Insider Threat

What I learned about insider threat from Sue Steinke, Mike Oehler, and Wai Woolsey

John Dillard
October 28, 2020

Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog, along with the full transcript.

If you missed this or any other event you can always head to our resources page to view the recording, along with many other great speakers and tools to help you succeed.

Click here watch the event instantly.

In this month's running of our series on insider threat, I had the privilege of moderating a conversation with Sue Steinke of Perspecta, Mike Oehler of L3Harris, and Wai Woolsey of Palo Alto Networks. In a free-ranging conversation that covered human factors, tech, information sharing, and privacy I learned about as much as one can in 60 minutes. Not only leaders in their companies, each of the panelists is an important influencer in the industrial security community with leading roles at the NISPPAC, INSA and NCMS.

Below are the 3 lessons I learned from my conversation with Sue, Mike and Wai.

October Webinar Email Header (1)

1. Human resources and human factors matter. A lot.

Time and time again, our panelist highlighted the importance of human factors in an effective insider threat program. In particular:

  • The need to establish a strong working relationship between human resources and security
  • Governance structures that balance employee privacy with the need for robust human factors reporting
  • The primacy of communication and trust with employees as insider threat becomes about the whole person and not just IT activity or traditional security risk

2. COVID has affected insider threat in unexpected ways.

As expected, COVID is making insider threat harder:

  • Working relationships with government POCs, different departments, and employees are less frequent and less effective
  • See #1 above. Human factors are even more important than before as employees and their families face new stress and uncertainty
  • Adversaries are aware of these disruptions and use it to their advantage

3. Consistency, flexibility, and whole-person are insider threat words for 2021.

The last question asked each panelist to share their "one word for 2021:"

  • Consistency: Wai highlighted the need to focus on consistent execution of what we built in 2020.
  • Flexibility: Mike noted the unpredictability of the coming year and the need for our insider threat programs to roll with the punches
  • Whole-Person" Sue cheated a little bit by using a hyphen, but she came back to the the need to see insider threat as a mix of complex organizational, human, and technological factors that need to be integrated to tell the whole story

If you missed the panel you can always head to our resources page to view the recording, along with many other great speakers and tools to help you succeed. Below is a list of selected resources from the webinar, and full transcript of the event.

ThreatSwitch puts employees at the center of your security and insider threat program.
Schedule a demo to find out just how different we are.


Selected links from the episode:


Rough Transcript (unedited):

John Dillard: Good afternoon, everyone, and thank you for joining us for the next in thread switches series on insider threat on I am John Dillard founder and CEO of ThreatSwitch. I'm delighted to welcome to our webinar today. Three awesome panelists Wai Woolsey who is senior manager of governance risk and compliance at Palo Alto Networks. Susan Steinke, who is director of government, industry relations in the risk decision group at Perspecta and Mike Oehler senior manager of industrial security at L3Harris.

We have a pretty exciting conversation today on insider threat with three folks that I've had the pleasure of getting to know through in CMS and insert or doing fantastic work on this topic.

And for those of you who have our new to our webinar series ThreatSwitch is software product that helps enterprises manage compliance related to CMMC and NISPOM

And related topics. So before we get started a few administrative notes that I just want to touch on for everybody's benefit.

You can submit questions throughout the webinar, using the Q &A a feature in the panel. So if you look at your zoom panel. You should see a Q &A button.

Just post your questions in there and we will be sure to get to them if we can't get to all the questions within the

Within the webinar, we will do our best to follow up afterwards. And as usual, for those of you know our, our typical process will share the

slides and the recording and because this is a panel will also have a transcript available of the webinar which will

Be available both to attendees and if anybody missed it, but you know you'll be able to share with them as well.

So with that, I'm going to stop sharing my screen and just jump right into the images because you guys are here to see the panelists. I want to welcome three really interesting guests today.

The first is Wai Woolsey and bought by is again manager of governance risk and compliance at Palo Alto. She's got 15 years of experience in federal compliance and industrial security.

And in addition to her role at Palo Alto. She's the chairperson of the NCMS insider threat subcommittee, which many of you know is doing phenomenal work.

On the government, industry partnership on insider threat and how to get it right. She's also a member of the NIS back in the insider threat. Working Group at INSA

Which brings me to Sue Steinke who I've gotten to know a little bit through her work in the INSA insider threat subcommittee.

She's the Director of Government industry relations at the risk decision grid but Perspecta and has been in Perspecta, since they acquired Key point back in 2018

Really interesting work at this subcommittee especially recently with a couple of white papers so very excited. As soon as she was also with the Department of the Air Force as a chief of plans and Program Division

She has held a variety of industry leadership positions in technology and security, including several years, the CIA. So thank you for being with a suit.

And last but not least we have Mike Oehler, who is currently with L 3 Harris's senior manager of industrial security.

As many of you know because I mentioned there are a lot of NC message out there Mike's a current board member and in NCMS and chairs the government and industries committee.

For the board previously served as the mentoring committee chair before Mike was on the board. He ran the chapter out Wright flyer, which

For those of you who don't know the Wright flyer thing. It's in Ohio, named after the Wright brothers. So an Ohio guy button is now in Texas.

Mike also served as the name in the Navy as a crypto logic technician, you know, really hardship duty out in Hawaii for a while so

He's, he's been able to enjoy that, but has been around the block for a while, so I couldn't be more excited to welcome the three of you to this conversation.

On, especially given the work that you guys have done in the, you know, really as volunteers for this public private industry partnerships, so

Looking forward to it. And what I want to do is a little different from those of you who have attended our panels in the past or our webinars. The past, rather than a bunch of slides.

