Lesson 5 Part 1.pdf

Full Transcript

Lesson 5 Part 1
Welcome to lesson five. In this lesson, we're going to talk about insider threat metrics.
By the end of this lesson, you should understand how to develop metrics for measuring
the effectiveness of an insider threat control and for effectively communicating insider
threat trends within your organisation.

And you should be able to identify areas to improve employee training and education
derived from organisational incidents. For the purposes of control measures, you should
be able to evaluate the impact of control measures on reducing insider threat incidents
and be able to understand the importance of continuous improvement in control
effectiveness. And then finally, for steer co and working group objectives, you should be
able to learn the importance of establishing a steering committee and working group to
tackle insider threat issues.

The first thing we need to do when developing metrics for insider threat is to list out all
the possible data sources that will be available to us. So for an insider threat
programme, we can have three types of data. We would have incident data, education
and training and policy and any other activity related to data.

So when it comes to data on incidences, we need to think about how we're handling the
insider threat case. The most important job in insider threat is performing an accurate
and effective investigation because bear in mind this can go to court. So to achieve this
goal, the insider threat working group should monitor and focus on the following.

So you need to take into consideration things like false positive rates. So insider threats
receives many alerts from internal stakeholders like the security operations centre and
HR. An investigator also may uncover incidences as well.

So it's important to perform an accurate investigation to identify false positives and
avoid making any wrong final decisions on the cases. So the types of incidences that you
need to think about are where metrics should also show types of incidences that are
based on various factors. So things like assets and controls.

And then you need to think about intentional versus accidental because not all insider
threat cases are intentional or malicious. Sometimes we've gone through that they've
just sent the email to the wrong recipient or accidentally downloaded malware into their
work computers by clicking on a site that they go to all the time. And this is an important
metric because it can provide good insights into the worker's knowledge in practising
good cyber hygiene.

And you can tailor your training programme based on this. So for example a company
noticed that many workers had been redirected to unwanted sites. And after the
investigation the workers did not intentionally enter those sites.
So based on this information the security team can then create a policy to blacklist
certain sites that prevent users from accessing that site. And a declining number of
accidental incidences is a good indicator of a good security control. Then you need to
look at things like training and education because the effectiveness of education training
programmes for the user mean that many organisations require the users to watch
security awareness training programmes, tick a box at the end to say that they've done
the training.

But it's important to educate the workers to mitigate the risks of compromise and
protect the organisation legally as much as anything else. The training completion rate,
so you need to look at what percent of total workers actually completed the training on
time. Because if there's workers that are persistently not meeting the criteria then you
might want to look at them to see why that is happening.

And if you're testing the training for workers, what percentage of the workers passed the
training test? So in Mastercard we have a system of seven strikes and you're out. So if
you keep repeatedly clicking and downloading malware, not just from the internet or
wherever, but you're also failing the monthly phishing test, then that can actually result
in termination. So what we do is we look at the application of training and we examine
the workers' behaviour after the training to see if they're practising what they've actually
learned.

So here are some examples. The percentage clicked on the phishing emails. So if you
implement a phishing test, look at what percentage of workers clicked on the phishing
test in the emails? And what percentage of change in incidences occurred after the
training? And that can emphasise things like locking the screens when they're away from
the desk and things like that.

And then we can measure the impact by looking at the percentage of change in
incidences of workers who leave their screens unlocked, for example. So data loss
prevention policies and various DLP policies can also be developed based on the type of
assets and controls that are currently presented. So if you look at assets, what types of
critical assets in the organisation need to be protected from insider threats? Because this
is going to be different in different environments based on physical or intellectual
properties, etc.

The critical assets can be things like sales information, marketing information, customer-
related data, software, proprietary information that you don't want shared outside your
organisation. So for example, a pharmaceutical company would have highly confidential
documents on vaccines or new drug development if you looked at Pfizer whilst COVID
was going on. And if these documents were to be shared with a competitor, so let's say
Johnson & Johnson or Moderna, it would weaken their competitive position in the market
and harm the business's reputation.
So then you need to look at control and detection. So what control and detection policies
are currently in place for important assets? And it's important to examine the trend of
insider threat activities that currently exist within your organisation. So how have
employees been stealing data? And according to Carnegie Mellon, the institute, many
employees have stolen confidential or sensitive information using email.

And email is a very common vector for exfiltration. And an organisation may implement
a data loss prevention policy on emails, or it may be that you prevent files of a certain
size being sent outside the organisation. And OK, USBs are an old and popular way of
exfiltration, but most organisations should really have those locked down.

Because if you look at an example from 2016, a former Google executive who'd worked
on the Waymo self-driving programme had downloaded 14,000 files from an internal
password-protected Google server known as SVN, which was hosted on Google's
network. And then around 14 December 2015, he transferred those SVN files from his
Google-issued laptop to his personal laptop. A detection policy for high file download
activities can prevent such incidences from happening.

But the problem that you have now is, as technology advances, there's always going to
be new inventive ways for workers to exfiltrate intellectual properties. And you need to
identify new patterns and trends. So it might be that, you know, with the advent of
generative AI, it can conceal things more easily from being exfiltrated or moved around
the organisation.

So based on all these different assets and controls, you can develop the following
metrics. So you would look at overall volume of monitoring policies. And this is a good
metric to follow to detect any anomaly in trends and overall changes in policy.

And your company can implement an email monitoring policy involving sending a
document that contains the keyword confidential to external recipients. And you can
track and monitor how many workers and emails are sent out during the various periods
with these tags on them. And there's the true positive rate of the policy.

So this is the percentage of true incidences from the total volume. So for example, in one
month, a worker had sent 100 emails to external recipients. And investigators reviewed
all 100 emails, and they found that 5 were sensitive and should not be sent out to those
recipients.

So from this example, you can see that the true positive rate for this policy is 5% or 5
out of 100. There is also false positive rates of the policies to consider, because it's
important to update your DLP policies to accurately reflect the goals of what you're
trying to achieve. So when a policy is first implemented, there will always be a false
positive.
So for example, a policy creator implemented a policy that detects all emails that may
have credit card numbers. And after the policy was created, the investigators found that
20 out of the 100 emails were not credit card numbers. They were just 16-digit random
numbers.

So in this example, we can see that the false positive rate is 20% or 20 out of 100. Okay,
so it's important to think about what the goal of your insider threat program is. And as
your organization changes and expands, obviously, your insider threat program needs to
change and expand as well.

So for example, in an organization with lots of intellectual property or IP that's
documented, the highest priority is to make sure this information doesn't get shared
outside of the organization. And if we have a company that, let's say, recently developed
a vaccine for senioritis, and any information leaked on this data would damage the
reputation as well as create a large financial loss, the senior executive has set protecting
this information as the highest priority and asked you to create metrics.