Lesson 2 Part 1.pdf

Full Transcript

Lesson 2 Part 1
Hi everyone, my name is Pulumi Rajibolaji, and I'll be walking you through the second
lesson in the Insider Threat Analyst training course. And the lesson is focused on insider
threat data sources, and I hope you enjoy and find a lot of value in the lesson. In this
lesson, we'll explore the critical role that data sources play in an insider threat program,
and understand their significance.

You will learn how to identify and evaluate both technical and non-technical data
sources, assessing their strengths and weaknesses. We'll also be covering how to
prioritize these data sources effectively, and apply this theoretical knowledge to practical
scenarios. Data sources play a crucial role within insider threat detection and mitigation,
as they are the evidence behind users' actions.

They help to identify the intent behind users' actions and are proof of whether a violation
was committed or not. Data prioritization, on the other hand, is useful in the allocation of
resources, early identification of potential threats, and protection of critical assets. As we
go deeper into the lesson, we'll be exploring the different types of data sources that
insider threat teams can utilize, and the role that they play when conducting an insider
threat investigation.

In the context of insider threat detection, the value of non-technical data sources cannot
be overstated. These sources offer insights into the human element of security,
providing a complementary perspective to the technical data derived from IT systems
and networks. So how do we define non-technical data sources? Non-technical data
sources encompass all information that does not originate from IT systems, software, or
electronic devices.

Examples include employee behavior patterns, human resources reports, physical access
logs, and interpersonal communications. Unlike technical data, which typically includes
network logs, system access records, and cybersecurity incident reports, non-technical
data involves aspects of human behavior and organizational processes. So what's the
importance of non-technical data? Incorporating non-technical data into security
strategies enables organizations to achieve a more holistic understanding of their
security posture.

This approach recognizes that insider threats often manifest through subtle changes in
behavioral violation of company policies. These are elements that are not always
captured by technical monitoring tools. A key aspect of non-technical data's value lies in
its ability to detect insider threats.

Unusual behavior such as sudden changes in work habits or unauthorized access to
sensitive areas can serve as early indicators of potential security risks. Through real-
world case studies, it is evident that non-technical data plays a pivotal role in identifying
threats that might otherwise go unnoticed by conventional security measures. So how do
we differentiate between technical and non-technical data? Understanding the
distinctions between technical and non-technical data is crucial for cybersecurity
professionals.

Technical data is characterized by its digital origin, consisting of binary information
generated by computer systems and networks. In contrast, non-technical data is marked
by its human-centric nature encompassing the behaviors, interactions, and decisions of
individuals within an organization. The integration of technical and non-technical data
presents challenges including ethical concerns related to privacy and the potential for
misinterpretation.

Successfully combining these data types requires careful consideration of these issues to
ensure that security measures do not infringe on individual rights or ethical standards.
This section explores the combined role of communication and social media analysis in
the detection of insider threats, providing you with the tools to identify potential security
risks. By examining both internal communication and external social media activities,
organizations can gain comprehensive insights into the behaviors and sentiments of
their employees.

So what's the role of communication and social media in insider threats detection?
Internal communications and social media provide distinct but complementary sources
of information for detecting potential insider threats. Monitoring these channels allows
organizations to capture a full spectrum of employee interactions and sentiments,
offering early warnings of potential risks. Some key aspects of communication and social
media analysis include behavioral indicators.

This involves things like posts, likes, shares, and connections on social media. They can
all serve as indicators of an individual's mindset and potential security risks. Second, we
have sentiment and tone analysis.

This involves using natural language processing to analyze sentiment and tone in both
internal and external communications. And lastly, we have network and relationship
analysis, where we map social connections within and outside the organization to
identify risky associations or influences. Methodologies for analyzing communication and
social media are, one, automated monitoring tools.

Deploying software solutions that can sift through large volumes of communication and
social media data to detect anomalies are crucial. Two, we have manual oversight. This
is where we supplement automated tools with human analysis to provide context and
interpret nuances that software might miss.