I'm going to start off with a question for each of the panelists and let them tackle it and turn as their opening statement and that question is you know 2020 2020 being what it is.

It's been a weird year for you, your company and what you've seen an industry in your volunteer roles and in CMS and inside and elsewhere. How has how has 2020 and this particular year.

Affected insider threat. What, what is the biggest change that you've seen, and I'll, I'll start with Mike because he's on my left hand zoom and let him go first. So Mike, what's different this year.

Mike Oehler: Well so 20th and an interesting year for me because, you know, both personally and professionally, because not only

You know, trying to deal with the challenges of adapting to this code is lives.

In the workplace and the interruptions, but I decided to

change careers and move cross country in the middle of it all, which had its own challenges associated with, you know, uprooting a family selling a home by

All those those little bits and pieces that you kind of forget about that you have to do and you relocate to a new area and doing that with all

The restrictions and the you know the traveling and you're trying not to not to get sick myself and obviously in to be careful about the help my family, my children.

But we survived that we've been knock on wood healthy everybody's been doing on adjusting. Well, Texas.

My previous organization, you know, working from home was a real adjustment for me trying to manage the insider threat program.

You know, just trying to make sure that we could set up the tools and in because you know we had a pretty locked down for our

Our system we use to analyze data, right, we really, we had to lock down to, I could not log on to the system was I was sitting on my desk in new ones where I was on in the building.

And that was to protect the information that we were dealing with on a daily basis, you know, because we were collecting data sources for my key HR physical security and instead we really, we were really enhancing that that security around that.

So we had to make some exceptions, obviously, so I could move home and and work from that type of environment.

The other challenge I think with the insider threat programs, you have to become real intentional with setting up meetings, you can no longer stop by have casual conversations. So it was just an adjustment for me because I've never experienced the work from home.

Process. Since coming to L three Harrison, Texas.

We've we I've been in the office every day since starting in June and so and majority of our workforce is here, just because of the security requirements with the work we do.

So it's more probably about 70% of the people come in for us. We do do some staggered schedules and things like that, but

It seems more like getting back to the kind of businesses normal, other than the wearing a mask and getting your temperature taken and going through screenings every day.

But again, knock on wood.

We've been really successful and at not having outbreaks your work or interruptions in the workplace.

As far as, again, the, the programs that I've seen, you know, again, we I had, I had a well documented program on my previous organization. I think we were just trying to

Hold it together. Right. You know, I would have never thought when this all started march that we'd be here in November and which still be in this kind of like clause I locked out state.

So, and then coming here and being new to the organization was really, again, just trying to keep the keep what was documented, make sure we're meeting the requirements may attend to the program and never performing our due diligence when it comes to insider threat.

You know there were some, there's some interesting tidbits about how we do interviews now.

We've had to do interviews with employees. We have to, you know, we just apply the interview team in having. Do you know me with the person one on one. We've had to adjust and do that online and having me sitting there baby presenting them with

Evidentiary document and things like that. And then, of course, just the ability to read lips and facial expressions have been impacted by the wearing of the Gators and mass that we do every day.

But overall I think we've been really I've been impressed how resilient the workforce has been and how the team has been going through this process and we're just trying to continue to operate.

The program, just as they were before the code that like t. So we haven't really tried to make enhancements.

John Dillard: The two things that are fascinating about that to be our one I think everybody has, has heard about, you know, obviously workhorses remote and that's or but the people who are running the inside of her program. Oh no, to and if all your data is on site, how do you get to it.

And that's a, that's a problem. I, I imagine, this is pretty common, especially as the program to get bigger.

And I hadn't thought of being able to read facial expressions. But when you're trying to discern sort of little cheese about people who might

Be at risk for whatever reason you have to can't see their face or their own his name or their only all the time. That's

That's. Those are interesting observation. So that's, that's, that's pretty cool stuff to it. How has this year been different for you. What’s your take on 2028 insider threat.

Sue Steinke : Well, good afternoon, everyone, and thank you. Can everyone hear me all right, got it. Okay, thanks. JOHN thank you threats which for putting on this panel. Really appreciate it. And so far, enjoying it very much with my two colleagues up here.

So a 2020 well there are a lot of words, we can use to describe it. Let's just say it's been interesting and different

Mike you had Your own set of challenges by having to relocate know I've had to relocate to every single day from my kitchen to my office and sometimes there is a lot of traffic so

It can get tough that way. Um, so great question. JOHN. And I think the answer really is very dynamic on how covert has impacted our insider threat program.

So from a technological side. Yeah. We've seen some changes we've seen an uptick in bandwidth and CPU usage.

People are working remotely. Now, a lot more at home screen time a lot more opportunity to just say, you know what I'm going to just roll back into the office and work a little bit more

People are on zoom calls lots of CPU and bandwidth issues there. So there's more data captured. There's more data stored

More data needs to be managed and analyzed, whether that's through another two or three humans. So the technological side of things. Yeah, we're seeing that that increase there.

But I think something we need to really consider and I'm gonna read you a quick quote. So the incident insider threat subcommittee recently published a paper. I think the title is HR

And insider threat mitigation a powerful pairing. It's a great piece. So the aim of a comprehensive inside of thread program is not just to identify potential bad actors.

But also to help employees through difficult times, enabling the company to reduce it susceptibility to insider risks and to retain talented personnel.

So helping it's helping the workforce through difficult times, we are absolutely living the ultimate example of that right now.

And what that brings to mind is the human side of insider threat not the technological necessarily those face to face meetings, Mike, you were talking about.

