Lesson 6 Part 1 PDF
Summary
This document discusses various mitigation tools available for an insider threat program. It details the capabilities and limitations of different tools, and the importance of understanding which teams use them. The document emphasizes the importance of identifying critical assets and understanding the organizational environment.
Full Transcript
In lesson six, we're going to talk about the various mitigation tools that will be available to you as part of your insider threat program, particularly a comprehensive insider threat program. So at the end of this lesson, you should be able to understand the capabilities and limitations of the tools that can be used in insider threat detection strategies. So even if your insider threat program is mainly going to sit under the detect and respond capabilities of the cybersecurity framework, it's important for your team to also have access to tools that cover the areas of identify, protect and recover. That type of arsenal of tools will be crucial for the program to strengthen its detection and response, but also to ensure that proper controls are in place without affecting the business. Some of these will cover multiple areas. Not all of the detection and response tools are specifically designed for insider threat programs, and this is why it's important to understand which other teams use these tools and collaborate with them.

Identify. Under the heading of identify, these tools are crucial for your program to have a clear view of your organization. They'll allow you to understand your critical assets and inventory them, data sensitivity, the business risks, the business environment, strategic policies, company members and staff, contingent members, etc., or third-party supply chains that are linked into your organization. The advantage of this is that it gives a clear understanding of the who and the what. The disadvantages are that most of these tools are databases, so they're more a source of information than a tool that will allow you to take any action. These types of tools tend to be owned and maintained by different departments, for example human resources, IT, etc., and there may be the potential for a lack of consistency and updates. And there is a challenge in connecting the data together. So you need to consider whether it is preferable for your program to not have full access to these tools but read access, and whether that would be enough. That will protect your team from the wrong type of manipulation, because insiders can also hide in the insider threat team.

Protect. Protection tools allow insider threat programs to implement appropriate security controls without breaking business continuity. These controls would apply to things like assets, data and users. The advantages are that the controls are important for insider threat programs to limit the risks, but also to identify any potential suspicious behavior. The disadvantages are that a wrong or inappropriate setup of these protections could have results that would impact the business negatively and generate frustration for the end user, because they're just simply too onerous. It can also open the organization to breaches that the end user can abuse. So what you need to consider here is that it's recommended to have dedicated teams that manage these tools, and the insider threat program will then act as a consultant providing recommendations based on the identified risks.

Detect. These tools allow you to detect and monitor different activities at various points in the system. But given the complexity and diversity of most organizations' system infrastructure, there is a chance that you may have different tools in different places. The main challenge with these tools is the amount of data or logs that you're going to get. You could get quite a number of logs, which will swamp and overwhelm you, and that's why it's important to get a strong understanding of them, but also to have the capability to filter these to only what you're interested in seeing. The advantages are that they give you the history, what happened before and after. They identify unusual behavior, but also tendencies. They could also highlight potential breaches in security controls, and they can generate alerts when unusual or unauthorized action is detected. The disadvantages are that raw data logs can sometimes be very, very technical; they require the insider threat team to translate them and make them understandable to your stakeholders. The quantity of data could also be a challenge for your insider threat team in identifying what is not relevant. And then there's the need to cross-check data from different sources to actually get a proper picture of what's going on. So what you need to consider is whether it is preferable to designate or identify a subject matter expert for each of these tools in order to have them be as effective as possible.

Respond. Penultimately, we've got respond. Response tools will give an insider threat team the capability to maintain and/or mitigate incidents. These will also allow you to deeply analyze the incident. Most of the detection tools have a quick response functionality. On the side, the insider threat team should also have a complete incident management tool to record and track all incident details; that might be a case management system. The advantages of this are that when detection tools have that functionality, it's easy and quick for your insider threat team to take the appropriate action. Some of it could be mapped to templates based on past behaviors, and a lot of it could be automated as well. When it comes to containment action, it could be taken directly without impacting the end user or the business. So again, it might come back to a template that you can deploy, and the insider threat team can then take the necessary time to deeply analyze the incident without escalating the situation or making it worse. The disadvantages are that a wrong response could have serious impact for the business, but could also let the subject of the investigation become informed that an investigation is ongoing. Some analysis tools are mainly orientated towards digital forensic examiners, so they require strong technical knowledge. The market is still quite immature in terms of insider threat detection tools. Endpoint detection tools have a very strong base, but when you sway it towards the insider, it can sometimes be a little bit tricky. And some incidents could turn into an official legal matter where there's actually going to be court action. This is why it's really important to preserve data and logs and make sure that these are not corrupted. The chain of custody and chain of evidence integrity is really, really important. It's so important that you document from start to finish exactly what action has been taken in terms of an insider threat incident. What you need to consider as well is that in some situations it is recommended that your insider threat team work in collaboration with a digital forensics team or an e-discovery team.

Recover. And then finally, we have recover. This is where your insider threat program will be mainly involved in communications and improvement. With an arsenal of tools that describe or prescribe strong analytics, the program will then be able to work with management and security awareness, et cetera, because it's really important to improve existing controls and communicate and report findings and tendencies.
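The detect section above makes two points: filter the log flood down to what matters, and cross-check the detection tool's data against other sources (here, the HR roster that the identify tools hold) to get a real picture. The following added example, not part of the lesson, does exactly that over a constructed HR roster and a constructed file-access audit feed; the log format, the roster fields and the business hours are assumptions.

```python
import re
from datetime import datetime, time

# Constructed HR roster, standing in for the "identify" database owned by HR.
HR_ROSTER = {
    "alice": {"dept": "finance", "status": "active", "left": None},
    "bob": {"dept": "it", "status": "terminated", "left": "2024-03-01"},
    "carol": {"dept": "sales", "status": "active", "left": None},
}

# Constructed file-access audit feed from a detection tool, one event per line.
ACCESS_LOG = """\
2024-03-02T09:15:00 user=alice action=read path=/finance/q1.xlsx
2024-03-02T23:40:00 user=carol action=export path=/sales/pipeline.csv
2024-03-02T10:05:00 user=bob action=read path=/it/runbook.md
2024-03-02T11:00:00 user=dave action=read path=/hr/salaries.xlsx
2024-03-02T14:20:00 user=alice action=read path=/finance/q1.xlsx
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) path=(\S+)$")
HIGH_SIGNAL_ACTIONS = {"export", "delete"}   # filter: routine after-hours reads are ignored
WORK_HOURS = (time(7, 0), time(19, 0))        # assumed business hours

def parse_line(line):
    """Parse one audit line; unparsable lines are dropped, not guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, action, path = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "path": path}

def cross_check(events, roster):
    """Enrich each event with HR data and return (alert_type, event) pairs."""
    alerts = []
    for ev in events:
        person = roster.get(ev["user"])
        in_hours = WORK_HOURS[0] <= ev["ts"].time() <= WORK_HOURS[1]
        if person is None:
            alerts.append(("unknown_account", ev))          # no HR record owns this login
        elif person["status"] == "terminated" and ev["ts"].date().isoformat() > person["left"]:
            alerts.append(("terminated_account", ev))       # access after the leaving date
        elif not in_hours and ev["action"] in HIGH_SIGNAL_ACTIONS:
            alerts.append(("after_hours_" + ev["action"], ev))
    return alerts

def run(log_text=ACCESS_LOG, roster=HR_ROSTER):
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    return cross_check(events, roster)
```

Three of the five constructed events produce an alert; the two routine reads by an active employee during business hours are filtered out, which is the volume reduction the lesson asks for.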
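The respond section stresses preserving data and logs uncorrupted and documenting every action from start to finish for chain of custody. As an added example that is not from the lesson, here is a minimal hash-chained custody log: each entry records who did what to which artifact (by SHA-256), commits to the previous entry's hash, and a verify step reports any modified entry, broken chain or artifact that no longer matches what was logged. The field names and the use of a JSON/SHA-256 chain are this example's own assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only chain-of-custody record: every entry commits to the previous
    entry's hash, so a later edit, deletion or reordering fails verification."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, artifact: bytes, when=None):
        """Log one handling step; artifact is the evidence bytes at that moment."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "artifact_sha256": sha256_hex(artifact),
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self, artifacts):
        """Return a list of problems (empty means intact). artifacts maps
        seq -> current bytes of the artifact that entry refers to."""
        problems = []
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
            if entry["seq"] != i or entry["prev_hash"] != prev:
                problems.append(f"entry {i}: chain broken")
            if recomputed != entry["entry_hash"]:
                problems.append(f"entry {i}: entry modified")
            if i in artifacts and sha256_hex(artifacts[i]) != entry["artifact_sha256"]:
                problems.append(f"entry {i}: artifact changed since it was logged")
            prev = recomputed  # chain forward from what the entry actually says
        return problems
```

In practice the log itself would be stored where the investigating team cannot silently rewrite it (write-once storage or a third party's copy of the head hash), since the chain only proves internal consistency.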