Insider Threat: Focus on Suspicious Behaviours
- Lorin Deborah Hunter
- 10 years ago
Michael Berk, President & CEO, Alton Corporation
Contents
- What is Insider Threat?
- Existing Approach
- Focus on Suspicious Behaviours
- Identifying Psycho-Physiological Indicators
- Selection and recruitment
- Access and movement monitoring
- Periodic performance evaluations
What is Insider Threat?

The risks posed by Insider Threat are on the rise, yet many organizations are ill prepared to cope. Considering that insider attacks are costly, averaging $412K per incident (1), adoption of deterrence measures and early detection tools is seen as the most viable approach. However, one of the biggest problems with existing countermeasures is insufficient information about possible malicious intent and about the tools that detect it.

Unlike external threats, where malicious intent is assumed, the situation with insiders is more nuanced. The most worrisome scenario includes authorized users (e.g. system administrators) abusing trusted privileges to do unauthorized things. Privileged insiders with authority to access all company data or make changes to the company network are also subject to fewer controls. They often have the ability to easily get around controls that restrict other, non-privileged users, and they sometimes abuse what should be temporary access privileges to perform tasks. It should also be noted that, while such employees present the highest concern, as many as two-thirds of those who access sensitive or confidential information that isn't necessary for their jobs are simply driven by curiosity. (2)

So, why is preventing Insider Threat such a problem? Unlike external hacking, which strong and layered defence systems can deter or prevent, Insider Threats pose a more serious challenge to organizations because of the difficulty of identifying would-be perpetrators before a crime is committed. To put it plainly, external attacks are expected; insider threats always seem to be a surprise.

(1) Insider Threat Kill Chain: Detecting Human Indicators of Compromise, Tripwire.com webinar
(2) Results from the 2014 Ponemon Institute's Insider Threat and Privileged User Survey,
Most employees executing insider attacks joined the organization with no malicious intent. Over time, however, an unexpected opportunity or growing resentment can lead to the perfect storm for an insider attack. The sheer number of contextual, socio-psychological and economic factors related to a business environment or personal circumstances which may influence a decision to engage in sabotage or fraudulent activities is quite substantial (see Fig 1, Source: A Bayesian Network Model for Predicting Insider Threat, E.T. Axelrad).

Figure 1 Bayesian network for Insider Threat factors

Which of these factors are more important? How do variations in each one of them affect the others? Given the complexity of influencing factors and differing circumstances in our respective lives, is it even possible to create a valid prevention matrix? How can corporate security distinguish false positives from real signs of an impending insider attack (especially given such diversity of personalities in the office)?

Existing Approach

Unfortunately, existing approaches to Insider Threat deterrence, detection and mitigation remain largely lacking. The main focus of corporate security to date, with respect to human behaviour, has been on monitoring and auditing network activities. Physical security layers are mostly aimed at preventing unauthorized access by external intruders, whereas the job of biometric devices limiting personnel access is simply to confirm an identity, not to detect possible malicious intent. Smart video analytics solutions focus on pattern recognition and can be easily circumvented with enough preparation. Periodic screening of personnel for Insider Threat potential occurs largely in places with higher security clearance only. While recognizing the threat, many organizations have difficulty adopting comprehensive measures aimed at proactive management of Insider Threat scenarios, since this requires a systemic approach across all departments.

In the last decade, a number of commercial tools, techniques, and procedures have been developed concentrating on the detection of malicious activity on a local network. Most of these technologies and processes were designed with hackers in mind (i.e. external penetration). The problem, of course, is that their utility is limited to identifying suspicious network activities when they occur, if not after the fact. While providing a certain deterrence capability (to all but the really determined ones) and being instrumental in post-event investigations, they are not effective at preventing crimes related to insider threat.

The problem is further exacerbated because inside attackers often have legitimate access to the network and, as a result, their activity may go unnoticed for a long time because it may be perceived as authorized day-to-day activity. If a privileged user identifies ways of hiding malicious activity by accessing information from various computers or asking colleagues to perform certain acts instead, the task of identifying them becomes even harder.

Another problem with many existing tools is that they monitor network activity without providing additional information to put events into context. The two biggest challenges companies face when addressing insider threats are not having enough contextual information provided by security tools (69%) and security tools that yield too many false positives (56%). (3) As a result, the many false positives demanding resolution scatter corporate security's focus, clog the system and increase the chances of real Insider Threats slipping through unnoticed.
Understanding these limitations, a more effective emerging approach to mitigating privileged user abuse includes:

1. The development of a comprehensive and layered counter-Insider Threat strategy;
2. Implementation of best practices, involving both process and technology; and most importantly
3. A better understanding of human behavior, including psychophysiological factors and socio-economic influences.

(3) Insider threat detection tools: Hard to find, Harder to fund,
Focus on Suspicious Behaviours (real, and virtual)

A comprehensive Insider Threat program should focus on deterrence, followed by detection of suspicious behaviours by employees and indicators of possible malicious intent. To be truly effective, the program must span the entire cycle of an individual's employment with an organization, starting at the selection and recruitment stages when a socio-psychological baseline can be established. All relevant departments, as stakeholders, should be involved in both establishing the framework and ensuring its coherent implementation.

The cornerstone of such a program is a layered monitoring system that incorporates both technical indicators (network, biometric data analysis, video analytics) and non-technical indicators (HR, legal, other support departments) derived from a clear understanding of possible adversarial modes of operation (AMOs) that relate to Insider Threat scenarios.

Once threat scenarios focusing on Insider Threat crimes and corresponding AMOs have been determined during an initial Threat & Risk Assessment, a comprehensive list of suspicious indicators must be developed. A matrix of indicators, prioritized and scaled by risk tolerance for analysis purposes, coupled with a centralized database that receives technology- or human-generated alerts, would allow dedicated corporate security personnel to focus on suspicious behaviours in real time. It is not enough to simply record transgressions; any monitoring and assessment tools should also provide context for the situation.

Furthermore, an early detection capability would be greatly enhanced by deploying video analytics tools that focus on identifying, in real time and especially in high-security areas (e.g. data centre, server room), psychophysiological states of employees that differ from a normal behavioural/emotional pattern for that location. Almost all insiders involved in acts of sabotage displayed behavioral indicators prior to committing their crimes.
Examples of such behavioral indicators include, but are not limited to:

1. Conflicts with co-workers or supervisors;
2. Improper use of organization information assets;
3. Rule violations and/or security violations;
4. Observable signs of stress or changes in typical patterns of behaviour.

Depending on the enterprise security levels and on legal, privacy or human rights concerns, a comprehensive focus on employees could extend beyond tracking their apparent work behaviours (work schedule, badge swipe, USB usage, phone, IP address, projects worked on, trails and pattern of activities) and include information related to a person's context (financial, travel, other reports) and psychophysiological profile.
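One way to structure the indicator matrix and central alert store described above, as an added example that is not part of the original paper. The weights, the 30-day window, the base threshold, the corroboration multiplier and the sample alerts are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator matrix: indicator -> priority weight. Indicator names follow the
# behaviours listed in the text; the weights are assumed, not from the paper.
INDICATOR_MATRIX = {
    "coworker_conflict": 2.0,    # conflicts with co-workers or supervisors
    "asset_misuse": 4.0,         # improper use of information assets
    "security_violation": 5.0,   # rule and/or security violations
    "behaviour_change": 2.0,     # observable stress or changed patterns
    "off_hours_badge": 1.0,      # work-behaviour tracking: badge swipe
    "usb_mass_copy": 3.0,        # work-behaviour tracking: USB usage
}


@dataclass(frozen=True)
class Alert:
    user: str          # pseudonymous employee id
    indicator: str     # key into INDICATOR_MATRIX
    source: str        # "technical" (network, badge, video) or "human" (HR, legal)
    when: datetime
    context: str       # free-text context kept with the alert for the analyst


def score_users(alerts, now, window_days=30, risk_tolerance=1.0,
                base_threshold=6.0):
    """Aggregate alerts per user and flag those above the scaled threshold.

    - Only alerts inside the look-back window count.
    - Each distinct indicator counts once, so one noisy sensor repeating the
      same alert cannot push a user over the threshold on its own.
    - Alerts corroborated by both technical and human sources are weighted
      up by 1.5 (assumed multiplier).
    - risk_tolerance scales the threshold: a higher tolerance flags fewer users.
    """
    cutoff = now - timedelta(days=window_days)
    per_user = defaultdict(list)
    for alert in alerts:
        if alert.indicator not in INDICATOR_MATRIX:
            raise ValueError(f"indicator not in matrix: {alert.indicator}")
        if cutoff <= alert.when <= now:
            per_user[alert.user].append(alert)

    threshold = base_threshold * risk_tolerance
    reports = {}
    for user, items in per_user.items():
        distinct = {a.indicator for a in items}
        sources = {a.source for a in items}
        score = sum(INDICATOR_MATRIX[name] for name in distinct)
        if len(sources) > 1:
            score *= 1.5
        ordered = sorted(items, key=lambda a: a.when)
        reports[user] = {
            "score": score,
            "sources": sorted(sources),
            "escalate": score >= threshold,
            # Context travels with the score so the analyst sees why.
            "context": [f"{a.when:%Y-%m-%d} {a.indicator}: {a.context}"
                        for a in ordered],
        }
    return reports


# Constructed sample data (not real events).
NOW = datetime(2024, 3, 31)
SAMPLE_ALERTS = [
    Alert("u1001", "off_hours_badge", "technical", datetime(2024, 3, 5),
          "server room entry 02:10"),
    Alert("u1001", "off_hours_badge", "technical", datetime(2024, 3, 6),
          "server room entry 01:55"),
    Alert("u1002", "usb_mass_copy", "technical", datetime(2024, 3, 20),
          "4 GB copied to removable media"),
    Alert("u1002", "coworker_conflict", "human", datetime(2024, 3, 22),
          "HR report: dispute with supervisor"),
    Alert("u1002", "security_violation", "technical", datetime(2024, 1, 2),
          "outside the 30-day window"),
    Alert("u1003", "asset_misuse", "technical", datetime(2024, 3, 10),
          "accessed files outside assigned projects"),
    Alert("u1003", "security_violation", "technical", datetime(2024, 3, 11),
          "disabled endpoint agent"),
]

if __name__ == "__main__":
    for user, report in sorted(score_users(SAMPLE_ALERTS, NOW).items()):
        print(user, report["score"], "ESCALATE" if report["escalate"] else "ok")
        for line in report["context"]:
            print("   ", line)
```
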
Once an indicator has been detected in real time, a company's HR, legal and/or security departments would analyze the information in context and have a number of follow-up choices, depending on the existing SOP:

A. A security officer could be dispatched to observe and/or interview a potential suspect (depending on the level of indicator severity).
B. Continue to monitor a potential suspect's performance online through their personal signature and/or in real time through CCTV cameras for additional indicators or until an established risk threshold is surpassed.
C. Inform relevant departments (e.g. HR) about the identified indicators for additional investigation or follow-up (e.g. a targeted urine test, polygraph examination, personal interview or another assessment).

As part of such an approach, relevant policies and procedures aimed at enhancing deterrence capabilities would be introduced, transforming an operational environment into one where becoming an inside attacker is very difficult. Elements of positive social engineering (for example, alerting people if they are about to access sensitive information or commit a transgression would give them a chance to make the right choice) and user training campaigns informing staff of existing detection capabilities might discourage employees from committing Insider Threat-related crimes.

Identifying Psycho-Physiological Indicators of Insider Threat

To manage Insider Threats in a proactive manner, before incidents occur, a corporation would do well to adopt technologies and procedures aimed at identifying suspicious indicators associated with abnormal behaviours occurring in real time. One such technology is VImage PRO, offered by Alton Corporation, a Canadian firm specializing in behaviour analysis and detection. The software uses existing or recorded videos to analyze and identify human micro-vibrations associated with elevated levels of stress, anxiety/tension, aggression, fear and more.
Changes in microvibration parameters registered between two consecutive frames are analyzed over a period of time (0.5-2 seconds or more) to single out individuals who exhibit psychophysiological indicators of a higher than normal emotional status. In operational deployment at various international airports, public areas, sport events and high-risk facilities since 2006, VImage PRO demonstrates a consistently high degree of detection accuracy (4-9% false positives, depending on set-up and configuration, and 10-6 false negatives) and has been adopted by a number of national police forces, corporations and security agencies as a tool of human performance evaluation.
The following sections demonstrate how VImage PRO software could be deployed at various stages of an individual's employment cycle as an early detection tool of would-be Insider Threat perpetrators:

Selection and recruitment

The first layer in the proactive management of possible future threats begins at the selection and recruitment stages. By utilizing VImage PRO software as part of a behaviour-based interview to analyze a candidate's psychophysiological state in response to questions related to past performances and current expectations, HR and security professionals can detect areas of possible concern in real time. An Insider Threat-focused questionnaire is available to specifically focus on the potential for this kind of AMO.

Figure 2 VImage profile: aura, micro-vibrations histogram and data on psychophysiological profile of a potential employee. In this example, the person's aura and histogram showing wide vibration frequencies distribution indicate a high degree of emotional and cognitive stress.

If a candidate's reactions to questions change in relation to their own baseline established at the beginning of an interview, a suspicious indicator of potential malintent is identified. Additional questions focusing on this subject would be posed with the aim of refuting aroused suspicions before the interview can proceed further. If the selection panel does not obtain satisfying answers, which could be corroborated by information from a CV, references or security background checks if necessary, the selection process moves on to the next candidate.

Throughout the interview, video footage with VImage aura analysis and numerical data reflecting real-time changes of 10 critical psychophysiological parameters can be recorded for future review, training, legal and/or quality control purposes. Using technological tools, such as VImage PRO, eliminates human bias from the selection process, allows the acceleration of interviews by focusing on critical issues first and adds a considerable degree of accuracy in determining the likelihood of a candidate to perform well on the job.

Access and movement monitoring

To address one of the biggest concerns associated with the Insider Threat phenomenon (a privileged user gone rogue), an enterprise can opt for enhancing its CCTV operation with VImage PRO software to detect individuals exhibiting signs of elevated stress, aggression or tension above and beyond a normal baseline in the office (e.g. Data Centres).

Figure 3 Networked VImage operation showing people in various frames (red box) whose emotional level exceeded a threshold. Alarm sounds and the incident is recorded.

Figure 4 Access control: normal (green box) vs. abnormal (red box in the left bottom corner: a still image is captured for operator's follow-up) stress levels

After a baseline threshold for a higher-risk location at an organization is established, any employee appearing on a CCTV monitor with elevated levels of stress would be automatically detected, requiring a Security Operations Centre operator to initiate a follow-up procedure. Given that IP camera settings can be controlled remotely, different rooms in a building can have their own threshold levels corresponding to expected psycho-physiological levels.

Periodic performance evaluations

Monitoring for Insider Threats must be part of an enterprise's continuous deterrence and mitigation strategy.
If introduced as part of a periodic performance evaluation process, and conducted in line with existing legal and privacy policies, a short interview focusing on unauthorised sharing of sensitive information or suspected fraudulent activities would provide a clear indication of someone's involvement in these activities without the need for a full-blown investigation. Such non-intrusive interviews could be conducted in under 10 minutes on a planned or random basis to increase the deterrence value. In addition, each opportunity may provide the company's HR personnel with information related to an overall performance evaluation if additional sets of questions are added.

Figure 5 VImage examination focused on Insider Threat detection. In this example, the

With new technologies and the need to focus on human intent as manifested through behaviours, Insider Threat can be mitigated at an organisational level. With the stakes so high, the only question is, what are you waiting for?

For additional information regarding the VImage PRO technology, its applications and the science behind it, please contact Alton Corporation.
California State University, Chico. Information Security Incident Management Plan
Information Security Incident Management Plan Version 0.8 January 5, 2009 Table of Contents Introduction... 3 Scope... 3 Objectives... 3 Incident Management Procedures... 4 Roles and Responsibilities...
Penetration Testing Service. By Comsec Information Security Consulting
Penetration Testing Service By Consulting February, 2007 Background The number of hacking and intrusion incidents is increasing year by year as technology rolls out. Equally, there is no hiding place your
Fighting Advanced Threats
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER
Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were
Fraud Prevention and Deterrence
Fraud Prevention and Deterrence Fraud Risk Assessment 2016 Association of Certified Fraud Examiners, Inc. What Is Fraud Risk? The vulnerability that an organization faces from individuals capable of combining
The Human Component of Cyber Security
www.thalescyberassurance.com In this white paper Humans, their preference to minimise their own inconvenience, their predictability, apathy and general naivety about the potential impacts of their actions,
PENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
In-House Vs. Hosted Email Security. 10 Reasons Why Your Email is More Secure in a Hosted Environment
In-House Vs. Hosted Email Security 10 Reasons Why Your Email is More Secure in a Hosted Environment Introduction Software as a Service (SaaS) has quickly become the standard delivery model for critical
Supplement to Authentication in an Internet Banking Environment
Federal Financial Institutions Examination Council 3501 Fairfax Drive Room B7081a Arlington, VA 22226-3550 (703) 516-5588 FAX (703) 562-6446 http://www.ffiec.gov Purpose Supplement to Authentication in
Software that provides secure access to technology, everywhere.
Software that provides secure access to technology, everywhere. Joseph Patrick Schorr @JoeSchorr October, 2015 2015 BOMGAR CORPORATION ALL RIGHTS RESERVED WORLDWIDE 1 Agenda What are we dealing with? How
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE
AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,
The Influence of Software Vulnerabilities on Business Risks 1
The Influence of Software Vulnerabilities on Business Risks 1 Four sources of risk relevant for evaluating the influence of software vulnerabilities on business risks Authors Hilbrand Kramer, MSc (Royal
Remote Monitoring offers a comprehensive range of services, which are continually
Remote Monitoring Since the early 1990 s commercial remote monitoring has provided security solutions across a broad spectrum of industries. As the threat of crime and the cost of manned guarding have