The daily interactions. The drive bys I used to have a commander. When I was a civilian with the Air Force. He called them. How you doing,

Was a one word and it was announced, like people are tired. I'm going to go do some. How you doing,

So we're missing out on the. How you doing this in person, where you can observe behaviors you can observe attitudes, you can see if something's a little bit off. See if you can help. We don't have that right now. You know you can do it to a degree on zoom, but it's not the same.

So we're missing some pieces there. But on the plus side, I think if there is any sliver of silver lining with coven. It's that it's been a force multiplier. It's really moved forward a lot of employee wellness programs.

HR and other stakeholders involved in insider threat and other areas of the company have rolled out programs at Perspecta that have been very, very helpful.

You know PTO management and in in usage programs because there are people that can't go to work because of facility closures.

Town Hall discussions from the grassroots on up to the CEO of the company very authentic.

Good, well received discussions, a corporate mailbox for issues and concerns on covert and anything else.

For people to send in either anonymously, or if they want a response. And let me tell you, we have some very strict SLA is around the response time and that people would

Ask and get answered within maybe 24 maybe 48 hours, our internet is chock full of coven information regional rules and regulations corporate rules and regulations, all sorts of things like that.

Mask reimbursement program, which was really well received very, very detailed cleaning protocols, you know, heavy duty cleaning on call as needed immediately.

we've had, we have something called a site ambassador program where at each facility. We've got a site Ambassador overseeing covered related efforts on site and can handle things locally.

Sue Steinke : And then even beyond coven you know 2020 has been what it is and other issues have arisen and you know we've even started amping up, it's been it's a very good thing our programs around

Diversity and inclusion and we're certainly hoping, those are going to continue to grow and add a great deal of value.

So all of these types of programs are directed at Employee Wellness and most definitely impact insider threat in the supportive actions really make a difference when it comes to insider threat.

John Dillard: Outstanding. I mean, really, this human factors, particularly I happen to have watch the social dilemma. A couple of nights ago with my kids. I don't know if you guys have seen it.

We're all at home. There's a continuing resolution. There's an election and social media is probably amplifying all of our anxiety, all the time.

John Dillard: Although it turns into an insider threat problem. And I don't know that that's really fully appreciated say that the HR paper was awesome at that so appreciate you touching on those themes

By. How about Palo Alto. And what you're seeing in business back and it didn't CMS and from other companies that you've worked with what's what's been different this year.

Wailohia Woolsey: 2020 I think everyone can agree it's it's really one for the record books. But first, I do want to say thank you to you. JOHN AND and Kristen for for getting us all together.

I think that, and this is really speaks to what su su and Mike have already talked about. I think 2020 has really prioritized

Insider Threat risk management employee assistance programs for many companies.

I think for large, large companies from an insider threat perspective, the move from on prem to perhaps cloud solutions you know maybe really highlighted some depth.

I think for small and medium sized businesses, I think that there is an emergency and I knew me for dedicated insider threat resources. I think that really has become apparent.

I think that 2020 overall has just really highlighted opportunities, just all around to focus on technical solutions, perhaps like continuous monitoring of potential risk indicators again education of the workforce that human element as to why insider threat is a risk to organizations.

I think that the human element. Again, as you said, is something that we've focused very particularly on at Palo Alto networks because

Of course, you know, we are nothing without our employees. And so making sure that they have the tools and resources available to them, whether that's getting masks to them or whether that's

closing down the offices until we really do a full risk assessment in coordination with local law enforcement and federal regulatory compliance to make sure that it's safe to be open.

You know, these are all things that that we've all kind of come together as an organization to work on. So it's nice to hear that that we're not alone in this.

One of the interesting things that I do want to point out is that a Palo Alto networks, along with some other Silicon Valley companies like zoom

We've entered into a partnership called flex work, which basically gives options to employees to determine

And be a little driver for how they want to interact with the companies moving forward. Do they want to do, potentially part time at home, part time in the office. Do they just want to confirm

Didn't want to be completely remote and just really kind of engage and support the employees as they need, because we're all going through this and we all have different needs. We all have different you know childcare dependent care responsibilities.

And so it's something that we want to make sure from flexibility perspective that we can support, support companies are so support on place.

John Dillard: Awesome stuff and you know really the diversity of the different companies that you guys represent. I think it's interesting to hear some of the common themes and the things were a little bit different, just depending on the perspectives.

And just kind of picking up on the on the comments that really all three of you touched on for the human factor and how it's affecting people for a mask wearing to just general mood and anxiety.

One thing that I think all of you here that I certainly here is that people view insider threat programs is a little bit punitive

As something that's being done to them and it feels a little invasive for a lot of folks and you know good companies communicating well and certainly part of it.

But especially now when folks are remote. They've got a lot of stressors, as you all have discussed

How're How are your companies and how what are other companies that you're seeing and organizations, you're a part of encouraging tactics to make insider threat feel a lot less punitive to the employees.

John Dillard: And maybe it's a what's in it for them. Or maybe it's just a matter of good communication, but how do you overcome that initial fear or resistance from the employee base on insider threat. Really, why don't we start off with you soon. Sure.

Sue Steinke : Happy to jump into. It's a great question. And again, that that paper I referenced earlier does touch on that a bit.

A big piece of making the insider threat program more supportive versus punitive is by really stepping up the employee assistance programs by

Pretty much marketing them in talking about them and making people feel comfortable with the fact that they're there.

To support them. There might be financial counseling. There might be other types of counseling available.

