INSIDE or OUTSIDE Where's the Bigger Threat?
By Balaji Ramanujam, CIO and SVP for Products, ASI Government
If there’s anything safe about cyber security, then it would be my statement that there is wider media coverage about external threats and system hacks – think Russia and a host of other accused countries and foreign interests– than reports on insider threats. This leaves most of us imagining that there is more external threat activity than there are blow-ups from malicious insiders and inadvertent actors.
What if the combination of malicious insiders and inadvertent actors is a higher threat than from external sources? A review of scholarly publications suggests this could be true.
For example, the 2015 IBM X-Force Threat Intelligence Quarterly (second quarter) addresses three distinct threat categories: Outsiders, Malicious Insiders and Inadvertent Actors. Malicious Insiders and Inadvertent Actors, who could very well be insiders as well, total 55 percent of the bad guys!
“The classic organizational trifecta of people, process and technology will need to rapidly transform to deal with this threat ”
As we become more aware of this growing threat, how should CIOs and CISOs respond to keep the systems and thereby, the country safe? As a quick thought, aren’t we all glad that IM clients like Google Chat have moved to the browser and away from client installs? Shouldn’t there be a concerted effort to minimize installs and resist the proliferation of background processes on client machines? Unfortunately, we all know that the defense strategy needs to be far more robust and far beyond these examples.
There are a number of publications that cover best practices, vendor tools and capabilities in the area of Cyber Security. However, at the heart of this problem is the need for humans to evolve at the fastest pace possible, to sense and defend against virtual threats— a sense that is very different from dealing with physical threats. Ignorance is no longer bliss and negligence has a heavy price tag. We live in times when trust in humans is seen as a vulnerability and weakness by the bad guys.
Should the next wave of threat detection software be about tracking changes in user behavior, in other words, browsing and social media habits? Let’s be honest, we’re currently relying on endorsements or pledge of allegiance to the bad elements by users to be able to flag and track them down. And we know this doesn’t cut it for Cyber Security or National Security. Should Ad Revenue and Predictive Analytics software be repurposed to guess what Inadvertent Actors are likely to click to draw trouble? How do you repurpose IBM Watson and the likes to start playing a new game with potential hackers to stay one-up and learn their next move? Some vendors claim to have the capability, but buyers aren’t convinced yet.
Rather than engage in more questions, here is a quick start towards a solution. Imagine a defense mechanism inspired by living conch shell – impenetrable but not impermeable, with a gooey middle. The spiral structure of a conch ensures the structural integrity and limited accessibility of the shell’s bottom half. Translate that into:
1. Proactive threat detection software, as opposed to standard virus scan software. Threat sensors meet and flag higher and more diverse usage patterns.
2. Hyperaware staff who peer-review behavior and share data on evolving threats.
3. Data abstraction architecture that morphs constantly to keep intruders from guessing data layout patterns.
While there needs to be a reinforced outer layer of IT security with standard tools, training and audits, what constitutes the inside (privileged data) security layer has become even more critical to the business. How organizations devise methods, predictive tools and processes to govern insider threats will be a significant investment and a differentiator for many businesses. At the least, a cultural shift is necessary to start sensing insider threats and to spread awareness about growing risks.
Organizations can claim that the choice of every employee was deliberate. However, they simply cannot claim there was a choice in the impending threat that an employee posed. There is now a need in the industry for version 2.0 of HP’s famous Flight Risk program that predicts employee behavior. Employee retention will continue to be important, but predicting a possible threat from every employee is even more paramount. At the most basic level, CIOs and CISOs could devise a simple test for prospective employees that pulses if he/she poses a cyber threat to the business. And perhaps, a targeted training even before hiring would be in order. As controversial as this may sound, the potential damage from an insider – when compared to someone with a bad credit – may be far greater than anyone realizes.
Insider threats are an elusive and poorly understood risk to business. The classic organizational trifecta of people, process and technology will need to rapidly transform to deal with this threat. The good news is that firms can repurpose a number of capabilities, like predictive analytics and gaming tools. The better news is that humans have shown to quickly evolve and prevail. The ability to witness the next wave of tools and capabilities to meet the challenge sounds very exciting!