Building an Insider Threat Program: Five Important Categories of Tools (Part 1 of 2)
This is the first part of a two-part series that explores open source, free, or low-cost solutions to help you get the technical portion of your insider threat program started. As defined by opensource.com, open source software is "software with source code that anyone can inspect, modify, and enhance." Free tools are available at no cost, but the source code is "closed," meaning that it cannot be examined or modified.
Information security programs in small- to-medium-sized organizations are often challenged by budget constraints and competing projects. It can be a struggle to purchase a much-needed tool that will benefit their program. Insider threat programs are no different and often face the same challenges. Organizations can get a jump start on building the technical side of their insider threat program by considering open source, free, or low-cost available tools.
There are five categories of tools that organizations can use to build a successful insider threat program, though not all are required:
- User Activity Monitoring (UAM). According to a 2014 report published by the National Insider Threat Task Force, UAM is "the technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information in order to detect insider threats and to support authorized investigations."
- Data Loss Prevention (DLP). DLP tools control how users interact with data and what they can do with it. In a report by SANS and Securosis, DLP is defined as: "Products that, based on central policies, identify, monitor, and protect data at rest, in motion, and in use, through deep content analysis." For example, DLP tools could be used to prohibit data from being printed or copied to removable media.
- Security Information and Event Management (SIEM). As cited in Gateway Security Devices, "[A] SIEM system provides an additional method for collection, aggregation, and consolidation of logs from many types of devices. The SIEM leverages baselining and configurable rules to correlate the logs and provide real-time incident-based alerting."
- Analytics tools. Such tools extend the query and alerting functionality of the SIEM. They may leverage advanced machine-learning and statistical capabilities to alert on anomalous activity.
- Digital Forensics tools. These tools help an organization conduct an investigation by properly preserving, collecting, and analyzing digital artifacts on a system or device.
Commercial tools are available in all of these categories, but they may be cost prohibitive for some organizations. Such costs may prevent an organization from starting an insider threat program. However, there are low-cost tools that organizations can leverage to get their insider threat programs off the ground. Please see Part Two of this blog post for examples of these tools. Before you select a tool, though, consider the following:
- Many low-cost tools have implementation costs that are easy to overlook. A tool may require additional hardware, software, or other resources before it can be implemented and function as intended. Additionally, personnel may need to be trained and dedicated to maintaining the tool. These steps can consume additional human resources.
- Organizations should test tools before they implement them in a production environment. It's important to understand how a particular product functions and identify additional risks to the confidentiality, integrity, and availability of the system and data.
- Open source or low-cost software does come with some tradeoffs. For example, commercial software is usually supported by the company that developed it, and that company may work with your organization to implement the software in your environment. Additionally, commercial software may undergo a formal quality assurance process. Open source software is typically developed by one or more software developers who produce the product on their own time and with their own resources. Open source tools may not have pre-defined maintenance and support options, and implementation and configuration assistance may not be available.
- Organizations should consult with their general counsel before deploying a new technology that could impact the privacy and legal liberties of individuals. Organizations should also review software licensing agreements to ensure they are in compliance with the agreement. As with any project, it's best to involve all stakeholders, including legal, early to help minimize costs, ensure compliance, and get buy-in.
- Organizations should be mindful about where the software was developed and who supports it. Working with software that was developed or supported by countries that do not have good economic or political standing with the organization's home country could present unnecessary risks to the organization.
In the second part of this series, I'll explore some of the specific tools that are available in this space.
If you have experience with other open source or freely available tools that could be leveraged in an insider threat program, I would like to hear from you. Please get in touch with me using the links provided below.