Booz Allen Hamilton

The Accidental Insider Threat: Is Your Organization Ready?


Meet the Panel

Raynor Dahlquist, Booz Allen Hamilton, Panel Moderator
Tom Kellermann, Trend Micro
Angela McKay, Microsoft
Michael C. Theis, CERT Insider Threat Center


Raynor Dahlquist, Panel Moderator

Vice President, Booz Allen Hamilton. Ms. Dahlquist is the Director of the Booz Allen Cyber Solutions Network™ capability, which uniquely addresses cyber threats for clients through an integrated constellation of cyber centers and labs.
Tom Kellermann

Vice President, Cyber Security, Trend Micro. Within this role Mr. Kellermann is a trusted advisor for cybersecurity. He is responsible for analysis of emerging cybersecurity threats and relevant defensive technologies, strategic partnerships, and government affairs.
Angela McKay

Principal Security Strategist, Microsoft. Ms. McKay focuses on driving strategic change to advance cybersecurity and resiliency. She leverages her 10+ years of experience to address complex global challenges related to critical infrastructure protection and information assurance.
Michael C. Theis, CISSP, SSA (retired)

Chief Counterintelligence Expert, CERT Insider Threat Center. Mr. Theis uses his experience in the US Intelligence Community and in computer systems engineering to aid the CERT Insider Threat Center in furthering its research and development of socio-technical controls in Computational Endoparacology (insider threats).

About Our Panel

This panel of industry experts will explore the threats posed by “accidental insiders”— individuals who are not maliciously trying to cause harm, but can unknowingly present a major risk to an organization and its infrastructure.

Aired on Federal News Radio, October 2, 2012 at 12:00 PM ET

Read Our Expert Commentary

Posted by Thomas Chandler on October 9, 2012

Expert Reactions: Thomas Chandler, Principal
Michael addresses a couple of issues that are critical to our ability to detect and mitigate threats from insiders. The first is the importance of education and awareness, particularly related to accidental insiders. All the awareness training in the world is not going to stop a malicious insider, but it will contribute to decreasing the number of accidental events simply because people will be more aware of incidents that can cause problems on networks. The second is the importance of modeling behavior in order to identify when someone does something outside the expected norms. No doubt, modeling expected behaviors will help reduce the number of false positives in our quest to identify insider threats. However, I would expect modeling behavior to be more significant in detecting malicious insiders because “accidental” events are normally a violation of a security policy.

 

Posted by Anuj Soni on October 9, 2012

Expert Reactions: Anuj Soni, Lead Associate

Tom hits on one of the key issues when considering the accidental insider: the most important exploit in compromises, such as the one he mentions, is not the technical attack against a user’s browser or other client software, but the exploitation of a user’s trust. Those who would do us harm will continue to discover zero-day exploits that take advantage of previously unknown vulnerabilities, and this motivates technology companies to create more secure software and better systems to detect and respond to threats. At the same time, organizations must be motivated to develop more creative and effective approaches to educate their users about the risks they take each time they interact with e-mails and other network resources. Individuals often think twice about walking down a dark alleyway alone, but for many people, clicking on a link in a potential phishing e-mail still doesn’t justify a moment’s pause. A problem in which people play a critical role cannot be solved without a solution that helps those people.

Posted by Timothy Tinker on October 9, 2012

Expert Reactions: Timothy Tinker, Senior Associate
Angela McKay’s four-part approach of prevention, detection, containment, and response provides a useful corollary for examining the interactive effects of an organization’s operational response with its communications response. It also provides a flexible framework for improving current approaches to urgent and emergent communication during all phases of cyber incidents. When optimally combined, the operations-communications dyad can increase situational awareness and create a common operating picture that reflects the demands of a cyber incident as the event unfolds, media coverage intensifies, and public trust and reaction fluctuate depending on the effectiveness of the organization’s response. As an integral component of the broader operations response, the role of communications is to ensure that:

  1. Cyber personnel have the requisite communications skills, competencies, and training to effectively respond to the full spectrum of cyber incidents, from least to most catastrophic;
  2. Policies and actions are in place to guide the organization’s spokesperson and messages;
  3. A comprehensive and phase-based approach, consisting of communications readiness, response, recovery, and resilience, is established. When consistently anticipated, prepared, and practiced this approach provides a more dynamic and integrated method for how operational and communication response decisions are made as a cyber event unfolds.
 

Posted by Thomas Chandler on October 4, 2012

The government and industry spend billions of dollars a year protecting networks from outside penetrations and exploitation, yet leave the back door wide open to insider threats. While recent efforts are focused on the malicious insider, recent studies have concluded that a majority of security leaks occur due to “accidental” security breaches, inadequate access, and misuse of information by employees. Since network security is only as good as its weakest link, a “defense in depth” or “holistic” argument demands attention when it comes to security countermeasures that include the accidental insider.

Preventing insider threats is not a “one size fits all” proposition. Government agencies and industry have different challenges and requirements. Insider threat detection should be tailored to the organization; however, the overall framework for insider threat detection is no different for malicious or accidental insiders. Triggers may vary, but the key difference between the two types of insiders is “intent.” The following steps are critical in establishing a framework to identify insider threat activity and then distinguish between the two.

  1. Understand the organization’s “DNA” — The starting place for insider threat risk mitigation is a baseline risk assessment and review of policies and procedures. This is key to creating the right network and physical security countermeasures.
  2. Establish a baseline of acceptable behaviors based on policies — In order to detect anomalous activity, you need to first define “acceptable” behaviors. Most organizations do not spend the time to map out expected role behaviors; they move immediately to defining anomalous indicators. Mapping out expected role behaviors into a profile that can be used as the basis to trigger anomalous activity will greatly reduce false positives and thereby save time and money.
  3. Start with the “Crown Jewels” — Insider threat detection is a daunting task and becomes more difficult with large, dispersed organizations. Sheer numbers create resource challenges and when triggers and alerts are not grounded with good homework and planning, you will find yourself incapable of scaling for effectiveness. Your baseline risk assessment will identify an organization’s critical assets. The theory behind this approach? Malicious insiders will typically go after or try to compromise the critical assets of an organization. Alerts around the “crown jewels” require greater scrutiny and analysis.
  4. Pay attention to business policies and procedures, culture, and the technical environment — Management must be ready to enforce policies and issue sanctions as deterrence.
  5. Focus on security awareness education and reporting — These measures are important to insider threat detection. A study by Carnegie Mellon’s CERT Insider Threat Center concluded that most malicious insiders had observable behaviors leading up to an insider attack. Increasing awareness and providing a reporting venue will help in the battle to identify these threats.
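One way to put steps 2 and 3 of the framework above into working form, and to see why a baseline of expected role behavior cuts false positives (the point Thomas Chandler also makes in his October 9 reaction above), is the small Python triage script below. It is an added illustration, not code from Booz Allen, CERT or any panelist; the role profiles, the crown-jewel asset list, the log format and the log lines are all constructed for this example. Events that fit a role's profile produce no alert at all; deviations are alerted, and deviations touching a crown-jewel asset are ranked first for analyst review. The script records what deviated and never tries to infer intent, since distinguishing an accidental from a malicious insider remains analyst work.

```python
"""Role-baseline anomaly triage over access-log lines.

Added illustration for the framework above; not code from Booz Allen, CERT or
any panelist. Roles, systems, asset names and log lines are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Step 2: expected role behaviors mapped out up front (hypothetical profiles).
# Each role lists the systems it normally touches and its normal working window.
ROLE_PROFILES = {
    "hr_analyst":   {"systems": {"hr-portal", "payroll"}, "hours": (7, 19)},
    "dev_engineer": {"systems": {"git", "build-server", "jira"}, "hours": (6, 22)},
}

# Step 3: critical assets named by the baseline risk assessment (hypothetical).
CROWN_JEWELS = {"payroll", "source-repo-prod", "customer-db"}


@dataclass
class Alert:
    user: str
    role: str
    system: str
    reasons: list
    severity: str  # "high" when a crown-jewel asset is involved, else "low"


def parse_log_line(line):
    """Parse a constructed line: '<ISO timestamp> user=.. role=.. system=.. action=..'."""
    ts_str, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts_str)
    return event


def score_event(event, profiles=ROLE_PROFILES, jewels=CROWN_JEWELS):
    """Return an Alert if the event deviates from its role baseline, else None.

    Only the deviation is recorded; whether the cause is accidental or
    malicious is left to the analyst, as the post above argues.
    """
    profile = profiles.get(event["role"])
    reasons = []
    if profile is None:
        reasons.append("no baseline profile for role")
    else:
        if event["system"] not in profile["systems"]:
            reasons.append("system outside role baseline")
        start, end = profile["hours"]
        if not start <= event["ts"].hour < end:
            reasons.append("outside baseline hours")
    if not reasons:
        return None  # within baseline: no alert, so no false positive to chase
    severity = "high" if event["system"] in jewels else "low"
    return Alert(event["user"], event["role"], event["system"], reasons, severity)


def triage(lines):
    """Score every line and return the alerts with crown-jewel hits first."""
    alerts = [a for a in (score_event(parse_log_line(l)) for l in lines) if a]
    alerts.sort(key=lambda a: a.severity != "high")  # stable sort: high before low
    return alerts


# Constructed sample log: two in-baseline events and three deviations.
SAMPLE_LOG = [
    "2012-10-04T09:15:00 user=alice role=hr_analyst system=payroll action=read",
    "2012-10-04T09:40:00 user=bob role=dev_engineer system=jira action=update",
    "2012-10-04T02:10:00 user=bob role=dev_engineer system=build-server action=read",
    "2012-10-04T14:05:00 user=alice role=hr_analyst system=customer-db action=export",
    "2012-10-04T23:30:00 user=carol role=contractor system=source-repo-prod action=clone",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert.severity.upper(), alert.user, alert.system, "; ".join(alert.reasons))
```

Run directly, the script prints the three ranked alerts and stays silent on the two in-baseline events. In practice the profiles would be derived from the policy review in step 1 rather than typed by hand, and the toy parser replaced by the organization's own audit source; the ranking logic is what carries over.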