Many small and medium-sized companies don't have the resources for a dedicated insider threat team.
Even large enterprises who do have a dedicated team probably don't have endless resources available to them.
This likely applies to both technology tools and headcount.
Because we've honed the insider threat program down to a few key workflows, your existing security and IT teams should be able to handle the monitoring and detection responsibilities.
But security and IT teams who are already wearing multiple hats and managing strained resources don't have to shoulder the full burden.
It's also critical that all stakeholders be trained so they understand the full scope of the insider threat program.
So let's look at how to utilize current resources to create your plan and put together a training plan for your stakeholders,
and we'll do that by hearing from Chris A. Freeman.
By this stage, as you begin to look at technology tools to support the program, you should have defined your insider threat use cases as well as the assets you're trying to protect.
It's okay if you have multiple use cases and a variety of critical data assets you want to protect. If that's the case, make sure you've also prioritized and ranked them to help guide program decisions. Once you have that documented, you can start looking around the organization at existing security and IT teams to see if there are any helpful starting points.
One way to streamline the investigation process is to begin a security ambassador program
or leverage an existing one. Ambassadors are trusted partners across the organization who assist the security team by both extending the security messages and also informing the security team of norms and practices in their respective areas of the organization.
For example, using our use case of data exfiltration, these ambassadors can help you understand the tools most often used to store and share data in the area as well as any collaboration tools they use. This is important information, so you are fully aware at the onset of building your insider threat program and throughout your program
to level set what apps are authorized by your organization
or, perhaps easier, which applications are not authorized.
If the ambassador understands both the nuances of the technology as well as the business use cases of the applications, you have an excellent resource
for an insider threat program that focuses on data exfiltration. You'll definitely need to inventory all your existing monitoring, investigation and response tools.
Are you using a SIEM or SOAR tool, for instance?
What monitoring or auditing tools do your most valuable applications utilize?
Can these assist you in identifying and investigating your insider threats?
The inventory helps you determine what, if any, additional tools you need to fill in gaps in your insider threat program.
It also helps down the road by providing a better mapping of the IT ecosystem that you're charged with protecting,
as well as serving as a way to build relationships with stakeholders you may be working with in the future.
Doing this type of due diligence helps with cost savings and potential reduction of technical debt,
two things senior leaders and executive sponsors will certainly be on board with.
To watch for suspicious data movement, there are several security tools and vendors that provide solutions to analyze the tremendous volume of data generated.
These span from simple tools that centralize information to very sophisticated cloud-based artificial intelligence and machine learning platforms. Part of the planning is determining the budget you will need to complete the program.
As an aside, be wary of vendors with complex tools that promise quick setup and easy use.
Sophisticated tools are likely to have some layer of complexity you need to be aware of before purchasing.
Make vendors prove their marketing claims are true by conducting an in-depth trial before committing.
Towards the end of the planning process, you need to train your stakeholders on what is being monitored, specific triggers that are used, the investigative workflows and the rules of engagement.
Any technology, tools or applications should be introduced at this time as well, and training should be provided on those tools if necessary.
If you're utilizing the ambassador program, you should set up a regular cadence of meetings with them to keep current on any changes in shadow IT and consult with them on communications to their area of the business.
The ambassadors are ingrained in the culture of their geolocation or subculture, and can help determine the best training methods, content and most used communication channels.
As you involve others in any matters related to the insider threat program,
keep in mind the principles of least privilege
and need to know.
Insider threat data and investigations are often very sensitive in nature and may include information about employees.
Ensure your program meets strict standards of privacy
and access control.
Not only will this help get approval and buy-in from legal and HR,
but it's the responsible and right thing to do.
While you want to leverage as many existing resources as possible for your insider threat program, there are ways to stretch your resources in both the planning and training stages.
You can determine the validity of existing security tools and utilize an ambassador program to help fill in the blanks.
Because your insider threat program will need to evolve, the ambassador program may also bring in ideas for improvements.
Your stakeholders will need training in what is being monitored, the specific use case triggers, the investigation workflows, the rules of engagement and the tools used to accomplish all of this.
This training should clearly define their roles and responsibilities so they're ready to jump in when an insider response workflow is triggered.