All tools to help support an employee through a difficult time. That's the key here the insider threat program needs to be seen as something that is going to support an employee through a difficult time.

Rather than bashing an employee or getting rid of them. And there's there's likely a calculus around that I certainly haven't done the numbers, but someone out there may have

The cost of onboarding the cost of getting someone a security clearance. The cost of keeping an employee through the course of his or her career.

Lot of costs, but they pale in comparison to the cost of one single event. So make it a long term.

Investment for our company and really invest in protecting all your resources, the physical the IP and your people.

And to make it really work is got to be in lockstep and you have to make it supportive. You've got to make it a good thing in touted as that in not just you have to walk the walk though. That's key.

John Dillard: Excellent, excellent by. How about. How about you guys. So what have you seen in terms of making employees feel a little safer well

Wailohia Woolsey: And I completely agree with everything that's been said, I'm one of the things that that we've been trying to accomplish is we've been actually trying to bake insider threat into everything that we do. So it's not a

It's not confrontational. It's actually just part of security every day. So we've really been looking at implementing

Insider Threat across all our policy all training. So that is just something natural, that happens. Hey, you know, if you see something that's kind of out of the ordinary.

It's okay to say something. And here's how you do it. I'm just kind of making sure that everyone realizes that, you know, security is something that that we all need to think about, especially in our

Industry. Our company is a cyber security company. So we want to make sure that security is at the forefront of everybody's of everybody's thought process.

But really just taking, taking into consideration, again, that human element you know if there's something that you want to talk about if you're having a struggle. Don't wait.

Come talk to us. We have resources that can help you. And so that's kind of how we are approaching insider threat at Paula to network is we're just making sure that it's baked in.

Kind of sprinkled around organization around the company everywhere so that everyone knows where the resources are and what they can do and where they can get help.

John Dillard: It's a really interesting point in and see. I know you are CIA for a while to one of the things that I think government in general has always done a little bit better and industry.

John Dillard: Is that when I was a CIA and certainly at NSA and elsewhere that gap if there's or organizations was just top notch.

And that was part of this is part and parcel of security for only just intimately in the plot so interesting to hear the way your friend mean by, as you know, almost like a support mechanism like an AP as opposed to, you know, looking man so my our, our

Wailohia Woolsey: You're going to get people reporting right

John Dillard: Exam.

Sue Steinke : Actually, one quick point, Mike. Sorry to jump in there. But another piece. Some companies are getting away from calling it insider threat maybe call it inside a risk or make the name nicer.

Exactly. It's a little bit of a pejorative ring to it to some

John Dillard: It certainly and I'm also not sure it's really exactly accurate we're focused on Saturday, but that don't get me down that rabbit hole long I'll spend 15 minutes on. So, Mike. What about you guys. How do you avoid being the boogeyman

Mike Oehler: I've always had this this theory about just security in general. Right. I wanted, it's good. You know, I always call it building a reputation for being helpful when I kind of

Described as having empathy for others even even be on insider for like understanding what are the business pressure is a program manager may be facing

In why, you know, we'd like to say that everything looks fine. Later they always come to this last minute. But you know what's driving that and understanding that and maybe not.

throwing more log on and see if maybe we can douse little fire by a little water onto it and help them with that in. So I've always taken that same approach when it comes to

You know insider threat programs personnel clearances like Vi the individuals.

You know that, you know, and so just passing them through and letting them you know somebody who's smoked marijuana in the last 12 months. It says

passing them through and sending them off to our clearance, which, you know, they're not going to get right. And they're going to end up

Didn't denied maybe going to Doha becoming a legal process. It's sit them down and said hey right let's wait for 12 let's wait a year to pass. You know, you know, stop.

You know, give them some sound advice and say let's hold off on somebody here now until you know we can address that issue in and I

A lot of people I think are afraid to take that activity. And because they're like, well, it's really not my business, but I'm like, it really is our business. Our businesses to try to help

Our employees through these processes and make sure they understand because I don't know if you're coming out of college and

You know you're living in a state where it's legal to smoke. We didn't know you're going to take a job necessarily were, you know, they weren't gonna be able to do it. So, you know, you could save someone

Hears have kind of a headache going through the clearance process and then not having to carry it out under clearance

But I see insider threat, the same way, it's right. Our goal is once again we want to keep our best employees because they assume that it takes a lot

Mike Oehler: To bring them in and get them trained and up to speed and and we know the cost of having the to

The time and effort it takes for someone new, and they get them re engaged into that process. So we've taken that same approach. But I also think on this. And we've kind of learned to adjust and be more flexible.

Because we've been forced to write and it's a good lesson for us all. Because there are, you know, I have to school age children and right and so we have people are dealing with the same

Issues, or they, you know, they're kind of serving its teachers during the day and they're having to work late hours at night. There's a lot of stress.

Just about trying to get your kids to school and getting the log on the zoom and zoom meetings and things like that so

But I think we've all learned to adjust and survive it. And we're still getting the work done, which is important. So, empathy, being the word that you use there. And I think is the one

John Dillard: Probably underused in our business.

Well, switching gears just a little bit and Mike. I'll stay with you on this one.

threats and vulnerabilities is obviously things that were an election year, there's a lot of stuff in the news about obviously election very boring and it seems like every couple weeks. Somebody gets arrested for

Fasting information seems to be disproportionately affecting universities, universities, but this is for us all stuff that we kind of

Our you know accustomed to hearing and it's part of our, our, our industry. But what if you look forward to the next year. What in your view, are the

Threats that are really the ones that industry should be most concerned about and in turn, you know, you look at the vulnerability started. Where do you feel like industry is weakest with respect to how their positions.

