Data comes in a multitude of formats and flavors: physical, cyber, organizational, and, of course, the human sensors. Collecting data is easy – it’s the lowest hanging fruit. Capturing and correlating complete and accurate data sets is not as straightforward. And when the data is flawed, drawing meaningful findings and outcomes is an impossible feat.
When it comes to insider risk detection, data relationships tell the whole story, providing analysts with the contextual insights they need to draw actionable conclusions.
Data, Data, Data
To be clear, collecting data is not enough.
Without a means to assimilate and process the mountain of telemetry collected, the data is of little to no value. Understanding the contextual relationship of data coming from machines, applications and individual users is the first step to being able to put the data to use. In a mature environment, such collection is 24/7/365 and vast, including sessions, files, processes, webpages, interfaces, net-flow, windows, network, devices, event logs, registries, clipboards, printers, and other activities that can be identified via granular endpoint review.
The proverbial rubber hits the road when you allow the disparate data sets to tell you a story, and in doing so provide insider risk management (IRM) analysts with a starting point to determine the probability of errant human behavior and to decide the next course of action, for example whether the behavior warrants an alert or a discussion to determine the individual’s intent.
Let’s dig into the importance of the interrelationship between the various disparate data sets that help analysts understand an insider risk, holistically.
At any time, an insider (i.e. employee or contractor) may trigger an event through any number of actions. For example, the user may be seen to have an unexpected escalation of privileges. They might have attached an unauthorized device to their corporate laptop, attempted obfuscation of file types or attempted an unauthorized external network connection.
These are just a handful of examples of behaviors and data points that, when viewed in isolation, might make one’s antennae rise. When measured against the individual’s own history or their peer group, however, these data points provide the context needed to tell a holistic and accurate story of risk.
The data sings when behavioral enrichment takes place.
DTEX Systems Co-Founder and CTO Rajan Koo notes, “Behavioral enrichment is the act of correlating and contextualizing disparate signals and observations into indicators that can be used to effectively quantify the risk an individual poses to the organization. Without this enrichment, insider risk findings are rarely actionable and can often be misleading.”
Behavioral enrichment brings to the table the increased likelihood of determining if the event being witnessed is truly anomalous or just odd. By understanding the underlying intent of such events, analysts can more successfully gauge what activities warrant further investigation and scrutiny.
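The following is an added illustration, not DTEX code or a description of its product's algorithm. It takes the four behaviors named above (privilege escalation, an unauthorized device attach, file-type obfuscation and an unauthorized external connection) as indicator families, counts them per user from a constructed telemetry sample, and scores each user against their peer group with a z-score. The verdict logic encodes the article's point: a single elevated indicator is logged as an isolated signal, while two or more elevated indicator families corroborate one another and are what an analyst should look at first. The indicator names, threshold, sample users and peer groups are all assumptions made for the example.

```python
"""Peer-group enrichment of endpoint indicators (added example, hypothetical code).

Telemetry below is constructed for illustration; indicator families follow the
behaviors named in the article. Not a real product API.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Indicator families (assumed names) and the z-score at which one counts as elevated.
INDICATORS = ("priv_escalation", "usb_attach", "file_type_obfuscation", "external_connection")
ELEVATED_Z = 1.0  # constructed threshold, tune against your own data

# Constructed sample: one row per observed indicator, as (user, peer_group, indicator).
# Every user appears at least once so that peer groups are fully populated.
EVENTS = [
    ("alice", "eng", "usb_attach"), ("alice", "eng", "usb_attach"),
    ("bob", "eng", "usb_attach"),
    ("carol", "eng", "usb_attach"), ("carol", "eng", "usb_attach"),
    ("carol", "eng", "external_connection"),
    ("dave", "eng", "usb_attach"), ("dave", "eng", "usb_attach"), ("dave", "eng", "usb_attach"),
    ("dave", "eng", "priv_escalation"), ("dave", "eng", "priv_escalation"),
    ("dave", "eng", "external_connection"),
    ("dave", "eng", "file_type_obfuscation"),
    ("erin", "finance", "external_connection"), ("erin", "finance", "external_connection"),
    ("erin", "finance", "external_connection"), ("erin", "finance", "external_connection"),
    ("frank", "finance", "usb_attach"),
]


def count_indicators(events):
    """Return (user -> Counter of indicators, user -> peer group)."""
    counts = defaultdict(Counter)
    groups = {}
    for user, group, indicator in events:
        counts[user][indicator] += 1
        groups[user] = group
    return counts, groups


def peer_baselines(counts, groups):
    """(group, indicator) -> (mean, population stdev) over all members of the group.

    Members with zero observations of an indicator are included: a USB attach is
    only 'odd' relative to how often the rest of the team attaches USB devices.
    """
    members = defaultdict(list)
    for user, group in groups.items():
        members[group].append(user)
    baselines = {}
    for group, users in members.items():
        for ind in INDICATORS:
            values = [counts[user][ind] for user in users]
            baselines[(group, ind)] = (mean(values), pstdev(values))
    return baselines


def z_score(value, mu, sigma):
    """Standard score; a zero-variance peer group yields no deviation."""
    return 0.0 if sigma == 0 else (value - mu) / sigma


def enrich(user, counts, groups, baselines):
    """Contextualize one user's raw counts against their peer group."""
    group = groups[user]
    scores = {}
    for ind in INDICATORS:
        mu, sigma = baselines[(group, ind)]
        scores[ind] = round(z_score(counts[user][ind], mu, sigma), 3)
    elevated = sorted(ind for ind, z in scores.items() if z >= ELEVATED_Z)
    if len(elevated) >= 2:
        verdict = "corroborated"        # several families agree: analyst review
    elif elevated:
        verdict = "isolated_signal"     # odd, but on its own not actionable
    else:
        verdict = "within_peer_norm"
    risk = round(sum(max(z, 0.0) for z in scores.values()), 3)
    return {"user": user, "peer_group": group, "z_scores": scores,
            "elevated": elevated, "risk": risk, "verdict": verdict}


def triage(events):
    """Enrich every user seen in the telemetry; returns user -> enrichment record."""
    counts, groups = count_indicators(events)
    baselines = peer_baselines(counts, groups)
    return {user: enrich(user, counts, groups, baselines) for user in sorted(groups)}


if __name__ == "__main__":
    for record in triage(EVENTS).values():
        print(f"{record['user']:6} {record['peer_group']:8} risk={record['risk']:<6} "
              f"{record['verdict']:17} elevated={record['elevated']}")
```

In the constructed sample, dave is elevated on all four families and is the only corroborated case; carol, erin and frank each stand out on exactly one indicator relative to their team and are surfaced as isolated signals, which is the "just odd" bucket the article distinguishes from real risk. The peer-group comparison also shows why the same raw count means different things in different teams: frank's single USB attach is unusual in finance, while alice's two are ordinary in engineering.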
The Human Factor
What about missed signals? When employees highlight out-of-scope behavior of a colleague and are ignored, we end up with incidents like the 2023 Pentagon leaks, where Jack Teixeira shared secret intelligence on a Discord group, or the case of Brent DeSalvo, who was accused of compromising a plethora of U.S. Air Force communications systems across 17 Department of Defense installations.
Both the Teixeira and DeSalvo cases fell within the remit of the DoD insider risk program mandate, as directed in U.S. Executive Order 13587, which includes the requirement to investigate when credible allegations are made concerning the behavior of a peer. In hindsight, past actions are always crystal clear and the missed opportunities are ablaze with significance. Analysts, when made aware, can tweak their collection, analysis, and processes with a focus on questionable behavior and determine whether it is malevolent or just odd. Whichever the case may be, the behavior can be addressed and corrective action, if any, may be taken. DITMAC will have their hands full determining why warnings concerning DeSalvo were ignored. The Secretary of Defense has already taken action requiring an overhaul and review following the Teixeira revelations.
Monitoring Does Not Equal Surveillance
Monitoring does not equal surveillance: monitoring alone lacks the context and behavioral enrichment of the various signals, observations and indicators. The desired state is to have data coming from as many disparate points as possible and to draw the relationships between them. But, as noted by Koo, the enrichment is key to detecting real risk as distinct from ‘just odd’ behavior.