The FS-ISAC (Financial Services Information Sharing and Analysis Center) Summit is a show where security-minded individuals can attend interactive sessions, presentations, roundtables and networking events. The show aims to provide attendees with actionable information and sharing opportunities designed specifically for financial services institutions. As attendees took home concrete takeaways from various thought leadership, ObserveIT's contribution was best practices for building an insider threat program.
We were fortunate that our CEO, Mike McKee, was asked to speak at the show. Here are five key takeaways for building an effective insider threat program in case you missed our session.
It's All About the Mean Time to Detect and Remediate
It's no secret that prevention tools aren't 100% effective. Security programs are starting to shift more towards detection and response. Going from reactive to proactive. At the end of the day the majority of security incidents involve users in one way or another. When it comes to insider threats it is crucial to have comprehensive visibility on people. Whether it is an insider account that has been comprised, a malicious insider, or an insider that makes a simple mistake it is essential to quickly detect this behaviour and respond fast.
Think Beyond Privileged Users
When addressing insider threats, it is not only about users that have privileged access (I.E. System administrators, DBAs, IT Staff) It is now about users that pose the biggest risk to the business. Some examples we’ve seen include:
- development resources with access to source code
- business users that have access to files containing corporate strategy
- users who have given 2 weeks’ notice,
- new employees to the organisations unfamiliar with company policy
- New employees as a results of M&A
People, Process, Technology
This probably sounds strange coming from a security vendor, but no technology or tools will ever be a silver bullet to a problem. To build an effect insider threat program you have first elect a champion and build an insider threat team. Figure out the key stakeholders and everyone that should be involved with the program. Consider Human resources, Legal, Security, Internal Audit, Privacy, Compliance and other senior leadership.
Build an Incident Response Playbook
Building an insider threat incident response playbook will help state how incidents are detected, reported, contained, and remediated. Insider threat incidents will usually include several business units. That being said, the playbook should be clear about scope. It should define what insider incidents. A good place to start is to leverage existing response plans already built out such by IT Security and Human Resources. Once completed having a roundtable to run through mock scenarios will help to test and refine processes.
Integrate Technologies
Once the team is built and processes are clearly defined, building an integrated insider threat technology hub will empower administrators to quickly detect, respond, and remediate issues. Key insider threat capabilities include:
- Data collection (Users, Machines, and Networks)
- User Monitoring
- User Analytics
- Education & Awareness
- Access controls
- Prevention Controls
In the coming years, the majority financial services organisations will face an insider threat related incident. To combat this threat and stop data loss, organisations must put together a plan that outlines the processes that best align with protecting the business and uses the power of various technologies to detect insider threats, streamline the investigation process, prevent data loss, and effectively respond.
ObserveIT has over 1,600 customers globally, including 500 Banking and Financial Organisations.