Proactive Compliance for Insider Threat Protection

Transcription

1 Proactive Compliance for Insider Threat Protection By Larry Knutsen, co-founder,

2 Proactive Compliance for Insider Threat Protection -2- Executive Summary Cybersecurity and the loss of sensitive data seem to appear daily in the media. On February 12, 2013, President Obama signed Executive Order 13636, Improving Critical Infrastructure Cybersecurity. This outlined the Administration s priorities. This executive order highlights the importance and critical need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. Two years later, on February 13, 2015, President Obama signed Executive Order 13691, Promoting Private Sector Cybersecurity Information Sharing. This Executive Order calls out the National Industrial Security Program to include amending Executive Order 12829, dated January 6, 1993, which established the National Industrial Security Program to safeguard Federal Government classified information that is released to contractors, licensees, and grantees of the United States Government. The conversation has moved to encompass not only cybersecurity and Information Assurance (IA), but also insider threat, which today is one of the most prevalent threats to our nation s security. In this paper, we explore the mandated compliance guidelines, from Executive Orders to policies that address insider threat, along with the anticipated changes to the National Industrial Security Program Operating Manual (NISPOM) expected to be released this fall. We will discuss the impact of the insider threat to an organization, the importance of doing a risk analysis, how to identify gaps, and what organizations can do to create and mitigate the risk of a malicious insider by adopting appropriate security measures.

3 Proactive Compliance for Insider Threat Protection -3- Policies in Place Now The Federal Government has put forth a number of important mandates over the past few years in the effort to bring security standards to a baseline for both cybersecurity and insider threat. Cybersecurity has this Administration s attention, with accountability and deliverables outlined in several Executive Orders. I think we will all agree; we are only as strong as the weakest link in the digital cyber world. These federal compliance standards must be leveraged as a framework to create a robust security posture to protect sensitive information. Beyond this basic framework, different organizations may require additional security needs. So long as these basic standards are met, you are off to a good start, and you can grow your security program as needed. Something is better than nothing and doing your homework up front, discovering your gaps, and taking steps to mitigate them are critical before you purchase anything. In my view, not all organizations require the same level of protection and some can manage sufficiently and safely with a basic program. The important thing for each organization is to strike the balance between security and risk mitigation. Doing nothing is no longer an option. What impact could the NISPOM have on you? If you have, or expect to have, government contracts, your organization will be expected to have an insider threat program. Your program should be based on published policies, linking requirements together into a robust program that includes continuous evaluation, continuous monitoring, and a holistic insider threat detection program. You can wait for the requirements to unfold or you can begin taking steps to do your homework now. At the very least, you should ask yourself, what is your company s intellectual property worth? What is your company s reputation worth? What would you say to your stockholders and employees if tomorrow s media headlines read Data Breach Occurs Insert Your Company Name Here? Senior leadership must understand you cannot guarantee there will be no leaks or prevent a trusted employee from going rogue. What you can do is know what happened when, how and by whom. Most importantly, you can limit the timeframe of bad behavior. Insider Threat Detection and proactive holistic analysis is possible if you build it into your program and you should start planning now.

4 Proactive Compliance for Insider Threat Protection -4- Getting Started When determining what is right for your organization, there are some key questions to ask yourself before you start building and investing time and money in your cybersecurity posture. This is the homework and due diligence phase. 1. What are your goals? What are you trying to Eight Questions You Should Ask protect? You cannot guarantee to leadership that your organization What are your goals? Are your HR and employee regulations supportive of what you want to create? 3. What are your current technical capabilities? won t fall prey to a 4. Who should oversee your program? malicious insider, but you 5. Bring your own device (BYOD) do you allow it? can monitor the rumble strips within your perimeter and strive to identify suitability issues early while they are small. Think of the rumble strips as those found along How good is your user activity monitoring system? Can you merge your employee information gathered from due diligence as part of the hiring process with other data your advisory panel has authorized for use within your cybersecurity program? Is your insider threat program on a private network? most major highways. When you hit them and the noise begins, your full attention is turned to your primary mission Safe Driving. For example, if a user logs onto two computers and prints in two different locations miles apart, shouldn t you ask yourself, Is this user sharing their corporate login? Mitigate suitability and network issues when they are small. 2. Are your HR and employee regulations supportive of what you want to create? Review existing policies, guidelines, and employee handbooks, and engage legal on day one. Do you have consent and disclosure for what you are trying to create? What policies need to be updated, and what is the timeline for that? Engage leadership, HR, legal, security, the CISO, and the CIO to answer these questions as you establish a path forward for your Insider Threat Detection program.

