We have a lot of programs in information security. We have programs for operational security, like SecOps and incident response, programs to measure and understand risk, such as risk management and vendor risk management, and programs to manage programs, like road maps and future project management.
Another program, with several unique facets, is insider threat management (ITM). For one, the success of an ITM program depends entirely on involving stakeholders beyond IT and information security. Since anyone in your organization could become a source of insider challenges, you need representation from all parts of your organization. You also need to understand and communicate how your own organization works, how to define organizational success, and what risks or barriers could undermine your program’s success.
Proofpoint has a guide to setting up an ITM program that’s a helpful starting point for establishing and building your own program. However, the benefits of having an ITM program can be hard to discern. With that in mind, here’s a closer look at three distinct benefits of an ITM program:
Benefit #1: Building a defensible security program
We all know there’s no such thing as perfect security or perfect protection. However, that’s no excuse to ignore the insider threat problem.
Insider threats are challenging—and managing them involves gaining an understanding of people’s intentions. This can be messy and complicated, and the decision to “allow” or “block” isn’t always binary.
Insider threats touch so many areas of IT and compliance that if they are not addressed, or not addressed properly, it leaves an obvious gap in your defensibility argument.
The first step of defensibility is to run your ITM program as a separate program, not just another activity your security operations center (SOC) function supports. You must also build effective communication channels with different areas of your organization as well as with the human resources, legal and privacy functions.
To build trust and defensibility, you must also establish a solid understanding of your ITM program’s scope, what you can and can’t do, the use cases you can solve for, and the threats you can detect and mitigate.
Benefit #2: Improve your overall approach to incident response
Most security programs are rooted in the principles of your security incident response program—either NIST 800-61 or ISO/IEC 27035. However, since insider threats involve people, and understanding a person’s motivation is vital to understanding insider threats, we need to determine whether a user is careless, compromised or truly malicious in their intentions.
From the “2022 Ponemon Cost of Insider Threats Global Report,” we know that 56% of all insider threat incidents are rooted in carelessness, negligence or accidental behaviors. So, from a volume perspective, most cases you’ll likely need to handle will be “good users making bad decisions with good applications and data.” However, as Ponemon’s research also shows, in 44% of cases, that won’t be the situation.
On a per-incident cost basis, the most expensive incidents will be those involving compromised accounts and credentials. That means you can’t count on an ITM program that only detects the problem and doesn’t interoperate with other capabilities to respond or recover from threats.
Understanding user intent and context, rather than focusing only on the data-centric problem, is harder to do (IT and infosec teams must have an open dialogue with app and data owners), but it is more worthwhile: it right-sizes security and reduces the time to contain insider threat incidents.
Benefit #3: Contribute to a stronger security culture
As previously mentioned, research shows that more than half of insider threat incidents are due to carelessness and accidental usage scenarios. Building a sustainable security culture that drives behavior change is therefore critical to remediating these incidents and evolving your ITM program to focus on more complex insider threat scenarios.
There’s also a distinct difference between monitoring and surveillance:
- Monitoring collects data and is considered asset-focused (endpoints, mobile devices, apps, etc.).
- Surveillance aims to provide a holistic picture of a specific person through their behaviors, identities and other people-centric activities.
Surveillance sounds daunting, and you can’t simply throw products at the issue. Instead, you need to start with a well-thought-out program and have good technologies to support it.
Users and organizations, and even works councils, are willing to accept monitoring and surveillance activities provided that they understand “why” and agree with the “use case” constraints for those activities. This is also why it’s critical to integrate your security awareness training with your ITM program—especially for dealing with the high volume of careless events.
Learn more
During Insider Threat Awareness Month, you can find out more about best practices for managing insider threats in a Proofpoint webinar featuring Forrester. Also, be sure to check out our upcoming fireside chat with Pfizer on approaches to ITM.
If you’re looking for information about where to start, Proofpoint can help with that, too. Check out the free resources in our insider threat management hub.