Page 82 - Cyber Defense eMagazine for June 2021

With this knowledge, what signs should organizations monitor for to identify insider threats? How can
they reduce risks and the likelihood of these attacks?


Connecting the Dots: Insider Threat Origination Points
Protecting an organization from malicious insiders means organizations should focus more on protecting
their crown jewels than on watching employees. Remember, a successful insider threat program
embraces company culture and requires support from employees. An insider threat program’s goals are
to mitigate organizational risk, protect intellectual property, and align to company culture. Unless
resources and business needs suggest otherwise, Mandiant recommends focusing investments in identifying
malicious insider threats on core areas of concern, referred to as crown jewels. This includes key
personnel as well.


Mandiant recommends establishing an intelligence-led Insider Threat Program which uses a “follow the
data” or evidence-based model and assessing it annually for processes, people, and technology. A
“follow-the-data” model is important for cases generated to support and withstand litigation requirements.
Insider threat programs should also be poised to identify insider threat recruiting and access to protect
intellectual property, mitigate organizational risk, and align to business goals and outcomes. The most
successful insider threat programs are aligned with business unit investments, support continuous
awareness training, and report to the Board of Directors.


Within the Workforce

Organizations should focus limited insider threat security resources and key personnel on identifying
malicious insider threats who target business core areas of concern, also known as crown jewels or key
assets. Organizations should expand their view on who malicious insiders may be beyond current or
departing individual employees, in order to defend against them. It is becoming more common for
malicious insider threats to arise from coordinated groups of people rather than sole individuals, which
can include supply chain, third-party contractors, system administrators and insider threat security team
members. Organizations need to monitor for third-party access via APIs, service accounts and
maintenance systems that can present risks from both a malware and insider threat perspective.

Insider threat security teams require deep technical expertise and tailored training to identify and disrupt
the most significant malicious insider threats. For example, by investing in data loss prevention (DLP),
user and entity behavior analytics (UEBA), and AI solutions, they will also have a better chance of
detecting and blocking malicious insider activity. However, these investments must work both on and off
the network. In addition, having a third party conduct an insider threat security assessment at least
annually can help ensure existing people, processes, and technologies are adequate and efficient, and that
the organization is being evaluated against the latest threat landscapes and risks, based on current
intelligence.













            Copyright © 2021, Cyber Defense Magazine.  All rights reserved worldwide.