SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

InTP Series: Prevention, Detection, and Response (Part 7 of 18)


The underlying network infrastructure is a critical component of any insider threat program. In this seventh post in a series of 18, I will introduce a few concepts for using your enterprise infrastructure to prevent, detect, and respond to insider threat events.

My name is Derrick Spooner, and I am a member of the technical staff of the CERT Insider Threat Center in the Software Engineering Institute (SEI) at Carnegie Mellon University. Previous posts have introduced several critical components of a formal insider threat program. Today, I discuss supporting infrastructure controls in the following areas:

  • Network Defenses
  • Host Defenses
  • Physical Defenses
  • Tools and Processes

It is important to develop the infrastructure with the list of critical assets previously identified by the Risk Management process in hand. Use this list to determine how each asset must be protected and how the use cases for those assets should drive alerts and protection. For example, are critical data assets regularly copied to local workstations, or must they remain on a data server?

Network defenses include protection systems such as data loss prevention (DLP), intrusion detection and prevention (IDS/IPS), proxies, packet inspection, and email monitoring. Your organization may already have such systems in place to defend against external threat actors. However, with some additional configuration, these systems can be used for insider threat prevention and/or detection purposes as well. For example, web and application proxy logs are an excellent source for monitoring employee activities and alerting on those that may be of concern.
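The proxy-log alerting mentioned above can be sketched as follows; this is an added example, not code from the original post or from CERT. The log layout, the approved-destination suffix, and the per-user daily threshold are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in a simplified, hypothetical proxy log layout:
# timestamp user method url status bytes_uploaded
SAMPLE_LOG = """\
2024-03-04T09:12:01 alice POST https://files.corp.example/upload 200 52428800
2024-03-04T09:15:40 bob GET https://news.example.org/ 200 0
2024-03-04T22:47:13 carol POST https://share.example.net/api/put 200 41943040
2024-03-04T22:49:55 carol PUT https://share.example.net/api/put 200 31457280
2024-03-04T23:01:02 bob POST https://forms.example.org/submit 200 2048
not a log line
"""

APPROVED_SUFFIXES = ("corp.example",)  # assumption: sanctioned destinations
UPLOAD_METHODS = {"POST", "PUT"}
THRESHOLD_BYTES = 50 * 1024 * 1024     # assumption: per-user daily upload limit

def parse_line(line):
    """Return (day, user, method, host, bytes) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, user, method, url, _status, sent = parts
    host = urlsplit(url).hostname
    if host is None:
        return None
    return ts[:10], user, method.upper(), host.lower(), int(sent)

def is_approved(host):
    """Match the exact domain or a true subdomain, not a look-alike suffix."""
    return any(host == s or host.endswith("." + s) for s in APPROVED_SUFFIXES)

def external_upload_alerts(log_text):
    """Total each user's daily uploads to unapproved hosts; flag large totals."""
    totals, hosts = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the run
        day, user, method, host, sent = rec
        if method in UPLOAD_METHODS and not is_approved(host):
            totals[(day, user)] += sent
            hosts[(day, user)].add(host)
    return sorted((d, u, n, sorted(hosts[(d, u)]))
                  for (d, u), n in totals.items() if n >= THRESHOLD_BYTES)

if __name__ == "__main__":
    for day, user, total, dests in external_upload_alerts(SAMPLE_LOG):
        print(f"ALERT {day} {user} uploaded {total} bytes to {', '.join(dests)}")
```

Summing per user and day rather than per request means that several uploads, each below the threshold, still raise an alert once their total crosses it.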

Host defenses include protections such as session timeouts, access control, and application logs. These defenses can be reconfigured to protect against insiders attempting to access systems or information outside of their need-to-know.

Physical defenses include components such as badging systems and physical media destruction, which can establish physical movement patterns and help safeguard physical systems and storage media.

Tools and processes include components such as account creation, deletion, and expiration policies and configuration management baselines, which can be used to ensure that privileged users are not abusing their level of access.

Overall, a robust insider threat program should have a strategy and implementation plan for its infrastructure that includes methods and configurations for preventing, detecting, and responding to insider threats.

If you want to learn more about preventing, detecting, and responding to insider threats using your enterprise infrastructure, consider earning our Insider Threat Program Manager Certificate. The training provided as part of the certificate program covers all the important steps of implementing an insider threat program in your organization.

If you have questions or comments on this post or the series, please send us your feedback.
