
CISA Insider Threat Self-Assessment Tool Hits the ‘Metadata’ Point

In late October the Cybersecurity and Infrastructure Security Agency (CISA), along with the Environmental Protection Agency (EPA), the National Security Agency (NSA) and the FBI issued a joint advisory warning that threat groups are targeting United States drinking water and wastewater infrastructure operations via vulnerabilities in hardware and software.

The warning was issued just a few weeks after CISA released its Insider Risk Mitigation Self-Assessment Tool, intended to help owners and operators of public and private organizations, especially small and mid-sized ones that may not have in-house security departments, gauge their vulnerability to an insider threat incident.

The Insider Risk Mitigation Self-Assessment Tool is a downloadable PDF that helps executives and IT teams evaluate their existing enterprise systems and readiness, focusing on key areas such as Program Management, Personnel and Training, and Data Collection and Analysis. The interactive PDF lets users generate a report that scores their organization's risk posture and evaluates their immunity to insider threat incidents.

As I stated in my October blog post on the topic, I applaud the CISA for developing this tool and helping organizations educate themselves and score their internal risk mitigation readiness. From my experience, the tool’s recognition of ‘people as sensors’ hits the mark, as does their recommendation for understanding behavior using insider risk activity monitoring solutions. However, the tool itself presumes that organizations are accurately deploying ‘people as sensors’ to observe human behavior and possible insider threat intentions and that they are collecting the ‘right’ data from insider activity monitoring technologies if they have them at all. Most small to mid-sized organizations for whom this tool is intended do not possess the manpower or budget to deploy more than basic cybersecurity tools, so it is unlikely they are able to utilize the tool effectively.

The idea of 'people as sensors' is spot on, and we all preach 'if you see something, say something.' That was great advice when we all worked in the same office, filled our plastic corporate-branded water bottles at the same filtered water machine, and sat face to face in meetings or next to each other in modern workstations without walls. Our current Work-From-Anywhere situation makes this a lot harder, but certainly not impossible when someone's behavior and remarks are obviously those of a disgruntled person.

Though CISA’s recommendations accurately capture what organizations should be doing, current Insider Activity Monitoring technologies have failed and do not allow for teams to utilize these recommendations. Gartner retired the User Entity Behavior Analytics category from its slate of research because harvesting log files as a method to interpret human intent just doesn’t work. Likewise, rules-based endpoint DLP technologies have proven to brick PCs, prevent legitimate business workflows, and wrongly classify supposed crown jewels while letting the most valuable information be exfiltrated with a simple process of archiving, renaming and VPN disablement.

What's needed is a technology that augments 'people as sensors.' People are natural observers. We can sense things. We recognize when a co-worker is acting oddly compared to usual. If they are not online during their normal hours, if they are not responding to email or Slack messages in a timely manner, if they are less talkative in meetings, if their work is missing the mark and they are missing deadlines, then something is off. These are behavioral indicators that an insider is distracted and perhaps has developed malicious intent. There are other indicators, however, that people can't see but that are just as important, if not more indicative, of a person's intent.

For example, what if a person suddenly logs on at 3am on a Saturday night? Maybe from a seldom-used IP address? Maybe they are on vacation, working from a parent's house, or traveling? Taken separately, these behaviors are not interesting, and on their own they are not malicious. What if this logon is used to access a shared folder location they had never accessed before? Now this is getting curious. This contextual metadata identifies a sequence of behaviors that deviates from the norm. And what if, while logged in, they put hundreds of files in a duplicate folder, changed its name, archived it, and moved it to their device file store? And what if five days before this, the same employee spent two hours on Indeed.com looking for a new job? Or worse yet, what if they've spent 20 hours more than normal on LinkedIn in the last two weeks with a new connection from China?

As individual behaviors and moments in time, the behaviors above would not necessarily raise suspicions. But when sequenced with an understanding of context and timing, and organized in a notification with full evidentiary-quality forensics, this digital behavior signals an impending threat. It is this data, this metadata, that CISA's recommendation for Insider Activity Monitoring alludes to but could elaborate on further. Having this metadata is the difference between an IT Administrator trying to process thousands of log files as a part-time SOC Analyst and missing an insider exfiltrating patented IP, versus her being alerted that an individual user's risk score has crossed the threshold and it's time to take preventive action.
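As an added example (not part of this post and not DTEX's product code), here is a minimal Python sketch of the sequencing idea above: each raw endpoint event yields low-weight behavioral indicators, and only a clustered sequence inside a time window pushes a user's risk score over the alert threshold, with the timestamped indicators retained as the evidence trail. The baseline, weights, event format and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed baseline for one user (learned from history in a real system).
BASELINE = {"hours": range(7, 20), "ips": {"10.1.4.22"}, "shares": {"eng-current"}}
# Illustrative weights: no single indicator reaches THRESHOLD; a sequence does.
WEIGHTS = {"offhours_logon": 10, "unknown_ip": 10, "new_share": 15, "bulk_copy": 15,
           "archive": 15, "copy_to_device": 25, "job_search": 15}
THRESHOLD, WINDOW = 60, timedelta(days=7)

def indicators(ev, baseline=BASELINE):
    """Map one raw endpoint event to zero or more behavioral indicators."""
    t, out = ev["ts"], []
    if ev["type"] == "logon":
        if t.hour not in baseline["hours"] or t.weekday() >= 5:
            out.append("offhours_logon")
        if ev["ip"] not in baseline["ips"]:
            out.append("unknown_ip")
    elif ev["type"] == "share_access" and ev["share"] not in baseline["shares"]:
        out.append("new_share")
    elif ev["type"] == "file_copy" and ev["count"] >= 100:
        out.append("bulk_copy")
    elif ev["type"] == "archive":
        out.append("archive")
    elif ev["type"] == "file_move" and ev["dest"].startswith("device:"):
        out.append("copy_to_device")
    elif ev["type"] == "web" and ev["host"] == "indeed.com":
        out.append("job_search")
    return out

def score_user(events, baseline=BASELINE):
    """Max indicator-weight sum inside any WINDOW-long span, with its evidence trail."""
    trail = sorted((e["ts"], i) for e in events for i in indicators(e, baseline))
    best = (0, [])
    for k, (start, _) in enumerate(trail):
        win = [x for x in trail[k:] if x[0] - start <= WINDOW]
        total = sum(WEIGHTS[name] for _, name in win)
        if total > best[0]:
            best = (total, win)
    return best

# Constructed events mirroring the post's scenario: a Monday job search, then a 3am
# Saturday logon from an unfamiliar IP, new share, bulk copy, archive, device move.
EVENTS = [
    {"ts": datetime(2021, 11, 1, 14, 0), "type": "web", "host": "indeed.com"},
    {"ts": datetime(2021, 11, 6, 3, 2), "type": "logon", "ip": "203.0.113.9"},
    {"ts": datetime(2021, 11, 6, 3, 5), "type": "share_access", "share": "legal-patents"},
    {"ts": datetime(2021, 11, 6, 3, 9), "type": "file_copy", "count": 340},
    {"ts": datetime(2021, 11, 6, 3, 15), "type": "archive"},
    {"ts": datetime(2021, 11, 6, 3, 20), "type": "file_move", "dest": "device:/store"},
]
```

Running `score_user(EVENTS)` returns a score of 105 with all seven indicators in the trail, while the Saturday logon alone scores only 20 and stays below the threshold.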

The tool refers to 'insider risk analytic capability' a number of times. What does this actually mean? It should not be interpreted as simply a UEBA capability, but as something that can capture the sequence of indicators important for detecting insider risk. That is what we at Dtex refer to as DMAP+: data, machines, applications, and people. DMAP+ delivers a 24x7x365 continuous audit trail of unique endpoint metadata to observe and record the actions and activities in these four areas in near-real-time, both on and off the corporate network, surfacing dynamic behavioral awareness indicators.

If you see something, say something. Combating insider threats is as simple as that. The challenge is what our technology can see and what it can't. It's time to challenge vendors to build technology that sees more, that blends behavioral science and technology to see and hear the indicators that happen in the wires as an expression of human intent, not log files or rules that blindly interrupt actions in a vacuum.

At DTEX Systems, we are accepting this challenge with vigor. Contact us today to learn more.