Insider risk and trust

Insider risk is a well-known challenge, with few digital tools available to fully support organizations. A topic I’ve written about frequently.

A related topic that hasn’t been discussed as frequently however is the impact of increased security measures on employees. While the people committing insider cyber attacks are typically brazen and not concerned about security, the good guys often get rattled with an Orwellian feeling of ‘Big Brother’ watching.

The question is, how does a company protect its assets while assuring employees their every move is not being watched? My best – and proven – advice is to involve your employees in the solution. Make them your first line of defense.

The following are examples of the many security options available to companies today. Each has pros and cons.

Firewalls and filtering software

Many organizations have tried to use traditional security tools like firewalls, blockers, and filters, but have consistently failed. If we are to understand why these technologies fail, we must understand the philosophy on which these technologies are built. They are built to block known external threats such as hackers, spam, phishing, etc. In this situation, the adversary is anyone not authorized (external) to the organization.

DLP solutions

Data loss prevention (DLP) solutions are built on the blocking philosophy. DLP solutions block the movement of information based on classification or hard restrictions such as complete blocking of a specific media (e.g. a USB port). The biggest challenge to using this sort of solution occurs when communication and work styles change. The best current example being the sudden surge in the remote workforce due to COVID-19. Lack of easy classification mechanisms results in a never-ending battle between IT security and end users who are required to provide the correct classification. DLP solutions are complex and have a tendency to create an extraordinarily high workload for IT and/or security teams caught in the middle mitigating false positives without any recourse for user behavior monitoring.

SIEM solutions

Security information and event management (SIEM) solutions are an excellent blend of security information management (SIM) and security event management (SEM). As such, they are exceptionally useful as a log collection and aggregation platform for identifying and categorizing incidents and events. SIEM solutions digest multiple data sources and excel in retrospect network analytics. This said SIEM solutions are not a great option for real-time behavior analytics. The visibility into the endpoint – the user’s interface – is normally limited and they fail to address the more complicated challenges related to insider threats.

UBA/UEBA/UBM solutions

Behavior analytics systems are based on the concept that it is too cumbersome to block so it is better to trust users and allow different forms of communication media with visibility into all transactions. Monitored information is analyzed using various behavior analytics and machine learning techniques to pick up anomalous user behavior. Although pure play behavior analytics systems are starting to prove their worth in tackling insider threats, they mainly focus on malicious insiders and seldom provide a good solution for the greatest risk, the unintentional insider. There is always a balance between security measures and privacy when implementing cybersecurity solutions. Privacy is a major issue for pure play behavior analytics systems and often likened to Big Brother systems.

Human-centric security

A human-centric security solution provides a drastically new way of addressing insider threats. The system is built on the user behavior principles of educating, empowering, and trust. Using this approach, organizations can address the majority of use cases related to insider risk with the help of the employees themselves. The cornerstone of this principle states: All issues arising from insider threats are related to internal users therefore the solution to the problem should also start with internal users.

In practice, employees and/or internal users are given responsibility for securing information along with relevant education and accountability.

My company, Ava Security, combines the best technologies from DLP, behavior analytics and SIEM, and adds security policy monitoring and awareness training into a single comprehensive human-centric security solution.

The following are examples of key characteristics of Qush Reveal including how it mitigates challenges in managing insider risk by involving employees in the protection of the organization.

User behavior monitoring with user empowerment

Reveal is built on visibility rather than blocking (optional) and is based on a principle of trust. It incorporates behavior monitoring capabilities rather than relying on IT security operators. Trust is extended to each user in the company empowering employees to make the right digital choices. If employees are performing potential risky activities, our incident-based training will inform and educate the employees enabling them to adjust their actions. Empowerment helps employees understand the value of the information and why the specific event in question is a potential breach of policy. Ultimately the goal is to enhance the organization’s security culture.

Protect employees from being the source of a data breach

Today, more than ever, it is important to implement solutions that help employees avoid the breach of security policies. The goal is to help employees maximize productivity, without being a risk to themselves or the company at large. Reveal guides and trains employees to make the right digital choices and in turn, improves the general cyber hygiene for the whole organization.

Enhance the organization’s cybersecurity culture

Beyond the cybersecurity solution, it is important to find a cybersecurity partner to walk alongside you as your organization’s cybersecurity culture evolves. For instance, at Qush, our Security Analysts deliver a complete risk assessment. The resulting report provides a foundation for the initial security policies implemented. Internal and external policies like ISP, AUP, ISO, GDPR, and PCI can be mapped to policies in Reveal. Training ensures end users are educated so they can more easily adapt to the organization’s security policies and at the same time, serve as the first line of cyber defense. Periodic reviews with Qush Cyber Analysts help tune policies while adaptive training evolves and enhances the security posture and cyber hygiene of an organization.

_{This post was originally published in July 2020 and has been updated for comprehensiveness.}

Meet insider risk with trust