
Challenges Facing Insider Threat Programs and Hub Analysts: Part 2 of 2

Jason W. Clark

In the first post in this two-part series, we covered five unique challenges that impact insider threat programs and hub analysts. The challenges included lack of adequate training, competing interests, acquiring data, analyzing data, and handling false positives.

As you read the new challenges introduced in this post, ask yourself the same questions: 1) How many of these challenges are ones you are facing today? 2) Are there challenges in this list that lead to an "aha" moment? 3) Are there challenges you are facing that did not make the list? 4) Do you need assistance with combating any of these challenges? Let us know your answers and thoughts via email at insider-threat-feedback@cert.org.

Challenge #6: False Negatives

In some regards, dealing with false negatives is a more difficult challenge than dealing with false positives. A false negative occurs when someone is indeed a threat, but the analyst lets the key indicator pass by without flagging it or escalating it as a concern, or the anomaly detection algorithm fails to detect the behavior of concern at all. For some insider threat programs, a missed threat is one of the most devastating outcomes that can arise. The two error types pull against each other: any threshold raised to cut false positives also lets more genuine threats fall below it. The balance is usually struck by using automation to reduce false positives to a manageable number while human analysts review the remaining alerts to ensure that no threats get through the door in the form of false negatives.
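The trade-off above, as an added example that is not part of the original post: the alerts, anomaly scores and ground-truth labels below are constructed for illustration (the user ids and the detector that produced the scores are hypothetical), but the code shows what a program sees when it tunes a single threshold, and how a two-tier triage (automatic escalation above a high threshold, an analyst review queue in the band below it) recovers the low-scoring threats at the cost of analyst workload.

```python
"""Threshold trade-off between false positives and false negatives on a
constructed set of scored insider-threat alerts. Added example: the data,
scores and labels are invented, not taken from any real program or tool."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    user: str        # hypothetical user id
    score: float     # anomaly score from a hypothetical detector, 0.0..1.0
    is_threat: bool  # ground truth, e.g. known from a tabletop or mock scenario


# Constructed sample alerts. Two genuine threats (u03, u04) score low, the way a
# slow, low-volume exfiltration often does; several benign users score high.
ALERTS = [
    Alert("u01", 0.95, True),
    Alert("u02", 0.82, True),
    Alert("u03", 0.61, True),
    Alert("u04", 0.40, True),
    Alert("u05", 0.90, False),
    Alert("u06", 0.75, False),
    Alert("u07", 0.70, False),
    Alert("u08", 0.55, False),
    Alert("u09", 0.50, False),
    Alert("u10", 0.30, False),
    Alert("u11", 0.20, False),
    Alert("u12", 0.10, False),
]


def confusion(alerts, threshold):
    """Count TP/FP/FN/TN when every alert with score >= threshold is flagged."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for a in alerts:
        flagged = a.score >= threshold
        if flagged and a.is_threat:
            counts["tp"] += 1
        elif flagged:
            counts["fp"] += 1
        elif a.is_threat:
            counts["fn"] += 1
        else:
            counts["tn"] += 1
    return counts


def sweep(alerts, thresholds):
    """Return (threshold, false_positives, false_negatives) per threshold:
    the trade-off curve a program tunes against its risk appetite."""
    rows = []
    for t in thresholds:
        c = confusion(alerts, t)
        rows.append((t, c["fp"], c["fn"]))
    return rows


def triage(alerts, auto_escalate, review_floor):
    """Two-tier triage: scores >= auto_escalate are escalated automatically,
    scores in [review_floor, auto_escalate) go to a human analyst queue, and
    anything below review_floor is dropped. Returns the escalated users, the
    analyst queue, and the genuine threats that were dropped (false negatives),
    each ordered by descending score so analysts see the riskiest first."""
    escalated, queue, missed = [], [], []
    for a in sorted(alerts, key=lambda x: x.score, reverse=True):
        if a.score >= auto_escalate:
            escalated.append(a.user)
        elif a.score >= review_floor:
            queue.append(a.user)
        elif a.is_threat:
            missed.append(a.user)
    return escalated, queue, missed


if __name__ == "__main__":
    for t, fp, fn in sweep(ALERTS, [0.8, 0.5, 0.35]):
        print(f"threshold {t:.2f}: {fp} false positives, {fn} false negatives")
    esc, queue, missed = triage(ALERTS, auto_escalate=0.8, review_floor=0.35)
    print("auto-escalated:", esc)
    print("analyst queue :", queue)
    print("missed threats:", missed)
```

With this data, a single threshold of 0.8 produces one false positive but misses two real threats, while 0.35 misses none at the cost of five false positives; the two-tier triage escalates three users automatically, sends six to the analyst queue, and drops no threats. The review band is where the tabletop exercises in Quick Win #2 earn their keep, since it is the analysts, not the detector, who decide whether u03 and u04 warrant investigation.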

Quick Win #1: Ensure that you understand what the organization (or insider threat program designated approving authority) considers to be a risk. The organization should have completed a risk assessment at various points during the implementation and operation of its insider threat hub. Similarly, ensure that your critical assets list is updated and the organization has a firm understanding of what the "crown jewels" are and their associated protection requirements.

Quick Win #2: Incorporate tabletop exercises and mock scenarios into your insider threat hub to see whether the related indicators are noticed. These exercises have the added benefit of training analysts to determine more efficiently whether an indicator warrants further investigation. Ensure that all players know what is considered a false negative and that they can prioritize the alert volume to identify the most urgent and damaging events in a timely fashion, within the organization's risk appetite.

Challenge #7: Measuring Effectiveness

How does an insider threat program measure success? How are insider threat analysts assessed? Is it simply based on the number of items cleared from whatever tool analysts are using? Are analysts measured by how many inquiries lead to an investigation? The challenge is coming up with fair and useful metrics that measure the effectiveness of the hub and the analysts that support it. We have seen situations where leadership has come to the insider threat program with the question, "How many bad guys did you catch today?" This problematic approach is further compounded by the fact that it takes time for an organization to properly set up its program, and many organizations are struggling to determine how to measure effectiveness. While many programs are able to protect critical assets and intellectual property, some organizational components may not directly see the benefits of a program and instead see it as a burden that requires additional data calls and analysis.

Quick Win #1: Leverage an internal resource or trusted third-party to complete an insider threat program evaluation and/or an insider threat vulnerability assessment. This type of evaluation helps reduce risk to critical assets by determining the efficacy of your insider threat program.

Quick Win #2: Strive to determine the criteria for benchmarking or evaluating your insider threat program. This may require capturing certain baselines ahead of time. For example, you may consider basic metrics, such as the number of inquiries that led to investigations, number of alerts that were reviewed, number of false positives reduced, or any number of related criteria. However, more advanced metrics that are carefully constructed and reviewed often yield the best results and support for the insider threat program.

Challenge #8: Tools or Combination of Tools to Implement

Over the past few years, there has been an influx of new tools that claim to be the silver bullet in solving the insider threat problem. The difficulty for insider threat programs and their analysts is navigating the tool landscape. It is crucial for the insider threat program to understand how each tool it uses works and how the tools work together. Where are there gaps and overlaps between the different tools? What combination of tools works the best and why?

Quick Win #1: Partner with other organizations to exchange ideas and best practices when it comes to tools. Relatedly, attend conferences such as RSA, where multiple vendors are available to demonstrate the latest tools.

Quick Win #2: Contact the SEI to discuss the new tool-testing environment, Needlestack, at the National Insider Threat Center. The landscape of tools is growing at a rapid pace and is often as wide and varied as the insider threat programs themselves. We have done the legwork for you to help explore a variety of features and functionality across combinations of tools. Each insider threat program is different and there is no silver bullet solution; some programs require combinations of tools to create a defense-in-depth strategy. Through our tool-testing environment, we can recommend categories of tools that would be a useful addition to your insider threat program.

Challenge #9: Malicious vs. Non-Malicious (Does it even matter?)

One of the biggest challenges facing insider threat programs is discerning whether an insider acted maliciously or whether the threat was unintentional. This is an important distinction that can have a tremendous impact on policy, process, and training improvements. For some insider threat programs, however, there is no difference between malicious and non-malicious, as both impact the organization's ability to complete its mission. They argue that the intent of the employee should not factor into the decision to investigate, only into the decision to prosecute. It is also imperative to view each potentially concerning indicator in the appropriate context. Either kind of threat can be equally devastating.

Quick Win #1: Review the SEI Common Sense Guide, especially Practice 9, "Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees." This practice is useful because it can encourage employees to recognize actions or ways of thinking that could lead to an unintentional event: for example, someone who is willing to take more risks than the norm, who multitasks and is therefore more likely to make mistakes, who posts large amounts of personal information on social media, or who has a general lack of attention to detail.

Quick Win #2: Review the SEI paper Unintentional Insider Threats: A Foundational Study. This paper is recommended because it examines the problem of unintentional insider threat and how it compares/differs from malicious insider threat. It explores cases, frequencies of occurrences across several categories, and presents potential mitigations and countermeasures.

Challenge #10: Navigating Privacy, Civil Liberties, Legal Issues, and the Impact of GDPR

It is imperative that insider threat analysts follow privacy, civil liberties, and legal guidance, including international considerations such as the General Data Protection Regulation (GDPR). There are many potential challenges that an insider threat program may need to consider. Below are a few interesting scenarios to illustrate that point. Think about how your organization and insider threat program would respond or want to respond to each of them. Do you have the right governance in place and policies defined so that the insider threat program staff knows what to do in each situation?

Scenario A: A manager suspects that her employee is watching basketball videos while at work. Furthermore, she suspects that he is leaving for two hours around lunch time. She asks the insider threat program to provide a report of his Internet usage and his badge-in and badge-out records. Should the insider threat hub provide this information to the manager?

Scenario B: The insider threat program has determined that an employee is the "victim" of a scam; perhaps the alerts show she is sending money via Western Union in the hopes of a multimillion dollar windfall. Is it the insider threat program's responsibility to intervene?

Scenario C: The insider has been absent from work more frequently than normal and has been withdrawn from her peers when they previously attended after-work events together. The insider has also been updating her will during work hours. Should the insider threat program intervene? If yes, how would the staff do so in an appropriate manner?

Given these situations, it is imperative that the organization define its policy and determine how it will react to different situations before program operation begins. It will also need to be flexible enough to address new issues and concerns (e.g., discovering suicidal behavior) as the program grows and expands.

Quick Win #1: Always work closely with your privacy, civil liberties, and legal counsel. If you need further guidance, contact the National Insider Threat Task Force (NITTF).

Quick Win #2: Provide training to the insider threat analyst hub so its members understand what authorization they do and do not have. Establish written policy and ensure that the policy is followed according to the legal guidance.

Quick Win #3: Review the SEI blog post, "GDPR and Its Potential Impacts for Insider Threat Programs." In this blog post, the author considers what the GDPR means for some of the best practices discussed in the Common Sense Guide to Mitigating Insider Threats, 5th Edition. The author covers the best practices that are most important or most impacted by the GDPR.

As was the case in the first part of this blog series, we highly recommend that you consider each of these challenges and have the appropriate conversations with the members of the insider threat program and specifically those working with or in the hub.

Each of these challenges can be explored individually; however, it is the accumulation of these challenges that can derail an insider threat program if they are not addressed properly. Therefore, it is important that these challenges not linger and are resolved as soon as possible, involving as many insider threat program stakeholders as required.

We want to hear what you think. Please send questions, comments, or feedback to insider-threat-feedback@cert.org.
