SAN FRANCISCO -- Whether an enterprise is just starting to build a program to mitigate the risk of insider threats or has had the program in place for years, without solid insider threat detection tools, an organization's program has little chance of success.
That was a key message offered by Daniel Velez, senior program manager for insider threats with Raytheon Cyber Products, who spoke Wednesday at RSA Conference 2014 about the fundamentals of successful insider threat management programs.
Velez said insider threat detection tools, which generally fall under the label of data loss prevention or endpoint monitoring products, are deployed to endpoints to monitor how users interact with data; they apply policy-based technical controls that prevent users from doing such things as forwarding a sensitive email to a personal account or copying proprietary data to a thumb drive.
Velez said that often, organizations get drawn in by flashy tools with robust endpoint detection agents, but he warned against making a tool selection based solely on what it can detect on the endpoint. Instead, he recommended basing product choice on an enterprise's unique profile, including what endpoint platforms it runs, how easy it is to deploy and manage, what policy flexibility it offers, and how smoothly the incident response and governance capabilities integrate with an organization's existing processes.
There are also a number of criteria that few organizations consider during the product-selection process. For instance, Velez said large organizations, or those with a mature governance structure, often have many stakeholders involved with the insider threat management process, including audit committee members, compliance stakeholders, and human resources and legal representatives, and each of those parties may need access to the product.
"So does the tool allow me to have multiple stakeholders?" Velez asked. "If the general counsel wants an account, or HR wants an account, can I keep them in their own stovepipes for different audit requirements?"
Velez said a good insider threat detection tool will also help administrators put incidents in the proper context, offering enough information to help discern whether an employee maliciously attempted to infect the network or simply plugged his or her own thumb drive into a PC without knowing there was a virus on it.
"I spent eight years as a counterintelligence threat investigator, and 98% of the incidents that landed on my desk were someone else's problem -- often just a rule-bender who was trying to get a job done," Velez said. "We need context to help us train good employees and put them back to work."
He noted that a product should be able to adjust policies quickly to changes in the insider threat detection program, specifically how users and stakeholders react to it.
"Trust me, if you're doing the implementation covertly, word is going to get out," Velez said. "When you roll this tool out, you're going to get a lot of blame for a lot of things, so be ready for it and plan to continuously audit your policies."
Velez also highlighted the importance of ensuring that an insider threat detection tool can offer output that's normalized for human consumption. He said that while a 20-page report on a single incident may be useful to some, a good tool should be able to boil down the key points of an incident so that a CIO or other executive or nontechnical stakeholder can quickly and easily understand what happened and make the right decisions on how to respond.
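As an added illustration (not from the article, Raytheon or any product), the following toy Python evaluator models the two policy controls Velez describes, the context that separates an infected personal thumb drive from malicious intent, and the one-line summary a nontechnical stakeholder could read. The labels, domains and repeat-offence threshold are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders; a real deployment reads these from its policy store.
SENSITIVE_LABELS = {"confidential", "restricted"}
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
REPEAT_THRESHOLD = 2  # prior incidents at which a case goes to investigation

@dataclass
class Event:
    user: str
    action: str                             # "email_send", "file_copy" or "device_connect"
    label: str = "unlabelled"               # classification of the data involved
    recipient_domain: Optional[str] = None  # email_send only
    destination: Optional[str] = None       # file_copy only, e.g. "removable"
    malware_found: bool = False             # endpoint AV flagged the connected media
    prior_incidents: int = 0                # case-history context for this user

@dataclass
class Verdict:
    block: bool
    severity: str  # "none", "coach" or "investigate"
    summary: str   # one line a nontechnical stakeholder can act on

def evaluate(ev: Event) -> Verdict:
    """Apply the two policy controls, then use context to tell a rule-bender from a case."""
    if ev.action == "email_send" and ev.label in SENSITIVE_LABELS \
            and ev.recipient_domain in PERSONAL_DOMAINS:
        violation = f"forwarded {ev.label} mail to personal domain {ev.recipient_domain}"
    elif ev.action == "file_copy" and ev.label in SENSITIVE_LABELS \
            and ev.destination == "removable":
        violation = f"copied {ev.label} data to removable media"
    elif ev.action == "device_connect" and ev.malware_found:
        # Infected personal thumb drive: a hygiene problem to fix and coach, not a policy violation.
        return Verdict(False, "coach",
                       f"{ev.user} connected infected removable media; clean host, retrain, no intent shown")
    else:
        return Verdict(False, "none", f"{ev.user}: {ev.action} within policy")
    # Context decides escalation: first offences get training, repeat offenders get an investigation.
    severity = "investigate" if ev.prior_incidents >= REPEAT_THRESHOLD else "coach"
    return Verdict(True, severity,
                   f"{ev.user} {violation}; blocked; prior incidents: {ev.prior_incidents}; next step: {severity}")

def executive_summary(verdicts: list) -> str:
    """Boil a batch of verdicts down to the single line a CIO needs instead of a 20-page report."""
    blocked = sum(v.block for v in verdicts)
    cases = sum(v.severity == "investigate" for v in verdicts)
    return f"{len(verdicts)} events, {blocked} blocked, {cases} need investigation"
```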
Adding to the challenge of selecting an appropriate insider threat detection tool is that the maturity of the commercial products varies widely. Velez said that's why it's critical to start the selection process not with a predefined group of products highlighted by a research firm, but instead based on the organization's audit requirements.
"Start by asking the basic question, 'What do I want this tool to do?' And then dig a little deeper," Velez said. "Talk to other organizations like yours that are doing this and explore what their capabilities are. And you want to find a vendor that has been doing the job for a while and isn't afraid to connect you with existing customers."
Even with all that in mind, it's impossible to know everything a tool can and can't do until it's actually in place, which is why Velez strongly recommended a pilot implementation before committing to a product. He added that it's a great way to ensure that the vendor not only has a solid implementation plan, but also can support an organization's specific business requirements.
Attendee Jim Butler, an Atlanta-based member of the information security and compliance team with CareerBuilder.com, said his organization is currently evaluating insider threat detection tools.
Butler said his organization has a wide-ranging group of stakeholders involved with audit processes, and it needs a product that can help an already-busy staff audit potential insider threats on an ongoing basis without being a huge burden.
He also noted that finding the right tool for a highly collaborative dot-com environment that is constantly rolling out new products and processes is a significant challenge.
"It's hard to say what tools will work in what environments," Butler said. "It's really about finding something that doesn't intrude on what employees do or slow them down while still allowing us to have some visibility."