Mike Oehler: So one of my concerns from just a weakness is configuration management on our networks on our systems and understanding where our data is residing I think there's

It's always been, that's been a real concern of mine and understanding, especially as we start to talk about moving to cloud based systems. And you know what is what our capabilities to monitor the movement or exhale of data.

Activities in those because

They, they do make things very convenient. You know, I can log on my laptop here at work, but I could also log on using my personal computer at home but you know that opens the door for us to be able to actual data.

And then when it comes to the bigger picture configuration management, you know what, what kind of

Are we doing the robust security reviews of hardware and software before adding into our network. So we do, we have a test network where we can set up a set them up and see if it's going to ring home.

You know, you plug in this router. It's been a dial out somewhere in the world that you wouldn't necessarily wanting it's connecting to it, those types of things. That's something that it's been a focus on both

Really been a focus for me on are on kind of configuration management, our class my name was but then

Now, you know, that's my big concern about our class Fi networks because it does, it opens up vulnerability value for the external hackers, but it creates vulnerabilities that insiders can take advantage of to it, I would imagine.

John Dillard: Especially this year when you know People were just trying to Figure out a way work yet. And so they're probably adding hundreds of new tools to the mix. You know, in the corporate environment involving corporate data separate companies, big as yours on that. That's a lot of stuff. So Wai. How about you, what's what. If you think about the threat environment and Mike's mentioned configuration that might be the same. Few months you guys might be different. What's the, what's different about the threat environment. This year, what kinds of insider issues you think are most important for companies to be paying attention to?

Wailohia Woolsey: Our Insider Program is is is we actually caught inside a risk syndication and and you know if Kobe has shown us anything. It really is. It really has kind of blurs the line between work life and home life. And so I think that, you know, organizations really

Need to ensure that they have a solid, you know, policy like a good acceptable use policy incorporating teleworking rules.

BYOB endpoint implement security and then offer training. You know, I think everyone all organizations had to kind of like

quickly understand. Okay. Everyone's at home. It could be using like my set, it could be using your homework cockpit could be using their work laptop. Let's start offering training about safe cyber practice I letting you know. Fishing. Fishing. Fishing all the machines.

And then kind of assessing internally. Are we actually practicing what we preach. I think from a technology perspective again, as Michael said, you know, network connectivity data flow. Where's the data going

Especially with regards to employees contractors third party. And then, of course, you know, reviewing and enforcing identity access management.

At least privilege and making sure that that people only have the access that they need to have

: And making sure that those policies and controls are up to date so that you actually know who has access to your data. I think those are those are some really key things that that companies are probably looking at now. If not, if not already in place. Got it.

John Dillard: See how about on hearing what it, what are you seeing

Sue Steinke : It's such a That's such a good question. JOHN and the technological side that Mike talked about in the training and tech that if I talk about very critical really important. I was thinking of it in the larger picture of things and I may begin to sound like a broken record but

Thanks to 2020 we've got just a plethora of stressors out there, tons of new ones. You know, I'm no psychologist and definitely didn't play one on TV, at least to my knowledge, but you know kovats and comb. It's really just part of the story.

One of our insider threat subcommittee members Val the telly. I don't know if you're out there, Val or a very interesting article recently.

In his contention was the changes in behavior and attitude brought on by smaller events like let's say pre code.

Are very observable and they can be indicators of how someone would react to greater stress like covid and the other things that we're experiencing now.

And right now we have that greater stress with everything that we've talked about already in companies need to be aware of how these stressors could negatively impact the workforce is again the APS help and how you doing help if we could get back to them.

But the thing is the new stressors are new with the new stressors haven't really introduced new vulnerabilities.

But the stress or some more like super catalysts on the vulnerabilities that that we see the financial issues.

The medical bills dealing with elderly parents. You can see the homeschooling all of that and that you know all of that has just been hypercharged by the stressors that we have now.

So I think keeping an eye on that and understanding that, you know, yeah, there, there are more technological things that need to be tracked, but on the human side again.

I don't want to say same old, same old because it's a whole different breed of the stress of the vulnerabilities, we've seen before because of current stressors. But another thing that we do have to keep our eye on is our craft the adversaries out there.

Sue Steinke : They, they, they are out there. They've been out there. They see the stressors, they know what's going on. And they are licking their chops and they're getting incredibly

Aggressive and sophisticated in the way they're going at this and another shout out to incite insider threat another paper on mitigating advanced persistent insider threat.

It's a much longer title, but that's all I remember also talks about this in great detail. It's a great paper.

So our adversaries, you know they're using advanced data analytics, they're figuring out

Ways to exploit open source information that can find the information that's going to tell if Mary Lou is working on a sensitive program in what her vulnerabilities might be. And then there are ways for them to determine if those vulnerabilities are exploitable so

The vulnerabilities have been there. They've just been supercharged I think right now, we really just need to stay very vigilant.

Wailohia Woolsey: It's almost like

Has put a magnifying glass on everything. And, you know, if you hold it up to close to the sun, it's going to catch fire and that's

The way that that it that it feels, you know,

John Dillard: Yeah, exactly. And, you know, you mentioned adversaries. Obviously all three of you work for companies that are well known to our at

Which you know it's sometimes it's nice to work for a little company that nobody's ever heard.

But you guys don't have that luxury. I am curious and you know you, I'm sure, you cannot disclose reporting patterns for your company.

So don't feel like you should do that. I'm assuming foreign travel important respects is probably going down.

