
Alright, ladies and gentlemen, we are going to begin the final presentation of the day, so come on in. Bill Lisi is a senior principal consultant with Forsyth, and he's going to talk about The Enemy Within: Building an Effective Insider Threat Program. Take it, Bill. If we could have your attention please, so Bill can speak.

I'm not sure if this is the worst time of the day to speak or the best time of the day to speak. You all want to get your prizes and go home, go to a happy hour, so I'm going to move quickly through this, but I'm going to get very detailed in certain portions.

My background is I'm a purple squirrel. I'm going to channel a number of the presentations that you got throughout the day, and that's one of the challenges I've had throughout my career, the fact that I've been a purple squirrel. So when we start talking about insider threat, we need to start talking about information security as a whole. The one thing that Manning and Snowden and the others have taught us is that we've got gaps in our information security programs, and those gaps need to be addressed. Most of the time when I talk to security people, they refer to themselves as IT security or technology security. Very few people talk about information security and what's the value to the organization.

We started this morning with Omar saying, in this discussion, that the business doesn't care about security. Well, that's not true. The problem is how we're interacting with the business is a fail. I have talked to so many security engineers who say, well, the CEO needs to learn our language. It doesn't work that way. We have to learn the language of business and help the business understand. There is not a dialogue with security; it's a monologue, and it's security projecting at the executives in the organization, telling them the world is going to end if they don't do this.

Another discussion was on risk management, and that's really what this gets down to: what's the acceptable risk? We as security professionals are not responsible for accepting that risk. We're responsible for identifying, measuring and monitoring risk and reporting it to those executives in the enterprise who are. Okay, information security is about information, irrespective of whether it resides in the information system or in somebody's drawer in a notebook, wherever it may be, on a whiteboard in the office. So we need to get out of this discussion. Some of the things that I've heard about, the CISSP CBK, right? I'm telling you, plan A has failed. How many people believe that you've either been breached or you're going to be breached? Okay, that's a fatalist view. It's a fatalist view because it means we serve no purpose whatsoever and every one of us should start looking for another job, because there's nothing we can do about it. And we can do something about it, but it's having rational discussions, and it's understanding that information security is about engaging the team within the enterprise. It's about the relationships that we develop; it's about how we come together in order to protect the assets of the organization in order to execute the mission we've been assigned.

When I talk about information security, I really talk about, philosophically, people, process, technology, in that order. People are our greatest asset, and HR will spout that all the time, the CEO will spout it, everyone will spout it except security, because security seems to think that all the users are the bad people and we have to keep the users from doing dumb things. The other thing that I heard that's very disturbing is we talk about the business like it's something else. It's not something else. We are the business. We are a component of the business. We're part of the business process. That's where we have to shift from the monologue to the dialogue, and we can't feel like if the organization doesn't do what we recommend as a best practice that we're done.

So what I'm going to talk about is a little bit different dimension that doesn't get a lot of attention within the realm of information security, and that's the human aspects: all of those employees, the on-prem contractors, all those people that execute the work that the business does, that we all do collectively, and how we help the business to be successful in achieving its ultimate goals. Every time I talk to security people, they tell me about their firewalls and they tell me about their IDS and IPS and they tell me about all the great toys that they've bought, but not how they've actually moved the organization forward in ensuring that they're protecting their intellectual capital. We talk about classification policies, but really it's more like shelfware and an exercise in futility, just to be able to have auditor candy so that we can get past the audit, as opposed to building that as the foundation. So one of the things I would challenge all of you: take some of the lessons from the information you get throughout the day, synergize that and bring it to your organization to make the organization better, and change that discussion from a monologue to a dialogue.

So why do we care about insider threat? 59% of people who are terminated, either voluntarily or involuntarily, will take information with them. How many people know someone, or maybe themselves (don't raise your hand), who have hoarded work product that you've created somewhere so that you can take it with you to your next job, or for the possibility that you're going to be terminated? I know of a company where they were transitioning to an ITES BPO; they were offshoring all of the IT staff, and one of the administrators emailed out to their Gmail account all the usernames and passwords and all of the system accounts for the mainframe. When this person was asked why did you do that: well, just in case you come back later and say I need to understand, I need to be able to have a conversation about that. Pretty lame excuse. He lost his severance and a whole bunch of things. 25% of employees will email information out of your domain to their personal email account, most commonly Gmail; just think if it went to Yahoo, it's gone. 51% of those people who've been involved in insider threat activities are repeat offenders or known to consistently not comply with organizational policies. Think about that: you write these policies, you tell people what they're not supposed to do, and you've got somebody that's consistently bypassing security, cutting corners, doing things, and the potential risk that they create for the organization. 90% of IT staff say that they would take information with them if they were leaving the job. 90%. So what does that mean from an organizational perspective? Clearly you could say 78%, the Stanford study said it was, I think, and there are some more recent studies that say upwards of 90 percent, but fundamentally we all understand that the insider threat is real, and it's not just about individuals who are recruited by a foreign intelligence service or by another company to commit corporate espionage. Those are actually smaller numbers, although they do happen. The most common, if you pay attention to some of the breach reports, Ponemon, the Verizon DBIR, SpiderLabs, consistently one of the most significant challenges is errors and negligence: people clicking on phishing links, accidentally setting open configurations, problems with access and authorization, over-permissioning people, exposed systems. So we also have to talk about phishing from the standpoint of those employees who are exploited, and those who are subject to elicitation. It's really funny: most of your employees will talk out in public. How do you have conversations with them about where you should have those conversations and where you shouldn't? If there's a common place where everyone goes, and somebody's interested in that information, they'll go to that location and listen to what people are saying. It was really funny this morning: I was in the restaurant and the CISO panel was meeting, and they were talking about what they were going to say and how they were going to go about this. So you get some insights. One of the things that they said that I thought was interesting was how did you get into information security. Very few people come into information security outside of technology. We need to break the mindset that information security is just all about technology. By the way, the way I got into information security was I was running leads in Germany on the Hannover hackers, so really it was a seminal moment: hey, this is the way the world is going to go, so I moved in that direction.

I'd like to give some credit to the Software Engineering Institute. While the government has been doing insider threat programs and counterintelligence for four decades, it really wasn't brought out to the commercial sector and put in an organized format until the Software Engineering Institute started putting together things like the insider threat program. So it's a resource you have in your own backyard; I highly recommend you take advantage of that as much as possible. But the goals of an insider threat program, an ITP, are to prevent, then to detect if you can't prevent, and then the ability to respond. Those are different than traditional areas because they involve a lot of laws, especially with monitoring employee user behavior, conducting surveillance on employees, some other areas that really become challenges. What it really comes down to is creating a collection of indicators, both behavioral indicators, non-technical indicators, and system indicators. When we talk about technical indicators, we're talking about things like: I've got an employee who, I can see in the SharePoint logs, is constantly, only seconds apart, accessing files in an entire site. They're not opening those up; they're downloading them. So there's a good technical indicator there. Some of the human behavioral indicators we'll talk about are things like, and some of them you will perceive as positive, working late at night, working extra hours, being a loner. We'll talk about those.

When we talk about building an ITP, we're really talking about a number of focus areas or themes. More and more, I would say the one thing that everybody in security needs to do is to gain situational awareness. We're spending way too much time firefighting, and we're spending too much time buying the latest and greatest and integrating the latest and greatest tools without understanding exactly what the business problem is, or how we are laid out, what people are doing. Why do most people bypass IT and do shadow IT? It's because they're not serving the constituency that they're responsible for serving, and so they're forced into "I've got to find my own solution." No kidding: I've seen organizations where individuals purchase data center space or an AWS account and set up their own servers because they don't want to be bothered with IT. It's a common problem. How do you help that? That becomes a combination of policies as well as making sure that you understand who the people are, what their needs are, and how you build security controls that enable the business. Most security exists to be block-and-tackle. We used to be those people in the basement; they throw peanuts at us every once in a while, ask a question, and we come out and go "no" and then go back in. So we can't be the Department of No anymore. We have to be the department of "hey, how do we do this together?" because this is integral to the business.

Governance: the governance of this is not just security people doing security things amongst themselves. This has got to involve, it's a team sport, security is a team sport, it has to include HR, other people who are interested parties and important stakeholders within the enterprise, defining specific roles and responsibilities. What's HR's role versus security's role from an incident response perspective? Legal's role? Very similar to some of those other areas. If you've got a comprehensive information security management system, this needs to be integrated into that. These lessons aren't just for insider threats. Exactly what is your insider threat program? We'll go through what areas will populate that. But anybody in here a defense contractor? Okay, if you're a defense contractor dealing with classified information, then the NISPOM and the FAR and DFARS make it absolutely clear you're obligated to do an insider threat program. But you shouldn't just do it because you're obligated to do it; you should do it because it's the right thing to do. If your company is investing large amounts of money in research and development and that R&D is going out the door and the company is losing its competitive advantage, that's why you should be doing it. It should be the business value, and that needs to be communicated, and that needs to be a part of your goals.

The other thing is monitoring and reporting: exactly how are you going to monitor and how are you going to report, what's that structure going to look like, and then how does this integrate with your incident response plans? Because this is a little different: this involves people. We often talk about incident response from the external attacker who is nebulous, they're invisible. This is somebody who sits in the office. There needs to be some plan for how do you distinguish between are they doing something that's malicious, are they just negligent, what does that actually mean, and most of that won't make it out to law enforcement unless you find that it does involve corporate espionage or those types of malicious activity.

And then specifically training. We talk about training, and I know Bruce Schneier had his tirade about training is useless. Training mostly is useless from a security perspective because it's not tailored to the organization; it's not meaningful. How many people here are training specialists? Then why in the name of God are we trying to become the experts on doing security training? There are people that do this; they do curriculum development. There are marketing people who can help you to make the message a little bit more palatable to everyone, reinforce what's going on. Almost every time I see within small and mid-sized enterprises, the approach to training is more like canned stuff, and it's so dry that they either avoid it or they forget it the minute they're walking out, because they're probably looking at text messaging. So how do you make it engaging? From an insider threat program it means also training supervisors on what are those behaviors that are going to be indicative of somebody that's potentially going to pose an insider threat.

I had talked about the governance, so who's involved in an insider threat program? You can see here it's a full range, from legal: you may have different flavors of attorneys within your own organization if you're a large enterprise, you may contract out, but you're definitely going to have to talk to your HR attorneys, because some of these are going to be some real solid decisions about what you need to do, and whether that same person is your privacy attorney, especially if you're a multinational organization and you've got employees who are in different countries. What is legal, what's not legal, what are your options from the standpoint of your ability to surveil, your ability to monitor the activities of those users? It includes IT from the standpoint of how do we ensure that those controls are implemented. So there's a number of players in this space, and again, I can't stress enough the fact that security is a team sport and this is an enterprise issue, not a security issue.

So what are the key components? I talked about situational awareness. Asset management is probably the most critical piece to this because it sets the stage for everything else. How many people here have a good solid CMDB and they know where all their technology assets are and they've got a service catalog and all of those very important ITIL kinds of things? I don't see any hands; I see one hand up. Okay. Now from a security perspective, that is not a complete inventory. A complete inventory includes your intellectual capital, who are your high-risk people. Is it finance? Yeah, absolutely finance, because if they click on a phishing link, the good possibility is that you could have a financial loss. HR: they click on a phishing link, guess what happens? All your employees' personal data is potentially exposed. Now I'm not saying all research and development is critical to the organization, but the organization knows where its most critical R&D is being done, and those things need to be protected more than the average kinds of things. When you really get down to it, Wild Bill Donovan, who started the CIA, had an expression that he used, which was: if I protect my pencils like they're diamonds, I'm going to lose less pencils, but I'm going to lose a hell of a lot of diamonds. What it means is focusing your resources on what's really important within the enterprise, not applying ubiquitous security controls across the organization that people will find a way to bypass. Anybody that's been around for a while and ever read Tom Peters' books from the '70s, In Search of Excellence? He had one thing that he said that made the most amount of sense to me: make the minimum amount of policies necessary that are absolutely important to the organization, because if you make a whole bunch of them, people will spend most of their time trying to figure out how to get around them. So focus. We're all over the place from an information security perspective, from a standpoint of technology. How do we take this together?

The other aspect is, again from a data classification standpoint, what's really important, what are you protecting and why are you protecting it? That will help you to communicate and change from monologue to dialogue. "Well, we've got to do this." "Well, why do we have to do this?" "Because it's a best practice." I told guys who worked for me, you're not allowed to use the term best practice. They scoffed at me. They said, well, how are we supposed to explain it? I said explain it in a way that anybody can understand it. Einstein said if you can't explain it so that a six-year-old understands it, then you don't understand it yourself. We need to learn to speak the language of business and help them to understand why this is important to the business, not because security is doing its thing. That is not useful, and that's why most executives don't want to listen.

The next piece is establishing what those acceptable behaviors are. How many in the room have information security policies written, documented, coordinated? How many of those do you know are being enforced and people have read them and understand them? Yeah, that number's a lot less. So policies become shelfware. How do you make them real? How do you help people to understand what is acceptable behavior, but also how to reinforce those acceptable behaviors? The other one is, let's talk about how do you mitigate those risky behaviors. So things like, I'll show you, looking at exposure surfaces: how many people have scanners that can do scan-to-email? Do you block it? Is that acceptable? Do you have any way to measure what's going on? I have heard more times than I can count everybody talk about, "well, we have a directive control because our policy says we can't do it." But you have no enforcement? "No, we just tell everybody that they can't do that." Well, it ain't working. So where do you need to do that? Where are you going to measure and monitor? For anybody who works in manufacturing, whether you're Lean or Six Sigma, quality requires that you do measuring and monitoring to determine whether or not your process is in control. Why is it security is the only one where this is "well, we write a policy and then we kind of hope"? We pray a lot.

And then there's the next piece, which is detecting that unacceptable behavior. How do you figure out, how do you weed down to it, unless you've got a big data environment where you can collect all that data and build a reliable model that helps you to identify what that acceptable behavior is and isn't? But there's time. If you're measuring, collecting everything, how many people have extra cycles? Yeah, you don't. So just because you're collecting it doesn't mean anybody is looking at it. I constantly have this conversation about the difference between auditing and logging. We log everything; does anybody actually look at it? No, we wait till we're breached and then we'll go figure out if it means something. But there's no discussion about, hey, why are you collecting this, how does this help the organization?

And then finally, worst case scenario, investigating. Now investigating may not mean a prosecutable resolution or anything like that, but it may be helping people: how do you take some of those incidents, integrate them into the organization, and turn that into your training, and go "we've had these types of incidents happen"? It's really funny: I was working in an organization and I was talking to lawyers and HR, and they said, well, why are we putting all these behaviors in here? I said because they're things that can present risk. And then they said, but this doesn't happen here. Within the next year, 100% of the things that I had put in there had happened: everything from a kid having access to mom's computer, and then we got a letter from Activision saying that we were downloading pirated software to our corporate systems, to taking down the network for one country because somebody was streaming pictures of their kid, and then the worst one, though, was (I live in Ohio) when the Buckeyes play, the entire network just about comes down from streaming. It's insanity. So it's got to be real.

So what's the primary motivation? Let me summarize this real easy. The Soviet Union made absolutely clear, with the many spies who came out of there, that there were four things that motivated people: MICE, money, ideology, coercion and ego. Guess what, we see that all the time with people. "I'm underappreciated, I'm special, I'm that little snowflake, I don't feel the love," and then those people are the potential ones that are going to seek approval somewhere else. Money is always going to be that one. When we talk about financial problems, what are the sources of those? Overwhelmingly it's accidental. So I've got an employee who's under a tremendous amount of stress; what can go wrong there? Well, guess what, suppose the entire organization knows there are massive layoffs coming. What happens to people's focus? They're gone; they're somewhere else. Anybody been in an acquired company? Yeah, those of us who have been in acquired companies are sitting there going, I don't understand what tomorrow brings, do I still have a job, what's going on, am I focused on what I'm doing? Oh heck no, my mind is somewhere else. What's the probability at that moment, during that period, that errors are going to start to mount? Very high. But how many times do you have that conversation with HR: do we know somebody's potentially a powder keg? We had a conversation at a particular company: somebody was going in and pooping in the sinks in the bathrooms. Now you think, boy, that's really stupid and childish, but then we started to piece together that the number of physical altercations and the number of employees that were documented were going up. What does that do to the risk profile for the organization? It goes up. So we need to be keeping track of what's going on.

The one thing I will warn about the characteristics of an insider is that this looks like most IT people, but it needs to be taken in a totality of circumstances. We really shouldn't be jumping to conclusions, but these are certainly things that will help us to focus and help to communicate to managers, supervisors, frontline supervisors: hey, what kinds of behaviors do you think are risky, who's most likely going to do those things? It gives you some idea what's going on.

Insider threat exposures: this is really the meat of what you need to do. When you start thinking about this, what are those exposure surfaces? I recently had a conversation with a couple of CISOs, and we had a conversation around just doing security things to do security things. I'm doing everything in NIST 800-53 or ISO 27001 to some degree, but am I really addressing the right exposure surfaces? I had talked about focus; we need laser focus: where are we exposed? When we do vulnerability management, pure vulnerability management, we can't fix everything. How do we do that analysis to decide what's important? And then modeling. This is a really important point. Now once I know the exposure surfaces and I understand some of those threats, accidental data leakage, opportunistic data theft, corporate espionage, where am I exposed, and then what are those indicators? At the beginning we talked about technical and non-technical indicators, but building those models really helps us to focus those resources.

Environmental countermeasures: we keep hearing about organizational culture, and organizational culture sucks, and things like that. So I tie this back to policy from the standpoint of, how many people here are familiar with the broken window theory? Okay, so the broken window theory says if I've got a vacant warehouse and I throw a rock through the window and I don't do anything about it, by the end of the week the entire building is going to have its windows busted out. But if I move aggressively to do policy enforcement early on, I won't have those other problems that result in bigger issues.

This is a list of some different technologies. The only thing I'm really going to focus on is going to be user behavior analytics, UBA, kind of expensive, and it requires taking those models and being able to see what kind of behavior is going through. And the other one is employee monitoring systems, which are extremely invasive, and the balance between privacy and security is really kind of a challenge. There's a high-level action plan that the national community has put out to be able to create a baseline initial operational capability for an insider threat program. I really recommend going out there and looking at it. But really it's how do I start with this, how do I do it, how do I integrate it with my overall security program?

If I can leave you with one thing, it's really that security has to address people, process and technology, not just what's going on in the IT systems, and not just the bad guys that are lurking out there. They are, but the vast majority of breaches really result because of internal negligence and mistakes, errors and things within our sphere of control. So thank you.

[Applause]
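The one concrete technical indicator in the talk is the SharePoint log pattern: a single account pulling down files from a whole site library only seconds apart, downloading rather than opening. The following is an added example, not part of the talk or its slides, showing how a detection engineer would turn that indicator into a rule: a per-user sliding-window count of distinct downloaded files, run over constructed SharePoint-style audit records. The record layout (timestamp, user, operation, path), the operation names FileAccessed and FileDownloaded, the account names, the 60-second window and the threshold of 10 files are all assumptions chosen for illustration, not values from the talk or from any product.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed record shape: ISO-8601 UTC timestamp, user, operation, path.
# Operation names resemble SharePoint audit events but are an assumption here.
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> List[str]:
    """Constructed sample audit lines for the example (not real data)."""
    base = datetime(2019, 3, 4, 22, 1, 0)
    lines = []
    # "mallory" pulls 12 distinct files from one library, 2 s apart, late at night
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f"{ts},mallory@corp.example,FileDownloaded,"
                     f"/sites/rnd/Shared Documents/design-{i:03d}.pdf")
    # "alice" works normally: opens three files over two hours and downloads one
    for i, minutes in enumerate((0, 17, 45, 130)):
        ts = (base - timedelta(hours=6) + timedelta(minutes=minutes)).strftime(TS_FMT)
        op = "FileDownloaded" if i == 3 else "FileAccessed"
        lines.append(f"{ts},alice@corp.example,{op},"
                     f"/sites/rnd/Shared Documents/notes-{i}.docx")
    return lines


def parse_line(line: str):
    """Split one record into (timestamp, user, operation, path)."""
    ts, user, op, path = line.rstrip("\n").split(",", 3)
    return datetime.strptime(ts, TS_FMT), user, op, path


def find_bulk_downloads(lines: List[str], window_seconds: int = 60,
                        threshold: int = 10) -> List[Dict]:
    """Flag users who download >= threshold distinct files inside any
    window_seconds-long window. Views (FileAccessed) are ignored on purpose:
    the indicator is bulk *download*, not someone reading a lot of documents."""
    per_user = defaultdict(list)
    for line in lines:
        ts, user, op, path = parse_line(line)
        if op == "FileDownloaded":
            per_user[user].append((ts, path))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for user, events in per_user.items():
        events.sort()  # the sliding window needs the events in time order
        best = None
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= threshold and (best is None or len(distinct) > best["count"]):
                best = {
                    "user": user,
                    "count": len(distinct),
                    "first": events[start][0],
                    "last": events[end][0],
                    "span_seconds": int((events[end][0] - events[start][0]).total_seconds()),
                }
        if best is not None:
            alerts.append(best)  # one alert per user, carrying the densest window seen
    return alerts


if __name__ == "__main__":
    for a in find_bulk_downloads(build_sample_log()):
        print(f"{a['user']}: {a['count']} distinct downloads in {a['span_seconds']}s "
              f"({a['first']:%H:%M:%S} .. {a['last']:%H:%M:%S})")
```

On the constructed log this flags only mallory (12 distinct files in 22 seconds) and leaves alice alone. The fixed threshold is the crude version of the rule; a UBA product of the kind the talk mentions replaces the constant with a per-user baseline, which is what lets the same rule catch a quiet analyst pulling 30 files in an hour while not paging on a build engineer who does that every day.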