Page 48 - Cyber Defense eMagazine for July 2020

            Moreover, she recently wrecked her truck and her cat is sick again. She is not sleeping well and
            has turned to drugs and alcohol.

            Jolene has moved far along the critical path to insider risk. She has multiple stressors, exhibits concerning
            behaviors and has experienced problematic organizational responses. And she has access to critical
            company systems.

            It would be wise to fully evaluate, and then mitigate, any risk that Jolene presents, with the goal of
            protecting company assets and assisting a struggling employee. Yet very few companies have the
            capability to assemble and analyze this non-technical information in order to identify when an insider
            like Jolene is on the path to insider risk. Assessing employees' private lives through background or
            credit checks or other intrusive measures is not even necessary in most cases; many of the relevant
            indicators are already collected by the organization (by HR, physical security, management and IT) and
            are readily available.

            The inadequate use of non-technical indicators may be due to the fact that many insider threat programs
            grow out of existing cyber security programs built on tools such as UEBA (user and entity behavior
            analytics) and SIEM (security information and event management). Those tools were developed to
            evaluate large volumes of technical data, applying rules and machine learning to flag anomalies in
            technical behavior such as logins, file access and data movement.

            As discussed above, when insider threats are viewed as the acts of known individuals, these technical
            indicators are perhaps one-third of the picture. Risk-scoring models built solely around technical
            indicators are not designed to put the anomalies they detect into the broader context of the critical
            path to insider risk. Such models can only be effective if they add non-technical behavioral indicators
            to the analytical mix.



            Multi-Disciplinary Technology Platforms for Evaluating Insider Threats
            Insider threat programs should consist of diverse experts representing human resources, legal,
            information security, cybersecurity, information technology, physical security, behavioral science and
            counterintelligence. These disciplines bring data and perspective when evaluating insider threats. They
            weigh evidence and give opinions on whether the behavior is indicative of a threat.

            The problem is that this approach does not scale well in organizations with large numbers of employees,
            since no team of experts could keep up.

            But the experts' judgment can be captured in analytic tools that apply the same reasoning, at scale, to
            the contextualized analysis of insider threats. For this purpose, Bayesian inference networks are an
            ideal fit: they represent how each indicator changes the experts' belief in the underlying risk state.

            Bayesian networks can be built to probabilistically model expert reasoning across multiple domains,
            using the full range of technical and non-technical behavioral indicators of insider risk. The result is
            a vastly improved capability to identify high-risk insiders who have already committed threat activities,
            as well as those who are on the critical path and may commit them in the future. The probabilistic
            model enables the proactive response needed to protect company assets, including the insiders
            themselves.
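            The paragraphs above describe the approach only in general terms. The following is an added
            illustration, not code from the article or from any product, of how a small Bayesian network can fuse
            technical and non-technical indicators into one posterior estimate of insider risk. The node names,
            the network structure and every conditional probability are assumptions chosen to make the behavior
            visible; real values would be elicited from the multi-disciplinary team. Inference is exact enumeration
            over boolean variables, so the example runs with the Python standard library alone.

```python
"""Toy Bayesian network for contextualising insider-risk indicators (added example).

Every variable is boolean. The structure follows the critical-path narrative in the text
(stressors -> concerning behaviour -> problematic organisational response -> risk), plus
access to critical systems, and a technical anomaly (a UEBA/SIEM alert) that is treated as
an *effect* of the underlying risk state. All probabilities are illustrative placeholders,
assumed for this example and not taken from the article or from expert elicitation.
"""
from itertools import product

# node -> (parents, table); table maps a tuple of parent values to P(node=True).
# Nodes are listed in topological order (parents before children).
NETWORK = {
    # personal stressors present (constructed prior)
    "stress": ((), {(): 0.15}),
    # concerning workplace behaviour, far more likely under stress
    "behavior": (("stress",), {(True,): 0.50, (False,): 0.05}),
    # problematic organisational response, e.g. a punitive or dismissive reaction
    "org_response": (("behavior",), {(True,): 0.40, (False,): 0.05}),
    # privileged access to critical company systems
    "access": ((), {(): 0.20}),
    # insider on the critical path / poses risk, given (behavior, org_response, access)
    "risk": (("behavior", "org_response", "access"), {
        (True, True, True): 0.60, (True, True, False): 0.30,
        (True, False, True): 0.30, (True, False, False): 0.10,
        (False, True, True): 0.10, (False, True, False): 0.04,
        (False, False, True): 0.03, (False, False, False): 0.01,
    }),
    # technical anomaly flagged by UEBA/SIEM; 0.08 is an assumed false-positive rate
    "tech_anomaly": (("risk",), {(True,): 0.70, (False,): 0.08}),
}


def prob_true(node, assignment):
    """P(node=True | its parents' values in `assignment`)."""
    parents, table = NETWORK[node]
    return table[tuple(assignment[p] for p in parents)]


def joint_probability(assignment):
    """Full joint P(assignment) as the product of the conditional tables."""
    p = 1.0
    for node in NETWORK:
        pt = prob_true(node, assignment)
        p *= pt if assignment[node] else 1.0 - pt
    return p


def posterior(query_var, evidence):
    """Return P(query_var=True | evidence) by exact enumeration over the hidden variables."""
    unknown_names = set(evidence) - set(NETWORK)
    if query_var not in NETWORK or unknown_names or query_var in evidence:
        raise ValueError(f"bad query/evidence: {query_var!r}, {sorted(unknown_names)}")
    hidden = [n for n in NETWORK if n != query_var and n not in evidence]
    weight = {}
    for qval in (True, False):
        total = 0.0
        for values in product((True, False), repeat=len(hidden)):
            assignment = dict(evidence, **dict(zip(hidden, values)))
            assignment[query_var] = qval
            total += joint_probability(assignment)
        weight[qval] = total
    return weight[True] / (weight[True] + weight[False])


def risk_scenarios():
    """Compare what each class of indicator contributes to the risk posterior."""
    # Constructed evidence sets: a lone UEBA alert, the non-technical picture
    # described for "Jolene" in the text, and both together.
    tech_only = {"tech_anomaly": True}
    non_technical = {"stress": True, "behavior": True, "org_response": True, "access": True}
    combined = dict(non_technical, tech_anomaly=True)
    return {
        "prior": posterior("risk", {}),
        "tech_only": posterior("risk", tech_only),
        "non_technical_only": posterior("risk", non_technical),
        "combined": posterior("risk", combined),
    }


if __name__ == "__main__":
    for name, p in risk_scenarios().items():
        print(f"P(risk | {name:>18}) = {p:.3f}")
```

            With these placeholder tables a UEBA alert on its own moves the risk estimate from a base rate of about
            4% to roughly 27%, which is why a technical anomaly alone rarely justifies action; the non-technical
            context alone reaches 60%, and the two together reach about 93%. The exact numbers are artifacts of
            the assumed tables, but the shape of the result is the point the text makes: the technical indicator is
            only part of the picture, and the network is what puts it into context. Because the anomaly is modelled
            as an effect of risk, the same structure also expresses how far an alert should be discounted when its
            false-positive rate is high.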






            Copyright © 2020, Cyber Defense Magazine.  All rights reserved worldwide.