But I am curious what you have heard from the other companies and work with if you if you've heard of any patterns in reporting increases or decreases.

Or patterns that industry should be aware of that are worth noting in reporting, whether that's third party reporting self reporting or general traffic that you think is notable. So what do you guys, what are you seeing across your relationships.

John Dillard: I like to go last at first.

Sue Steinke : Like that. Um, I'll be I'll be, what do they call that missing relevant is that the last, the last pick of the draft is called relevant

Anyway, um, you know, we go to your point, we know we're not going to resign any of our company stats or anything, but we haven't seen a dramatic.

uptick in any of this, but everyone is remaining incredibly vigilant on this because of all the things we've already talked about. And we're keeping our eye on the technological tells that are you know really the black and white have it all. And it's the gray stuff that

You know, that's where we're trying to really get our fingers on that because we're missing so much by way of face to face.

So, you know, the short answer is, we haven't seen a whole lot. I haven't heard a whole lot about any kind of industry trending. I'm curious to hear what my fellow colleagues have to say on that though.

John Dillard: By this might come up with a nice back from time to time or in same as what are you hearing

Wailohia Woolsey: You know, there really hasn't been a lot of feedback from from industry from and CMS perspective about an increase or decrease in in reporting, I can say, though, is that

You know, at the beginning of company. We had a security operations center that was on from

A you know a couple dozen people, you know, monitoring and things of that nature. We actually had to shift that all all to the cloud. And that was a really, that was a really remarkable thing. I think some people don't really realize how difficult it is to shift a stock to the cloud.

Wailohia Woolsey: And I think that once

Once kind of that initial shift happened. I think there was kind of like a big increase in reporting, but I think it was just to reflect

The fact that people were all connecting through different gateways, you know, and like what things kind of settled down over like the course of 30 days it was like, oh, OK. Back to business.

So I think it was just kind of like the initial you know first couple weeks. I think we all kind of felt it. How are you going to do this and

And you know what is working from home look like. And, you know, what do we do, and and so I think after the you know the first couple weeks, everything just trailed off in there really hasn't been any, anything

Considerable or significant Simpson. Got it.

John Dillard: And how about. How about you guys. Mike what are you hearing

Increase, Decrease in reporting.

Or just about the same.

Mike, did we lose your audio.

I think we might have lost Mike's audio will pause for one second. Well, I'll what I'll do is, you know, that question is related to my next one.

Which is you and all of you said something similar and operate a lot, too, is that you haven't necessarily heard a lot of changes in reporting patterns.

From either government or industry. And my question is really, whether we're having that conversation enough

One of the things that you know I hear a lot of the insiders right community is about government not necessarily being great at sharing information about possibly risky employees back to industry.

So that we can take action on and especially if maybe it's a minor thing. But when piece together with what we know about that employee on the industry side could in fact be quite meaningful. So

and I'm curious what your thoughts are on the government, industry partnership on insider threat and whether or not the information you sharing is where it needs to be. And if not, what the heck we need to do about

And while we're waiting for Mike's audio to pick back up. Why don't we start with vile network by what do you think

Wailohia Woolsey What can we revise the Privacy Act of 1974. Is that possible. Can we get that done today.

I don't know how much time we have left. But that would be that would be a great

Great starter for us in the conversation. Um, I could see see laughing, but you know, I, I'm sure we're kind of aligned on this. And I think that that we are having those discussions about information sharing not only

within different government agencies, but also from government to industry. And I know that from an impact perspective.

It has been brought up in the working group that hey, you know, in order for us to better partner with went to more closely partner with you. We need more visibility.

Into the reporting and the results of, of, you know, the investigations or the detail that you all are putting together so that we can not only

Help our employees if it is an employee assistance issue or if it's a larger issue and we need to be aware of from an IP protection perspective.

So I know that that from an impact perspective, these conversations definitely are happening.

John Dillard: Good, good. Mike, it looks like you're back with us. I saw your face, but I couldn't hear you. I wasn't

Mike Oehler: We everybody in the world is

Used to this now so

I don't think anybody.

John Dillard: No sweat it. So what do you see on government, industry communication in partnership, especially

on threat and vulnerability information and whether or not we're sharing that effectively.

Mike Oehler: I think it's been a real challenge in it's related directly to the code, you know, I used to be.

With the FBI on a monthly basis, we would meet the launch. We talked about suspicious contact reporting in other things that they were saying, or we were saying in the workplace.

But since, you know, March and March, April timeframe we just had not able to get together I, you know, and it was kind of eerie I remember I got invited over to the

Field Office in the city where I was in, and even just approaching the front door right like I'm like

Do I wear a mask or do an hour, you know, I'm like I'm approaching the FBI here like so. You probably approach and and how you deal with that. And then even since moving here to the you know the Dallas, Fort Worth area.

Gone back and forth a lot by email and tried to set up a time, but it's just, it's really complicated to try to do that. So the, the activity has decreased. It's just that feedback loop.

As is has really been I think harmed by that. So it's, it's hard to see trends and understand what's going on, kind of outside of our, our own little

You know facility here interesting observation, because

John Dillard: Usually when you hear about that problem in terms of just data push back industry sort of overall way.

And what hasn't hadn't really occurred to me until you mentioned it was, you know, a lot of their government folks from VCs and FPS becomes embedded with larger companies like yours and others.

And I imagine those have suffered and that contact with staff is probably a factory that does not help him into the information sharing already needed to work on sister. Say what, what are your thoughts on this one in terms

Sue Steinke : Yeah, I think.

