3 Keys to a Comprehensive Insider Threat Monitoring Strategy

April 2, 2020
Critical manufacturing suffers the highest number of attacks of all critical infrastructure.

A few years ago, a former employee of the Dow Chemical Company named Wen Chyu Liu was sentenced to 60 months in prison for stealing trade secrets and selling them to China. Liu became a poster boy for the dangers posed by insider threats. His case was cited in an implementation guide for insider threat programs, an updated version of which was released by the DHS's Cybersecurity and Infrastructure Security Agency (CISA) late last year. The guide emphasizes critical manufacturing, which suffers the highest number of attacks of all critical infrastructure.

Insider threats don’t require a malicious employee like Liu, though. Imposters can also steal an employee’s credentials—the insider threat that gets reported least but costs the most, according to the Ponemon Institute. In the wake of heightened tension with Iran, CISA recently recommended extra vigilance around critical infrastructure, as Iranian cyber threat actors have historically used spear-phishing and other tactics in an attempt to gain inside access.

Insider threat programs are an unfortunate necessity in the manufacturing sector. And yet a fire-and-forget implementation is insufficient; you need to take proactive and ongoing measures to ensure your organization is protected.

Here are three steps to ensure your company is doing more than just checking the box with its insider threat program.

1. Run through possible scenarios. Many organizations recognize the risk of insider threats but see the solution as simply purchasing technology that will help them monitor and mitigate cybersecurity incidents. While technology is a critical component of any cyber defense system, organizations should first invest in significant planning, which entails running through what-if scenarios with key stakeholders. Cybersecurity efforts can’t solely be driven by IT. Bring human resources, ethics, security, and other key players into one room. Present them with several scenarios. Help them understand the importance of the threat. Get them involved in the company’s risk mitigation efforts.

Let’s say a rogue developer puts a backdoor into a piece of software enabling an outside user to take down a network system or assembly line, or a privileged user takes their credentials and walks out the door. Who is responsible for access control? How would each group respond if a threat was realized? What would be the waterfall impact to the organization as a whole? These important conversations must take place upfront and should continue to be part of the ongoing review process of any comprehensive insider threat monitoring program.

2. Implement dynamic user protection. In the case of Liu, there were many red flags, evident in hindsight, that something was amiss, such as accessing information that he didn’t need to know, unnecessary foreign travel, and unexplained affluence. Organizations need to be proactive about identifying these red flags, which often manifest in unusual behaviors. That means instituting continuous user activity monitoring combined with adaptive risk management across the entire swath of your organization, from people working in-house and on-premises to remote users relying on the cloud.

Full visibility across your user base allows for a full understanding of what normal behavior looks like based on metadata (network & endpoint), external data sources, forensics, and video context. With this information, you can monitor critical systems and analyze related user actions for risky behavior and anomalies that could indicate potential fraud or cyber sabotage. Most importantly, you can mitigate such risk accordingly—and without having to shut down operations and penalize the entire organization when something looks amiss. Dynamic user protection lets you target just the suspicious high-risk individual, which means non-suspicious low-risk users can still get their work done efficiently and securely.
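As an added illustration of the baseline-then-score approach described above (example code written for this page, not from the original article or any vendor product), the following Python builds a per-user baseline from constructed access events, scores new events against that baseline and a hypothetical need-to-know map, and applies a response only to the user whose accumulated risk crosses a threshold, leaving low-risk users unaffected. All roles, weights, thresholds and events are assumptions chosen for illustration.

```python
# Added example: risk-adaptive user activity scoring with a per-user
# baseline and a per-user response. Weights, thresholds, roles and
# events are all constructed for illustration.
from collections import defaultdict

# Hypothetical need-to-know map: resource classes each role requires.
ROLE_ACCESS = {
    "line_operator": {"plc_hmi", "work_orders"},
    "process_engineer": {"plc_hmi", "work_orders", "process_recipes"},
}
# Need-to-know violations weigh most; thresholds are checked high to low.
W_NEED_TO_KNOW, W_NEW_RESOURCE, W_OFF_HOURS = 5, 2, 1
TIERS = [(8, "restrict_and_alert"), (4, "step_up_auth"), (0, "allow")]

def build_baselines(history):
    """Per-user resources and hours observed during a known-good window."""
    base = defaultdict(lambda: {"resources": set(), "hours": set()})
    for ev in history:
        base[ev["user"]]["resources"].add(ev["resource"])
        base[ev["user"]]["hours"].add(ev["hour"])
    return base

def score_event(ev, baselines):
    """Risk points one access event contributes for its user."""
    score = 0
    if ev["resource"] not in ROLE_ACCESS.get(ev["role"], set()):
        score += W_NEED_TO_KNOW   # data the role has no need to know
    b = baselines.get(ev["user"])
    if b is None or ev["resource"] not in b["resources"]:
        score += W_NEW_RESOURCE   # resource never seen for this user
    if b is None or ev["hour"] not in b["hours"]:
        score += W_OFF_HOURS      # outside the user's usual hours
    return score

def assess(history, recent):
    """Map each user in `recent` to (total risk, response for that user only)."""
    baselines = build_baselines(history)
    totals = defaultdict(int)
    for ev in recent:
        totals[ev["user"]] += score_event(ev, baselines)
    return {u: (s, next(a for t, a in TIERS if s >= t)) for u, s in totals.items()}

# Constructed sample: a known-good window, then the window under review.
HISTORY = [
    {"user": "alice", "role": "line_operator", "resource": "plc_hmi", "hour": 9},
    {"user": "alice", "role": "line_operator", "resource": "work_orders", "hour": 14},
    {"user": "bob", "role": "process_engineer", "resource": "process_recipes", "hour": 10},
]
RECENT = [
    {"user": "alice", "role": "line_operator", "resource": "plc_hmi", "hour": 10},
    {"user": "bob", "role": "process_engineer", "resource": "erp_finance", "hour": 23},
    {"user": "bob", "role": "process_engineer", "resource": "process_recipes", "hour": 10},
]
```

Running `assess(HISTORY, RECENT)` leaves alice on "allow" for a single off-hours login, while bob's out-of-role, never-before-seen, late-night access to the finance system is the only account that gets restricted and alerted on.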

User activity monitoring programs are really no different than a credit card company monitoring for fraudulent behavior and notifying consumers of a potential compromise—monitoring that most people welcome, not fear. It’s important to teach that insider threat programs benefit everyone who works for the company, and for individuals to understand how they may be at risk.

3. Engage with your employees. Indeed, employees remain the best resource for identifying a potential breach before it happens. Engaged employees become part of the solution rather than part of the problem.

Some employees may be more susceptible to a security breach simply because of their role and proximity to sensitive information. For example, a CIO might be more of a target than someone who does not routinely access proprietary data. On the one hand, agencies should take into account non-cyber data sources like a user's proximity to sensitive data and daily behavioral patterns when they respond to anomalies. But they also should engage with employees, particularly those with privileged access, so they understand the importance of risk management and their responsibility in protecting sensitive data and systems.

In critical manufacturing, a comprehensive insider threat program is crucial, and it begins with the people within the organization. Technology is great and essential, but human beings make the best cybersecurity firewall. Educating everyone within the organization about the potential for insider threats—and complementing that education with the right technology—can go a long way toward stemming the tide of security breaches.