Insider threat is a relatively new field. With that comes a lot of unknown terrain. There are several things that require attention. The identification of crown jewels is critical to any program. Additionally, careful attention needs to be paid to the number of alerts vs the quality of the alerts. Lastly, there needs to be an efficient and straightforward escalation process for the analysts to follow.
Identification of Crown Jewels
Businesses love coming up with cool names for projects. Names like Scarlett, Autopilot, Icarus, etc. are likely to be unknown to most in a company in the early stages of a project. Security through obscurity is not something to scoff at, but if you want your intellectual property to be safeguarded then there are some groups that need to know.
Cyber incident response teams and especially insider threat teams need to be acutely aware of crown jewels. Without them having a basic understanding of the intellectual property that they are tasked with safeguarding they are unlikely to understand that IP is walking right out the (cyber) door.
In order to prevent such lapses in knowledge it needs to become standard that those tasked with protecting crown jewels are read in on what those crown jewels are. Routine meetings to keep security teams apprised of the company’s newest research and the newest concerns should be standard.
Quantity vs Quality in Reviews
Analyst fatigue. Those two words scare any leader that oversees cyber analysts. These members are necessary in the process, but their role can often be repetitive. It is imperative that leaders do everything in their power to make sure that minds remain sharp and interested. An analyst who becomes bored or tired mentally is one who is going to miss a key indicator of risk. Keeping things fresh is needed for all employees, but especially those doing reviews.
A great solution to this is to always be updating your policies. If a policy is triggering too many alerts then it should be refined in order to eliminate the excessive, noisy alerts. As you get the number of those alerts down you can start focusing on finding new indicators. This will help to prevent your analysts from looking at the same type of alerts all day every day. The goal is quality reviews, not a heightened number of reviews.
The Need for a Simple and Efficient Escalation Process
Analysts are not all knowing. We must give them a bit of leeway or else they can be prone to inaction for fear of getting something wrong. But this leads to a whole different issue: sitting on the fence. When an analyst cannot decide which way to lean on that fence it is often a difficult decision. There are many factors that likely weigh in depending on the type of analyst that they are and the type of events that they are looking at. The goal should always be to make these decisions as easy and clear as possible.
You do not want the process of escalating an event to be a factor for those doing reviews. If a process is arduous or unnecessarily painful, then you are going to be influencing your analysts when they are on the fence. As much as we all want to believe that it wouldn’t happen, it does. A case that just barely meets the threshold of escalation, a case that could well be a highly concerning incident if an investigation occurs, may be cleared as non-concerning to avoid the process of escalation. Teams need to ensure that this never happens.
The best method of preventing this is automation. Available data should never have to be transcribed manually. The best-case scenario is that an analyst only must hit an escalation prompt and then add the comment of why they think that it is a concern. Making life easier for the analyst is always in the best interest of the organization because it is in the interest of security.
Contact ITMG to Develop Strategies and Protocols Designed to Help Your Company Mitigate Your Insider Risk
ITMG is an industry leader in helping organizations throughout the United States strengthen their insider risk management programs and secure sensitive data and intellectual property. Our team of bona fide experts has the real-world experience necessary to plan out and create holistic security solutions tailored to the needs and risks in your industry. Contact ITMG today to learn more about how we can help! You can also visit our Facebook, Twitter, and LinkedIn pages for more updates and insights into the world of insider risk management.