Three, we have integration with other security measures, where we combine insights
from communication and social media with other data sources like HR records and
access logs. So what's the application in cybersecurity? The first one is proactive threat
detection. The utilization of analytics to monitor for signs of potential insider threats
before they manifest into actions is a relevant application in cybersecurity.

Second, we have the organizational culture assessment, where we gauge overall
employee sentiment and cultural health, which can influence insider threat levels. As
with everything, there are challenges. So what are some challenges in communication
and social media analysis? The first one is privacy and ethical concerns, where we ask
questions on how do we balance effective monitoring with respect for individual privacy
rights? And the second challenge is data management.

How do we handle vast amounts of data generated by communication and social media
channels to ensure they're being analyzed appropriately? Some ethical and legal
considerations include regulatory adherence, which means complying with privacy laws
and regulations such as GDPR and HIPAA when handling personal and sensitive
information. The second one is consent and notification, where we inform employees
about the scope and purpose of monitoring activities. Communication and social media
analysis are vital tools in the arsenal of insider threats detection.

When effectively integrated and managed with consideration for ethical and legal
standards, these tools can typically provide deep insights into potential security threats,
enhancing an organization's ability to protect its assets and personnel. In this section,
we'll be examining the role of physical security measures and environmental behavior in
detecting insider threats. It highlights the significance of access logs, physical security
alerts, workspace behavior, and the integration of these elements with behavioral
analytics.

Understanding these sources is essential for developing a comprehensive approach to
insider threats detection. So how do we define physical security? Physical security
systems such as access control logs and CCTV footage provide essential data that can
help identify potential insider threats. These systems monitor and record the physical
movement and actions of employees within an organization, offering tangible evidence
of any anomalous or unauthorized activities.

There are some key components of physical security analysis, which includes access
logs. Access logs involves examining entry and exit logs to detect unauthorized or
unusual access to sensitive areas. These logs can reveal patterns of behaviors that are
inconsistent with an employee's normal activity or job requirements.

We also have physical security breaches. This is the analysis of incidents where physical
security has been compromised, such as an unauthorized entry or the manipulation of
security systems. These breaches can serve as direct indicators of potential insider
threats.
Another key component is workspace behavior. This is the monitoring of behavior within
the workspace, including the use of common areas, interaction with secure environments
and adherence to physical security policies. Unusual behavior in these settings can be a
precursor to more serious security violations.

So how do we integrate physical security data with behavioral analytics? We can do so
through data correlation. This is the combination of physical security data with other
forms of behavioral data to form an holistic view of an employee's behavior. This
integration can enhance the detection of insider threats by correlating physical actions
with online activities or other behavioral indicators.

Another method of integration could be predictive analysis. This is typically the
utilization of advanced analytics to predict potential security breaches based on trends
and patterns identified in the physical security data. This approach can proactively
address risks before they materialize into actual threats.

Incident response and forensics is where we leverage physical security data in incident
response strategies to quickly address and investigate suspicious activities. This data is
also crucial for forensic analysis post-incident, that is, after a breach has occurred, to
understand the breach's nature and prevent future occurrences. Just like with social
media and communication, there are also challenges in physical security analysis, some
of which are similar.

The first one is privacy concerns. This involves the balancing of effective security
monitoring with respect for individual privacy, especially concerning surveillance and
personal data collection. Another challenge is data volume and management.

This is where you have to question, how do I manage large volumes of data generated
by physical security systems and ensure its accuracy and relevance for security
analysis? There are also ethical and legal considerations here, which I've broken down
into two, the first one being regulatory compliance. This is the adherence to laws and
regulations regarding surveillance, data protection, and employee privacy. Ethical
monitoring involves implementing monitoring practices that are justified by genuine
security needs and are transparent to employees.

To conclude, physical security and environmental behavior are critical components of a
robust insider threat detection program. When integrated with behavioral analytics,
these physical indicators significantly enhance the ability to detect and respond to
insider threats effectively. This holistic approach ensures that security measures are not
only reactive, but also proactive, adapting to new threats as they arise.