an early news release may only be cause for more intrigue. Again, with context comes clarity - and action.

Enforcing insider threat policy with tech

Now that we have our insider threat policy in place, what type of controls can we implement to keep everyone on the straight and narrow? To begin with, a lightweight next-generation endpoint monitoring system such as ZoneFox will help with identifying insider threats in real time. Next-generation endpoint monitoring solutions can provide insight into user activity based on pre-built rules, or based on user-configured rules that adhere to the company policy derived from business context. Building a tighter configuration on your endpoint monitoring solution provides accuracy and efficiency when detecting insider threat activity and enforcing insider threat policies, and providing insider threat protection for the business. Which brings us to the final touch.

The final touch: business integration

Policy enforcement does not only come from technical controls, it also comes from the business. Since the policy is built based on business context, it falls to the business to create consequences and actions for each class of violation, as well as to integrate the policy into its governance program. Users must accept any consequences that may come about due to any actions - intentional or otherwise - that violate insider threat policy. As such, the insider threat policy will need to be integrated into your security awareness program and written (or digital) acceptance will need to be provided. From there, you have your actionable policy, and all you have to do is make sure it never goes stale.

The creation of an insider threat policy is definitely necessary in this day and age. It is key in defining the insider threat, aggregating elements of disparate pre-existing security policies, and giving your cybersecurity team a target when tuning their tech. The key to an effective insider threat policy, or any security policy for that matter, is business context. We can read best practices until we’re blue in the face, but the best practice is to add some business context to your decisions. A well written insider threat policy - along with ZoneFox to enforce it - will better prepare you for the next big insider threat.

Fail to prepare, Prepare to fail

This applies to cybersecurity, and protecting against Insider Threats as much as any other preparation-worthy activity, however there is a LOT at stake. Understand the different types of potential Insider, and arm yourself with the knowledge to protect your corporate data and IP. 

Share This