Attended a good brief by Patrick Reidy, CISO for the FBI, at Black Hat last week on combatting the insider threat. The insider threat is someone on the inside of your business who is stealing or releasing information and/or physical goods to the detriment of your business. The FBI, of course, has an even greater responsibility since they are protecting not only their own information, but that of the nation as well. As such, there is an expectation that they will take the insider threat seriously and develop effective countermeasures for it. In any business, the insider threat is generally far more likely to result in losses than an outsider breaking into your systems.
In summary, Mr. Reidy emphasized 5 strategies for combatting the insider threat, some counter-intuitive.
- Focus on deterrence, not detection. In other words, create a culture that deters any aberrant behavior so that those who continue to practice that behavior stand out from the “noise” of normal business and the limited investigative resources that you have can be focused on them.
- Know your people: know who your weak links are and who would be most likely to be a threat. Use your HR data to narrow down threats rather than looking for a needle in a stack of needles.
- Identify information that is most likely to be valuable to someone else and protect it to a greater degree than the rest of your information.
- Monitor ingress and egress points for information (USB ports, printers, network boundaries).
- Baseline normal activity and look for anomalies.
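As an added illustration of the last three strategies (know your people, protect the crown jewels, monitor egress points and baseline normal activity), here is a small example that is not from Mr. Reidy's talk or this post. It builds a per-user baseline of daily bytes moved through USB, print and network egress channels from constructed sample events, then flags only review-day activity that is sharply out of line with that user's own baseline, boosting priority when sensitive data was touched or when the account is on an HR watchlist. Every user, byte count and watchlist entry is constructed sample data.

```python
"""
Added example (not from the talk or the post): per-user egress baseline with
anomaly flagging. All events, users and the watchlist are constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events: (day, user, egress_channel, bytes_moved, touched_sensitive)
EVENTS = [
    ("d1", "alice", "usb",    2_000_000, False),
    ("d2", "alice", "print",  3_000_000, False),
    ("d3", "alice", "usb",    2_000_000, False),
    ("d4", "alice", "usb",    2_500_000, False),
    ("d5", "alice", "usb",    3_000_000, False),
    ("d1", "bob",   "net",   50_000_000, False),   # bob legitimately moves a lot
    ("d2", "bob",   "net",   52_000_000, False),
    ("d3", "bob",   "net",   48_000_000, False),
    ("d4", "bob",   "net",   50_000_000, False),
    ("d5", "bob",   "net",   50_000_000, False),
    # review day
    ("d6", "alice", "usb",   40_000_000, True),    # sharp jump, crown-jewel data
    ("d6", "bob",   "net",   55_000_000, False),   # within bob's own normal
    ("d6", "carol", "usb",    5_000_000, False),   # new account, no baseline yet
]
BASELINE_DAYS = {"d1", "d2", "d3", "d4", "d5"}
REVIEW_DAY = "d6"
# "Know your people": constructed set of accounts HR has flagged (resigned, on notice, etc.)
WATCHLIST = {"carol"}


def daily_totals(events):
    """Sum bytes per (user, day) and record whether sensitive data was touched that day."""
    totals = defaultdict(int)
    sensitive = defaultdict(bool)
    for day, user, _channel, nbytes, touched in events:
        totals[(user, day)] += nbytes
        sensitive[(user, day)] = sensitive[(user, day)] or touched
    return totals, sensitive


def build_baseline(totals, baseline_days):
    """Per-user mean and population stdev of daily bytes over the baseline window."""
    per_user = defaultdict(list)
    for (user, day), nbytes in totals.items():
        if day in baseline_days:
            per_user[user].append(nbytes)
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def find_anomalies(events, baseline_days, review_day, watchlist=frozenset(),
                   z=3.0, ratio=3.0, min_bytes=1_000_000):
    """Return review-day findings, highest priority first.

    A day is anomalous only if it exceeds BOTH a statistical threshold
    (mean + z*stdev) and a material one (ratio * mean), so a heavy but
    steady user like a backup admin is not flagged for ordinary variance.
    Accounts with no baseline at all are surfaced for manual review.
    """
    totals, sensitive = daily_totals(events)
    base = build_baseline(totals, baseline_days)
    findings = []
    for (user, day), nbytes in totals.items():
        if day != review_day or nbytes <= min_bytes:
            continue
        reasons = []
        if user not in base:
            reasons.append("no baseline for this account")
        else:
            mu, sd = base[user]
            if nbytes > mu + z * sd and nbytes > ratio * mu:
                reasons.append(f"{nbytes / mu:.1f}x own daily baseline")
        if not reasons:
            continue
        if sensitive[(user, day)]:
            reasons.append("touched sensitive data")
        if user in watchlist:
            reasons.append("on HR watchlist")
        findings.append({"user": user, "bytes": nbytes,
                         "priority": len(reasons), "reasons": reasons})
    findings.sort(key=lambda f: (-f["priority"], -f["bytes"]))
    return findings


if __name__ == "__main__":
    for f in find_anomalies(EVENTS, BASELINE_DAYS, REVIEW_DAY, WATCHLIST):
        print(f"{f['user']:6} {f['bytes']:>12,} bytes  priority={f['priority']}  "
              f"{'; '.join(f['reasons'])}")
```

The point of the two-part threshold is the one Mr. Reidy makes about limited resources: a user whose normal day is 50 MB is not a lead just because today is 55 MB, while a user who normally moves 2.5 MB and suddenly moves 40 MB of sensitive data is. The watchlist and sensitive-data tags do not create findings on their own; they only raise the priority of a finding the baseline already produced, which keeps the "profiling" input from dominating the output.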
As Mr. Reidy notes, any organization has a limited number of resources that can be deployed to detect and investigate internal threats, so it is critical to focus those resources as narrowly as possible. Interestingly, many would label what Mr. Reidy is proposing here as “profiling” risky employees. This term, of course, is a flash point for anything having to do with law enforcement due to the potential for an amoral government entity, local or federal, to use profiling as a way to control or oppress segments of society. The most recent example of profiling, of course, is that government agency known as the Internal Revenue Service targeting specific political groups for audit. Whether profiling employees in a company from an insider threat perspective will hold up under legal scrutiny remains to be seen as the inevitable court cases arise, but it does appear to be effective for the FBI in containing their own insider threat and the commensurate threat to national security.