I'm pretty close to it. Both of these both Mike and I have talked about. I mentioned the Privacy Act of 1974 and that is that's the kicker.

We are you know what a standing between information sharing from government to industry, which would

Clearly, improve everyone's insider threat programs is is illegal act that would take well literally an act of Congress to change so

You know there's that time limitation, but there. I don't know that there's much of an appetite to do that. But what was encouraging was, I think, was in last year's intelligence Authorization Act. There was a provision about information sharing

I can't remember the details of it, but it didn't make it through, because the idea was carried along with the NDA. So I don't know that we've seen a whole lot of difference or any type of pilot program or anything but a lot of a lot of ears and listen to this and they understand

What's at stake, and they understand that insider threats aren't nearly as effective without this information sharing, but we're still a little bit behind the eight ball because of the legal issues. Excellent.

John Dillard: Well, now, now is about the time, usually about 45 minutes and we'll, we'll pause for a second. I want to encourage everybody in the audience to use that Q AMP a button, submit questions.

John Dillard: While you're formulating your questions. We typically will launch a quick poll which I just did.

For everybody to indicate whether they want to hear about threats which from us, as most of you know our product is designed and in part to help this problem of insider threat. So you will hear from us list. Now, if not that's totally cool.

And do you use that Q AMP. A but on any question you want to hear from him will shift to audience questions.

Once we give the poll about 30 or 45 seconds to run through

And really on anything you want. I think these guys have covered the waterfront and want a number of things on insiders. Right. It's a big topic.

So looking forward to kind of jumping in and seeing some of these. So the first question that I'll pick up when we let me in this poll here for a second and then we'll jump into the audience questions.

First question, which is on governance actually is related to how you guys run your programs. How is that structured

It's a big and you know all of you working for pretty big programs.

What, what have you learned in especially this year in terms of how your program is structured for insider threat what the governance looks like what's working well what what you think companies can do better.

Mike. Mike, how do you guys do things and what are some lessons that you've picked up on governance and decision making.

Mike Oehler: In my previous organization. We were very centralized, you know, had a predator program that's coming out of the main corporate facility.

And we had a small group that involved legal HR, we call it investigative committee, right, we would develop Lee using our tools.

And we didn't want to have to get a big group of 15 of like your traditional inside for working together to decide whether we're going to follow up on any of these lead. So we would get HR legal physical security and see so

And we would make those determinations really HR and legal were the two

You know, kind of the hurdles that we were going to leave in a negative way because they were always very easy to work with.

And then here at the

With my current organization, you know, we went through a merger.

And so regarding for man we manage the day to day at the at the business sites of the insider threat programs and then have direct line reporting up through the corporate

Structure, because right we're still trying to kind of get all of our computer systems we're going through that that transition stage of just getting everybody talking on the same computer systems.

And so

It's been, it's been interesting on both sides, but it works on their side because they're, they're both well documented.

In solid programs.

John Dillard: By. How about you, how's the structure. What do you think is particularly it's

Wailohia Woolsey: So potent over networks, we've really taken a very information security focused approach to inside a risk mitigation. So what we've done is we've actually built on the foundation of the NISPOM compliance.

Wailohia Woolsey: Government security program. And we've actually extended it across the enterprise. So we've expanded our working group to again to include much like Mike the corporate investigations team other stakeholders.

We've actually incorporated insider threat specific controls into our common control framework in our governance risk and compliance organization.

So we're actually able to leverage the data across various regulatory requirements. So like ISO 27,001 stock to fed ramp. Some of the NIST control so that we can see across the enterprise.

Where we're meeting controls were there still opportunities for improvement. I'm

One of the benefits of this type of approach is that it provides us with data actionable data and a means to like pinpoint risk across the enterprise. It's something I really don't see a lot of companies doing

But it's, it's something that's really working for us. And what we're in the process of doing now is actually automating some of those controls so that they are incorporated into our security operations center. And we can actually get live updates.

So that's something that that we're doing.

In addition to obviously like a regular assessments at the at the business unit level. Excellent.

John Dillard: So how about perspecta, what, how are you guys working on. What do you think

Sue Steinke : works particularly well i think

We're probably a cab would say combination of very sound technological

Tools looking similar. I don't know if they're similar to Wai's. I'm not in the weeds on any of that. But I know that we've got some very strong technological solutions.

But again, that that human side and all of those wellness programs that we have and had prior to this year, they work.

Uh, you know, those two are the foundation of any really good program, I think. And we've managed to use those to our benefit.

The program is dynamic. I think everyone's is you always have to stay ahead. You always have to look at the tech side and you have to look at the human side and stay nimble and

Kick out what's not working, bringing new things and I think one of our homework says that we are very nimble in this regard. Yeah, excellent, excellent.

John Dillard: And follow up for users, specifically from somebody in the audience, you mentioned the gap programs. And I think all of us might have had some exposure this yeah bees are intended to be confidential for employees.

So how, what are your thoughts on how especially HR and maybe waste of paper, you know, they're dealing with a situation where they have to be a trusted resource for the employees, but sometimes they're brought things that can be material insider threat issues.

So how do you balance the need for that confidentiality and privacy with inside of rebel quantities.

Sue Steinke : That that's a, that's a great question. And it's one of those. It's one of those thin lines and it's a

Balancing the privacy of your employees versus well you know it's do we want to be big brother. We don't want to be big brother, but some people can view it that way, it's, it's a really

It's a really thin line. And I think one of the best tools you can use to put people at ease is transparency, you have to be incredibly open about the program about what you're trying to do.

