Cyber resilience is the next frontier of cybersecurity, as organisations increasingly focus on mitigation with the sober acceptance that a breach will inevitably occur.
The rise in both volume and sophistication of cyber attacks on critical infrastructure around the globe has demonstrated the need to up the ante, with many federal agencies now pushing for Zero Trust adoption.
The Cybersecurity and Infrastructure Security Agency (CISA) is one of the most recent to call out the need to build resilience under its 2023-2025 Strategic Plan. The plan is the agency’s first since it was established in 2018 and comes roughly a year after President Biden’s memorandum urging government agencies to accelerate Zero Trust implementation. The United States Department of Defense has also just released its Zero Trust Strategy and Roadmap.
What’s interesting about all of these plans is the shift in focus away from a prevention mindset in favour of risk mitigation. This is important because it underscores the ‘not a matter of if, but when a breach will happen’ narrative.
While prevention will always be the holy grail, what’s clear is agencies and organisations will be better off focusing their efforts on identifying and managing risk. This starts with understanding risk.
Understanding risk – the missing piece of the resilience puzzle
One key Zero Trust principle is the ability to map an organisation’s critical data, machines, applications, devices, and how users access and interact with sensitive information.
The latter is especially important when it comes to insider risk incidents, which our research shows are rising sharply.
Some stats to consider:
- 72% increase in DTEX customer insider incidents in 2021 (2022 DTEX Insider Risk Report)
- 42% of insider threats were related to IP or data theft (2022 DTEX Insider Risk Report)
- 82% of breaches involve the human element (2022 Verizon Data Breach Investigations Report)
- $15.3M estimated cost of known insider-led incidents (2022 Ponemon Cost of Insider Threats: Global Report).
Visibility is key to understanding insider risk, but what’s even more important is the raw data coming in and the ability to make sense of it. There’s a common phrase that you can’t secure what you can’t see. A similar thing can be said for insider risk: you can’t manage what you don’t understand.
The risk is human, and context is everything
Understanding insider risk starts with understanding human behaviour and intent. Unfortunately, most cybersecurity technologies to date have not evolved to capture this, let alone measure it.
Take user and entity behaviour analytics (UEBA). Many UEBA products and services claim to mitigate insider threats by consolidating and analysing large data sets from multiple streams to provide actionable insights and detect risk.
But the claim is misleading. More often than not, UEBA has a high rate of false positives. This is through no fault of the technology; it is a consequence of the data coming in (and, more importantly, the data that is NOT coming in). Insider risk is a human challenge that requires a human-first solution.
Understanding risk requires an understanding of human behaviour, psycho-social factors, and an eye for (and sense of) the abnormal. Technology alone cannot capture such insights. Gaining human-centric data requires significant cross-functional collaboration between human resources, legal, finance, technology, and cybersecurity teams.
With the right mix of contextually-driven insights on user intent, organisations can understand, measure, and mitigate insider risks before they turn into threats.
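To make the UEBA false-positive point concrete, here is an added illustration in Python. It is not DTEX's or MITRE's code and describes no specific product: it contrasts a volume-only behavioural baseline (the kind of signal a UEBA stream carries on its own) with the same event scored alongside constructed HR and destination-policy context. The users, baselines, events, context records and scoring weights are all made up for the example.

```python
"""Volume-only UEBA baseline vs. context-enriched insider-risk scoring.

Constructed example for this article. Users, baselines, events, HR context
and the scoring weights are invented; nothing here is a real product's logic.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    action: str        # e.g. "upload"
    mbytes: float      # size of the transfer in MB
    destination: str   # where the data went
    data_class: str    # coarse DLP label, e.g. "customer_pii"


# Constructed baseline: each user's daily upload volume (MB) over ten prior days.
# All three users share the same ordinary profile (mean 29 MB, stdev 7 MB).
_ORDINARY_DAYS = [20, 30, 40, 30, 20, 30, 40, 30, 20, 30]
BASELINE_MB = {u: _ORDINARY_DAYS for u in ("mlee", "jsmith", "rkhan")}

# Constructed context that an endpoint telemetry stream never carries on its
# own: HR status and change-approved destinations. In practice this comes from
# HR, legal and IT ticketing, which is the cross-team data the article calls for.
CONTEXT = {
    "mlee":   {"notice_given": False, "approved_destinations": {"s3://corp-release"}},
    "jsmith": {"notice_given": True,  "approved_destinations": set()},
    "rkhan":  {"notice_given": True,  "approved_destinations": set()},
}
PERSONAL_CLOUD_PREFIXES = ("personal-cloud:",)
UEBA_Z_THRESHOLD = 3.0


def volume_zscore(event: Event) -> float:
    """How far this transfer sits above the user's own daily volume baseline."""
    base = BASELINE_MB[event.user]
    sd = pstdev(base) or 1.0          # guard against a perfectly flat baseline
    return (event.mbytes - mean(base)) / sd


def ueba_alert(event: Event) -> bool:
    """Volume-only detector: fires on anything far above the personal baseline."""
    return volume_zscore(event) > UEBA_Z_THRESHOLD


def contextual_risk(event: Event):
    """Combine the behavioural anomaly with HR and policy context.

    Returns (score, reasons). Weights are arbitrary and chosen for illustration.
    """
    ctx = CONTEXT.get(event.user, {})
    score, reasons = 0, []
    if volume_zscore(event) > UEBA_Z_THRESHOLD:
        score += 3
        reasons.append("upload volume far above personal baseline")
    if event.destination in ctx.get("approved_destinations", set()):
        score -= 2                    # the anomaly has a sanctioned explanation
        reasons.append("destination approved for this user")
    if event.destination.startswith(PERSONAL_CLOUD_PREFIXES):
        score += 3
        reasons.append("unsanctioned personal cloud destination")
    if ctx.get("notice_given"):
        score += 2
        reasons.append("user has given notice (HR context)")
    if event.data_class == "customer_pii":
        score += 2
        reasons.append("customer PII involved")
    return max(score, 0), reasons


def triage(event: Event, investigate_at: int = 6, monitor_at: int = 3) -> str:
    """Map the contextual score onto an analyst action."""
    score, _ = contextual_risk(event)
    if score >= investigate_at:
        return "investigate"
    if score >= monitor_at:
        return "monitor"
    return "close"


# Constructed events: a legitimate release push, a large exfiltration, and a
# small exfiltration that stays inside the user's normal volume.
RELEASE_PUSH = Event("mlee", "upload", 5000, "s3://corp-release", "source_code")
EXFIL_LARGE = Event("jsmith", "upload", 2000, "personal-cloud:drive", "customer_pii")
EXFIL_SMALL = Event("rkhan", "upload", 35, "personal-cloud:drive", "customer_pii")

if __name__ == "__main__":
    for ev in (RELEASE_PUSH, EXFIL_LARGE, EXFIL_SMALL):
        score, reasons = contextual_risk(ev)
        print(f"{ev.user:7} ueba_alert={ueba_alert(ev)!s:5} "
              f"contextual={score:2} -> {triage(ev)}  ({'; '.join(reasons)})")
```

Run stand-alone, the volume-only detector fires on the approved release push (a false positive) and stays silent on the small personal-cloud upload by a departing employee (a miss), while the context-enriched score closes the first and sends the other two to investigation. The point is not the particular weights but that the deciding inputs (notice given, approved destination, data classification) are not in the telemetry stream at all, which is why more tuning of the anomaly model alone cannot fix the false-positive rate.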
Our Insider Threat Report lists specific recommendations for protecting against insider threats.
Looking forward: bridging the ‘psycho-cyber’ connection
DTEX is working hard with our partners, including MITRE Corporation, to raise awareness and enable critical infrastructure industries to strengthen their cyber resilience by better understanding and managing insider risk.
MITRE is creating an evolving, data-driven Insider Threat Framework that includes psycho-social and cyber-physical characteristics as common and observable indicators for insider risks. The framework will help insider threat/risk programs more accurately target and operationalise their deterrence, detection, and mitigation of insider threats.
As MITRE points out, “Existing frameworks of insider threats ignore psycho-social characteristics, focus solely on cyber, and/or are based on minimal or poor-quality data.”
When complete, MITRE’s Insider Threat Framework (but not the raw or aggregated data) will be discreetly shared with vetted insider threat community leaders on a need-to-know basis.
Contact us to learn more about how you can leverage our work with MITRE to better understand insider risk and drive Zero Trust cyber resilience.