Combating the Insider Threat
In this article
One of the most significant, and in many cases least considered organizational risks, involves the insider. Although CERT's definition of insider threat focuses on the malicious insider, it clearly states that insider threats can be unintentional and non-malicious.
It many cases, the topic of the insider threat is taboo within the organization. Leaders will say, "we hire good people," or "we perform background checks." While those statements may be true, they represent a point in time and clearly don't address the general insider threat problem.
The initial confusion stems from the differences between insider threat and the malicious insider, where the latter focuses on the insider's malicious intent and the former focuses on the threat regardless of intent. Every organization needs to consider and manage the insider threat, regardless of intent.
To understand the types of malicious insider threat, we can use the simple acronym C-R-I-M-E, ironically presented to me by an FBI special agent. CRIME describes the drivers behind the malicious insider:
- Compromise (or coercion) – The insider has been compromised or coerced by an external entity that typically leverages blackmail, public embarrassment or intimidation.
- Revenge – The insider is disgruntled against their employer, supervisor or colleague for a perceived wrong.
- Ideology – The insider disagrees with the organization's mission, policies or strategy.
- Money – The insider financially benefits, either through the malicious act itself or through some external entity funding their efforts.
- Ego – The insider views his/her abilities to be superior or his/her actions above the law.
Compare the drivers behind the malicious insider to insider threats introduced through negligence, carelessness or lack of training. While the individual intent may be vastly different, the impact to the organization may be equally severe.
Organizations need to consider a proactive approach to the insider threat problem. Incorporating insider threat risk analysis into current risk management programs is essential, and considering insider threat as part of a comprehensive vulnerability assessment will certainly help as well.
We're seeing maturity in identity access tools that can appropriately manage elevated privileged access (another critical insider problem), and can align insider actions and behaviors with SOC operations to react to anomalies. We're also seeing emerging analytic tools that can detect anomalous user or application behaviors, which may be caused by insiders. However, many of these tools are reactive — they expose an insider threat problem when or after it has occurred.
Interestingly, there are some emerging technologies that try to get "in front" of insider threats. One innovative solution is called SCOUT, a patented application developed by Stroz Friedberg that scores insider communications (think email, chat, social media, etc.) across dozens of personality attributes and creates individual risk profiles.
SCOUT uses sophisticated psycholinguistic algorithms to create risk scores for individual users across the enterprise. The research that led to the development of the algorithms was initially conducted by the US government to profile world leaders, and later matured by a clinical psychologist working with Stroz Friedberg, leading to SCOUT. It identifies high-risk insiders based on their communications, while protecting individual privacy, relying on an extremely low rate of human review (less than .0001 percent, less than 1 in a million).
Regardless of the technology, it's imperative that organizations find the right balance between organizational security and privacy concerns. Knowing when, where and how to react when they believe there is a significant insider risk is critical. Organizations need to continue to bring awareness to the insider threat problem, and mature their processes and tools to adequately manage insider threats.