Consider these three things when developing an insider threat program, experts say
The bad news is that cyberthreats aren’t just on the outside, trying to get in. Employees, former employees and contractors can expose valuable information or sensitive networks, sometimes unintentionally. The good news is that it’s possible to develop a program to spot such activity, leaders from the National Security Agency, the Secret Service and Carnegie Mellon University said Wednesday.
The first step is to develop an understanding of what your agency’s high-value assets are, said Michael Theis, the chief counterintelligence expert and technical lead for Carnegie Mellon’s insider threat research program. The reality, Theis said, is that everyone is working with limited resources. In a world where it’s impossible to protect everything to the same level, agencies have to make decisions about what’s most important.
“Prioritize based on what your mission is,” Theis advised as part of a panel on “insider threats” at the Forcepoint Cybersecurity Leadership Forum produced by CyberScoop and FedScoop. Sean Berg, the senior vice president and general manager for Global Governments & Critical Infrastructure at cybersecurity company Forcepoint, led the discussion.
Theis, together with NSA Deputy CIO Mark Hakun, also spoke about the importance of understanding what baseline user activity looks like so that cybersecurity teams can notice when activity changes.
“You have to know what’s normal before you can detect a deviation from normal,” Theis said.
Retired Brig. Gen. Kevin Nally, the CIO at the U.S. Secret Service, made a pitch for the importance of innovation. Hiring a “forward thinker” who’s job it is to think about the big picture and strategize around emerging technologies as well as emerging threats has been very helpful, Nally said. Artificial intelligence, for example, holds a lot of promise in allowing for less labor-intensive monitoring of network user habits and patterns, Nally added.
Hakun, meanwhile, stressed the importance of authentication. Specifically, making sure that access is controlled and users only have the access they actually need. “Administrators don’t need to have access to every box just because they’re the administrator,” he argued.
“Even though cybersecurity is evolving, networks are evolving, it’s still the basic premise that you’re dealing with people on the network … you want to know who’s on your network,” Hakun said. “No matter what.”
