Just Enough Insider Threat Defense 

At a recent conference for IT leaders, I addressed the theme of, “How much cyber security is enough?” We all probably have had to answer the broad question of how much budget is appropriate relative to our peers, but a discussion about risk and value should quickly follow. 

This one dimensional question of “how much?” is necessary at certain times, but it should not be where the conversation on security investment ends. This sort of thinking arises out of necessity or lack of focus for a variety of reasons, and usually gets answered in the following ways: 

1. Expressing target budget for a security program in terms of percent of IT budgets 
2. Attempting to buy as much cyber insurance as possible to cover as much cyber liability as possible 
3. Building a security program that attempts to follow proscriptive regulation 
4. Getting various certifications 

These are all attempts to simplify the problem and externalize as much of the analysis as possible to outside parties. Most of these solutions are actually more complicated to execute than they first appear. It is not that these strategies are bad in and of themselves, but they lack a willingness to think more in-depth about security risk. In the end, they will not relieve the burden of needing to think about a risk adjusted portfolio of security investment. 

Two-dimensional thinking begins when we start to ask, “What sort of information security investments should I make?” This is that transition we often make when talking to a personal financial advisor. At first, it is a chore, and we just want to know, “How much do I have to save every month?” The advisor’s reply is usually some version of, “It depends.” One of the things it depends upon is the composition of your portfolio and what sort of results you can expect with different investments. 

Three-dimensional thinking about security begins when we start to ask, “What combination of security investments will reflect my desired risk appetite?” This is where we start to understand that there is a trade-off between investment and performance. 

Let’s look at the diagram for a hypothetical example. You could invest in something relatively less expensive like building awareness content to be distributed utilizing current training resources, and because of your receptive culture, see substantial security gains in security performance metrics. You would be placed in the upper left hand corner and above the curve. Likewise, you could spend a relatively large amount on a new solution, but not have the right maturity in place to maximize that investment and end up in the lower right hand corner. 

One way to determine where you want to be on the investment/performance curve is by establishing goals on a maturity matrix. A maturity matrix will outline maturity levels on an x-axis and technical and governance elements on a y-axis. A maturity matrix inherently represents a total package of investments and performance metrics you measure as you progress towards goals and spending. Determining how each organization should shape their security programs along a maturity roadmap is the craft of security leadership.

Consider this question from the perspective of insider threats and developing an appropriate response to insider threats in your organization. Security leaders realize the damage that insiders can do, but they have a hard time imagining a cost-efficient strategy to deal with the issue directly. 

Very often I hear, “I’m not dealing with insider threats exactly, but we have a suite of holistic controls and they are covering insider and outsider threats.” The problem with that is that insider threats are often operating below the radar of normal technology controls. Insiders have all the permissions they need to do most of the things they want to do. Their activity is very subtle and hard to detect, and beyond the reach of most controls. 

Alternatively, some security teams try to simply purchase an “insider threat” tool, like user/entity behavioral anomaly (UEBA) detection to solve this problem of finding subtle activity. The challenge with this is that UEBA tools require a certain level of process, technology and skill maturity in order to get the most out of them. Log management should be in place, including application logs. Role management should be developed in order to create meaningful baselines. Case management teams should be trained on how to handle insider investigations. This investment in UEBA technology alone is not sufficient.

We focus on coordinating a security team’s current assets into a strategy based on deep knowledge of critical assets, threat modeling, and goals of the organization. 

In our research we develop a maturity matrix, based on a list of functional elements, to provide a capability and outcome roadmap. Each organization is different in terms of its target levels of maturity, but the result is essentially a risk posture. At the end of the day, you should end up with something like this:

But how do you know what levels your organization should target for each of the four functional elements listed on the y-axis of the above matrix?

Leaving the insider threat example and thinking again more broadly about all parts of a security program, there is a consistent set of themes we’ve found in our focus groups that dictate how enterprises shape their programs and shoot for different maturity levels:

1. Value of data and extent of vulnerability on the data. Determining this will influence how aggressive of an insider threat program you need. 
2. An organizationally broad implementation, or a focused implementation. Will you roll out an implementation strategy across the entire organization, or at a single division, or in conjunction with a single project? The broader you go, sometimes the less deep you can go in terms of maturity.
3. Cultural elements. Do you have a culture that values both the sharing and protection of data? The answer will alter how much you invest in training and awareness. Also, remember most organizations aren’t a single culture, but a collection of cultures. Messages should be tailored to the sub-culture. 
4. Level of effort available from the security team. Security teams are taxed. The amount of time that is available for the effort will dictate how mature different functional elements will become. The preference is for uniformity of maturity across functional elements; but it’s not wrong or bad to be out of stack-sync if they have a reason.
5. Risk appetite of culture. If an organization embraces risk, then maybe their risk management functional element should be high, while other elements are not as mature. If risk appetite is low, then all functional elements should broadly be attempted to be mature. 

Once these questions are answered, and maturity targets selected, choosing metrics should not be difficult. There are plenty of catalogs with applicable metrics available. The hard part is making the metrics relevant to your customers by putting them in terms that are important to your organization. This usually involves putting measures into a ratio, with a denominator that is meaningful for your organization. While the metrics need to be tailored, they also need to be general enough so they can be trend-able and benchmarked over time. A metric that is tailored to be relevant for one quarter is less trend-able than a metric that can be observed for years. This is a difficult task when the data is coming from your dynamic IT ecosystem. 

Asking the question of, “How much cyber security?” is a place to start a conversation. Eventually though, you want to be able to measure the success of managing a risk adjusted insider threat strategy that balances people, process and technology to secure your environments.