Incident response. Playbooks, orchestration and automation are all excellent tools to address specific problems.
But for insider threat, it's important to understand how the investigation and remediation workflows may be different than other types of response.
Since insider threat is a human problem perpetrated purposefully or accidentally by one of your own employees, you should be prepared for a human-centric response.
Many investigations will involve coordination with a combination of HR, Legal and others.
Eventually, someone may have to speak with the employee as well.
For this video, instead of automation and orchestration, think training and practice when dealing with the human factor.
Let's explore the difference with clear Austin door.
Cybersecurity is often described as part art and part science. Nowhere in the security field is that truer than in the insider threat space. Human behavior is the most unpredictable variable to account for in the security program and consequently, where a lot of the art and experience comes into play.
Let's think about insider threat investigations as an art/science Venn diagram.
As you think about the different aspects of an investigation, which items fall into each category? Things like search criteria, alert parameters, escalation and triage workflows, and alert severity or priorities may fall into the science side.
Items like defining motive, calculating risk, assessing data sensitivity, liaising with stakeholders or interviewing employees would likely fall into the art side.
Some of these may fall into the overlap area.
A prime example of a mixed-category item would be your escalation and triage process flow. Some of it may be automated and prescribed, but there is also room for human interpretation and qualitative judgment by an analyst to deviate from the standard process based on their experience and an assessment of the available facts.
Aside from debating what falls into each bucket and what remains a gray area, let's talk about a few ways to prepare for the uncertainty of our own erratic nature.
Your stakeholders will include anyone who may be part of the investigation process. Different stakeholders may get involved with an insider threat incident for different reasons at different stages of the response and remediation.
It's important to help these stakeholders understand insider threat risk, the data and the use cases you are looking at and what their role in the process will be.
This will also mean taking into consideration their needs and requirements to fulfill their piece of the puzzle.
For example, if HR is going to help with investigations or employee interaction, what data do they need? What information? What format? What case management system? What files?
Doing dry runs of investigations is a great way to consider the unexpected from human behavior.
Mock interviews of employees that were identified performing insider threat activities will help you learn how to engage these individuals and what issues might arise. What happens if they don't admit their actions?
How can you tell if they're being truthful?
What are the standard excuses?
How can you use the data and evidence to help guide the discussion? Also, and this might be the most important:
how do you treat employees with dignity and respect while discussing an insider incident?
If this is your first time building an insider threat program, you'll quickly see how difficult a job investigators have.
It truly is a professional skill set, and seasoned investigators spend years to hone their craft.
As your program matures, it's very likely you'll start uncovering more insider risk
and human behavior, the most unpredictable variable to account for.
That's where a lot of the art and experience comes into play.
If you take a human-centric approach to response and remediation, you can prepare for success by understanding how these cases will be different than other cyber risks your organization faces.
Thanks for watching.