Page 82 - Cyber Defense eMagazine for June 2021
With this knowledge, what signs should organizations monitor for to identify insider threats? How can
they reduce risks and the likelihood of these attacks?
Connecting the Dots: Insider Threat Origination Points
Protecting an organization from malicious insiders means organizations should focus more on protecting
their crown jewels than on watching employees. Remember, a successful insider threat program
embraces company culture and requires support from employees. An insider threat program's goals are
to mitigate organizational risk, protect intellectual property, and align to company culture. Unless
resources and business needs suggest otherwise, Mandiant recommends focusing investments in
identifying malicious insider threats on core areas of concern, referred to as crown jewels. This
includes key personnel as well.
Mandiant recommends establishing an intelligence-led Insider Threat Program which uses a “follow the
data” or evidence-based model and assessing it annually for processes, people, and technology. A
“follow-the-data” model is important for cases generated to support and withstand litigation requirements.
Insider threat programs should also be poised to identify insider threat recruiting and access to protect
intellectual property, mitigate organizational risk, and align to business goals and outcomes. The most
successful insider threat programs are aligned with business unit investments, support continuous
awareness training, and report to the Board of Directors.
Within the Workforce
Organizations should focus limited insider threat security resources and key personnel on identifying
malicious insider threats who target business core areas of concern, also known as crown jewels or key
assets. Organizations should expand their view on who malicious insiders may be beyond current or
departing individual employees, in order to defend against them. It is becoming more common for
malicious insider threats to arise from coordinated groups of people rather than sole individuals, which
can include supply chain, third-party contractors, system administrators and insider threat security team
members. Organizations need to monitor for third-party access via APIs, service accounts and
maintenance systems that can present risks from both a malware and insider threat perspective.
Insider threat security teams require deep technical expertise and tailored training to identify and disrupt
the most significant malicious insider threats. For example, by investing in data loss prevention (DLP),
user and entity behavior analytics (UEBA), and AI solutions, they will have a better chance of
detecting and blocking malicious insider activity. But these investments must work both on and off the network.
In addition, having a third party conduct an insider threat security assessment at least annually can help
ensure existing people, processes, and technologies are adequate and efficient, and that the organization
is being evaluated against the latest threat landscapes and risks, based on current intelligence.
Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.