In my first post, ‘10 Tips to Strengthen Insider Threat Program – Data, Intent, and Context,’ I outlined the first five building blocks that underpin successful Insider Threat programs that scale and stop real threats before data loss and IP exfiltration occur. These best practices are based on my work with hundreds of DTEX customers. They were: 1) Getting the Right Data; 2) Detecting All Types of Threats; 3) Focusing on User Intent; 4) Forensics that Understand Behavior; 5) Understanding the Early Warning Signs.
In today’s post, we will focus on 5 more best practices you can use to build a successful and resilient Insider Threat Program.
5 More Insider Threat Program Best Practices
- Don’t Sacrifice Privacy – Employees are becoming less and less tolerant of heavy surveillance, and in some cases, so is the law. Here are some tips on balancing privacy and security.
- If possible, avoid heavy employee monitoring techniques such as taking screenshots or video capture. Not only do these make users uncomfortable, they also tend to be very resource-heavy and they make GDPR compliance difficult. If you do need these tools, limit their deployment to the cases that justify them. Gartner wrote a great piece of research on this in late 2020 – ‘How CIOs Must Lead the Ethical Debate on Remote Employee Monitoring’ – that offers specific recommendations for CIOs who are charged with leading the debate on this topic within their organizations.
- Collect metadata wherever possible. The right metadata (who did what, with which file or process, to which destination, how much and when, rather than the content itself) can give you plenty of insight without the invasive quality of heavier data like screenshots or video. As a bonus, the metadata approach is much lighter on your endpoints and network.
- Pseudonymize personally identifiable information. Replacing usernames, hostnames and similar identifiers with tokens before the data reaches analysts removes most of the privacy exposure, and it makes GDPR compliance much easier, especially if your organization does business in the EU. One caveat: as long as someone holds the key that maps tokens back to people, the data is still personal data under GDPR. What changes is that re-identification becomes a controlled, logged step reserved for a confirmed investigation rather than the default view. Recent news articles on the topic of employee monitoring have elevated the conversation around employee privacy. Definitely take a few minutes to read them when you have the time.
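Here is an added example of the pseudonymization approach described above. It is not DTEX code; the event fields, the sample telemetry and the employee directory are constructed for illustration. It shows three things a practitioner needs: a keyed token that keeps the same user correlatable across events, an escrow lookup so re-identification is a separate step that needs the key, and why an unkeyed hash of a username is not anonymization (anyone with the employee directory can recover the name by brute force).

```python
"""
Pseudonymizing user identifiers in endpoint telemetry with a keyed hash.

Added example, not DTEX code. Field names, sample events and the
employee directory are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets

# Fields that identify a person. Hostnames often embed usernames, so they
# are treated as identifying here too (an assumption for this example).
PII_FIELDS = ("user", "host")
TOKEN_LEN = 16  # hex chars kept from the digest; enough to avoid collisions here


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same input -> same token, so behaviour can
    still be correlated per user, but the token cannot be reversed or
    brute-forced without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:TOKEN_LEN]


def unkeyed_token(value: str) -> str:
    """The naive approach: plain SHA-256 of the identifier, no key."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:TOKEN_LEN]


def pseudonymize_event(event: dict, key: bytes) -> dict:
    """Return a copy of the event with PII fields replaced by keyed tokens."""
    out = dict(event)
    for field in PII_FIELDS:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def build_lookup(identities, key: bytes) -> dict:
    """Escrow table token -> identity, held by the key custodian (e.g. HR or
    legal) and consulted only under the re-identification procedure."""
    return {pseudonym(i, key): i for i in identities}


def unkeyed_dictionary_attack(token: str, directory):
    """Why plain hashing is not anonymization: with the employee directory an
    analyst recovers the name behind an unkeyed token in one pass."""
    for name in directory:
        if unkeyed_token(name) == token:
            return name
    return None


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"ts": "2021-03-02T09:14:05Z", "user": "jdoe", "host": "jdoe-laptop",
     "action": "usb_write", "bytes": 41_000_000},
    {"ts": "2021-03-02T09:20:11Z", "user": "jdoe", "host": "jdoe-laptop",
     "action": "webmail_upload", "bytes": 2_100_000},
    {"ts": "2021-03-02T09:21:40Z", "user": "asmith", "host": "asmith-desktop",
     "action": "print", "bytes": 120_000},
]
DIRECTORY = ["asmith", "jdoe", "mlee"]  # constructed employee directory


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives in a KMS/HSM, never beside the telemetry
    tokens = [pseudonymize_event(e, key) for e in SAMPLE_EVENTS]
    print(json.dumps(tokens, indent=1))
    # The unkeyed token for the same username falls to a directory lookup.
    print("unkeyed token recovered as:",
          unkeyed_dictionary_attack(unkeyed_token("jdoe"), DIRECTORY))
    # Keyed tokens resolve only through the escrow table.
    lookup = build_lookup(DIRECTORY, key)
    print("escrow resolves", tokens[0]["user"], "->", lookup[tokens[0]["user"]])
```

The design choice worth noting is the split of duties: the analytics pipeline only ever sees `pseudonymize_event` output, while `build_lookup` runs wherever the key custodian sits. Rotating the key breaks long-term correlation across the rotation boundary, so choose the rotation interval to match how long you need to link a user's behaviour.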
- Watch Policy Violations – Bad actors rarely do just one bad thing. Pay attention to IT policy violations, as they can be indicators of something worse. I often find that policy violations are indicators of dangerous habits and behaviors that increase the likelihood of malicious insider threat activities such as data exfiltration for personal financial gain. Some of these leading indicators include:
- Gambling or online gaming on corporate devices and networks
- Online shopping and selling. Some insiders are bold enough to attempt to sell company property using a company device and network.
- Inappropriate web browsing
- Personal webmail use. This can also be a phishing risk.
- Pirated software usage.
- See Off-Network – Today, employees are more mobile than ever, and COVID-19 has made this the norm rather than the exception. Focusing on the corporate network isn’t enough anymore. Even before COVID-19, organizations were becoming more permeable, and it is simply foolhardy to expect data to remain inside your perimeter at all times. The most recent insider breach at Tesla is a shining example of this. Off-network visibility is crucial to understanding how your data moves and protecting it from theft.
- Maximize Your Resources – Any tool you choose as the foundation of your program is only as good as your team’s ability to manage it. Prioritize making the most of your resources. One major way to be more efficient is to reduce false positives. Here are some tips that can help you do that:
- Use tools that alert based on behavior, not static rules. Tools that alert on user behavior rather than blanket rules cut through the noise faster.
- Leverage alert score stacking. Stacking scores or alerts means that the most urgent threats rise to the top.
- Know what you are looking for. Identify the highest risk areas, users or data types based on your organization’s risk profile and the specific risk posture you’re willing to assume, then tune your tools to focus there.
- Understand that accuracy comes from data. Alert accuracy ultimately depends on the quality of the data. If you have the wrong data, you’ll get lots of noise.
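The following is an added example, not DTEX product logic, that ties together the policy-violation indicators listed under ‘Watch Policy Violations’ and the ‘alert on behavior, not static rules’ and ‘score stacking’ tips above. Categories, weights, the 24-hour window, the alert threshold, the per-user baselines and the sample events are all constructed for illustration. It contrasts a static rule (every USB write alerts) with a stacked score in which low-weight policy violations and a transfer judged against the user’s own baseline add up, so the one user whose behaviour actually changed rises to the top.

```python
"""
Score stacking over endpoint metadata: behaviour-based ranking versus a
static rule.

Added example, not DTEX product logic. Categories, weights, window,
threshold, baselines and sample events are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Leading indicators from the post, with modest weights: none alerts alone.
INDICATOR_WEIGHTS = {
    "gambling_site": 2,
    "online_marketplace": 1,
    "inappropriate_web": 1,
    "personal_webmail": 1,
    "pirated_software": 3,
}
# Data-movement categories are scored by deviation from the user's baseline.
MOVEMENT = {"usb_write", "cloud_upload", "webmail_attachment"}
WINDOW = timedelta(hours=24)
ALERT_THRESHOLD = 7


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def movement_score(nbytes: int, baseline_bytes: int) -> int:
    """Behavioural weight: how far this transfer exceeds the user's own daily
    baseline. 60 MB is loud for a 5 MB/day user and silent for a CAD engineer."""
    if baseline_bytes <= 0:
        return 4 if nbytes > 0 else 0
    ratio = nbytes / baseline_bytes
    if ratio >= 10:
        return 5
    if ratio >= 3:
        return 3
    if ratio >= 1.5:
        return 1
    return 0


def static_rule_alerts(events):
    """The static rule: every USB write raises an alert, whoever did it."""
    return [e for e in events if e["category"] == "usb_write"]


def stacked_scores(events, baselines):
    """Per-user best 24h stacked score. Returns (score, user, contributing
    events) ranked highest-risk first, so the queue reads top-down."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    results = []
    for user, evs in by_user.items():
        best_score, best_window = 0, []
        for i, start in enumerate(evs):
            t0 = parse(start["ts"])
            window = [e for e in evs[i:] if parse(e["ts"]) - t0 <= WINDOW]
            score = 0
            for e in window:
                if e["category"] in MOVEMENT:
                    score += movement_score(e["bytes"], baselines.get(user, 0))
                else:
                    score += INDICATOR_WEIGHTS.get(e["category"], 0)
            if score > best_score:
                best_score, best_window = score, window
        results.append((best_score, user, best_window))
    return sorted(results, key=lambda r: r[0], reverse=True)


def alerts(events, baselines):
    """Only users whose stacked score crosses the threshold become alerts."""
    return [r for r in stacked_scores(events, baselines) if r[0] >= ALERT_THRESHOLD]


# Constructed sample metadata (not real data). eng1 is a CAD engineer who
# moves large files daily; fin2 shows two policy violations and then an
# unusually large USB write; ops3 checks personal webmail once.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T09:05:00Z", "user": "eng1", "category": "usb_write", "bytes": 400_000_000},
    {"ts": "2021-03-02T09:10:00Z", "user": "eng1", "category": "usb_write", "bytes": 420_000_000},
    {"ts": "2021-03-02T08:02:00Z", "user": "fin2", "category": "gambling_site", "bytes": 0},
    {"ts": "2021-03-02T12:30:00Z", "user": "fin2", "category": "personal_webmail", "bytes": 0},
    {"ts": "2021-03-02T17:45:00Z", "user": "fin2", "category": "usb_write", "bytes": 60_000_000},
    {"ts": "2021-03-02T10:00:00Z", "user": "ops3", "category": "personal_webmail", "bytes": 0},
]
# Constructed per-user baseline of bytes moved per day (learned over time in practice).
BASELINE_BYTES_PER_DAY = {"eng1": 500_000_000, "fin2": 5_000_000, "ops3": 1_000_000}


if __name__ == "__main__":
    print("static rule alerts:", len(static_rule_alerts(SAMPLE_EVENTS)))
    for score, user, window in stacked_scores(SAMPLE_EVENTS, BASELINE_BYTES_PER_DAY):
        print(f"{user}: score {score} from {[e['category'] for e in window]}")
    print("stacked alerts:", [u for _, u, _ in alerts(SAMPLE_EVENTS, BASELINE_BYTES_PER_DAY)])
```

On the sample data the static rule raises three alerts, two of them for the engineer doing his job, while the stacked score raises one, for fin2, whose gambling and webmail indicators (2 + 1) stack with a USB write twelve times her baseline (5) to reach 8. The weights are deliberately small so that no single policy violation alerts by itself, which is what keeps the queue short; the baseline is what makes the data-movement score about behaviour rather than a fixed byte count.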
- Balance Visibility & Performance – We all agree that cumbersome agents aren’t useful. But giving up visibility isn’t the answer, either. Some of you may be reading this and thinking ‘performance is a non-issue because I strictly limit endpoint agents.’ Well, you’re not alone. Lots of teams combat performance issues by turning to agentless solutions. Unfortunately, it’s not that simple. Remember Tip #1, ‘Get the Right Data,’ in my first blog on this topic? Without visibility into user activity, you will never be successful at detecting and preventing insider threats, and you can only get this data from the endpoint, which means an agent. Here are some tips to get the data you need without going agentless:
- Try setting an overall endpoint performance goal instead of strictly limiting the number of agents on machines. This gives you much more flexibility. For example, your team could cap the combined CPU usage of all agents at 8%, and hold each vendor to its share of that budget.
- Test, test, test. Before committing to a product, test it extensively within your environment and benchmark its performance for yourself.
- Pay attention to scalability. Even agentless solutions often run into major deployment problems.
- Avoid solutions that collect and store heavy data like videos and images.
I hope you found this short blog series helpful, and that the tips provided offer you food for thought as you build or refine your insider threat program. And don’t forget, all this information is available for reference in our ’10 Tips to Strengthen Your Insider Threat Program’ ebook. You can download that here.
If you have any feedback you’d like to share, please connect with me on LinkedIn and share your thoughts!