Last week, the National Counterintelligence and Security Center – a component of the Office of Director of National Intelligence — made an announcement that will be welcomed by many in the cybersecurity industry: they officially declared September as National Insider Threat Awareness month. The goal is to educate both public and private sector organizations about insider threats and draw attention to this growing risk.
This is good news for a variety of reasons. Firstly, there’s the obvious: as a rule, it is always good to see more public discourse devoted to the important topic of insider threats. But secondly, this is a particularly interesting move because it confirms something that we’ve been suspecting for a long time: that inside threats have officially reached the mainstream as a major security concern, in public and private organizations alike.This supports what we’ve been seeing in the field, both in private organizations and in the public sector (for example, Dtex was recently granted an Authority to Operate by the DoD specifically for the purposes of helping fight insider threats).
But in order to fully understand the meaning of this announcement, and the place that insider threats occupy in our current cybersecurity landscape, the question must be posed — why now?
We have been talking about insider threats for years and insisting that organizations of all kinds need to take them seriously — and more specifically, that they need to be approached differently than they ever have in the past.
For a long time, even security professionals thought of “insider threats” exclusively as Snowden-style, malicious data thieves. To some degree, malicious insiders like that have always, and will always exist. But there’s a reason why insider threats are a particularly pressing problem now, and that’s because technology has flourished in a manner that makes the number of ways that employees of all kinds can harm the enterprise limitless. In the past, technology was limited and users interacted with company data with relatively predictable patterns, methods, tools, and locations. Those days are long gone, and organizations are finally understanding the security implications.
“All organizations are vulnerable to insider threats from employees who may use their authorized access to facilities, personnel or information to harm their organizations – intentionally or unintentionally,” said William Evanina, a former FBI and CIA official who heads the counterintelligence center.
This is telling, because it confirms that the National Counterintelligence and Security Center is recognizing the true breadth of insider threats. Note the use of the phrase “intentionally or unintentionally.” The counterintelligence center is specifically calling out the fact that insider threats come in many forms, and that all of them pose a significant pressing threat to modern organizations.
This is merely emphasizing what we’ve already seen in the field. 100% of Dtex risk assessments find some form of insider threat, even in organizations that already have extensive cybersecurity postures. It’s very encouraging that the true scope of this risk is being formally acknowledged in the mainstream.
But recognizing the problem is not enough. What about the solution?
Hand-in-hand with this shift in what we recognize as an insider threat comes a shift in how we must think of prevention. In the end, it comes down to this: to fight a problem that is based on limitless possibility, the only answer is to build a response based in knowledge.
Some organizations are taking this to mean heavier user monitoring. We have seen, for example, an increase in “Zero Trust” approaches, especially among federal organizations. This response makes sense, but there’s an important caveat to consider. Heavier user monitoring may technically increase the amount of data that you collect about user activity, but it doesn’t necessarily collect the right data, or do anything to help security teams actually understand it at scale.
The intention of user monitoring, or even of implementing a “Zero Trust” approach, is not to simply supervise employees as much as possible. In fact, we believe that the ultimate goal of “Zero Trust” should not be to eliminate trust in your users, but to eliminate the assumption that you know all of the risks inherent to how people use your technology — and to build a culture of trust through comprehensive understanding.
The key to achieving this is not a greater quantity of data, or more revealing data, but actionable data that shows you what you really need to be looking at — and just as importantly, allows you to quickly and effectively contextualize that knowledge into the bigger picture.
A Modern Method
Part of the reason why we’re so glad that September has been declared Insider Threat Awareness Month is because it offers an open door and an open forum to not only talk about the struggles of fighting insider threats, but also the solutions. The security industry has seen many solutions try and fail to solve this problem, or manage to successfully solve it for a short period of them and only to lose effectiveness as the market matured.
Gone are the days that organizations can assume that their security tools are working as intended, with 100% accuracy, 100% of the time — whether those tools are based on rules, indicators of compromised, lock-and-block, screen capture, or anything else. No single tool is ever going to be one a one-stop shop for insider threat prevention. In this landscape, the only way to fight this omnipresent risk is with knowledge.
Our approach to this has been to develop the Dtex Enterprise DMAP Intelligence Platform, which combines modern user activity monitoring at the endpoint with machine learning to elevate users for inspection. Dtex allows organizations to see the full audit trail of a user’s activity and easily understand where the gaps and blind spots are — meaning that they can make informed, knowledge-driven decisions about cybersecurity. This approach has been utilized by top private-sector enterprises and the federal government alike, including a major DoD agency and multiple civilian agencies.
Over the next three weeks, we’ll be discussing more about insider threats in honor of Insider Threat Awareness Month. In articles to come, we will cover the difference between simple data and actionable intelligence, how to audit and improve existing cybersecurity measures, and how organizations can future-proof their insider threat strategies. All of this will be tied together with our insights from the field and unique Dtex findings.
We are thrilled that the National Counterintelligence and Security Center has decided to make a concentrated effort in recognizing the importance of insider threat education — and all organizations, public and private alike, can benefit.
To learn more about how Dtex helps the US Federal Government detect and investigate insider threats, click here to download our white paper.