Page 48 - Cyber Defense eMagazine for July 2020
Moreover, she recently wrecked her truck and her cat is sick again. She is not sleeping well and
has turned to drugs and alcohol.
Jolene has moved far along the critical path to insider risk. She has multiple stressors, exhibits concerning
behaviors and has experienced problematic organizational responses. And she has access to critical
company systems.
It would be wise to fully evaluate, then mitigate, any risk that Jolene presents, with the goal of protecting
company assets and assisting a struggling employee. Yet very few companies have the capability to
assemble and analyze this non-technical information and so identify when an insider like Jolene is
on the path to insider risk. Assessing employees' private lives through background checks, credit checks or
other measures is not even necessary in most cases; many other indicators are already collected by the
organization and readily available.
The inadequate use of non-technical indicators may stem from the fact that many insider threat programs
grow out of existing cybersecurity programs built on tools such as UEBA and SIEM, which
were developed to evaluate large volumes of technical data, using rules and machine learning to identify
technical behavioral anomalies.
As discussed above, when looking at insider threats as caused by known humans, these technical
indicators are perhaps one-third of the picture. Risk-scoring models built solely around technical
indicators are not designed to put the anomalies that they detect into the broader context of the critical
path to insider risk. These models can only be effective if they add non-technical behavioral indicators to
the analytical mix.
Multi-Disciplinary Technology Platforms for Evaluating Insider Threats
Insider threat programs should consist of diverse experts representing human resources, legal,
information security, cybersecurity, information technology, physical security, behavioral science and
counterintelligence. These disciplines bring data and perspective when evaluating insider threats. They
weigh evidence and give opinions on whether the behavior is indicative of a threat.
The problem is that this approach does not scale well in organizations with large numbers of employees,
since no team of experts could keep up.
But the experts can encode their judgments and wisdom in analytic tools that apply the same complex
reasoning to a contextualized analysis of insider threats. For this approach, Bayesian inference networks are
an ideal solution.
Bayesian networks can be built to probabilistically model expert reasoning across multiple domains using
the full range of technical and non-technical behavioral indicators of insider risk. The result is a vastly
improved capability to identify high-risk insiders who have already committed threat activities, as well as those
who are on the critical path and may commit them in the future. The probabilistic model enables the
proactive response necessary to protect company assets, including the insiders themselves.
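As an added illustration (not code from the article or from any vendor's platform), the toy Bayesian network below encodes the critical path in Python: stressors, concerning behaviors and problematic organizational responses feed an insider-risk node, and a technical anomaly of the kind a SIEM or UEBA tool raises is observed downstream of it. Every probability is a constructed placeholder chosen only to show how the same anomaly scores differently once non-technical context is added.

```python
"""Toy Bayesian network for the critical path to insider risk (added example).
Every probability below is a constructed placeholder, not a calibrated value."""
from itertools import product
from math import prod

# node -> (parent names, {tuple of parent values: P(node is True)})
NETWORK = {
    "stressors": ((), {(): 0.20}),
    "concerning_behavior": (("stressors",), {(False,): 0.05, (True,): 0.40}),
    "problematic_response": (("concerning_behavior",), {(False,): 0.02, (True,): 0.30}),
    "insider_risk": (
        ("stressors", "concerning_behavior", "problematic_response"),
        {(False, False, False): 0.01, (False, False, True): 0.05,
         (False, True, False): 0.10, (False, True, True): 0.30,
         (True, False, False): 0.03, (True, False, True): 0.15,
         (True, True, False): 0.35, (True, True, True): 0.75},
    ),
    # the SIEM/UEBA-style indicator is a noisy observation of the risk node
    "tech_anomaly": (("insider_risk",), {(False,): 0.10, (True,): 0.60}),
}

def prob(node, value, assignment):
    """P(node = value | the parent values found in assignment)."""
    parents, table = NETWORK[node]
    p_true = table[tuple(assignment[p] for p in parents)]
    return p_true if value else 1.0 - p_true

def posterior(query, evidence):
    """P(query = True | evidence) by enumerating every hidden variable."""
    hidden = [n for n in NETWORK if n != query and n not in evidence]
    weight = {}
    for q in (False, True):
        total = 0.0
        for values in product((False, True), repeat=len(hidden)):
            assignment = {**evidence, **dict(zip(hidden, values)), query: q}
            # chain rule: the joint is the product of every node's local CPT
            total += prod(prob(n, assignment[n], assignment) for n in NETWORK)
        weight[q] = total
    return weight[True] / (weight[True] + weight[False])

def critical_path_demo():
    """The same technical anomaly, scored in three non-technical contexts."""
    ctx = ("stressors", "concerning_behavior", "problematic_response")
    anomaly = {"tech_anomaly": True}
    return (posterior("insider_risk", anomaly),                                 # context unknown
            posterior("insider_risk", {**anomaly, **{n: False for n in ctx}}),  # nothing on the path
            posterior("insider_risk", {**anomaly, **{n: True for n in ctx}}))   # Jolene's situation
```

With these placeholder tables the anomaly alone scores about 0.26, drops to about 0.06 when the non-technical indicators are all absent, and rises to about 0.95 for Jolene's situation; the point is the spread, not the numbers.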
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.