Think headlines about data theft and leakage have nothing to do with you? Think again. Many of these incidents have a common theme: Privileged access. It's your job to make sure your organization doesn't fall victim to the same fate by at the very least examining your existing insider threat program, and perhaps doing a major revamp.
Edward Snowden's theft and release of National Security Agency data, Army Private First Class Bradley Manning's disclosure of sensitive military documents to information distributor WikiLeaks and the shooting at the Washington Navy Yard by a credentialed IT subcontractor have given IT executives across industries pause to reconsider their security policies and procedures.
"A crescendo of discussions is happening in boardrooms everywhere about the impact an insider could have on corporate assets," says Tom Mahlik, deputy chief security officer and director of Global Security Services at The MITRE Corporation, a government contractor that operates federally funded research and development centers.
The Washington Navy Yard incident cost 12 people their lives; the full impact of the WikiLeaks and Snowden data releases cannot yet be quantified.
"These incidents have added another dimension to the threat paradigm -- privileged access," Mahlik says.
Mahlik suggests that existing insider threat programs must increasingly be focused on users with elevated or privileged access to critical information. To that point, he is leading an overhaul of MITRE's own program. His goal is to understand the threats insiders pose and to deter those threats via a program that synchronizes people, policies, processes and technology. "We are in the nascent stage of this effort," he says.
Realizing the new threat
For a new or rehabbed insider threat program to be successful, the CIO, CISO or CSO first has to gain boardroom buy-in and illuminate the value such a program would have to a company in detecting and preventing harm to people, property and company reputation. A thorough assessment of the known or existing vulnerabilities and threats, weighed against the overall company risk appetite, is essential.
For example, if a company manufactures a unique product, then intellectual property would be a key focus area for the insider threat program. But if a company provides medical services, then protecting patient records would be the emphasis.
Don't try to create an insider threat program during an attack or suspected attack. "That is the worst time to build any program with efficacy," Mahlik says. "You can't build relationships in a time of crisis."
Instead, companies should tackle planning, design and baselining as a necessary and continuous business process. "Institutionalizing a playbook and conducting [drills] before the crisis is the ideal," Mahlik explains.
In most cases, the first place to look for gaps in security is the flow of data in and out of the company. "People can move lots of data around very quickly today," says Dan Velez, senior program manager for Raytheon Cyber Products' SureView insider threat detection and prevention product line. "While that's good for business, it's bad for risk," he notes.
Traditionally, organizations have been good about protecting the perimeter but not what's inside it. "It's time to pull the covers back and examine more closely what's happening on our networks," he says.
Focus on data flow, Velez advises, because newer technologies such as cloud computing and mobile computing are being introduced to the organization on a daily basis, potentially altering the pool of privileged users. In addition, some companies continue to outsource pieces of the business, giving access rights to humans and machines beyond the company's immediate control.
Defining the threat
"When we talk about the 'insider threat,' we are talking about someone or something with authorized access [who] could use that access to do harm," Velez says. Mahlik agrees, adding insiders could be employees, business leaders or supervisors, contractors, subcontractors or supply chain partners.