5 Proactive Compliance for Insider Threat Protection What are your current technical capabilities? What technical and non-technical programs are in place that can support a proactive insider threat detection program? What information and capabilities do you currently have that can be leveraged and where are the gaps? What, where and how are your network defenses deployed? Are they reactive or proactive? Break down the stove pipes! For example, are there processes in place to revalidate privileged users accounts and their continued need for privileged access? Are your removable media devices locked down? Do you allow unencrypted files to exit your network including those stored on removable media? Where are passwords or other sensitive PII information being stored? Are you monitoring network activity? If you see terabytes of data going out of your network after hours, do you know where is it going and why? Are you leveraging all your existing network defenses? Has complacency set in? When you have completed a basic inventory exercise, you will discover gaps in technology/capabilities that may require investment. You will also discover you already have capabilities in place to support the early stages of both a reactive and proactive insider threat program. 4. Who should oversee your program? C Suite engagement and legal is critical; CISO, HR and CIO are a must. Establish a senior advisory board to oversee the program. This board will be responsible for deciding things like what type of data can/should be used, how long data should be retained, where should the copied data reside, how can this data be used to create proactive triggers, who knows what about the program, and how to inform the workforce of its existence. Most importantly, this group must decide how the data can be used and agree on anomaly detection triggers. User privacy and the privacy of the investigative threshold are critical. Build partnerships! If you could tell your CIO how many applications exist and the frequency for which they are being used on your organization s network, this will assist your CIO in network migration. This has cost savings potential because you can weed out applications no longer being used.

6 Proactive Compliance for Insider Threat Protection Bring your own device (BYOD) do you allow it? Is there an agreement in place to obtain the necessary user attribution activity on a timely basis? Policies about BYOD should be decided by your senior advisory board (see step 4) and become an integral part of employee education efforts around security. This should also include a review of company-provided devices and policies. Should you travel to questionable countries with devices loaded with company IP? How do you spell Corporate Espionage? 6. How good is your user activity monitoring system? How close to the user does it get you? How do you monitor internal encrypted connections? Should they be monitored? You need to know who did what, when and where, and the closer you can get to user endpoint activity the better. You can t go back and collect something that occurred in the past. Plan now and only collect information you need. 7. Can you merge your employee information gathered from due diligence as part of the hiring process with other data your advisory panel has authorized for use within your cybersecurity program? This is important as it provides a holistic view of your employees. Background information on an individual, collected during their hiring process, may weigh positively or negatively on certain user activities or anomalies, and granting privilege user accesses. How often should this due diligence be initiated? Ask your advisory panel (see step 4). Context will always be the key. Just because someone works after-hours or on weekends doesn t equate to nefarious activity. Does it mean that person is working on a deadline? 8. Is your insider threat program on a private network? It should be, and with restricted access. Administrators on your primary network should not have access to this private network. This isn t about a lack of trust, it s about knowing if a privileged user account is compromised or used in a nefarious way on your primary network. This same account cannot delete or modify computer activity records. Forensics and the ability to recreate activity is a must.

7 Proactive Compliance for Insider Threat Protection -7- Once you have documented the gaps and developed a timeline on how to mitigate these gaps, you will know the level of investment needed to get your organization to the next level, especially if this level is below your threshold of risk mitigation. Your next step will be to select the correct technology and tailor it to your specific needs. Remember that the goal is to balance acceptable risk against potential damage to your organization s reputation, loss of IP, and the loss of employee/stock holder confidence. Taking the time to consider these questions will help you expand on existing capabilities or establish a program based on the needs and culture of your organization, without threatening morale or potential litigation. It will also prevent you from buying unnecessary hardware, software, and capabilities you don t need. Building Your Insider Threat Detection Program (ITDP) It is important to remember that insider threat detection and information assurance (IA) are two different missions with some overlapping areas of data and tools. An insider threat is an individual who uses his/her authorized access to wittingly or unwittingly do harm. To meet this challenge, you need more than traditional IA tools. You need a holistic program that leverages audit data from office-issued computers to include user activity computer monitoring. This needs to be merged with internal (HR, security, training, etc.) and external records (gathered during your due-diligence pre-hiring process) to create an Insider Threat Detection Program (ITDP). Avoid creating a data retrieval system. Instead, your ITDP must be reactive and proactive. Reactive allows you to respond to authorized queries about activities within your organization. Proactive requires you to create anomaly detection trigger rules based on your senior panel s approval. For example, on the information highway you have rumble strips along your perimeter and if a user or activity hits the rumble strips, your ITDP will be alerted. The activity would be reviewed in context to determine if this is a false positive or an activity that warrants a closer inspection. If it s a false positive, review your anomaly triggers to proactively correct the issue. At no point should your ITDP engage in fishing or individual profiling. Fishing would involve identifying an individual and trying to find bad behavior based on curiosity versus on an authorized investigative requirement. Protecting a user s privacy is paramount and should include treating all individuals in the same way. Do not hide the existence of the ITDP and adhere to legal, Human Resource and employee consent, plus the employee handbook (code of conduct, etc.). You must protect the anomaly triggers not the existence of the ITDP.

