In July 2019, the U.K. Information Commissioner's Office announced its intention to fine global hotel chain Marriott International about $123 million (£99 million) over a breach that exposed the records of more than 380 million hotel guests. The incident was attributed to poor monitoring and employee negligence, the very failures that securing IT systems against internal threats is meant to prevent. Although mature organizations have well-defined incident response plans and procedures for common security events, few have a dedicated effort to understand how to mitigate and respond to insider threats. That gap makes combating insider threats one of the most critical issues for chief information security officers (CISOs).
“Insider threats are a reality, and CISOs must account for these when creating an incident response plan,” says Jonathan Care, Senior Director Analyst, Gartner. “To combat these threats, CISOs can’t simply deploy a product, implement a process or increase user awareness. Insider threats require a multifaceted, multidisciplinary approach.”
But building incident response scenarios for every conceivable type of insider threat would take more time and resources than any single organization can apply. Instead, CISOs can build threat scenarios focused on three key areas:
- Capabilities for monitoring and surveillance
- Profiles and personas specific to their organization
- Past insider incidents
Invest in employee monitoring and surveillance capabilities
Invest in monitoring and surveillance capabilities to gain a better understanding of, and more visibility into, people and assets: from how data is handled to which employee behaviors depart from standard policy. Such investments let you roll out response, mitigation and recovery efficiently when violations occur. “CISOs need to know who is at risk, what the source of the risk is and what the triggers are that can activate risky behavior,” says Care. Thorough background checks of employees and vendors, combined with monitoring for anomalous data exchanges, give CISOs the raw material for user and entity behavior analytics (UEBA). That visibility is what makes it possible to understand each source of risk and to build a mitigation plan for it. The practical heart of "anomalous data exchange" monitoring is a per-user baseline: what this person normally sends, to where, and how much, so that a departure is measured against the individual rather than against the whole company.
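The walk-forward baseline below is an added example written for this page, not Gartner's or any vendor's code. The log lines are constructed, and the line format (date, user, destination host, bytes sent), the three-day minimum history and the 3-sigma / 1.5x-mean thresholds are assumptions chosen for illustration. Each user's daily outbound volume is judged only against that user's own earlier days, and a destination the user has never sent to before is flagged separately, so a large upload to a never-before-seen host trips both checks at once.

```python
"""Per-user baseline of outbound data volume (added example, assumptions noted).

Assumed log format, one line per transfer:  <date> <user> <dest_host> <bytes_out>
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy/DLP log: not real data. alice uploads ~100 KB/day to
# a corporate share, then 2.4 GB to a personal drive; bob is steady throughout.
SAMPLE_LOG = """\
2019-06-03 alice fileshare.corp.example 120000
2019-06-04 alice fileshare.corp.example 98000
2019-06-05 alice fileshare.corp.example 131000
2019-06-06 alice fileshare.corp.example 110000
2019-06-07 alice fileshare.corp.example 105000
2019-06-10 alice personal-drive.example 2400000000
2019-06-03 bob fileshare.corp.example 20000
2019-06-04 bob fileshare.corp.example 21000
2019-06-05 bob fileshare.corp.example 19000
2019-06-06 bob fileshare.corp.example 24000
2019-06-07 bob fileshare.corp.example 18000
2019-06-10 bob fileshare.corp.example 22000
"""

MIN_HISTORY = 3   # assumed: days of history required before a user is judged
SIGMA = 3.0       # assumed: flag when above mean + SIGMA * stdev ...
RATIO = 1.5       # ... and also above RATIO * mean (guards against a tiny stdev)


def parse_log(text):
    """Split the assumed whitespace-separated format into tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, host, nbytes = line.split()
        records.append((day, user, host, int(nbytes)))
    return records


def per_user_days(records):
    """Group into {user: [(day, total_bytes, {hosts}), ...]} sorted by day."""
    days = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for day, user, host, nbytes in records:
        days[user][day][0] += nbytes
        days[user][day][1].add(host)
    return {u: [(d, t, h) for d, (t, h) in sorted(v.items())] for u, v in days.items()}


def volume_spike(history, value):
    """True when value is far above this user's own prior daily totals."""
    if len(history) < MIN_HISTORY:
        return False
    mu, sd = mean(history), pstdev(history)
    return value > mu + SIGMA * sd and value > RATIO * mu


def detect_anomalies(text):
    """Walk each user's days in order, judging each day only against earlier days."""
    alerts = []
    for user, days in per_user_days(parse_log(text)).items():
        history, seen_hosts = [], set()
        for day, total, hosts in days:
            reasons = []
            if volume_spike(history, total):
                reasons.append("volume_spike")
            new_hosts = hosts - seen_hosts
            if len(history) >= MIN_HISTORY and new_hosts:
                reasons.append("new_destination")
            if reasons:
                alerts.append({"user": user, "day": day, "bytes": total,
                               "new_hosts": sorted(new_hosts), "reasons": reasons})
            history.append(total)
            seen_hosts |= hosts
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

Note that bob's 24,000-byte day on 2019-06-06 exceeds his mean plus three standard deviations (the first three days have almost no variance) but not 1.5x his mean, which is why the ratio guard is there: a pure sigma test on a short, flat history produces noise, not insight.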
Build profiles and personas
Incident response scenarios come from developing user profiles and personas that help identify unusual behavior by users or groups engaged in high-risk activities. Identify the potentially risky behaviors and map each one to a solution or mitigation. While they will vary by organization, common scenarios include installing unsanctioned software, repeated failed password attempts and attempts to access other employees' accounts.
As you gain more in-depth insight into user profiles and personas, these scenarios can be made more specific. “Once context-specific incident response scenarios are identified, iterate the actions to include specific users or groups to indicate whether the actions warrant escalation to an incident,” says Care.
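The following is an added example, not code from the article or from Gartner, showing how the three common scenarios above (unsanctioned software, a burst of failed passwords, access to another employee's account) become detection rules, and how the persona step turns each hit into "triage" or "incident" depending on the user's group. The log lines, the persona table, the sanctioned-software list, the five-failures-in-ten-minutes threshold and the escalation table are all constructed assumptions; a real deployment would take them from the endpoint agent, the directory and the organization's own risk mapping.

```python
"""Scenario rules plus group-based escalation (added example, assumptions noted).

Assumed log format, one line per event:  <ISO timestamp> <user> <event> key=value ...
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample endpoint/auth log: not real data.
SAMPLE_LOG = """\
2019-07-01T09:00:05 carol auth_fail src=WS-117
2019-07-01T09:00:41 carol auth_fail src=WS-117
2019-07-01T09:01:12 carol auth_fail src=WS-117
2019-07-01T09:02:03 carol auth_fail src=WS-117
2019-07-01T09:02:40 carol auth_fail src=WS-117
2019-07-01T09:03:10 carol auth_ok src=WS-117
2019-07-01T10:15:00 dave account_switch target=root src=WS-042
2019-07-01T10:20:00 frank account_switch target=carol src=WS-118
2019-07-01T11:00:00 erin sw_install pkg=torrent-client
2019-07-01T11:05:00 erin sw_install pkg=git
2019-07-01T13:00:00 bob auth_fail src=WS-003
2019-07-01T13:30:00 bob auth_fail src=WS-003
"""

# Assumed persona mapping: in practice this comes from the directory / HR system.
PERSONAS = {"carol": "finance", "dave": "it-admin", "frank": "sales",
            "erin": "engineering", "bob": "engineering"}
SANCTIONED_SOFTWARE = {"git", "7zip", "vscode"}   # assumed allowlist
FAIL_THRESHOLD = 5                                # assumed: failures ...
FAIL_WINDOW = timedelta(minutes=10)               # ... within this window

# Assumed escalation table: rule -> group -> action ("*" is the default).
# Switching accounts is routine for IT admins but a red flag for everyone else;
# password guessing against a finance account is treated as an incident outright.
ESCALATION = {
    "failed_password_burst": {"finance": "incident", "*": "triage"},
    "other_account_access": {"it-admin": "triage", "*": "incident"},
    "unsanctioned_software": {"*": "triage"},
}


def parse_log(text):
    """Parse the assumed format into (timestamp, user, event, fields) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        records.append((datetime.fromisoformat(ts), user, event, fields))
    return records


def escalate(rule, user):
    """Return (group, action) for a rule hit, falling back to the '*' default."""
    group = PERSONAS.get(user, "unknown")
    table = ESCALATION[rule]
    return group, table.get(group, table["*"])


def detect(records):
    """Apply the three scenario rules and attach the per-group escalation decision."""
    findings = []
    recent_failures = defaultdict(deque)   # user -> timestamps inside FAIL_WINDOW

    def add(rule, user, detail):
        group, action = escalate(rule, user)
        findings.append({"rule": rule, "user": user, "group": group,
                         "action": action, "detail": detail})

    for ts, user, event, f in records:
        if event == "auth_fail":
            q = recent_failures[user]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                add("failed_password_burst", user, f"{len(q)} failures in {ts - q[0]}")
                q.clear()                           # one finding per burst, not per extra failure
        elif event == "account_switch" and f.get("target") != user:
            add("other_account_access", user, f"switched to {f['target']} from {f.get('src')}")
        elif event == "sw_install" and f.get("pkg") not in SANCTIONED_SOFTWARE:
            add("unsanctioned_software", user, f"installed {f.get('pkg')}")
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample, carol's five failures in under three minutes become an incident because of her finance persona, dave's switch to root is only triaged because account switching is part of an IT admin's job, frank's switch into carol's account is an incident, and bob's two failures half an hour apart never reach the threshold. The rules are deliberately simple; the persona layer is what keeps the same raw behavior from meaning the same thing for every user.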