How to Build an Insider Threat Program in 30 Minutes

Uploaded by: observeit
Posted on 07-Jan-2017

TRANSCRIPT

Page 1

How to Build an Insider Threat Program in 30 Minutes

OPERATIONALIZING YOUR INSIDER THREAT PROGRAM

Copyright Notice: © 2016 By INSIDER THREAT DEFENSE, INC.

Page 2

Agenda

• Common pitfalls of insider threat initiatives
• Four best practices essential for a successful program
• Overcoming obstacles while operationalizing your program
• Insider Threat Program checklist

Page 3

Common Pitfalls

Page 4

Too Many Definitions For Insider Threat

• Disgruntled Employees

• Workplace Violence

• Divided Loyalty Or Allegiance To U.S. / Terrorism

• Espionage (National Security, Economic, Industrial, Corporate)

• Data Destruction, Information Technology Sabotage

• Fraud, Theft

• Insiders Who Are: Ignorant, Negligent, Cyber Insider Threat

• Insiders Who Affect The: Confidentiality, Integrity And Availability Of Information (Wittingly, Un-Witting Causing Damage)

These Are All Threats

Un-Witting Is The Biggest Problem

Page 5

• UBS PaineWebber Systems Administrator Attack Impairs Trading, Impacting Over 1,000 Servers And 17,000 Workstations
• Employee Sabotages Company's Network Servers - Company Permanently Loses Data And Spends Hundreds Of Thousands Of Dollars Repairing Equipment & Recovering Data ($1 Million In Lost Business)
• Low-Level Engineer Managed To Steal $1 Billion Worth Of Intellectual Property
• Former Security Director For Lottery Charged With Tampering With Equipment Before Secretly Buying $14.3 Million Winning Ticket
• Virginia Man Pleads Guilty To Attempted Espionage For Stealing Aircraft Carrier Design Details
• Former Georgia Pacific Employee Charged With Damaging Computers
• Log Audit Reveals Developer Outsourced His Job To China While He Surfed The Internet All Day At Work
• Management Information Systems Professional At Military Facility Encrypts Large Parts Of Organization's Database And Holds It Hostage - Company Pays Ransom Money
• U.S. Embassy Official Charged With Sextortion, Cyber Stalking Scheme
• Secret Service Agent Sentenced In Online Currency Theft
• FBI Busts Comcast Hacking Suspects - Including Comcast Employee Who Helped Hackers
• FBI Arrests Pharmaceutical CEO Martin Shkreli On Securities Fraud Charges
• Virginia Businessman Sentenced To 88 Months In Prison For Role In Bribery Scheme Involving Government Contract
• Report Shows FBI Ignored Accused Fort Hood Shooter Nidal Hasan Out Of Political Correctness
• Disgruntled Employee Shot CEO Before Killing Himself
• FCC Fines AT&T $25 Million For Privacy Breach - Insider Threat
• Securities Firm Avoids FTC Action By Standing Up Insider Threat Program
• And So Many More...

Companies Have Too Narrow Of Focus

Page 6

Companies Don't Get Employees' Consent To:

• Credit Check
• Background Check (Checking Databases)
• Rules Of Behavior
• Login Banners

Note: For continuous employee evaluation, having a statement explicitly stating that this is a "continuous process" is essential.

Page 7

Companies Don't Identify The Right Stakeholders

Putting Together An "A" Team

Many of the components needed for an effective Insider Threat Program are already available within an organization:

• Senior Management
• Legal / General Counsel
• Human Resources, Personnel Security
• Corporate Security, Facilities Security
• Information Technology (IT)
• Information Assurance (IA)
• Incident Response (IR) (CSIRT)
• Counterintelligence (CI)
• Contracting

Identify Gaps, Enhancements, Build Better Working Relationship

Page 8

Companies Don't Have The Right Information

• Computer Activity (MS Windows Event Logs)
• USB, CD / DVD Usage
• Network Folder & File Access
• E-Mails Being Sent And Received, Including Attachments
• Databases (Access, Queries, Exports)
• Software Application Usage, Custom Software Applications
• Remote Access / VPN Access
• Print Usage Monitoring
• Network Bandwidth Analysis (NetFlow, SolarWinds)
• Internet Usage (Websites Visited, Uploads, Downloads, Searches)
• Web Chat / Messenger
• Copy Machine Usage
• Multi-Function Printer Usage (Copier, Scanner, Fax)
• Fax Machine Usage

Or Use A Comprehensive Insider Threat Management Solution Such As ObserveIT = Holistic, User Monitoring, Behavioral Analytics, Policy Enforcement, Forensic Recording (Video) --- A Complete Picture

People Centric A Holistic View

Labor Intensive
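The data sources above only become useful when something correlates them and raises a flag when a threshold is exceeded (the checklist later in this deck calls this "Thresholds Exceeded, Focused UAM"). As an added illustration, not part of the deck and not ObserveIT's product code, the Python below runs three simple user-activity rules over a handful of constructed Windows-style events: an after-hours logon, a removable-device connect followed by a burst of file accesses, and a per-user daily file-access count over a fixed threshold. The event IDs 4624 (successful logon), 4663 (object access attempt) and 6416 (new external device recognized) are real Windows Security log IDs; the field names, the sample events, the business hours and the thresholds are this example's own assumptions, chosen to show the mechanics rather than to suggest production tuning.

```python
"""Toy user-activity-monitoring correlator over constructed Windows-style events.

Added example, not from the original deck. In a real program the events would
arrive via Windows Event Forwarding or a SIEM; here they are hand-built dicts
with assumed field names (ts, id, user, host, object, device).
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Event IDs follow the Windows
# Security log: 4624 = successful logon, 4663 = object access attempt,
# 6416 = new external device recognized. Users, hosts and paths are made up.
EVENTS = [
    {"ts": "2016-11-14T08:55:00", "id": 4624, "user": "alice", "host": "WS-101"},
    {"ts": "2016-11-14T09:10:00", "id": 4663, "user": "alice", "host": "WS-101",
     "object": r"\\fs1\finance\q3.xlsx"},
    {"ts": "2016-11-14T09:12:00", "id": 4663, "user": "alice", "host": "WS-101",
     "object": r"\\fs1\finance\q4.xlsx"},
    {"ts": "2016-11-14T22:40:00", "id": 4624, "user": "bob", "host": "WS-202"},
    {"ts": "2016-11-14T22:41:00", "id": 6416, "user": "bob", "host": "WS-202",
     "device": "USB Mass Storage Device"},
] + [
    # bob reads six engineering drawings in the ten minutes after plugging in a USB drive
    {"ts": f"2016-11-14T22:{43 + 2 * i:02d}:00", "id": 4663, "user": "bob", "host": "WS-202",
     "object": rf"\\fs1\eng\design_{i:02d}.dwg"}
    for i in range(6)
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def after_hours_logons(events, start_hour=7, end_hour=19):
    """Rule 1: logons outside assumed business hours [start_hour, end_hour)."""
    hits = []
    for e in events:
        if e["id"] != 4624:
            continue
        hour = parse_ts(e["ts"]).hour
        if hour < start_hour or hour >= end_hour:
            hits.append((e["user"], e["ts"]))
    return hits


def usb_then_bulk_access(events, window=timedelta(minutes=15), min_files=5):
    """Rule 2: removable device connect (6416) followed, on the same user/host
    and within `window`, by at least `min_files` distinct file accesses (4663)."""
    hits = []
    for dev in (e for e in events if e["id"] == 6416):
        t0 = parse_ts(dev["ts"])
        files = {
            e["object"] for e in events
            if e["id"] == 4663 and e["user"] == dev["user"] and e["host"] == dev["host"]
            and t0 <= parse_ts(e["ts"]) <= t0 + window
        }
        if len(files) >= min_files:
            hits.append((dev["user"], dev["ts"], len(files)))
    return hits


def daily_access_outliers(events, max_per_day=5):
    """Rule 3: per-user, per-day count of file accesses above a fixed threshold.
    A real deployment would derive the threshold from each user's own baseline."""
    counts = Counter()
    for e in events:
        if e["id"] == 4663:
            counts[(e["user"], e["ts"][:10])] += 1
    return sorted((u, d, n) for (u, d), n in counts.items() if n > max_per_day)


def run_rules(events):
    """Run every rule and return the hits keyed by rule name."""
    return {
        "after_hours_logon": after_hours_logons(events),
        "usb_then_bulk_access": usb_then_bulk_access(events),
        "daily_access_outlier": daily_access_outliers(events),
    }


if __name__ == "__main__":
    for rule, hits in run_rules(EVENTS).items():
        for hit in hits:
            print(rule, hit)
```

Each rule alone is noisy (plenty of people log in late or read many files); the value is in stacking them for the same user in the same window, and in the deck's point that a hit should trigger focused, approved monitoring rather than an accusation.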

Page 9

4 Best Practices

Page 10

Best Practice # 1

GET BUY-IN

Protecting an organization's assets requires getting the right executives and legal counsel on board, gaining buy-in and continued support. This is essential. (Assets = Data, Information Systems, Networks, Personnel)

Organizational leaders must see risk management and information security as a core enterprise business function rather than a mere task the IT or security team is handling.

Page 11

Best Practice # 2

ESTABLISH COMMUNICATIONS / SHARING

The most important part of insider threat risk mitigation is breaking down the silos and establishing communication with all pertinent and relevant departments within the organization.

Organizational risk is then addressed at the enterprise level rather than at a single departmental level.

Page 12

Best Practice # 3

GAIN VISIBILITY

Having visibility of employee actions / behaviors is essential for Insider Threat Risk Mitigation.

Page 13

Best Practice # 4

START TRAINING

Insider Threat Program Manager / Insider Threat Analyst / Insider Threat Program Support Personnel positions require a specialized skill set and could require additional training:

• Insider Threat Program Concepts In-Depth
• Procedures for conducting "Insider Threat Incident" response actions
• Laws and regulations on gathering, integration, retention, safeguarding and use of records and data, and the consequences of misuse of such information
• Legal, civil liberties and privacy policies

Page 14

Obstacles

Page 15

Overcoming Obstacles

• Insider Threat Program Is Big Brother, Witch Hunt (Consider Naming It Asset Protection & Compliance Program) (Create CEO ITP Rollout Message)
• The Challenge Of Obtaining Data (Technical & Non-Technical)
• Information Sharing / Trust (Use MOUs / MOAs) (For Continuity Of ITP)
• Corporate Culture (Not In My Organization Belief)
• We Do Background Checks – This Is Sufficient
• We Do Computer User Activity Monitoring – This Is Sufficient
• We Are Compliant – This Is Sufficient (Scope Of ITP, Classified Info Only)
• Funding
• Legal Resistance / Stakeholder Resistance

Page 16

Overcoming Obstacles (Cont.)

• Employees' Resistance To ITP & Reluctance To Report
• Stakeholder(s) Reluctant To Share Vulnerabilities With ITPM / Insider Threat Program Working Group That Identify Security Weaknesses In Other Security Disciplines & Departments

SUCCESSFUL INSIDER THREAT RISK MITIGATION REQUIRES: Senior Executive Management Support + Communications & Sharing Of Information W/ ITP + Visibility Of Employees' Behaviors = Successful ITP

Page 17

Checklist

Page 18

Insider Threat Program Checklist

• Gaining Buy-In From Senior Management, Legal
• Designation Of Insider Threat Program Manager (Time Considerations)
• Insider Threat Program Name (Name It Something Else)
• Insider Threat Program Placement In Organizational Structure (Unbiased Department)
• Insider Threat Program (Announced / Need To Know)
• Create Insider Threat Working Group / Hub – Identify Stakeholders
• Identify Data Sources That Will Support The ITP
• Scope Of Insider Threat Program (Personnel, Data, Information Systems, Classified / Un-Classified Networks)
• Insider Threat Program Policy (Announced / Need To Know)
• Insider Threat Awareness Training (How To Report?)
• User Monitoring (Need To Know) (Technical / Non-Technical) (Thresholds Exceeded, Focused UAM, Approvals)
• Insider Threat Reporting, Case Management & Response Actions / Incident Handling Process
• Insider Threat Risk Assessments – Insider Threat Risk Mitigation Starts With Risk Management 101

Page 19

Questions

Page 20

Contact Info

Jim Henderson, CISSP, CCISO
CEO, Insider Threat Defense, TopSecretProtection.Com, Inc.
Insider Threat Program Training Course Instructor
Cyber Security-Information System Security Program Management Training Course Instructor
Cyber Threat - Insider Threat Risk Assessment Auditor / Analyst
Founder / Chairman Of The National Insider Threat Special Interest Group
Phone: 888-363-7241 / 561-809-6800
Websites / E-Mail Addresses:
www.nationalinsiderthreatsig.org
jimhenderson@nationalinsiderthreatsig.org
www.insiderthreatdefense.com
jimhenderson@insiderthreatdefense.com