How to Track and Prevent Insider Threats: Exclusive Interview with Former NSA Deputy Director


The true security of any business―the ability to maintain competitive advantage, manage the organization’s reputation and retain customers―depends on mitigating risk. Yet, most enterprises are unprepared for cyber security threats, and underestimate the amount of damage they can do.

On average, it takes companies a full month―even longer if an insider is involved―to resolve security incidents once they are identified. In fact, a recent report from the Ponemon Institute found that 75 percent of U.S. organizations are not prepared to respond to cyber attacks.

We had the opportunity to interview John Chris Inglis, former NSA deputy director and chairman of the Securonix Advisory Board. In a two-part interview, Inglis shared his insights into how enterprises can find and thwart threats.

In part one of our interview, we explore Inglis's thoughts on how you can manage, mitigate, and respond to insider threats.

Read part two of our interview on FOCUS Security: “Incident Response is an IT Essential: Exclusive Interview with Former NSA Deputy Director."

Part One: How to Track and Prevent Insider Threats

Forsythe: As a coach for large enterprises, what do you see lacking in enterprise security in terms of defending against insider threats?

John Chris Inglis: The insider threat doesn't rank high enough on most corporate agendas. It’s not because enterprises are complacent. Rather, it’s because the insider threat wasn’t always on our radar. It’s much more visible in today’s threat landscape, but enterprises spend a majority of security resources trying to manage outsider threats and compliance. These two things occupy a lot of time and attention, in addition to executing your business on a daily basis.

The insider threat hasn't made it to boardroom discussions with the same electrifying outcomes. It’s underestimated, both in terms of its probability and its consequences. 

When enterprises consider insider threats, they take an unduly conservative approach. You have to ask and answer the tough questions:

  • How can we detect insider threat?

  • How can we mitigate it?

  • How can we respond to it? 

It’s important to collaborate on these strategic points within your organization and it is critical to be upfront when talking about security and privacy. You want your employees to be proactive in understanding and tracking insider threats on their own. Bring them on board early so they support your security policies. Have a conversation with your people so they understand exactly what you're doing and why. You don’t need to solve the problems one by one. You can solve them collectively and collaboratively.

Forsythe: How should we talk about insider threats in the boardroom?

Inglis: Don’t start by talking about IT or why you need thousands of dollars to buy a new tool. If the board doesn’t have context around the issue that means something to them, they'll have a hard time understanding the importance of IT security in connection to business goals.

Start the conversation in business terms: discuss the goals that your organization wants to achieve and how IT security can facilitate a successful outcome. Think about the business results for your organization and bring those to the table.

Map the discussed business outcomes to IT, people, or processes. With these allocations laid out in front of everyone, you can talk about the opportunities and risks associated with them. Describe whether your current investments will allow you to cover your risks and pursue your opportunities. Then discuss the investments you need to reduce your risks or take advantage of new opportunities.

By speaking the language of the C-suite, you are more likely to elicit engagement from the board. They will ask you questions, rather than look at their watches and wonder when your presentation will end.

Forsythe: What is the biggest mistake that IT leaders are making today?

Inglis: The biggest mistake IT leaders make is thinking of insider threat as solely an IT problem.

Adversaries – whether they're inside or outside your system – look for opportunities across all of your information technology, people and processes. They will likely find weak links somewhere in your organization and they will take advantage of those first.

The majority of the problems we find aren’t technology flaws. They are human practices that an adversary has taken advantage of. So dealing with insider threats can't simply be delegated to the IT folks. You should think of it as an operational issue that touches people, process and technology. Directors and managers in each department must own responsibility for these risks. Their teams use the business technology and must therefore understand how to use it responsibly.

Forsythe: How do you educate people inside your company about insider threats?

Inglis: Explain that you're trying to protect an equity that they care about. In the case of the NSA, for example, we would set expectations by saying, "Look, we have to act differently now with respect to detecting this threat. Not because we don't trust you, but because, first and foremost, we need to make sure we protect and sustain our ability to defend the nation."

When you appeal to the larger business principle, everybody in the room will say, “I agree. That's why I'm here."

Make sure to define in plain terms what your strategy or tactic means. Be transparent about what you're going to do and why. Explain that you will respect their privacy. Then, allocate them a piece of the responsibility so they have an active part in helping to achieve your goals.

If you’re not transparent about your security policies, your people will eventually find out what you're doing anyway and they’ll think that you don’t trust them. They may even choose not to participate or work counter to your strategy.

Forsythe: We go to great lengths to find the right people for our teams. How do we give trust while protecting ourselves from insider threats?

Inglis: You need to find people whom you can trust to exercise responsibility, initiative, creativity and innovation. Even when they do the right thing―and 99.9 percent of the time they will―you want to make sure that they've applied the right values to their choices and decision-making process. Understand who your people are and make sure they align with your values before you bring them into the company.

You should also verify in near-real time that they’re making choices correctly. It helps if they see that you’re assisting them as much as you’re giving them the right to exercise accountability. If they make a well-intended choice that has a negative consequence, you'll catch it early. If their privileges are stolen without their knowledge, you'll find out quickly and save their reputation. And, when somebody tries to do the wrong thing, there's a known deterrent that says, "I will catch you."

Forsythe: How does the maturity level of a company’s people and processes impact their security approach and capability to solve today's complex security problems?

Inglis: The more mature companies and IT organizations have already brought cyber issues into the boardroom. These companies don't micromanage related topics there, but it's on their radar for discussion and management. They also have established IT or cyber committees that provide oversight, as well as a connection to the folks who execute the company's strategy.

That sort of maturity then defines a top-down strategy that says, "Do we understand how we allocate our business proposition to the people, process, and technology of cyber components? Do we understand the risks or opportunities inherent in doing so?”

A lot of companies have not thought through these two questions. For example, a person may leak information from a location you didn't know it was stored in or an employee may exercise a privilege they didn't know they had. It’s only after an accident like this happens that companies will understand the risk they took by making choices based solely upon their business proposition, as opposed to factoring in the associated opportunities and risks.

The more mature companies strategize from the top down, and then empower and delegate from the bottom up. They don't simply collide in the middle. They’re consistent and prepared.

Forsythe: How quickly are things changing, and how can companies keep up?

Inglis: A really clever insider will understand your norms and limits, as well as how to stay under them. By staying within your limits, an adversary can do a low-and-slow attack.

Low-and-slow attacks are your ultimate challenge. You can stop one by understanding, in near real-time, the privileged behaviors inside your system. What is anomalous? Are you prepared to step in and do something about it? 

The key is to continually change your perspective so that you can operate at the same speed as your adversary. For example, you shouldn’t focus on how we could have stopped the last Edward Snowden. Cyber attacks constantly evolve; you need to focus on how to stop the next Edward Snowden.
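The near-real-time monitoring of privileged behavior that Inglis describes here, and his earlier point about verifying in near-real time that people are making choices correctly, comes down to baselining each account's activity and watching for deviation. The following is an added example, not code from the interview, from Securonix, or from Forsythe. It feeds a constructed audit log (one line per user per day with a count of sensitive-document reads; the format, user names and thresholds are assumptions) through two rules: a per-day threshold that catches a one-off spike, and a one-sided CUSUM that accumulates small daily excesses so that an insider who stays under the per-day limit every single day is still caught.

```python
"""Added example: per-user baseline of privileged activity, then two
detection rules applied as records stream in. Log format, user names and
thresholds are illustrative assumptions, not from the interview."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not real). Daily counts of sensitive-document
# reads per account. Days 1-14 are the baseline window, days 15-28 the
# detection window.
DAILY_READS = {
    "alice": [19, 21, 20, 20, 19, 21, 20, 20, 19, 21, 20, 20, 19, 21]
             + [23, 24, 23, 24, 23, 24, 23, 24, 23, 24, 23, 24, 23, 24],  # low-and-slow
    "bob":   [30, 32, 28, 31, 29, 30, 32, 28, 31, 29, 30, 30, 31, 29]
             + [29, 31, 30, 28, 32, 30, 29, 31, 30, 30, 28, 31, 29, 30],  # normal
    "carol": [10, 11, 9, 10, 10, 11, 9, 10, 10, 11, 9, 10, 10, 10]
             + [10, 10, 11, 9, 45, 10, 10, 11, 9, 10, 10, 11, 9, 10],     # one spike
}
BASELINE_DAYS = 14

# Constructed audit lines in an assumed key=value format.
SAMPLE_LOG = [
    f"day={day} user={user} action=read_sensitive count={n}"
    for user, counts in DAILY_READS.items()
    for day, n in enumerate(counts, start=1)
]


def parse_line(line):
    """Parse one 'key=value ...' audit line into (day, user, count)."""
    kv = dict(field.split("=", 1) for field in line.split())
    return int(kv["day"]), kv["user"], int(kv["count"])


class PrivilegedActivityMonitor:
    """Per-user baseline plus two rules, fed one record at a time."""

    SD_FLOOR = 1.0        # very regular users would otherwise get a zero-width baseline
    SPIKE_MULT = 2.0      # per-day rule: count >= 2x the user's baseline mean
    CUSUM_SLACK_SD = 0.5  # k: ignore daily excess smaller than half a std dev
    CUSUM_LIMIT_SD = 5.0  # h: alarm once accumulated excess exceeds 5 std devs

    def __init__(self, baseline_days):
        self.baseline_days = baseline_days
        self.history = defaultdict(list)   # user -> counts seen in baseline window
        self.stats = {}                     # user -> (mean, sd) frozen after baseline
        self.cusum = defaultdict(float)     # user -> running CUSUM statistic S_t
        self.alerts = []                    # (day, user, rule, detail)

    def observe(self, day, user, count):
        """Feed one record; returns the alerts this record raised."""
        if day <= self.baseline_days:
            self.history[user].append(count)
            return []
        if user not in self.stats:
            hist = self.history[user]
            if not hist:  # privileged activity from an account with no history
                self.alerts.append((day, user, "no_baseline", count))
                return [self.alerts[-1]]
            self.stats[user] = (mean(hist), max(pstdev(hist), self.SD_FLOOR))
        mu, sd = self.stats[user]
        new = []
        if count >= self.SPIKE_MULT * mu:
            new.append((day, user, "spike", count))
        # One-sided CUSUM: S_t = max(0, S_{t-1} + (x_t - mu - k)); alert on crossing h.
        k, h = self.CUSUM_SLACK_SD * sd, self.CUSUM_LIMIT_SD * sd
        prev = self.cusum[user]
        self.cusum[user] = max(0.0, prev + (count - mu - k))
        if self.cusum[user] > h and prev <= h:
            new.append((day, user, "low_and_slow", round(self.cusum[user], 2)))
        self.alerts.extend(new)
        return new


def run(log_lines, baseline_days=BASELINE_DAYS):
    """Replay the log in day order; returns {user: [(rule, day), ...]}."""
    monitor = PrivilegedActivityMonitor(baseline_days)
    records = sorted((parse_line(line) for line in log_lines), key=lambda r: r[0])
    for day, user, count in records:
        monitor.observe(day, user, count)
    fired = defaultdict(list)
    for day, user, rule, _detail in monitor.alerts:
        fired[user].append((rule, day))
    return dict(fired)


if __name__ == "__main__":
    for user, hits in run(SAMPLE_LOG).items():
        print(user, hits)
```

In the constructed data, alice reads only a few documents a day above her baseline and never trips the per-day rule, but the CUSUM crosses its limit on day 16; carol's single spike trips both rules on day 19; bob's ordinary variation trips neither. Both thresholds are tuned to the user's own baseline, so the same rules work across accounts with very different normal volumes.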

