Running a Low Overhead Insider Risk Management Program

A primer on Automation, Force Multipliers, and the Visibility Balancing Act

When security teams look at taking on Insider Risk functions alongside existing responsibilities, it’s easy to be overwhelmed. Perhaps an organization has the sketch of an Insider Risk Management (IRM) program in place, but it’s cumbersome and staffing resources are spread thin across other security functions. Or perhaps IRM is on the roadmap, but the resources to get the program off the ground are limited or unavailable. If any of this sounds familiar, here are some suggestions on how focusing on automation, force multipliers, and engaging with the visibility balancing act will help your organization get the greatest bang for your buck when it comes to Insider Risk Management.

When considering an IRM program, among the factors to consider first is the program’s mandate — essentially answering the question “What does success look like for the program?” This will drive the focus. IRM shares traits of other risk management programs — initial results are fairly easy to obtain, but more and more effort is required the further up the maturity scale you go. Let’s focus on some fast followers which can improve a program without a massive effort.

Automation — Automation is the overworked security professional’s best friend. As an example, in Code42’s Incydr tool, automating repeated actions (such as adding departing employees to monitoring, or removing off-boarded contractors) helps ensure actions are taken in a timely manner, regardless of human input. Additionally, consider automating error-prone tasks (such as copying and pasting details, or closing out sub-tickets); this will free up cycles better used for bigger-picture tasks. This may sound obvious, but fitting IRM tasks into existing workflows can be immensely useful.

  • Does Human Resources have an existing employee off-boarding process? Get plugged into that so that you can be alerted when an employee puts in their notice.
  • Does internal IT check out devices to users for short periods? Get access to their system of record to understand who has which devices and when.

Finally, building IRM processes to align with your natural workflows can help ease the overhead of adding additional tasks to your to-do list. Consider delivering information to your preferred platform.

  • Really like working in Slack or Teams? Pipe critical alerts into that app to get them the attention they need in a timely manner.
  • Already have email and calendar pushed to your phone? Create reminders to complete infrequent tasks ahead of time to ensure you stay on top of things.

Force Multipliers — When discussing force multipliers, the adage “work smarter, not harder” comes to mind. In this context, force multipliers are those factors which allow an analyst to accomplish outsized results through preparation and modest effort. These items will look different in every organization and industry, but here are a few that have come in handy for my team.

  • Foster partnerships with Legal, HR, Compliance, and Internal IT. The “who” here is paramount, as the person chosen should be an IRM champion in that area. This will make getting a second opinion quick and easy, and will give those groups a defined channel to escalate questions or concerns back to security. Along the same lines, where possible, lay out processes for approvals and escalations ahead of time; having predefined paths for escalations will save time in an emergency and will ensure proper protocol is followed. To the extent possible, seek opportunities for shared wins or efficiencies; this will ensure a mutually beneficial relationship.
  • Create communications templates for common situations. This will prevent wasted time as you type out the same message to a user for the umpteenth time. Additionally, laying out repeatable workflows prevents wasted time due to indecision. This is easier said than done, but once workflows are established, try to stick to them. This will ensure the IRM processes are applied in the most objective and ethical way, and will free the analyst from the need to handle every instance as a special case.
  • Finally, enlisting others to be advocates for security on your behalf increases the likelihood your program will succeed. Seeing a problematic trend of new employees syncing data to non-sanctioned cloud platforms? Consider reaching out to those doing new employee on-boarding and training to ensure that acceptable use policies are being communicated clearly and with enough emphasis. Seeing an uptick in data flowing to third party applications? Contact the Helpdesk to ensure they are advising users to utilize approved applications to accomplish their work.

Visibility Balancing Act — The interplay of thresholds and work volume in IRM is perhaps the trickiest part. Given the portability of modern data, how does a security team ensure they have enough visibility into data movement within their environment to ensure they can stop harmful exfiltration without being overwhelmed by having to inspect every file event? Unfortunately I do not have a magical formula to share, but I do have some tips about how my team has tackled the problem.

  • Work with your stakeholders (mentioned above) to understand which data is critical to the organization and prioritize that data first. Where possible, also work to influence policy and behavior to ensure data critical to the organization is stored in an appropriate and verifiable way. Similarly, understand other priorities; these are typically driven by the IRM program mandate and organizational values. For instance, prioritizing time-sensitive risks will help ensure focus is placed correctly (for example, when reviewing alerts, those generated by departing employees should be reviewed first).
  • To the best of your ability, learn to recognize and eliminate routine data. This effort will require constant vigilance. Processes change, responsibilities change hands, people turn over, and all the while data continues to flow. With time you’ll develop what we like to think of as “Analyst UEBA (User and Entity Behavior Analytics)” — you’ll get a “feel” for what is routine, and this will help you zero in on what isn’t. One shortcut here is to consider building your IRM team from existing company employees if that option exists — these company veterans may already have strong institutional knowledge and a well-developed “radar” for what risk looks like. If possible, consider suppressing data flowing to sanctioned destinations, or as part of day-to-day operations, from your preferred pane of glass — an ounce of noise reduction is worth a pound of visibility.
  • Finally, in addition to understanding where data is stored, you must also gain an understanding of where data is going. This information can help prioritize where effort should be spent to curtail problematic data movement. Part of this is an investment in data handling hygiene — setting your IRM team up for success and lean operations by clearing away data clutter. This applies to the entire IRM program — upfront investments in process, policy, governance, workflows, and automations will pay off over the life of the program.
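The two mechanics described above, automatically keeping departing employees under monitoring (from the automation section) and triaging alerts so that sanctioned destinations are suppressed and departing-employee activity is reviewed first, can be expressed as a small triage routine. This is an added illustration, not code from the original post or from Code42’s Incydr; the HR notice feed, alert fields, destination names and data labels are all constructed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the original post or any real tool).
HR_NOTICES = [  # what an HR off-boarding feed might export: user and last day
    {"user": "alice", "last_day": "2024-06-14"},
    {"user": "dave", "last_day": "2024-06-30"},
]
SANCTIONED_DESTINATIONS = {"corp-sharepoint", "corp-gdrive"}  # routine, approved
CRITICAL_LABELS = {"source-code", "customer-pii"}             # agreed with stakeholders

@dataclass
class Alert:
    id: str
    user: str
    destination: str   # e.g. "usb", "personal-gmail", "corp-sharepoint"
    label: str         # data classification attached by the monitoring tool
    file_count: int

def departing_watchlist(notices, today):
    """Users whose last day is today or later stay on the departing-employee watchlist."""
    return {n["user"] for n in notices if date.fromisoformat(n["last_day"]) >= today}

def priority(alert, watchlist):
    """Higher is more urgent; None means suppress (sanctioned, routine movement)."""
    if alert.destination in SANCTIONED_DESTINATIONS:
        return None
    score = 0
    if alert.user in watchlist:
        score += 100   # time-sensitive: departing employee, review first
    if alert.label in CRITICAL_LABELS:
        score += 10    # critical data outranks everything but departure
    return score + min(alert.file_count, 9)  # volume breaks ties, capped

def triage(alerts, watchlist):
    """Drop suppressed alerts and return the remaining alert ids, most urgent first."""
    scored = [(priority(a, watchlist), a) for a in alerts]
    kept = [(p, a) for p, a in scored if p is not None]
    kept.sort(key=lambda pa: pa[0], reverse=True)
    return [a.id for _, a in kept]

# Constructed alert queue for a single day.
ALERTS = [
    Alert("A1", "bob", "corp-sharepoint", "source-code", 40),  # sanctioned: suppressed
    Alert("A2", "alice", "usb", "customer-pii", 3),            # departing + critical
    Alert("A3", "bob", "personal-gmail", "marketing", 1),      # routine-looking, low
    Alert("A4", "dave", "personal-dropbox", "marketing", 2),   # departing
]

if __name__ == "__main__":
    print(triage(ALERTS, departing_watchlist(HR_NOTICES, date(2024, 6, 10))))
```

Once alice’s last day passes, rerunning the watchlist build drops her automatically, which is the “regardless of human input” property the automation section asks for.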

In conclusion, as insider risk management becomes increasingly important for security professionals, resources will continue to be a limiting factor and it is paramount that any program provides value without upsetting the delicate balance of priorities.

Finding The “Why” During Insider Risk Investigations

Insider Risk is a uniquely human problem, and being an effective Insider Risk investigator requires an understanding of those human elements, as well as technical prowess. With this post I’d like to discuss an aspect of this human element — specifically interviews and inquiries conducted during investigations.

As security practitioners, we are often confronted with situations where we need to respond without the luxury of a complete set of facts. Our tools are fairly good at the “who” and “what” of a situation — user X moved a file to removable media, a document was sent via email to this address — but this is rarely enough information. Most often the purpose of insider investigations is the pursuit of the “why” of a situation, and gaining that context usually requires speaking directly with users.

Interactions with the subject of an investigation will often wholly dictate the outcome of that investigation. Once an investigator has compiled as much context as possible from the technical solutions available to them, they are still often left with questions and contextual gaps surrounding the event, making an interview with the subject necessary.

Before going directly to a subject, it may be useful to conduct supporting interviews with others adjacent to that subject to gain more information. This will be context dependent: sometimes circumstances are cut and dried, but often crucial context is missing. Bear in mind that increasing the scope of an investigation unnecessarily adds complexity and increases the risk that a subject may become aware of an investigation before you intend (especially a concern in instances where there is a potential for ongoing activity). Depending on the event in question and the needs for confidentiality, there may be individuals who can bring clarity to the investigation, such as Human Resources or Legal partners, departmental peers, a subject’s manager, or the application owner or administrator. Consider these avenues to add context to an investigation:

  • A subject’s manager can provide background on a subject’s job duties, including what information they would require access to, and how normal workflows proceed.
  • An information owner can provide a better understanding of the sensitivity and outline appropriate handling of a piece of data, including potential consequences of improper access or disclosure.
  • Company legal counsel can help illustrate any potential legal, regulatory, or reputational damage that could result from particular activity.
  • Human Resources representatives can provide insight into relevant personnel challenges that can provide background or affect the next steps of an investigation.
  • A subject’s coworker may be able to offer context on general process questions. Be careful: asking a peer about specific events may be a breach of confidentiality and could compromise an investigation.

As a general rule, all aspects of an investigation should be treated with the highest level of confidentiality, especially interviews with those outside a subject’s direct chain of command. Impropriety or mishandling of confidential information damages an investigator’s reputation and threatens an organization’s ability to respond to insider risks.

Once as much context as possible is assembled from technical sources and supporting interviews, a subject may need to be interviewed directly. In these cases it is important to assume positive intent and not to jump to conclusions or be accusatory with subjects. The approach, timing, and forum of the interview should all be considered carefully depending on the nature of the event and the risk associated with it. From my experience, here are a few approaches to consider:

  • Should the investigator reach out via an internal messaging application or pick up the phone and call directly? Instant messaging has the advantage of being fast and informal, and is best for a quick question or for setting up a more formal conversation. Judging a subject’s reaction to a question is nearly impossible via text, though, and even just tone of voice and speech patterns can lend additional information.
  • Should a formal or informal in-person (where possible) interview be considered? Informal chats with subjects (such as dropping by their workstation, or approaching them in a common space) can help set a subject at ease. Formally scheduled meetings give the subject time to prepare, which can help or hurt depending on the circumstances, but do lend weight to an investigation, which can be useful to influence behavior.
  • Present pandemic circumstances have forced our company to work remotely; how can I adapt an investigation process to continue to be effective? While in-person interviews are the gold standard, current circumstances will present challenges to this type of interaction for the foreseeable future. In order to continue to conduct investigations effectively, doubling down on video conferencing, screen sharing, and open lines of communication will help to minimize disruptions to normal investigation processes.
  • Should a third party be present during an interview, such as the user’s manager, company legal counsel, or another security investigator? Regardless of the seriousness of an investigation, it’s prudent to have another person present during an interview, should it come down to the investigator’s word against the subject’s. Having a manager or legal counsel present can lend gravity to proceedings if need be.
  • If a video interview is conducted, should it be recorded? Depending on your jurisdiction, consent from all parties may be required to make a recording legal. If a recording is not possible for technical or legal reasons, having a third party join the call can be useful. Recordings can also serve as concrete evidence in instances where a subject is asked to take some action in the presence of investigators (such as deleting files from a personal drive).
  • If an interview must be scheduled in advance, how transparent should investigators be about the subject of the conversation? This will be highly situational. In cases where there is a concern about a subject taking additional harmful actions, it may be best to be vague about its purpose. That said, outright deception of a subject may constitute entrapment and toes a moral line that each investigator must judge for themselves.
  • After an interview is completed, what level of documentation and follow-up is required? This will again be situational, but in general the more notes that are collected, the better. Additionally, making notes as close in time to the actual conversation as possible aids in accurate recall of important details.

While these considerations may be new to some cyber security professionals, they are commonplace to those with law enforcement and behavioral psychology backgrounds. Since insider risk is a human problem at its core, conducting investigations and effective interviews is a mix of art and science. Rigorous investigation and interviewing practices can help mature your organization’s Insider Risk Management process and make it more effective. There are a number of interviewer trainings available, but the majority are provided by, and directed toward, law enforcement. That said, they’d be valuable for security practitioners. Another option to consider that we find helpful is benchmarking with other Insider Risk practitioners at peer companies. Given present trends, cybersecurity-specific interviewer training will hopefully become more readily available in the near future.

If you enjoyed this blog check out redblue42.com for more content like this.