It’s no secret that insider threat often rears its ugly head in the digital domain. So it makes sense to use technology to prevent and detect digital misbehavior. But don't confuse the tool for the solution. The capability to capture analytic indicators of insider threat is not the same as knowing what to do with them. How can a story about fishing help make sense of this?
Baiting the Hook with a Boot
One day, like that guy in "Office Space," you decide to blow off work and go fishing. But you don't have a rod and a reel, so you stand on the bank and grab at fish with your bare hands. You go home hungry.
You conclude that you had the wrong tools for the job. What to buy? A commercial fishing trawler, speargun, or maybe some dynamite? You choose a basic rod and reel, and that weekend you catch a few trout. But the trip is still a bust. You never learned how to gut and cook fish.
The right tool was important, but it was only the first step in a process toward your goal of a satisfying meal.
Data Collection Does Not Equal Security
Just as a fishing rod won't clean, season and grill your catch, you shouldn't expect a software program to independently integrate, analyze and adjudicate the data that it captures. NISPOM Conforming Change 2 requires your company to have the ability to collect volumes of information that may be useful in preventing different types of attacks from insiders. But what good is the collection of this data if you have no way to synthesize and take meaning from it? As we learn more about the nature of insider threat, it has become clear that one factor separates an effective insider threat program from a compliant one: a company's ability to actually use the data.
There is no one-size-fits-all solution for insider threat mitigation, and Conforming Change 2 allows you to tailor your program to your particular needs. Your staff won’t need to struggle to accommodate requirements that simply don’t work for your business. Designing the right program for gathering, sharing and analyzing relevant insider threat data requires a delicate balancing act between your organization's unique needs and its capabilities (factoring in available technology, personnel, and funding).
Fortunately, there is a lot of flexibility in what technology to use; you probably don't need to invest millions in a massive big data software implementation. At minimum, you’ll want to have the ability to do the following (as recommended by the CERT Division of the Software Engineering Institute at Carnegie Mellon):
- Scale processing and storage capacity
- Handle structured and unstructured data
- Support streaming and ad hoc queries
- Utilize existing security analytics and applications
- Use flexible tool interfaces
- Import and export data
- Protect the organization from system admins manipulating user logs
If the list above makes your head spin, you’re not alone; the rapid growth and evolution of insider threat risk has left many executives feeling lost as they gaze up at a seemingly insurmountable challenge.
Here's the secret: you don’t need to be a tech guru to effectively protect your company from harm. You just have to know exactly what your "crown jewels" are, and what processes you currently have in place to protect them. Once you understand these critical elements of your business, it will be easy to identify weaknesses and gaps in protection. With this information, you can confidently seek out the right tools you'll need to enable the processes that make up an effective and efficient insider threat program.