8 Proactive Compliance for Insider Threat Protection -8- Users can also be evaluated, and anomaly triggers can be defined holistically. To reiterate, these three steps will help you create a robust program benefiting your employees and your organization: Three Steps to Create a Robust Insider Threat Program 1. Establish a central repository for all company provided computer/it audit records to be stored on a private network. 2. Obtain a copy of internal data based on guidance and approval from your oversight committee. 3. Integrate data used during the hiring process. First, establish a central repository for all company provided computer/it audit records to be stored on a private network. This will benefit both IA and ITDP missions. It is critical to make sure your endpoint monitoring gets as close to the user as possible to meet your user monitoring requirements as approved by your senior advisory panel. Second, obtain a copy of internal data based on guidance and approval from your oversight committee. You will need to have an identity resolution process in place to ensure data accuracy. Third, integrate data used during the hiring process. Due diligence should include thorough background checks and external research of potential employees (e.g. financial information such as bankruptcies, arrest records, education confirmation). Interviews should include questions that probe a candidate s moral compass, and this information should not just reside in HR files but be included as part of the ITDP. Your oversight committee should determine the frequency for which the due diligence process should be repeated. Obviously greater frequency will ensure any issues are addressed in a more timely process.

9 Proactive Compliance for Insider Threat Protection -9- These steps will help you to focus on maintaining good employees and ensure you only collect and retain information you are authorized to have Everyone makes mistakes based on your defined purpose. Everyone makes and if an employee mistakes and if an employee missteps and an missteps and an anomaly anomaly trigger sounds an alarm, a quick and trigger sounds an alarm, proactive examination of the incident with the a quick and proactive ITDP tools will tell you whether an action is malicious or not. Establish mandatory training examination of the and education courses for users so they incident with the ITDP understand what to do and what not to do with tools will tell you whether company hardware, data and personal devices. an action is malicious Train employees to be alert for phishing attacks or not. and educate them on how to be responsible in protecting company intellectual property. It is my belief that companies spend a lot of time and effort identifying and training employees and employees want to do a good job. Suitability issues happen, and if you mitigate them early, you can save a good employee who just made a mistake before her or she crosses a line of no return. Remember, the purpose of your ITDP is to retain good employees, protect your IP, and quickly mitigate nefarious employees. Citation of privileged user statistics 1 : 73% of privileged users believe they are empowered to access all the information they can view 1 65% say these same people access sensitive or confidential data out of curiosity 1 57% indicate background checks lacking within organization before issuance of privileged credentials 1 1

10 Proactive Compliance for Insider Threat Protection -10- Data Breaches 2 Nearly 200 million records or 93,000 records per hour were stolen between January and March of 2014, an increase of 233 percent over the same quarter last year, according to the recently released SafeNet Breach Level Index Protection: How To Confidently Mitigate Insider Risks Once you have an ITDP in place, you cannot guarantee all insider threats will be stopped, but you can confidently mitigate them and limit the period of time they have to inflict damage. Data leaks are on the rise and are the lead story more often than we care to see them, but with so many happening, are we becoming numb to them? If so, this could be disastrous. Organizations would be smart to remember the extent of the damage that can be done to a company s reputation, stock prices, and customer confidence. An Incident Response Plan that activates immediately when a data breach occurs is critical to handling and responding to the loss of sensitive data. It may still be possible to recover stolen records or even limit what is being stolen if you act swiftly. A published Incident Response Plan is paramount to ensure collaboration, teamwork, protection of individual privacies, and that the incident is handled in accordance with approved company guidelines. Discovery and escalation come first. An incident response team must move quickly to alert the C-Suite and authorities if the data breach involves the loss of personally identifiable information or company IP. Does notification include regulatory bodies? Lost business may be an immediate issue and the company needs to have a plan.

