Insider Threat Part 3: Getting the Data & Third Party Risk

The Data Needed to Identify Insider Threat

Topic three: where do you get the data to understand an insider?

In the first two blogs on insider threat (here and here), we discussed the motivations of insiders, how and why they assemble, and the potential damage they could cause.

But a lingering question from readers is “how do I identify them early?” and “do third party risk management platforms help me locate insider activity with limited data?”

The Data to Know

The challenge with insider threats is what type of data, and how much data, you actually need to detect an insider, and to detect them early.

As we’ve seen in a time of work from home, many employee-monitoring tools have come into public view, such as Time Doctor, ActivTrak, Teramind, and StaffCop (credit to Wired UK).

In banking, massive data collection is a way not only to track activity for reporting and audit, but also, metaphorically, to “beat people into obedience.” The data collected includes not only browsing history, but keystroke recordings, email analysis, and (most disturbing) the employee’s available/away presence status.

But as we’ve seen, and as Wired reported, virtual machines (and containers) render much of this useless: an endpoint agent recording keystrokes and browsing on the host sees little of what happens inside a VM or container running on top of it.

What Data to Collect?

How Much Data is Enough?

Let’s think about regression analysis.

If you ask an economist, they will tell you that you need a different amount of data than a marketing analyst would. For case studies such as the price of a baseball ticket, every type of data, from television broadcast to weather, alternate events, parking, and concessions, impacts pricing.

However, if you ask a strategy person they will tell you a different amount of data. Pricing a firm for acquisition is a complex process, but utilizes a surprisingly small and simple set of data.

For our insider threat purpose, the optimal amount of data that you need is the minimum viable amount.

Where Do You Actually Get this Data?

In another recent article from Wired (this time from their US publication), the argument was that the data collected to predict violent crime is too flawed to use.

Relating this back to our situation, the data used to locate insiders is truly an enigma. It throws false positives. And as with violent crime (which occurs in an instant, after planning or without it), using data to flag someone who has not yet offended is tricky. Reviewing employees’ news sources or automotive enthusiast sites is not enough to determine an insider threat. Nor is a visit to legitimate banking sites by someone who might be socially engineered.

Now comes the tricky part: how do you figure it out in time? The data behind the “why” is so disjointed and imperfect that it would be nearly impossible to solve this problem by throwing data and artificial intelligence at it.

This is where defense-in-depth, married to good planning and artificial intelligence, comes together.

How About Third Party Risk Management? 

Over the past 5-7 years, a discipline, and a crop of startup companies, has emerged around third party risk management.

Their goal is multi-fold.

First, they act as a background check – or “credit score” – for technology vendors (albeit this is imperfect).

Second, they continue to refine and validate security issues.

Here’s the problem – they’re blind to insider threats. There isn’t a clear-cut definition of what constitutes, triggers, or indicates good-will-become-evil.

They should be an aid to track and stop insiders.

But as of yet, they are not.

In Summary 

We live in a time that even the most advanced technology is no match for society. People can hide anywhere – detection comes too late.

Is anything ready to detect and stop insiders today? How about the much hyped third party risk tools? Probably not. The data analytic tools, user and entity behavior analytics (UEBA), haven’t shut down the big insider incidents, and their vendors have de-tuned their message (shied away from claiming to help).

But it is something we should all look at and think about, since it is a gap in cybersecurity and risk management. Jumping to conclusions about potential insiders can also lead to lawsuits, angry employees, and fallout from false positives.

Uber, Tesla, semiconductor manufacturers, and digital marketing companies know this too well.

Once source code is leaked, or an executive exposed, or a previously unknown and underpowered competitor suddenly viable, it’s too late.

What can we do? Know who has access, today. Stop unnecessary user access. Block privileged accounts.  KNOW THE PRIVILEGES WE HAVE AND QUANTIFY THE ACCESS WE HAVE GRANTED.
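What that looks like in practice is an access review: list every entitlement, mark the privileged ones, and flag grants that belong to departed people or have not been exercised in months. The script below is an added illustration of that review, not YouAttest’s product or any real IAM export; the users, roles, dates, the 90-day idle threshold, and the set of roles treated as privileged are all constructed assumptions.

```python
"""Minimal access review over an entitlement inventory.

Added illustration of "know who has access and quantify it". It is not
YouAttest's code and reads no real IAM system; every user, role and date
below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Hypothetical set of roles this organization treats as privileged.
PRIVILEGED_ROLES = {"domain-admin", "db-admin", "cloud-owner", "repo-admin"}


@dataclass(frozen=True)
class Entitlement:
    user: str
    role: str
    granted: date
    last_used: Optional[date]   # None = never exercised since it was granted
    active_employee: bool       # False once HR marks the person as departed

    @property
    def privileged(self) -> bool:
        return self.role in PRIVILEGED_ROLES


# Constructed inventory, the kind of export an IdP or IAM review starts from.
REVIEW_DATE = date(2021, 6, 1)
INVENTORY: List[Entitlement] = [
    Entitlement("alice", "domain-admin", date(2019, 1, 10), date(2021, 5, 30), True),
    Entitlement("alice", "repo-admin",   date(2020, 3, 1),  None,              True),
    Entitlement("bob",   "db-admin",     date(2018, 7, 1),  date(2020, 11, 2), True),
    Entitlement("bob",   "reader",       date(2018, 7, 1),  date(2021, 5, 31), True),
    Entitlement("carol", "cloud-owner",  date(2020, 9, 15), date(2021, 4, 1),  False),
    Entitlement("dave",  "reader",       date(2021, 5, 1),  date(2021, 5, 28), True),
]


def is_stale(e: Entitlement, today: date = REVIEW_DATE, max_idle_days: int = 90) -> bool:
    """Stale = not exercised within max_idle_days; a never-used grant counts from its grant date."""
    last_activity = e.last_used or e.granted
    return (today - last_activity).days > max_idle_days


def privileged_accounts(inv: List[Entitlement]) -> List[str]:
    """Who holds any privileged role right now: the 'know who has access, today' list."""
    return sorted({e.user for e in inv if e.privileged})


def revocation_candidates(inv: List[Entitlement], today: date = REVIEW_DATE) -> List[Tuple[str, str, str]]:
    """Entitlements a reviewer should revoke, with the reason (departed user outranks stale)."""
    out: List[Tuple[str, str, str]] = []
    for e in inv:
        if not e.active_employee:
            out.append((e.user, e.role, "departed"))
        elif is_stale(e, today):
            out.append((e.user, e.role, "stale"))
    return out


def privilege_summary(inv: List[Entitlement]) -> Dict[str, Dict[str, int]]:
    """Per-user count of total and privileged entitlements: the 'quantify the access granted' view."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"total": 0, "privileged": 0})
    for e in inv:
        summary[e.user]["total"] += 1
        summary[e.user]["privileged"] += int(e.privileged)
    return dict(summary)


def review(inv: List[Entitlement], today: date = REVIEW_DATE) -> Dict[str, int]:
    """Headline numbers for the review report."""
    cands = revocation_candidates(inv, today)
    return {
        "entitlements": len(inv),
        "privileged_entitlements": sum(e.privileged for e in inv),
        "privileged_holders": len(privileged_accounts(inv)),
        "to_revoke": len(cands),
        "privileged_to_revoke": sum(role in PRIVILEGED_ROLES for _, role, _ in cands),
    }


if __name__ == "__main__":
    for user, role, why in revocation_candidates(INVENTORY):
        print(f"REVOKE {user:6s} {role:13s} ({why})")
    print(review(INVENTORY))
```

On the constructed inventory the review flags three of the four privileged grants: a repo-admin role that was never used, a db-admin role idle for seven months, and a cloud-owner role still held by someone who has left. None of these would surface from keystroke or browsing data; they come straight from the entitlement list, which is the point of starting there.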

YouAttest automates the creation and review of these access reviews. To learn more about YouAttest, please register for our next webinar, Insider Threat and Access Reviews. Or write us @ info@youattest.com.
