Lesson 6 Part 1.pdf

Full Transcript

Lesson 6 Part 1
In lesson six, we're going to talk about the various mitigation tools that will be available
to you as part of your insider threat program, particularly a comprehensive insider threat
program. So at the end of this lesson, you should be able to understand the capabilities
and limitations of the tools that can be used in insider threat detection strategies. So
even if your insider threat program is mainly going to sit under a detect and respond
capability of the cybersecurity framework, it's important for your team to also have
access to tools that cover the areas of identify, protect and recover.

And that type of arsenal of tools will be crucial for the program to strengthen their
detection and response, but also to ensure that proper controls are in place without
affecting the business. And some of these will cover multiple areas. So all of the
detection and response tools are not specifically designed for insider threat programs.

And this is why it's important to understand which other teams use these tools and
collaborate with them. Under the heading of identify, these tools are crucial for your
program to have a clear view on your organization. And they'll allow you to understand
your critical assets to inventory them, data sensitivity, the business risks, business
environment, strategic policies, company members and staff, contingent members, etc.

Or third party supply chains that are linked into your organization also. And the
advantages of this is it gives a clear understanding of the who and the what. But the
disadvantages are that most of these tools are databases.

So they're more a source of information than a tool that will allow you to take any action.
And these types of tools tend to be owned and maintained by different departments. So
for example, human resources, IT, etc.

And there may be the potential for the lack of consistency and updates. And there is a
challenge for connecting the data together. So you need to consider is it preferable for
your program to not have full access to these tools, but a read access, whether that
would be enough.

And that will protect your team from the wrong type of manipulation, because insiders
can also hide in the insider threat team. Protect. So protection tools allow insider threat
programs to implement appropriate security controls without breaking business
continuity.

Now, these controls would apply on things like assets, data and users. And the
advantages are that the controls are important for insider threat programs to limit the
risks, but also to identify any potential suspicious behavior. But the disadvantages are a
wrong or inappropriate setup of these protections could have results to that would
impact the business negatively generate frustration for the end user, because they're
just simply too onerous.

It can also open the organization to breaches that the end user can abuse. So what you
need to consider here is it's recommended to have dedicated teams that are managing
these tools. And the insider threat program will then act as a consultant providing
recommendations based on the identified risks.

And then if we look at detect, so these tools allow you to detect and monitor different
activities at various points in the system. But given the complexity and the diversity of
most organizations system infrastructure, there is a chance that you may have different
tools in different places. And the main challenge with these tools is the amount of data
or logs that you're going to get.

You could get quite a number of logs, which will swamp and overwhelm you. And that's
why it's important to get strong understanding of them, but also to have the capability to
filter these to only what you're interested in seeing. So the advantages are they give you
the history, what happened before and after.

They identify unusual behavior, but also tendencies. It could also highlight potential
breaches in security controls. And they can generate alerts when unusual or
unauthorized action is detected.

But the disadvantages are that raw data logs can sometimes be very, very technical.
They require the insider threat team to translate them and have them understandable to
your stakeholders. The quantity of data could also be a challenge for your insider threat
team to identify what is not relevant.

And then there's the need to cross-check data from different sources to actually get a
proper picture of what's going on. So what you need to consider is, is it preferable to
designate or identify a subject matter expert for each of these tools in order to have
them be as effective as possible? Penultimately, we've got response. So respond tools
will give the capability to an insider threat team to maintain and or mitigate incidents.

These will also allow you to deeply analyze the incident. And most of the detection tools
have a quick response functionality. On the side, the insider threat team should also
have a complete incident management tool to record and track all incident details.

So that might be a case management system. And the advantages of this are when
detection tools have that functionality, it's easy and quick for your insider threat team to
take the appropriate action. Some of it could be mapped to templates based on past
behaviors.

And a lot of it could be automated as well. And when it comes to containment action, it
could be taken directly without impacting the end user or the business. So again, it
might come back to a template that you can deploy.
And the insider threat team can then take the necessary time to deeply analyze the
incident without increasing the situation or making it worse. The disadvantages are a
wrong response could have serious impact for the business, but could also let the subject
of the investigation become informed that an investigation is ongoing. And some
analysis tools are mainly orientated for digital forensic examiners, so require a strong
technical knowledge.

The market is still quite immature in terms of incident threat detection tools. Endpoint
detection tools have a very strong base, but when you sway it towards the insider, it can
sometimes be a little bit tricky. And some incidences could turn into an official legal
matter where there's actually going to be court action.

So this is why it's really important to preserve data and logs and make sure that these
are not corrupted. And the chain of custody and chain of evidence integrity is really,
really important. It's so important you document from start to finish exactly what action
has been taken in terms of an insider threat incident.

And the things that you need to consider as well is that in some situations, that this is
recommended that your insider threat team work in collaboration with a digital forensics
team or an e-discovery team. And then finally, we have recover. So this is your insider
threat program where it will be mainly involved in the communications and
improvement.

With an arsenal of tools that describe or prescribe strong analytics, the program will then
be able to work with management and security awareness, et cetera, because it's really
important to improve existing controls and communicate and report findings and
tendencies.