In July 2019, global hotel chain Marriott International was charged with a $123 million fine for leaking the data of more than 380 million hotel guests in the U.K. The incident was attributed to poor monitoring efforts and employee negligence — both of which were completely preventable had the IT systems been secured from internal threats.
Although mature organizations have well-defined incident response plans and procedures for common security events, few have dedicated efforts to better understand how to mitigate and respond to insider threats. This makes combating insider threats one of the most critical issues for chief information security officers (CISOs).
“Insider threats are a reality, and CISOs must account for these when creating an incident response plan,” says Jonathan Care, Senior Director Analyst, Gartner. “To combat these threats, CISOs can’t simply deploy a product, implement a process or increase user awareness. Insider threats require a multifaceted, multidisciplinary approach.”
But building incident response scenarios to account for every conceivable type of insider threat would take more time and resources than any single organization can apply. Instead, CISOs can build threat scenarios focused on three key areas:
- Capabilities for monitoring and surveillance
- Profiles and personas specific to their organization
- Past insider incidents
Invest in employee monitoring and surveillance capabilities
Invest in monitoring and surveillance capabilities to gain a better understanding of, and more visibility into, people and assets — from how data is handled to identifying employee behaviors that don’t follow standard policy. Such investments will help you efficiently roll out response, mitigation and recovery when violations occur.
“CISOs need to know who is at risk, what the source of the risk is and what the triggers are that can activate risky behavior,” says Care.
Thorough background checks of employees and vendors, together with monitoring of anomalous data exchanges, give CISOs a user and entity behavior analytics view. This is critical for understanding sources of risk and building the corresponding risk mitigation plan.
Build profiles and personas
Incident response scenarios grow out of user profiles and personas that help identify unusual behavior by users or groups engaged in high-risk activities.
Identify potentially risky behaviors and map each one against a candidate solution or mitigation. While they vary by organization, common scenarios include installing unsanctioned software, repeated failed password attempts and attempts to access other employees’ accounts. As you gain deeper insight into user profiles and personas, these scenarios can be made more specific.
“Once context-specific incident response scenarios are identified, iterate the actions to include specific users or groups to indicate whether the actions warrant escalation to an incident,” says Care.
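As an added illustration of the three scenarios named above and of Care’s point about iterating them per user or group, the following detector is example code written for this page; it is not from the Gartner article and not a product. The event format, the approved-software list, the user-to-group mapping, the high-risk groups and the thresholds are all assumptions, and the log lines are constructed, not real data.

```python
"""Rule-based detector for three insider-threat scenarios (added example):
repeated failed password attempts, attempts to log in to other employees'
accounts, and installation of unsanctioned software. Findings are escalated
or queued for review depending on the user's group (the persona step)."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events (not real log data). Each event: minute-of-day,
# acting user, account acted on, action, outcome, free-text detail.
SAMPLE_EVENTS = [
    {"t": 540, "actor": "alice", "target": "alice", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 541, "actor": "alice", "target": "alice", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 543, "actor": "alice", "target": "alice", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 544, "actor": "alice", "target": "alice", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 546, "actor": "alice", "target": "alice", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 547, "actor": "alice", "target": "alice", "action": "login", "outcome": "success", "detail": ""},
    {"t": 600, "actor": "bob", "target": "carol", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 602, "actor": "bob", "target": "dave", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 603, "actor": "bob", "target": "bob", "action": "login", "outcome": "success", "detail": ""},
    {"t": 610, "actor": "carol", "target": "carol", "action": "software_install", "outcome": "success", "detail": "vpn-client"},
    {"t": 615, "actor": "carol", "target": "carol", "action": "software_install", "outcome": "success", "detail": "unknown-tool"},
    {"t": 700, "actor": "dave", "target": "dave", "action": "login", "outcome": "fail", "detail": ""},
    {"t": 760, "actor": "dave", "target": "dave", "action": "login", "outcome": "fail", "detail": ""},
]

# Assumed per-organization context (the article notes these vary by organization).
APPROVED_SOFTWARE = {"office-suite", "vpn-client", "pdf-reader"}
USER_GROUPS = {"alice": "engineering", "bob": "finance", "carol": "marketing", "dave": "sysadmin"}
HIGH_RISK_GROUPS = {"finance", "sysadmin"}  # personas whose findings escalate directly


@dataclass
class Finding:
    user: str
    scenario: str
    severity: str            # "review" (analyst triage) or "escalate" (open an incident)
    evidence: list = field(default_factory=list)


def _severity(user, scenario):
    """Persona-aware escalation: cross-account access and any finding on a
    high-risk group become an incident; everything else is queued for review."""
    if scenario == "cross_account_access" or USER_GROUPS.get(user) in HIGH_RISK_GROUPS:
        return "escalate"
    return "review"


def detect(events, fail_threshold=5, window_minutes=10):
    """Run the three scenarios over a list of events and return one Finding
    per (user, scenario) that fired, sorted for stable output."""
    findings = []
    fails = defaultdict(list)          # user -> minutes of failed logins on own account
    cross = defaultdict(set)           # user -> other accounts they tried to log in to
    unsanctioned = defaultdict(list)   # user -> installed software outside the approved list

    for e in sorted(events, key=lambda e: e["t"]):
        if e["action"] == "login":
            if e["actor"] != e["target"]:
                cross[e["actor"]].add(e["target"])
            elif e["outcome"] == "fail":
                fails[e["actor"]].append(e["t"])
        elif e["action"] == "software_install" and e["detail"] not in APPROVED_SOFTWARE:
            unsanctioned[e["actor"]].append(e["detail"])

    # Scenario 1: at least fail_threshold failures inside a sliding window,
    # so two scattered typos across the day (dave) do not fire.
    for user, times in fails.items():
        for i in range(len(times)):
            window = [t for t in times[i:] if t - times[i] < window_minutes]
            if len(window) >= fail_threshold:
                findings.append(Finding(user, "failed_logins", _severity(user, "failed_logins"), window))
                break

    # Scenario 2: any attempt to authenticate as someone else.
    for user, targets in cross.items():
        findings.append(Finding(user, "cross_account_access", _severity(user, "cross_account_access"), sorted(targets)))

    # Scenario 3: software outside the sanctioned list.
    for user, names in unsanctioned.items():
        findings.append(Finding(user, "unsanctioned_software", _severity(user, "unsanctioned_software"), names))

    return sorted(findings, key=lambda f: (f.user, f.scenario))


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.user:6} {f.scenario:22} {f.evidence}")
```

On the constructed events this yields three findings: alice’s burst of failed logins is queued for review, bob’s attempts on two colleagues’ accounts escalate, and carol’s unapproved install is queued for review; dave’s two isolated failures an hour apart do not fire at all. Tightening the thresholds or the high-risk group list is the “iterate the actions to include specific users or groups” step Care describes, and in practice the event source would be the identity provider or endpoint agent rather than an inline list.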
Examine past insider threat incidents
Look to past insider threat incidents in your organization and use them to test and refine your incident response preparation and readiness. Work with your legal and HR teams to do so, as they typically document such incidents. You can also examine post-incident reporting and add it as a critical source to your scenario planning.
Remember that past incidents can help you create a playbook of use cases and implement incident management process improvements, such as adding future incident indicators for actions or behaviors that were missed.