The key point being, we're protecting all of the company's assets and you're an asset Euro. Euro flesh and blood asset of this company and we want to protect you.

As well as the other things that we always come so talking honestly getting out in front of what the program is sharing it from the highest levels.

Sue Steinke : Down to the grassroots and having people just get more comfortable with the whole idea of it. There is a there's a big hearts and minds piece to this.

For that very issue. So I don't know that there's a black and white answer but communication transparency and in that kind of thing can only help. Excellent.

John Dillard: Via Mike, anything to add on them and and balancing this need for privacy and confidentiality and trust with the fact that you know companies discovered things in the course of their European HR programs that are really quite risk.

I'm sorry, go ahead. Mike.

Mike Oehler: Okay, I've never seen. So, no problem. I've been involved with is actually gotten information from the gap program. And I think it's important that employees realize that

You know there are reporting requirements. Somebody had to clearance and they're going in for certain counseling or taking advantage of those

To live they're required to report, but as far as direct reporting from the AP we've never received that and then I you know I know a

Lot of discussions that take place when you're setting up these programs and in trying to enhance these programs and it goes around their revolved around kind of those employees stressors in life events in. How do you collect that data, whether it's appropriate to collect that data.

And then what do you, what are you going to use that data for, you know, you know,

You get into these discussions about it would be nice to know somebody has an alcohol or drug problem. So that's your push them into an EP program right but what

What's the scenario, if you say, hey, we'd like you to consider this VIP program because you have an alcohol.

Problem and they and they declined that. So then once the company going to do with that is that terminal offense. Right, so you get into these discussions like this sometimes better not to know and so it's just a really it's a challenge. And I think it's

The appetite of the organization and how comfortable they are with gathering that type of very sensitive information and then what are you going to do with it once you have it by trade, collect data, but then you gotta do something with it.

Wailohia Woolsey: I was just gonna say I completely agree. I think it's, you know, the risk appetite of the organization. I think it's how the program has structured and develops their potential risk indicators. I think the great thing about insider threat. And one of the things that we always try and communicate

Through the SMS so petty and certify separately and also Palo Alto networks is you're not doing one mistake. You're not just one thing. You're not defined by some one thing that happened. It's always

The whole. And it's not just like government, education, it's the whole person. It's the whole environment. It's the whole scope of what has happened over the course of

Time, a certain, you know, time period if if you want to go that route. So I think that, again, you know, we really haven't had anything referred to us from an AP program.

But again, I think it's, you know, incumbent upon insider risk insider threat practitioners to make sure that they communicate that it's not just one thing.

It's a collection of things that have happened that may indicate something could occur.

And it's just, it's all kind of supposition, but you really have to ensure that you're consistent and fair in the application.

Of those PRS. And I think that's what people want to hear. And I think that's speaks to Sue's point with regards to transparencies, we just want to make sure that application is consistent and fair but that people also know what's going on. Um, so yeah. Excellent, excellent.

John Dillard: All right, we're coming up on the hour, but I have one more question for you guys. And that's if you could pick one word that you were about to 2820 is about to be behind us. This is possibly a good thing.

By 2021 will bring a different set of challenges for insider threat.

Or insider risk is the case may be. We're going to, we're going to start the cost of renaming everything as right off this webinar. That's our number one priority.

John Dillard: If you had to pick one word or one concept that you think industry really needs to focus on in 2021 for insider threat. What is that thing, and I'm going to put by you on the spot. First, what do you, what's the one thing for 26

Wailohia Woolsey: Well, that's a big question. Um,

Or 2021. What do you think

I think that for 2021 it's going to have to be consistency. I think we're gonna just have to be consistent in in what we have built in 2020 and see how we can make it better.

John Dillard: Excellent. Mike 2021 you had about 15 seconds to think

Mike Oehler: I think flexibility because right now. What's 2021 go live. I mean, right, I can

It's hard for you to predict, it's gonna be hard for me to predict what the workforce situation is going to be, you know, I kind of assumed based on the type of work we do that.

Majority of people are going to come back at the office. But, you know, assuming has gotten me in trouble in the past. So I think it's, you know, being being prepared, one way or the other, whether we're going to have a

More remote workforce, or whether people are coming back in the office. So having, having being prepared. Either way, and being flexible.

John Dillard: All right consistency flexibility.

Sue, you get the last word. What's the word for 2021

Sue Steinke : It's a hyphenated word. So don't hold that against me whole person and by you said that a minute ago, the whole person.

The technological side, the human side the organizational factors we really didn't touch too much on those. We have to keep those in the forefront as we assess insider threat outstanding.

John Dillard: Well, um, I want to thank you guys for what is I think that a fantastic conversation. I certainly feel a whole lot smarter than I did when we got here.

And, you know, really would encourage everybody who's out there to share on the webinar with others because I think it's been a good one. And really appreciate the time you guys have spent

With the audience to get us a little sharper on this topic we do these as everybody knows every month, next month, we do want to drill down

On ThreatSwitch and insider threats specifically and how our software works through some of these things. But I would encourage everybody to give back and check out the last one insider threat we had the lead of locking counterintelligence program, we had the end of

The day the native talk for an hour with us about the government perspective. So we've got a really good collection of

Speakers and conversations on insider threat that I think all around the incentives written, which is nice, nice bonus. So check it out. November 19

And we'd be happy to have enjoys. With that, I'll thank you everybody for coming, really enjoying the participation that might think to see you. Thank you. I appreciate you being here.

Don't forget that we will be sending you the transcript and the materials afterwards. So everybody. Have a great week.

Keep Reading

Posts by Topic

Subscribe to our