The term “insider threat” has become commonplace in the lexicon of chief information security officers (CISOs).1 Events such as the spygate at Tesla, where a former employee “export[ed] large amounts of highly sensitive Tesla data to unknown third parties,”2 or the arrest of a “senior [US] Treasury Department employee charged with leaking to media about suspicious financial activity reports”3 have demonstrated that no organization is immune to these devastating breaches of trust, and that organizations need to establish a user activity monitoring (UAM) program to alert them to suspicious activity.
Many CISOs recognize the need to do something; the question is where to start. Many envision that their insider threat problem will be solved by purchasing an automated tool that monitors their users’ activity, alerts them to potential problems and serves as a panacea for their woes. Unfortunately, this is not the case. As with the purchase of any tool or control, without proper governance, planning, support and oversight the project will fail to achieve its objectives, leaving the CISO to explain the wasted expense on a costly solution.4 Moreover, organizations just starting to address the insider threat problem may not have sufficient capital to purchase an additional UAM tool and may need to establish a proof of concept with their existing infrastructure before they can achieve buy-in from the board of directors or the chief executive officer (CEO).
Fortunately, starting from scratch might be a benefit for CISOs, as it gives them time to establish the governance around their new UAM program. One of the first things that CISOs must recognize is that their UAM program must be built around the triad of people, processes and technology, which form the umbrella of protection for their organization against insider threats. In this model, people serve as the top of the umbrella (the part that does the protecting), processes serve as the shaft and technology serves as the handle (figure 1). If any of these aspects is not functioning, the umbrella will fail.
Establishing Governance
The first step in building any UAM program is establishing governance on how the program should function. An organization’s UAM program should be implemented to address unmitigated or under-mitigated insider threat risk. These risk factors can take the form of data loss from employee theft or negligence or may also take the form of workplace violence or self-harm. Organizations that face such risk can implement UAM programs to identify suspicious behavior from their employees and intervene before a serious incident occurs.
By monitoring employees’ browsing histories, file access, data transfer, login/logoff, building access and emails among other data points, organizations can begin to form an idea about the continued suitability of employees. For instance, employees searching for new employment opportunities may pose an enhanced risk to the organization for data theft. Likewise, employees who have been passed over for promotion or those who have recently received poor performance reviews may have a desire to seek retribution from the organization, their coworkers or supervisor. Having the ability to monitor for early warning signs of behavior that deviates from the norm is a valuable asset in preventing and mitigating insider threats.
This type of analysis implies that to find evil, one must first understand what is normal, at least for the employee, that employee’s work section and the organization. Therefore, an organization needs to establish baselines of normal behavior, a task made easier by machine learning or artificial intelligence. At the very least, an organization can establish a thorough acceptable-use policy and monitor for violations of it, and it can also establish a series of triggers, such as job hunting on company time, that indicate an employee may be at a higher risk of becoming an insider threat.
However, before implementing such a program, one of the first issues that needs to be addressed is, “What will the organization do when it discovers an insider threat?” There are many options, such as contacting law enforcement, terminating the employee, counseling the employee or doing nothing. Regardless of the action(s) taken, the organization must determine—before a breach occurs—what it is going to do and/or what it is required to do. It must then codify those processes just as it did with its incident response plan. The establishment of processes (see figure 1) is an essential element of any UAM program. It is imperative that the governance structure be established and the tough questions asked and answered before wading too deep into collecting and analyzing users’ activity.
Additionally, before beginning to monitor employees’ activities, CISOs must obtain input from their legal counsel on their employees’ privacy rights. Organizations may have to pay special attention to avoid collecting sensitive data such as health records, financial information, or protected communication with clergy, lawyers or health professionals, for example.5, 6 Understanding legal and privacy constraints before establishing the program can save an organization time, money and the expense of having to undo unlawful collection activities. It also helps reduce the risk of legal implications such as fines and lawsuits.
Lastly, the governance process should establish priorities for protection and monitoring. At the inception of a UAM program, it may not be possible to monitor everyone all the time. CISOs will have to prioritize whom to monitor based on their level of access, suitability and susceptibility to insider threat activity. Establishing these priorities also helps shape the requirements for training personnel to conduct UAM and guides the identification of triggering behaviors and the selection of appropriate tools and data sources.
Implementing Processes and Technology
Once the organization has decided what to monitor, the CISO can begin selecting technologies to provide warning of suspicious behavior. The identification of suspicious behavior should be rooted in the types of activity the organization hopes to deter and change. For instance, if an organization is worried about the loss of intellectual property regarding their development of “Project X,” the CISO can begin to create triggers related to the loss of such data.
In particular, especially when resources are limited, the CISO may want to only monitor employees who have access to Project X data, thus reducing the amount of hay they would need to sift through to find a needle in a haystack. CISOs may also want to establish data loss prevention (DLP) protocols by using either existing DLP within the environment or by feeding logs into their security information and event management (SIEM) tool(s) to provide alerts of suspicious behavior. Examples of suspicious behavior include users inserting blank disks, printing documents related to Project X, printing excessively, or using removable media such as thumb drives and external hard drives. When considering questions such as “Where am I likely to experience a risk?” and “How do I monitor for that risk?” the CISO should also examine the data sources illustrated in figure 2.
Further, the CISO may want to establish triggers that provide warnings regarding the logon and logoff times of employees to indicate times when employees are working outside of their regular work hours or to indicate if an account may be compromised. The CISO may also want to monitor for employees who email Project X data outside of the organization (particularly to a competitor) by feeding email data into the SIEM. They may also want to monitor employees’ Internet browsing data to see if employees with sensitive access are hunting for a new job and possibly planning to take sensitive data with them, or if they are engaging in high-risk behaviors such as inappropriate browsing or downloading malicious software onto the network.
Whatever trigger is developed, its use should correspond to an identified risk, and the result of the trigger should serve as a detective or a corrective control to mitigate the behavior.7 The data related to these triggers should also be used to provide information to the CISO about the types of behavior that exist within the environment so the CISO can identify trends in employee behavior. The CISO can put this knowledge into practical use by developing additional interventions to reduce undesirable behavior.8
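The Project X triggers described above (off-hours logons, removable media use by people with Project X access, and Project X data emailed outside the organization), worked as a small rule engine over constructed log events. This is an added illustration, not code from the article; the user names, the example.com domain, the "project_x" label and the 07:00–19:00 working window are assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions for illustration, not from the article):
# who holds Project X access, the organization's mail domain and working hours.
PROJECT_X_USERS = {"alice", "bob"}
ORG_DOMAIN = "example.com"
WORK_HOURS = (7, 19)  # 07:00-19:00 local time; anything else is off-hours

# Constructed events of the kind a SIEM would receive from endpoint, mail and
# directory logs. Only the fields the triggers below need are included.
EVENTS = [
    {"ts": "2024-03-04T08:15:00", "user": "alice", "type": "logon"},
    {"ts": "2024-03-04T23:40:00", "user": "bob", "type": "logon"},
    {"ts": "2024-03-04T10:02:00", "user": "alice", "type": "removable_media", "device": "USB mass storage"},
    {"ts": "2024-03-04T10:05:00", "user": "carol", "type": "removable_media", "device": "USB mass storage"},
    {"ts": "2024-03-04T11:30:00", "user": "bob", "type": "email", "to": "partner@competitor.test", "labels": ["project_x"]},
    {"ts": "2024-03-04T11:35:00", "user": "bob", "type": "email", "to": "peer@example.com", "labels": ["project_x"]},
]

def off_hours_logon(ev):
    """Trigger: logon outside regular working hours (possible account misuse or compromise)."""
    if ev["type"] != "logon":
        return None
    hour = datetime.fromisoformat(ev["ts"]).hour
    if not (WORK_HOURS[0] <= hour < WORK_HOURS[1]):
        return f"off-hours logon by {ev['user']} at {ev['ts']}"
    return None

def project_x_removable_media(ev):
    """Trigger: removable media used by someone holding Project X access."""
    if ev["type"] == "removable_media" and ev["user"] in PROJECT_X_USERS:
        return f"removable media ({ev['device']}) used by Project X user {ev['user']}"
    return None

def project_x_external_email(ev):
    """Trigger: Project X-labelled email sent to an address outside the organization."""
    if ev["type"] != "email" or "project_x" not in ev.get("labels", []):
        return None
    domain = ev["to"].rsplit("@", 1)[-1].lower()
    if domain != ORG_DOMAIN:
        return f"Project X email from {ev['user']} to external domain {domain}"
    return None

TRIGGERS = [off_hours_logon, project_x_removable_media, project_x_external_email]

def run_triggers(events, triggers=TRIGGERS):
    """Apply every trigger to every event; return (trigger name, message) pairs in event order."""
    return [(trig.__name__, msg) for ev in events for trig in triggers if (msg := trig(ev))]

if __name__ == "__main__":
    for name, msg in run_triggers(EVENTS):
        print(f"[{name}] {msg}")
```

Each trigger maps to one of the risks named in the text, so an analyst can trace every alert back to the risk it was written to detect.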
The Right People for the Job
People are essential to an effective UAM program. Implementing the process and technology requires specific skill sets, and the analysis of the events also requires special analytic skills such as intelligence or counterintelligence analysis. Although it may be possible to find an employee who has a combination of these skills, it is more likely that a CISO will need to round out their UAM program with the skills of several employees.
Fortunately, many of these skills already exist within the security operations center (SOC), whose employees already have network familiarity. Most SOCs have some form of SIEM in place that is configured to the needs of the security team. SOCs also comprise analysts who have experience looking at cyber-related events. Many SOCs also have fusion analysts who are experienced in general intelligence analysis. Additionally, there is a multitude of training resources available to help analysts become familiar with the insider threat problem. UAM techniques are also available from vendors such as Carnegie Mellon University’s Software Engineering Institute and the US National Insider Threat Special Interest Group. After all, it is through good analytic work that organizations will identify an insider threat.
Building a UAM team does not require hiring substantial numbers of additional staff, though it might be wise to augment existing staff with a few additional professionals who are familiar with UAM operations, mainly to help establish the governance process or identify triggers. An important consideration to keep in mind, however, is how much additional work UAM may put on the existing SOC team.
Implementing a UAM program could easily overburden a SOC team, especially in the earlier stages of development and later during event analysis, since UAM could easily double the number of events or alerts a team must investigate. Using existing SOC infrastructure is an effective way to establish a UAM program quickly; however, using existing tools also comes with its own set of challenges, two of which a CISO should be cognizant of before deciding on a course of action.
The first is that using existing infrastructure tools generally requires more manual analysis, as shown in figure 3. The second is that more manual analysis will require more specialized analysts, or it will at least require more from existing analysts due to the level of effort that is necessary. Neither of these factors is insurmountable, but they must be taken into consideration when developing the program.
As the UAM program matures, CISOs can implement other tools designed explicitly for UAM, such as data loss prevention (DLP), custom UAM tools and user entity behavior analytics (UEBA), to streamline the analytics process and give analysis cells the ability to review large and disparate data sets for indicators of insider threat activity. DLP tools look specifically at data and focus on protecting it from exfiltration, while UAM and UEBA tools look more holistically at the environment and leverage large data-set analysis to identify anomalies.
These advanced tools are more focused and are a force multiplier for both monitoring and analytic efforts, thus reducing the burden on analysts while simultaneously increasing UAM performance. For instance, DLP tools can provide alerts that an employee is removing sensitive data from the environment and can take action to prevent data loss. UEBA tools utilize machine learning or artificial intelligence to create baselines of normal behavior and help identify when an employee deviates from the norm. While these specialized tools require their own engineering efforts, support staff and training, they may be worth the additional cost and effort if the organization is serious about mitigating the risk of insider threats.
Conclusion
Insider threats are not a new phenomenon, but their prevalence and the amount of damage they have caused highlight the need to have mitigation strategies in place to thwart their effects. One of the first technological mitigations an organization can implement to identify and correct insider threat behavior is UAM. Although there are sophisticated and expensive tools explicitly designed for UAM, CISOs can leverage existing tools within their environment as they begin to develop their UAM program by establishing good governance, identifying the specific tools they will use to protect their organization, and building a competent staff capable of identifying and mitigating insider attacks.
Endnotes
1 The term “insider threat” refers to any trusted insider who uses their access, wittingly or unwittingly, to harm the information security or physical security of their organization through unauthorized disclosure, data modification, espionage, terrorism, or kinetic actions resulting in loss or degradation of resources or capabilities.
2 Kemp, T.; “What Tesla’s Spygate Teaches Us About Insider Threats,” Forbes, 19 July 2018,