Lesson 5 Part 1 PDF
Uploaded by CooperativeJacksonville
Nanyang Technological University
Summary
This document discusses insider threat metrics, employee training, and control measures in an organizational setting. It covers topics such as identifying areas for improvement in employee training and understanding the importance of continuous improvement in controlling insider threat incidents.
Full Transcript
Lesson 5 Part 1

Welcome to lesson five. In this lesson, we're going to talk about insider threat metrics. By the end of this lesson, you should understand how to develop metrics for measuring the effectiveness of an insider threat control and for effectively communicating insider threat trends within your organisation. You should also be able to identify areas to improve employee training and education derived from organisational incidents. For the purposes of control measures, you should be able to evaluate the impact of control measures on reducing insider threat incidents and understand the importance of continuous improvement in control effectiveness. And then finally, for steer co and working group objectives, you should learn the importance of establishing a steering committee and working group to tackle insider threat issues.

The first thing we need to do when developing metrics for insider threat is to list out all the possible data sources that will be available to us. So for an insider threat programme, we can have three types of data: incident data, education and training, and policy and any other activity-related data.

So when it comes to data on incidences, we need to think about how we're handling the insider threat case. The most important job in insider threat is performing an accurate and effective investigation, because, bear in mind, this can go to court. So to achieve this goal, the insider threat working group should monitor and focus on the following. You need to take into consideration things like false positive rates. The insider threat team receives many alerts from internal stakeholders like the security operations centre and HR, and an investigator may uncover incidences as well. So it's important to perform an accurate investigation to identify false positives and avoid making any wrong final decisions on the cases.
So for the types of incidences you need to think about: metrics should also show types of incidences based on various factors, such as assets and controls. And then you need to think about intentional versus accidental, because not all insider threat cases are intentional or malicious. Sometimes, as we've gone through, they've just sent the email to the wrong recipient or accidentally downloaded malware onto their work computers by clicking on a site that they go to all the time. And this is an important metric because it can provide good insights into the workers' knowledge in practising good cyber hygiene, and you can tailor your training programme based on this. So for example, a company noticed that many workers had been redirected to unwanted sites, and after the investigation it turned out the workers did not intentionally enter those sites. So based on this information the security team can then create a policy to blacklist certain sites, preventing users from accessing them. And a declining number of accidental incidences is a good indicator of a good security control.

Then you need to look at things like training and education. When it comes to the effectiveness of education and training programmes for the user, many organisations require the users to watch security awareness training programmes and tick a box at the end to say that they've done the training. But it's important to educate the workers to mitigate the risks of compromise and protect the organisation legally as much as anything else. The training completion rate: you need to look at what percent of total workers actually completed the training on time, because if there are workers that are persistently not meeting the criteria then you might want to look at them to see why that is happening. And if you're testing the training for workers, what percentage of the workers passed the training test? So in Mastercard we have a system of seven strikes and you're out.
So if you keep repeatedly clicking and downloading malware, not just from the internet or wherever, but you're also failing the monthly phishing test, then that can actually result in termination. So what we do is we look at the application of training and we examine the workers' behaviour after the training to see if they're practising what they've actually learned. So here are some examples. The percentage that clicked on the phishing emails: if you implement a phishing test, look at what percentage of workers clicked on the phishing test emails. And what percentage of change in incidences occurred after the training? That training can emphasise things like locking the screens when they're away from the desk, and then we can measure the impact by looking at the percentage of change in incidences of workers who leave their screens unlocked, for example.

So data loss prevention policies and various DLP policies can also be developed based on the type of assets and controls that are currently present. So if you look at assets, what types of critical assets in the organisation need to be protected from insider threats? Because this is going to be different in different environments based on physical or intellectual properties, etc. The critical assets can be things like sales information, marketing information, customer-related data, software, proprietary information that you don't want shared outside your organisation. So for example, a pharmaceutical company would have highly confidential documents on vaccines or new drug development, if you looked at Pfizer whilst COVID was going on. And if these documents were to be shared with a competitor, so let's say Johnson & Johnson or Moderna, it would weaken their competitive position in the market and harm the business's reputation. So then you need to look at control and detection. What control and detection policies are currently in place for important assets?
And it's important to examine the trend of insider threat activities that currently exist within your organisation. So how have employees been stealing data? According to Carnegie Mellon, the institute, many employees have stolen confidential or sensitive information using email, and email is a very common vector for exfiltration. An organisation may implement a data loss prevention policy on emails, or it may be that you prevent files of a certain size being sent outside the organisation. And OK, USBs are an old and popular way of exfiltration, but most organisations should really have those locked down. Because if you look at an example from 2016, a former Google executive who'd worked on the Waymo self-driving programme had downloaded 14,000 files from an internal password-protected Google server known as SVN, which was hosted on Google's network. And then around 14 December 2015, he transferred those SVN files from his Google-issued laptop to his personal laptop. A detection policy for high file download activity can prevent such incidences from happening.

But the problem that you have now is, as technology advances, there are always going to be new inventive ways for workers to exfiltrate intellectual property, and you need to identify new patterns and trends. So it might be that, you know, with the advent of generative AI, it can conceal things more easily from being exfiltrated or moved around the organisation.

So based on all these different assets and controls, you can develop the following metrics. You would look at the overall volume of monitoring policies. This is a good metric to follow to detect any anomaly in trends and overall changes in policy. Your company can implement an email monitoring policy involving sending a document that contains the keyword "confidential" to external recipients, and you can track and monitor how many workers and emails are sent out during the various periods with these tags on them.
And there's the true positive rate of the policy. This is the percentage of true incidences from the total volume. So for example, in one month, a worker had sent 100 emails to external recipients. Investigators reviewed all 100 emails, and they found that 5 were sensitive and should not have been sent out to those recipients. So from this example, you can see that the true positive rate for this policy is 5%, or 5 out of 100. There are also false positive rates of the policies to consider, because it's important to update your DLP policies to accurately reflect the goals of what you're trying to achieve. When a policy is first implemented, there will always be false positives. So for example, a policy creator implemented a policy that detects all emails that may have credit card numbers, and after the policy was created, the investigators found that 20 out of the 100 emails did not contain credit card numbers; they were just 16-digit random numbers. So in this example, we can see that the false positive rate is 20%, or 20 out of 100.

Okay, so it's important to think about what the goal of your insider threat programme is. And as your organisation changes and expands, obviously your insider threat programme needs to change and expand as well. So for example, in an organisation with lots of intellectual property, or IP, that's documented, the highest priority is to make sure this information doesn't get shared outside of the organisation. And if we have a company that, let's say, recently developed a vaccine for senioritis, and any information leaked on this data would damage the reputation as well as create a large financial loss, the senior executive has set protecting this information as the highest priority and asked you to create metrics.
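As an added worked example (not part of the lesson), the true positive rate, false positive rate, intentional-versus-accidental share and month-on-month change metrics described above, computed over a constructed set of investigator-reviewed DLP alerts. The policy names, months and the `luhn_valid` pre-filter are assumptions; the January figures are built to reproduce the lesson's 5-of-100 and 20-of-100 examples, and the Luhn check shows how the "random 16-digit numbers" false positives can be kept out of the alert volume in the first place.

```python
def luhn_valid(number: str) -> bool:
    """Luhn checksum: the usual pre-filter that stops a card-number DLP rule alerting on random 16-digit strings."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def policy_rates(reviews, month=None):
    """reviews: (policy, month, verdict, intent) tuples; verdict is the investigator's "true"/"false"
    call, intent is "intentional"/"accidental" for true positives. Returns per-policy metrics."""
    stats = {}
    for policy, m, verdict, intent in reviews:
        if month is not None and m != month:
            continue
        s = stats.setdefault(policy, {"volume": 0, "true": 0, "accidental": 0})
        s["volume"] += 1
        if verdict == "true":
            s["true"] += 1
            s["accidental"] += int(intent == "accidental")
    return {p: {"volume": s["volume"],
                "tp_rate": s["true"] / s["volume"],
                "fp_rate": (s["volume"] - s["true"]) / s["volume"],
                "accidental_share": s["accidental"] / s["true"] if s["true"] else 0.0}
            for p, s in stats.items()}

def incident_change(reviews, policy, before, after):
    """Percentage change in confirmed incidents for one policy between two months (None if no baseline)."""
    counts = {before: 0, after: 0}
    for p, m, verdict, _intent in reviews:
        if p == policy and verdict == "true" and m in counts:
            counts[m] += 1
    if counts[before] == 0:
        return None
    return (counts[after] - counts[before]) * 100 / counts[before]

# Constructed sample. January reproduces the lesson's two figures (5 of 100 external emails
# sensitive; 20 of 100 card-number alerts were random digits); February is the month after training.
SAMPLE = (
    [("confidential-external", "2024-01", "true", "accidental")] * 3
    + [("confidential-external", "2024-01", "true", "intentional")] * 2
    + [("confidential-external", "2024-01", "false", None)] * 95
    + [("credit-card-number", "2024-01", "true", "accidental")] * 80
    + [("credit-card-number", "2024-01", "false", None)] * 20
    + [("confidential-external", "2024-02", "true", "accidental")] * 4
    + [("confidential-external", "2024-02", "false", None)] * 60
)
```

Calling `policy_rates(SAMPLE, month="2024-01")` gives the lesson's 5% true positive and 20% false positive rates; `incident_change(SAMPLE, "confidential-external", "2024-01", "2024-02")` returns -20.0, the kind of post-training trend figure the lesson asks you to report.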