11 Proactive Compliance for Insider Threat Protection -11- New Federal Guidelines Heading Your Way New NISPOM standards are due to be released this fall. Don t wait until they show up to see what you need to do to be compliant, especially when you can start now and be ahead of the game. First, take inventory of where your organization stands in terms of the recommended standards. If new requirements demand increased standards and if they are linked to contract obligations, it is important to start leveraging what you currently have in place and build from there. Will this affect current or future contract obligations? Anticipate the areas you will need to build out and proactively engage your company s resources to include available government resources to help you build a program tailored to the needs and culture of your organization. And, don t stop there. The fact is, in the face of the current threat to national and industrial security, NISPOM standards may not be enough for your risk mitigation model. In my view, guidelines should be your starting point and based on leadership requirements to include your business strategy, you may require additional protection. Doing nothing is no longer an option. Act now. Disclaimer: The views and opinions in this paper are based on Mr. Knutsen s personal experience and do not express the views of any government agency or former employer.

12 Proactive Compliance for Insider Threat Protection -12- About the Author Larry Knutsen retired from the CIA in 2012 as a Senior Intelligence Service Officer after 30 years 10 years abroad. He was responsible for creating the vision, acquiring resources long before audit/insider threat was the topic of today. Mr. Knutsen led the Agency s sophisticated CI and Security Technical Insider Threat Detection Program, which became recognized as the gold standard for the Intelligence Community. He was requested by the White House to lead an interagency team of technical and policy experts in response to unauthorized disclosure from Wiki Leaks. As a result, recommendations related to the insider threat and protection of classified information were adopted and later resulted in providing the framework for an Executive Order that was published in October Mr. Knutsen recently started a small company called Strongbox Cyber Solutions with a partner. Strongbox Cyber Solutions provides consulting services that leverage his expertise in CI and Security to guide data analytics and developers to create tailored anomaly triggers and algorithms based on unique customer requirements. The company helps organizations establish an insider threat detection program based on their risk mitigation strategy. Government Awards Mr. Knutsen was awarded the National Intelligence Superior Service Medal from the Director of National Intelligence in 2013, Distinguished Career Intelligence Medal from the Central Intelligence Agency in 2012, the National Counterintelligence Award for Community Excellence from the Director of National Counterintelligence in 2010, and the National Intelligence Meritorious Unit Citation in recognition of outstanding achievements.

13 Proactive Compliance for Insider Threat Protection -13- Appendix: Policies in Place Now The Federal Government has put forth a number of important mandates over the past few years in an effort to bring security standards to a baseline level for both overall data assurance and insider threat. We are only as strong as the weakest link in the electronic cyber world. Executive Order (EO) Promoting Private Sector Cybersecurity Information Sharing - dated February 13, 2015 to address cyber threat to public health and safety, national security, and economic security of the United States, private companies, nonprofit organization, executive departments and agencies and other entities must be able to share information related to cyber security risks and incidents and collaborate to respond in as close to real time as possible. Executive Order (EO) National Industrial Security Program dated January 6, 1993 established a National Industrial Security Program to safeguard Federal Government classified information that is released to contractors, licensees, and grantees of the United States Government. Executive Order (EO) Structural Reports to Improve the Security of Classified Networks and the Responsible sharing and Safeguarding of Classified Information - dated October 7, outlined policy, general responsibilities ranging from designating a responsible individual, implementing an insider program, to self-scans. National Industrial Security Program Operating Manual DoD M, 28 February 2006 Incorporating change 1 dated 28 March It prescribes the requirements, restrictions, and other safeguards to prevent unauthorized disclosure of classified information. National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs dated November 21, outlined capabilities to gather, integrate and centrally analyze and respond to key threat-related information; monitor employee use of classified networks; provide the workforce with insider threat awareness training; and protect the civil liberties and privacy of personnel.

14 Proactive Compliance for Insider Threat Protection -14- Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management dated November 18, 2013 helps agencies improve cybersecurity performance by focusing on efforts on what data and information are entering and exiting their networks, who is on their systems and what components are on their information networks, as well as when their security status changes. Executive Order (EO) Improving Critical Infrastructure Cybersecurity dated February 12, 2013 Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. Presidential Policy Directive (PPD)-21 on Critical Infrastructure Security and Resilience - dated February 12, 2013 advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure. NIST SP Rev 4 Security and Privacy Controls for Federal Information Systems and Organizations dated April covers the steps in the Risk Management Frame work that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. This includes selecting an initial set of baseline security controls based on a FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and supplementing the security controls based on an organizational assessment of risk.