Enterprise IT Context for the CTO

Bob Gourley


Insider Threat: A perspective on how to address the increasing risk

Cyber security is one of the highest priority topics for organizations today. Spanning a wide range of malicious activities from destructive malware and denial of service attacks, to the theft of intellectual property and even espionage, cyber threats pose a significant risk to any business. In recent years, multiple high-profile, high-impact breaches have raised awareness of the cyber threat. The continuous growth of malware and advanced persistent threats has kept much of the cyber-related focus on threats that originate externally. However, in June of 2013, a systems administrator at the National Security Agency (NSA) reminded us of the threat that already exists within an organization, behind the protection of its sophisticated, complex perimeter security.

The Insider Threat

It is often said that employees are the most valuable asset a company has, but research suggests that they can also be one of its greatest risks. Recent breaches, including those at the NSA, Target, and Sony, illustrate the damage that can be done to an organization through the malicious or careless use of network and data access. Ordinary employees, privileged users, contractors, and even trusted partners all represent significant risks for an organization.

The potential for damage from the insider threat is serious across the commercial and federal sectors alike. Insiders can do harm across a spectrum of business functions, from stealing customer lists in the commercial world to stealing classified files in government. Damage can range from harm to brand and reputation all the way to compromising the mission and even loss of lives. The insider represents true risk to every firm and organization. According to the Verizon 2015 Data Breach Investigations Report, insider and privilege misuse has had the most notable increase in activity and is occurring in every sector of the economy.

Additionally, insiders now have new ways of coordinating with others. The abundance of free email, social media and other electronic communication services, combined with those services' inability to accurately attribute accounts to identifiable individuals, provides a veil of anonymity for those seeking to remain undetected or unidentified. The apparent anonymity of the Internet is alluring to many, but it presents a significant challenge for organizations seeking to combat or defend against criminals and terrorists alike.

Cognitio’s Approach to Insider Threat

Cognitio is unique in that we take a vendor-agnostic approach to assisting clients in understanding the risk of insider threat: helping them develop programs, policies, and technical solutions aimed at early identification and response, and ensuring that our customers understand the full range of response and mitigation options available when an incident occurs.

Our first task is to work with our clients to fully understand their unique requirements and limitations around what may be collected, analyzed, or used. Many clients are global in nature, and rules, regulations and laws vary from country to country.

Next, we work with our clients to help them understand the nature of cyber risk and the continuum of insider threat, and to review what programs they may have in place today. This includes reviewing current processes; helping our clients understand anomalous behavior; separating criminal intent from accidental action; and working with them to understand the differences between audit, compliance and intelligent security.

From there, we work with our clients to drive a blended approach that combines business, process and technology to define and create capabilities that support the detection, identification, containment and remediation of insider threat.

Policies: In many cases an organization's security policies and procedures can be improved to help mitigate insider risks. Policy improvements are frequently focused on training, technology concepts of operation, and articulation of expected behaviors. Policies alone do not mitigate insider threats, but they lay a good foundation.

People: How people are trained and led can have a direct impact on an organization's insider threat risks. Many organizations find it prudent to have a lead for cyber threat mitigation, and this person should be appropriately trained and certified. Cognitio will help ensure this is done.

Technology: Well-managed infrastructure with the right authentication/authorization and security capabilities provides a baseline for additional specialized tools that can help detect attempts at unauthorized access, issue alerts and contain damage. There are many tools available for these tasks, and recommendations for which to leverage will depend on your existing environment. Solutions must be integrated in ways that detect malicious attempts while producing very few false positives. Specialized tools also aid in forensic examination to determine how systems were intruded upon and what the damage was.

The Special Case Of Big Data Analytics In Insider Threat Detection

Breakthroughs in the ability to analyze data rapidly at scale, largely due to advances in the Apache Hadoop ecosystem, have resulted in numerous production-quality deployments of data-intensive analytic solutions aimed at using data to help mitigate insider threats. Typical uses of data-intensive analytics for insider threat include building aggregated data repositories that capture user authentication/access activities, computer security logs and information from physical security systems (including card swipes) for correlation, behavior analysis, and anomaly detection. Some solutions leverage much more data, including the activities of every privileged user, and can even begin to incorporate public data sources, including social media feeds, in order to create a holistic view of an individual's behavior. Ultimately these data-focused solutions help you apply scalable analytics against these Big Data repositories in order to look for organizationally specific anomalous activities as they occur, triggering alerts that can be adjudicated by security staff.

We recommend architectures that also enable analysis of streaming data. A malicious insider can cause damage fast, and analysis of streaming data at line speed can be key to limiting that damage.
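The correlation described above, as an added illustration that is not code from the original post or from Cognitio: authentication events and card-swipe events are processed one at a time, in arrival order, and two organizationally defined anomalies are raised as alerts (an on-site logon by a user who has not badged into the building that day, and a logon outside the user's normal hours). The event format, the log lines and the per-user baselines are all constructed for the example.

```python
# Added example (not from the original post): stream-style correlation of
# constructed authentication and badge-swipe events, raising two alerts:
#   1. a LAN (on-site) logon by a user with no badge-in that day, and
#   2. a logon outside the user's baseline working hours.
from collections import defaultdict
from datetime import datetime, time

# Constructed sample stream: "timestamp,source,user,detail"
# source is BADGE (door swipe) or AUTH (logon); detail is door or logon type.
EVENTS = """\
2015-06-01T08:02:00,BADGE,alice,lobby-door
2015-06-01T08:10:00,AUTH,alice,LAN
2015-06-01T09:15:00,AUTH,bob,LAN
2015-06-01T23:40:00,AUTH,alice,VPN
2015-06-02T07:55:00,BADGE,bob,lobby-door
2015-06-02T08:01:00,AUTH,bob,LAN
""".splitlines()

# Constructed per-user baseline of normal logon hours (start, end).
BASELINE = {"alice": (time(7, 0), time(19, 0)),
            "bob": (time(8, 0), time(18, 0))}


def detect(lines, baseline=BASELINE):
    """Process events one at a time (as a stream would deliver them) and
    return alerts as (timestamp, user, reason) tuples in firing order."""
    badged_today = defaultdict(set)   # date -> users who swiped in
    alerts = []
    for line in lines:
        ts, source, user, detail = line.split(",")
        when = datetime.fromisoformat(ts)
        if source == "BADGE":
            badged_today[when.date()].add(user)
            continue
        # AUTH event: first check physical/logical consistency
        if detail == "LAN" and user not in badged_today[when.date()]:
            alerts.append((ts, user, "LAN logon without badge-in"))
        # then the user's time-of-day baseline (unknown users: any hour)
        start, end = baseline.get(user, (time(0, 0), time(23, 59)))
        if not start <= when.time() <= end:
            alerts.append((ts, user, "logon outside normal hours"))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In the constructed stream only bob's first LAN logon and alice's late VPN logon fire; every other event is consistent with its badge record and baseline, which is the low-false-positive behavior the text asks for.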

How might this look in practice? Our experience in the intelligence community and in enhancing insider threat mitigation normally addresses issues in policy, people and technology.

Cognitio has experience with all the most reliable and reputable analytical tools in this space and can assist in defining the criteria used to evaluate them, ensuring the right selections are made for your business needs. The typical analytic tools used for insider threat mitigation will need to be evaluated against specific organizational needs, including ease of use, automatic alerting, and the ability to detect anomalous activity with a very low false positive rate.

The ability to accurately identify and respond to suspicious or anomalous activity in your environment is vital to combating insider threat. As such, it is imperative that organizations establish a process and technical solution capable of supporting the demands that insider threat represents in today's complex cyber world. Cognitio's approach ensures that all levels of an organization understand the continuum of the threat and how to bring together the critical volume and variety of data needed to identify, contain and mitigate it.


Bob Gourley writes on enterprise IT. He is a founder of Crucial Point and publisher of CTOvision.com.