Zero trust must also include monitoring to ensure that each user's access to assets is reasonable and appropriate for their role (i.e. on a need-to-know basis).

Insider threat detection platforms that can predict patterns of risky behavior—and detect them when they happen—can be used to enforce zero trust.

For example, they can use information on users' roles, titles, access, permissions and geographic locations gathered from HR applications, directories, access control systems and more, to monitor and analyze activity for anomalous behavior.

By taking into account (among other things) transaction types, resources used, session duration, connectivity and typical peer group behavior, it is possible to determine what normal behavior is, and what constitutes outlier or anomalous activity.

If one person's anomalous behavior (e.g., midnight access from out of town) turns out to be shared by others in their peer group, it is no longer considered risky.

Another emerging method for insider threat deterrence is called 'self-audit'. This technique involves generating routine credit card-like statements of activity, which highlight anomalous behaviors for verification.

This not only can deter insider attacks, but also enables users to alert the security team if any transactions were not performed by them, which would indicate an account compromise.

Creating an actionable Insider Threat Deterrence risk model can be challenging, but is preferable to having to clean up the potentially wide-ranging damage resulting from an undetected insider attack.

About the Author

Saryu Nayyar is CEO of Gurucul, a provider of identity-based threat deterrence technology. She is a recognized expert in information security, identity and access management, and security risk management. Prior to founding Gurucul, Saryu was part of the founding team at an enterprise role-management start-up acquired by Sun Microsystems. She has held leadership roles in product strategy for security products at Oracle and Sun Microsystems. Saryu also spent several years in senior positions at the IT security practice of Ernst & Young.
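
The peer-group check and the self-audit statement described in this article can be sketched as follows. This is an added example, not code from the article or from any vendor's product; the event fields, the function names, the off-hours window and the 50% peer-share threshold are all assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (user, peer_group, hour, location, resource)
BASELINE = [
    ("alice", "finance", 10, "HQ", "ledger"),
    ("bob",   "finance", 11, "HQ", "ledger"),
    ("dave",  "oncall",  13, "HQ", "deploy"),
    ("erin",  "oncall",  0,  "remote", "deploy"),
    ("frank", "oncall",  23, "remote", "deploy"),
]
NEW = [
    ("alice", "finance", 0,  "remote", "ledger"),  # new for alice, unseen in finance
    ("dave",  "oncall",  0,  "remote", "deploy"),  # new for dave, usual for on-call peers
    ("bob",   "finance", 11, "HQ", "ledger"),      # matches bob's own baseline
]

def behavior(hour, location):
    """Coarse behavior key: off-hours flag (assumed 22:00-06:00) plus location."""
    return ("off-hours" if hour < 6 or hour >= 22 else "business-hours", location)

def build_profiles(events):
    """Per-user behaviors, users sharing each behavior per group, group members."""
    own, shared, members = defaultdict(set), defaultdict(set), defaultdict(set)
    for user, grp, hour, loc, _ in events:
        own[user].add(behavior(hour, loc))
        shared[(grp, behavior(hour, loc))].add(user)
        members[grp].add(user)
    return own, shared, members

def classify(event, own, shared, members, peer_share=0.5):
    """normal = seen for this user; peer-normal = new for user but common among peers."""
    user, grp, hour, loc, _ = event
    key = behavior(hour, loc)
    if key in own[user]:
        return "normal"
    peers = members[grp] - {user}
    sharing = shared[(grp, key)] - {user}
    if peers and len(sharing) / len(peers) >= peer_share:
        return "peer-normal"
    return "anomalous"

def self_audit(user, events, profiles):
    """Statement rows for one user; anomalous rows ask the user to verify."""
    rows = []
    for ev in (e for e in events if e[0] == user):
        verdict = classify(ev, *profiles)
        flag = "  <-- please confirm this was you" if verdict == "anomalous" else ""
        rows.append(f"{ev[2]:02d}:00 {ev[3]:<7} {ev[4]:<7} {verdict}{flag}")
    return rows
```

Calling `self_audit("alice", NEW, build_profiles(BASELINE))` yields the statement row a user would be asked to verify, while the same midnight remote access by `dave` is downgraded because his on-call peers share it.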
CYBER DEFENSE MAGAZINE - ANNUAL EDITION 3