What is the Best Org Structure for Insider Risk Management?

When we started using our Incydr product internally, more as a beta, we had the SecOps team managing it because they were already watching alerts on all our other security tools. Then we built out our Insider Risk Management (IRM) team and our tool continued to evolve, so it only made sense that the IRM team own the tool that watches for data moving outside of our trusted network.

While building our IRM team, we benchmarked with companies of all sizes on whether and how they were also building IRM teams and, if so, under which org. There was one clear commonality: there isn’t one right place for an IRM team to reside within a corporation.

A few years ago, it wasn’t a given that a company would have an IRM team. Now more and more enterprises have found IRM to be a critical data security function and are building out that defense. We learned through our benchmarking that this is a growing trend and that teams have chosen a variety of ways to stand up their programs. Most critically, the program needs to fit within the pre-existing ecosystem of the business. IRM is not just a security function; HR and legal teams are also heavily invested in activity that could be deemed illegal or unethical. And while most data exfiltration is caused by human error, such as employees not understanding that the code they created, or the customer base they built, belongs to the company and is not theirs to take, there are certainly instances where malicious data theft occurs.

Through our benchmarking here’s where we learned IRM teams are being stood up: 

  • Detection and monitoring in the SOC
  • Forensics, Security Investigations
  • Cross-functionally with legal and HR as key stakeholders
  • Cyber Security Risk teams 
  • In collaboration with or within the Physical Security Team
  • In Cyberfusion Centers with a dotted line to the COO or Legal 

Clearly there is not one right answer, just the solution that fits your current business ecosystem. One CISO we spoke with had seen several of the above options deployed and noted that all of them worked! For those of us who have been in security for a number of years, we know nothing stays static for long. Even if IRM is set up on one team, it could certainly change in the not-so-distant future.

So, a heads-up to security tool vendors: in order to be successful, you’ll need to build solutions that:

  • can be run without dependency on other tools,
  • are built with user-friendly dashboards so any team can manage them.

When we first built Incydr, it was producing alerts that were best managed through a SIEM or SOAR tool, and so it was a nice fit on the SecOps team. But luckily that has changed: our user-friendly dashboard is self-contained, so Incydr works as a stand-alone product, and a SIEM/SOAR technology can be integrated via an open API. This provides flexibility for any team to watch for data that could be (read: likely is) slipping through your fingers right this very moment.

Flexibility and ease of use in all our security tools will allow security and IRM teams to perform at their best and in a way that builds collaboration with our stakeholders across the organization. 

I’ll take my hat off to that! 

Running a Low Overhead Insider Risk Management Program

A primer on Automation, Force Multipliers, and the Visibility Balancing Act

When security teams look at taking on Insider Risk functions alongside existing responsibilities, it’s easy to be overwhelmed. Perhaps an organization has the sketch of an Insider Risk Management (IRM) program in place, but it’s cumbersome and staffing resources are spread thin across other security functions. Or perhaps IRM is on the roadmap, but resources to get the program off the ground are limited or unavailable. If any of this sounds familiar, here are some suggestions on how focusing on automation, force multipliers, and engaging with the visibility balancing act will help your organization get the greatest bang for your buck when it comes to Insider Risk Management.

When considering an IRM program, among the factors to consider first is the program’s mandate — essentially answering the question “What does success look like for the program?” This will drive the focus. IRM shares traits of other risk management programs — initial results are fairly easy to obtain, but more and more effort is required the further up the maturity scale you go. Let’s focus on some fast followers which can improve a program without a massive effort.

Automation — Automation is the overworked security professional’s best friend. As an example, in Code42’s Incydr tool, automating repeated actions (such as adding departing employees to monitoring, or removing off-boarded contractors) helps ensure actions are taken in a timely manner, regardless of human input. Additionally, consider automating error-prone tasks (such as copying and pasting details, or closing out sub-tickets); this will free up cycles better used for bigger-picture tasks. This may sound obvious, but fitting IRM tasks into existing workflows can be immensely useful.

  • Does Human Resources have an existing employee off-boarding process? Get plugged into that so that you can be alerted when an employee puts in their notice.
  • Does internal IT check out devices to users for short periods? Get access to their system of record to understand who has which devices and when.

Finally, building IRM processes to align with your natural workflows can help ease the overhead of adding additional tasks to your to-do list. Consider delivering information to your preferred platform.

  • Really like working in Slack or Teams? Pipe critical alerts into that app to get them the attention they need in a timely manner.
  • Already have email and calendar pushed to your phone? Create reminders to complete infrequent tasks ahead of time to ensure you stay on top of things.

Force Multipliers — When discussing force multipliers, the adage “work smarter, not harder” comes to mind. In this context, force multipliers are those factors which allow an analyst to accomplish outsized results through preparation and modest effort. These items will look different in every organization and industry, but here are a few that have come in handy for my team.

  • Foster partnerships with Legal, HR, Compliance, and Internal IT. The “who” here is paramount, as the person chosen should be an IRM champion in that area. This will make getting a second opinion quick and easy, and will give those groups a defined channel to escalate questions or concerns back to security. Along the same lines, where possible, lay out processes for approvals and escalations ahead of time; having predefined paths for escalations will save time in an emergency, and will ensure proper protocol is followed. To the extent possible, seek opportunities for shared wins or efficiencies; this will ensure a mutually beneficial relationship.
  • Create communications templates for common situations. This will prevent wasted time as you type out the same message to a user for the umpteenth time. Additionally, laying out repeatable workflows prevents wasted time due to indecision. This is easier said than done, but once workflows are established, try to stick to them. This will ensure the IRM processes are applied in the most objective, ethical way and will free the analyst from the need to handle every instance as a special case.
  • Finally, enlisting others to be advocates for security on your behalf increases the likelihood your program will succeed. Seeing a problematic trend of new employees syncing data to non-sanctioned cloud platforms? Consider reaching out to those doing new employee on-boarding and training to ensure that acceptable use policies are being communicated clearly and with enough emphasis. Seeing an uptick in data flowing to third party applications? Contact the Helpdesk to ensure they are advising users to utilize approved applications to accomplish their work.

Visibility Balancing Act — The interplay of thresholds and work volume in IRM is perhaps the trickiest part. Given the portability of modern data, how does a security team ensure they have enough visibility into data movement within their environment to ensure they can stop harmful exfiltration without being overwhelmed by having to inspect every file event? Unfortunately I do not have a magical formula to share, but I do have some tips about how my team has tackled the problem.

  • Work with your stakeholders (mentioned above) to understand which data is critical to the organization and prioritize that data first. Where possible, also work to influence policy and behavior to ensure data critical to the organization is stored in an appropriate and verifiable way. Similarly, understand other priorities; these are typically driven by the IRM program mandate and organizational values. For instance, prioritizing time-sensitive risks will help ensure focus is placed correctly (for example, when reviewing alerts, those generated by departing employees should be reviewed first).
  • To the best of your ability, learn to recognize and eliminate routine data. This effort will require constant vigilance. Processes change, responsibilities change hands, people turn over, and all the while data continues to flow. With time you’ll develop what we like to think of as “Analyst UEBA (User and Entity Behavior Analytics)” — you’ll get a “feel” for what is routine and this will help you zero in on what isn’t. One shortcut here is to consider building your IRM team from existing company employees if that option exists — these company veterans may already have strong institutional knowledge and a well-developed “radar” for what risk looks like. If possible, consider suppressing data flowing to sanctioned destinations, or as part of day-to-day operations, from your preferred pane of glass — an ounce of noise reduction is worth a pound of visibility.
  • Finally, in addition to understanding where data is stored, you must also gain an understanding of where data is going. This information can help prioritize where effort should be spent to curtail problematic data movement. Part of this is an investment in data handling hygiene — setting your IRM team up for success and lean operations by clearing away data clutter. This applies to the entire IRM program — upfront investments in process, policy, governance, workflows, and automations will pay off over the life of the program.

In conclusion, as insider risk management becomes increasingly important for security professionals, resources will continue to be a limiting factor and it is paramount that any program provides value without upsetting the delicate balance of priorities.

Mac Shops: Is Your Company Data Ending up in Personal iCloud Accounts?

Are you a Mac shop? Do you have Macs in your corporate environment? Is iCloud a corporate-sanctioned cloud repository for your company? If you answered Yes, Yes, No, then read on, because you may have a data exfiltration problem that you are not aware of.

There are so many great things about Macs and Apple products – and best of all, they work seamlessly together. I love Apple products and can’t imagine myself without them; they have become part of my life and my daily routines. I use a MacBook Pro, an iPhone 11, an Apple Watch and have a personal iCloud account. I use Apple’s products for everything from listening to music and podcasts, streaming movies and TV shows, checking email and organizing my day, tracking my workouts and fitness routine, trading stocks and keeping up on the news of the day, taking pictures and sharing with family and friends... and oh yeah, I also make phone calls and send text messages.

One thing that Apple is known for, aside from their great products, is adhering to their belief that they know what functionality you want better than you do; and they deliver on that belief through their products and features. And you know what? They are usually right! Notice that I said usually here – sometimes they make unilateral decisions on functionality that on its face may be convenient but can be problematic, or beneficial to Apple and not necessarily to the customer, at least not every customer. This can be especially true when it comes to Macs in a corporate environment.

Incydr Discovery: Accidental Data Leak to iCloud 
So, what am I talking about? Well, what we discovered through our use of Code42 Incydr was large volumes of data being synced to iCloud. This was a problem, as iCloud is not a sanctioned cloud repository for Code42, so right away we knew something was wrong.

Upon reaching out to the associated individuals, we immediately saw a trend in the responses we got: “I didn’t know that this was happening” and “What do you mean? I didn’t set that up or move data to iCloud.” And not only was Code42 data syncing to their personal iCloud Drive, their personal iCloud Drive data was syncing to their Code42 device. This is a double whammy, since not only do we want to protect against data exfiltration, we also do not want personally identifiable information that we are unaware of on our corporate devices, from an employee privacy standpoint. Additionally, with a recent new hire we noticed that customer lists from their prior employer were also being synced to the new employee’s Code42 device. This is definitely data we weren’t expecting, nor did we want to have it in our possession!

The Cause: OS Upgrades Apply New Setting Defaults
So, we did a bit more digging and learned a couple of things as to why we saw this sudden spike affecting both new and existing employees. First, when Apple pushes a new OS upgrade, Apple resets the default iCloud sync settings, which include the Desktop and Documents folders. So when the user signs into their personal iCloud account, if the default settings are not changed, any documents residing in those folders are automatically synced to iCloud. In other words, users who leverage iCloud for personal use are automatically set up to sync all documents on their corporate endpoint to their personal iCloud account the moment they sign into iCloud. Believe it or not, Apple does not distinguish between personal documents and corporate documents; it just syncs away!

Our Remediation Steps
Thanks to Incydr, we had immediate insight into this activity and were able to take quick action to address the issue from both a short-term and a long-term perspective. The immediate steps we took included creating a simple step-by-step guide for affected users on disabling the sync functionality, which included deleting corporate documents from their personal iCloud. For the long-term fix, we set baseline configuration parameters to override Apple’s default settings. Had we not been using Incydr, we would not have had insight into this sync activity.
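As an added example (not Code42’s own code, and not the step-by-step guide the post mentions), the following Python script shows the two halves of that remediation in working form: a check that parses a user’s iCloud account plist to find accounts with Desktop & Documents sync turned on, and a generator for a macOS Restrictions configuration profile that sets allowCloudDesktopAndDocuments to false so an OS upgrade cannot quietly restore the default. The sample plist is constructed; the plist path ~/Library/Preferences/MobileMeAccounts.plist and the service names MOBILE_DOCUMENTS (iCloud Drive) and CLOUDDESKTOP (Desktop & Documents) are assumptions about how macOS records the setting, so confirm them against a real Mac before relying on the check.

```python
import plistlib
import uuid

# Constructed sample of a user's ~/Library/Preferences/MobileMeAccounts.plist
# (assumption: this is where macOS records iCloud services per account, and
# "CLOUDDESKTOP" is the Desktop & Documents sync service). Enabled here to
# model the post-upgrade default the post describes.
SAMPLE_MOBILEME_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Accounts</key>
  <array>
    <dict>
      <key>AccountID</key><string>user@example.com</string>
      <key>Services</key>
      <array>
        <dict><key>Name</key><string>MOBILE_DOCUMENTS</string><key>Enabled</key><true/></dict>
        <dict><key>Name</key><string>CLOUDDESKTOP</string><key>Enabled</key><true/></dict>
        <dict><key>Name</key><string>PHOTO_STREAM</string><key>Enabled</key><false/></dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def icloud_sync_status(plist_bytes):
    """Map each signed-in iCloud account to its Drive and Desktop & Documents state."""
    data = plistlib.loads(plist_bytes)
    status = {}
    for account in data.get("Accounts", []):
        services = {
            svc.get("Name"): bool(svc.get("Enabled", False))
            for svc in account.get("Services", [])
        }
        status[account.get("AccountID", "<unknown>")] = {
            "drive": services.get("MOBILE_DOCUMENTS", False),
            "desktop_documents": services.get("CLOUDDESKTOP", False),
        }
    return status


def accounts_syncing_desktop_documents(plist_bytes):
    """Accounts that would sweep ~/Desktop and ~/Documents into personal iCloud."""
    return sorted(
        acct for acct, svc in icloud_sync_status(plist_bytes).items()
        if svc["desktop_documents"]
    )


def restrictions_profile(identifier, organization):
    """Build a system-scoped configuration profile whose Restrictions payload
    (com.apple.applicationaccess) disables iCloud Desktop & Documents sync.
    Deployed via MDM, this is the baseline override the post refers to."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier + ".restrictions")),
        "PayloadDisplayName": "Disable iCloud Desktop & Documents",
        "allowCloudDesktopAndDocuments": False,  # Restrictions payload key, macOS 10.13+
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, identifier)),
        "PayloadDisplayName": "iCloud sync baseline",
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def profile_disables_desktop_documents(profile_bytes):
    """Verify a generated (or exported) profile actually pins the setting off."""
    profile = plistlib.loads(profile_bytes)
    return any(
        p.get("PayloadType") == "com.apple.applicationaccess"
        and p.get("allowCloudDesktopAndDocuments") is False
        for p in profile.get("PayloadContent", [])
    )


if __name__ == "__main__":
    print("Desktop & Documents sync on:", accounts_syncing_desktop_documents(SAMPLE_MOBILEME_PLIST))
    mobileconfig = restrictions_profile("com.example.icloud-baseline", "Example Corp")
    print(mobileconfig.decode())
```

On a real endpoint the check would read the plist from each user’s home directory (for example via a management agent’s extension attribute) and the generated .mobileconfig would be pushed by MDM; a profile installed at system scope survives the OS-upgrade reset because the restriction, not the user preference, is what macOS enforces.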

Turning Adversarial Users Into Allies

An employee just sent an email to our security team, “Tomorrow is my last day and I’d like to move some personal pictures I saved on my work drive to a personal drive. Just letting you know and I’ve copied my manager so everyone is in the loop. Let me know if you have any questions.”

Whaaat? Since when do employees call out “I’m about to do something” to your security team? Is this just a randomly odd security minded employee? Yes…and no. At Code42 we’ve intentionally mended the gap between employees and the security team and we work harmoniously together to protect the company. Sounds utopian and surreal but I’m here to tell you it can be done. It’s not hard, but depending on your current situation it may take a bit of time to build out.

Let’s start with day one. Do whatever you can to get a security presence in onboarding. If you can only get 5 minutes, take it! That’s where you’ll plant the seed that you aren’t “out to get them” and that you need their partnership and expertise to protect the company. Let them know you’ve got their back but there’s also only so much you can do without them. Instruct them on how to reach the security team with questions or to partner with new projects and where to look for important security updates. Inform them how to report concerns and/or suspicious emails, phone calls, etc. I let them know that we are going to phish them, not to trick them but to help them develop their muscle memory so they can quickly spot and report suspicious emails. But the most important thing you can do is let them know that you will not report them upward or get down on them if they make a mistake, unless perhaps that becomes an ongoing problem.

If you can do that, congratulations! You have just laid down a big, colorful, inviting welcome mat with your newest employees. The relationship is off to a great start. But as with any relationship, you must work to maintain the good vibe.

If you’ve got additional monitoring tools, this is also a good time to have that conversation. We’ve (obviously) got Incydr, which watches for data movement off of and onto our trusted environment. Are we sitting around waiting for them to exfiltrate data? Of course not. We don’t have that much time on our hands. So we ask folks to let us know if and when they have a business (or personal) reason to do this, so our team doesn’t waste time going down a rabbit hole for no reason. Also, to avoid getting that awkward call from the security team: if they proactively let us know, we can perhaps provide suggestions for moving the data in a way that better protects it, such as using an encrypted drive or an approved storage or sharing solution they may have overlooked. They are on our front-end defense team, and they can rest assured that we’ve got their backs if they forget or mistakenly move data to an unapproved source. Is there ever a need for discipline? Of course, but unless there’s solid evidence of malicious intent it’s likely just an opportunity to educate and course-correct. We always start any conversation by presuming positive intent, which, let’s be real, is most often what’s going on when our corporate data leaves us.

Our Insider Risk Management team does an awesome job at presuming positive intent. If confronting employees lands on folks on your team who are not as comfortable with having those types of conversations with your users, we’re happy to share the templates our team uses to keep the tone positive and productive. Every company has its own culture and messages should reflect that, but here are some generic phrases you can start with or give your teams to use, that support a positive relationship between users and the security/risk team:

Our records indicate that you are overdue on your security training. Can you confirm?
The user will probably come back with something like, “Sure, how do I do that” which helps shape the conversation that they just need more education on how to use the LMS, for instance.

It looks like you may have clicked on the last phishing email with the subject “XYZ”. Does that sound right?
Most often the responses I get are, “Shoot, it’s true! I’m usually much better than that,” which tells me they have pride in not clicking on links and had a human moment. Remind them that it helps protect the company if they let the security team know when they have clicked on a link they shouldn’t have. If it is truly malicious, we can get to work on it right away. If it is just an exercise, we still want to rest assured that they know they need to report it to us and how to do so. Those are metrics I value as much as, if not more than, click rates.

IMPORTANT – RESPONSE NEEDED ASAP.
Attackers can find their way into corporate networks and often do so to steal data. Our security tools are set to alert on any data moving off our network so we can look into whether it is one of our own just trying to get work done or whether we should further investigate a potential security incident. We are showing that the following data was moved from to on your account and we didn’t get a heads-up from you. To help us minimize data loss, can you kindly confirm by & if you are aware of this? If we don’t hear from you, we will assume it is unwanted data leakage and we will need to , to minimize the damage.

If no response, then you may have a malicious case on your hands and you can use the below follow up.
We sent an email to you on and requesting an urgent response and have not heard back from you. To protect our company, we have or to help minimize damage. If this was an intended action by you, please respond so we can reverse course and get you back up and running.
If they respond and tell you it is true and give you a valid reason for doing so, use it as a teachable moment and remind them how helpful it is to get a heads-up next time.

These are simple suggestions to begin an email and more info is likely needed. Not all cultures will find an easy path toward this type of synergy between users and security but there’s no better time than now to get the ball rolling. If you are a larger enterprise, consider using the tone of these suggestions to put into your templated responses.

If you’d like additional information on how to monitor for unwanted data movement in your organization, check out how Incydr works. If you just want to chat about creating productive security cultures at your organization I’d love to connect any time. You can find me on LinkedIn at https://www.linkedin.com/in/chrysa-freeman/.

For more blogs from our extremely talented Code42 security team, find them at redblue42.com.

Finding The “Why” During Insider Risk Investigations

Insider Risk is a uniquely human problem, and being an effective Insider Risk investigator requires an understanding of those human elements, as well as technical prowess. With this post I’d like to discuss an aspect of this human element — specifically interviews and inquiries conducted during investigations.

As security practitioners, we are often confronted with situations where we need to respond without the luxury of a complete set of facts. Our tools are fairly good at the “who” and “what” of a situation — user X moved a file to removable media, a document was sent via email to this address — but this is rarely enough information. Most often the purpose of insider investigations is the pursuit of the “why” of a situation, and gaining that context usually requires speaking directly with users.

Interactions with the subject of an investigation will often wholly dictate the outcome of that investigation. Once an investigator has compiled as much context as possible from the technical solutions available to them, they are still often left with questions and contextual gaps surrounding the event, making an interview with the subject necessary.

Before going directly to a subject it may be useful to conduct supporting interviews with others adjacent to that subject to gain more information. This will be context dependent; sometimes circumstances are cut and dried, but often crucial context is missing. Bear in mind that increasing the scope of an investigation unnecessarily adds complexity and increases the risk that a subject may become aware of an investigation before you intend (especially a concern in instances where there is a potential for ongoing activity). Depending on the event in question, and the needs for confidentiality, there may be individuals who can bring clarity to the investigation, such as Human Resources or Legal partners, departmental peers, a subject’s manager, or the application owner or administrator. Consider these avenues to add context to an investigation:

  • A subject’s manager can provide background on a subject’s job duties, including what information they would require access to, and how normal workflows proceed.
  • An information owner can provide a better understanding of the sensitivity and outline appropriate handling of a piece of data, including potential consequences of improper access or disclosure.
  • Company legal counsel can help illustrate any potential legal, regulatory, or reputational damage that could result from particular activity.
  • Human Resources representatives can provide insight into relevant personnel challenges that can provide background or affect the next steps of an investigation.
  • A subject’s coworker may be able to offer context on general process questions. Be careful: asking a peer about specific events may be a breach of confidentiality and could compromise an investigation.

As a general rule, all aspects of an investigation should be treated with the highest level of confidentiality, especially interviews with those outside a subject’s direct chain of command. Impropriety or mishandling of confidential information damages an investigator’s reputation and threatens an organization’s ability to respond to insider risks.

Once as much context as possible is assembled from technical sources and supporting interviews, a subject may need to be interviewed directly. In these cases it is important to assume positive intent, not to jump to conclusions, or be accusatory with subjects. The approach, timing, and forum of the interview should all be considered carefully depending on the nature and risk associated with the event. From my experience, here are a few approaches to consider:

  • Should the investigator reach out via an internal messaging application or pick up the phone and call directly? Instant messaging has the advantage of being fast and informal, best for a quick question or setting up a more formal conversation. Judging a subject’s reaction to a question is near impossible via text though, and even just tone of voice and speech patterns can lend additional information.
  • Should a formal or informal in-person (where possible) interview be considered? Informal chats with subjects (such as dropping by their workstation, or approaching them in a common space) can help set a subject at ease. Formally scheduled meetings give the subject time to prepare, which can help or hurt depending on the circumstances, but do lend weight to an investigation, which can be useful to influence behavior.
  • Present pandemic circumstances have forced our company to work remotely; how can I adapt an investigation process to continue to be effective? While in-person interviews are the gold standard, current circumstances will present challenges to this type of interaction for the foreseeable future. In order to continue to conduct investigations effectively, doubling down on video conferencing, screen sharing, and open lines of communication will help to minimize disruptions to normal investigation processes.
  • Should a third party be present during an interview, such as the user’s manager, company legal counsel, or another security investigator? Regardless of the seriousness of an investigation, it’s prudent to have another person present during an interview, should it come down to the investigator’s word vs. the subject’s. Having a manager or legal counsel present can lend gravity to proceedings if need be.
  • If a video interview is conducted, should it be recorded? Depending on your jurisdiction consent from all parties may be required to make a recording legal. If a recording is not possible for technical or legal reasons, having a third party join the call can be useful. Recordings can also serve as concrete evidence in instances where a subject is asked to take some action in the presence of investigators (such as delete files from a personal drive).
  • If an interview must be scheduled in advance, how transparent should Investigators be about the subject of the conversation? This will be highly situational. In cases where there is a concern about a subject taking additional harmful actions, it may be best to be vague about its purpose. That said, outright deception of a subject may constitute entrapment and toes a moral line that each investigator must judge for themselves.
  • After an interview is completed, what level of documentation and follow-up is required? This will again be situational, but in general the more notes that are collected the better. Additionally, making notes as soon after the actual conversation as possible aids in accurate recall of important details.

While these considerations may be new to some cyber security professionals, they are commonplace to those with law enforcement and behavioral psychology backgrounds. Since insider risk is a human problem at its core, conducting investigations and effective interviews is a mix of art and science. Rigorous investigation and interviewing practices can help mature your organization’s Insider Risk Management process and make it more effective. There are a number of interviewer training courses available, but the majority are provided by, and directed toward, law enforcement. That said, they’d be valuable for security practitioners. Another option to consider that we find helpful is benchmarking with other Insider Risk practitioners at peer companies. Given present trends, cybersecurity-specific interviewer training will hopefully become more readily available in the near future.

If you enjoyed this blog check out redblue42.com for more content like this.