Words Matter - Insider Risk vs. Insider Threat.
Employees are an organization’s greatest asset. What makes an organization great is not its technology, its processes, or its systems – it’s the people. Historically, the cybersecurity industry has referred to the procedure for protecting organizations and workers from compromise as Insider Threat Programs. According to the Intelligence and National Security Alliance (INSA), “The term ‘insider threat’ is in wide use. While this promotes consistency, possible unintended consequences may be that the organization views its workforce as a threat.”
Insider Threat is a problematic term because of its negative connotation. It implies that employees are a threat instead of a value driver. At Everfox, our approach is different. We focus on “Insider Risk” instead.
We’ve been doing this long enough to know bad actors don’t always look like bad actors. Sometimes, the good actors look like bad actors, and sometimes, identity obfuscation is by design.
According to INSA, the objective of Insider Risk Programs must go beyond detection and mitigation of bad actors. At Everfox, we believe that Insider Risk Programs should seek to be the arbiter of truth, uncovering data points that may have been intentional red herrings or false positives. Effective and fair Insider Risk Programs should help protect the innocent just as much as they seek to hold the guilty accountable.
The Precarious Threat Landscape
As Insider Risk Programs take a wider view of risk, direct threats, including Advanced Persistent Threats (APTs), continue to be a vector of concern. The average worker is no match for the current external threat landscape, especially when it comes to APTs. The sophistication and scale of threat actors have grown by leaps and bounds. Today, these actors are regularly carrying out successful phishing, spear phishing, and whaling attacks using convincing deepfakes, hyper-targeted AI-driven communications, and social engineering tactics. In an era where social media has convinced the masses to overshare personal details on the web, and that data is being sold and re-sold to countless data brokers, Open-Source Intelligence (OSINT) is being leveraged by threat actors to craft convincing scenarios that prey on unsuspecting victims.
Compromised credentials, especially if they are not secured with Multi-Factor Authentication (MFA), can lead to a breach if not detected quickly. In the case of session hijacking, where the threat actor takes over legitimate user sessions and carries out actions as if they were that user, even MFA hard keys are rendered ineffective. Attacks like these require continuous monitoring to identify anomalies in user behavior; otherwise, security teams may end up accusing an entirely innocent employee of carrying out a malicious attack. After all, it happened using their identity on their machine. This scenario doesn’t just end badly for the employee; it also likely means that while the security team is focused on investigating the wrong person, the real threat actor could still be lurking in the network.
The Attribution Problem
When it comes to cybersecurity, attribution with absolute certainty is a high bar to meet. It’s arguably impossible without continuous monitoring of all endpoints. However, collecting everything, everywhere all the time isn’t necessary (and would not be in compliance with many privacy laws that differ from country to country and, in the case of the U.S., from state to state).
Everfox experts employ a more efficient methodology of policy-based activity monitoring, risk scoring, and attribution dashboards – a methodology designed to increase efficiency of what’s being collected, when, and why. Everfox encourages Insider Risk Program Managers to involve stakeholders at multiple levels when implementing a program to evaluate the purpose and intent behind what is being collected. Policy controls in Everfox solutions enable governance, management, and oversight as part of implementing technologies and programs. Everfox configurable dashboards are designed to avoid overwhelming investigators and security analysts with unusable collections and data.
While competitor tools tend to focus on collecting everything everywhere, Everfox solutions are designed to collect appropriate, insightful, and relevant user activities as part of data security and workforce protections. The goal is to more efficiently detect patterns and anomalies within user activities and deter workers from erroneous, unintentional, or accidental data leakage.
Focusing on the Why, Not Just the What
One of the best benefits of a robust and responsible Insider Risk Program is the simple fact that having the entire picture or complete context of a person’s actions or behaviors allows companies to make an objective decision, without bias. For example, employees have been known to circumvent company security processes, especially when it comes to being more productive. In this circumstance, employees are not being malicious and not stealing information. They are simply taking actions that, in their mind, save the company time and money. What they may not understand is the risk or vulnerabilities that are generated when they use personal cloud storage, personal email addresses, or other non-approved applications for sharing and storing sensitive company information.
A typical Data Loss Prevention (DLP) solution would fire an alert in those cases (the “what”) but would not tell you the “why”. This is where Insider Risk steps into the equation. Our solution would tell you why a person moved data and what data was moved. Analysts would be able to quickly decipher that the individual was not being malicious, but rather was trying to do their job more efficiently in a manner that the company processes perhaps didn’t allow for, so they found an alternate option instead.
In the case of Shadow IT for the sake of getting work done, a company has an opportunity to re-educate its employee on appropriate usage and behaviors and provide further explanation as to how these actions put the company at risk. For most people, this demonstrates that the company is looking out for the best interest of the employee, as they are not terminated for trying to do what is right in their mind. In addition, the employee can help spread the word to others about good security hygiene and the potential consequences to the company of going outside approved processes.
Paying more attention to the why instead of just the what creates a win-win situation for everyone: the company saves money from not having to hire and train a new person, and the employee wins by not being falsely accused of malicious intent.
Who’s Watching the Watchers?
Everfox Insider Risk Solutions are designed with checks and balances that help prevent abuse of power and authority. We understand that the nature of Insider Risk requires that accountability go both ways.
When it comes to searching for viable Insider Risk programs and solutions, it’s important to consider the question: Who’s watching the watchers? As in, how does your organization plan to implement software tools in a way that prevents the abuse of power and authority? Everfox Insider Risk Solutions help make doing the right thing easy by empowering system administrators to implement policy controls like “Do Not Collect” global policies that prevent data collection and protect individual employee privacy.
We understand that with great power comes great responsibility, which is why we build solutions with the goal of providing fair, accurate, and just workforce protection.
What’s Next: Insider Risk Awareness Month
In recognition of Insider Risk Awareness Month, Everfox is launching a series of stories we are calling The Innocence Files. Throughout the month of September, we will be sharing three true stories from the Everfox vault to show how Everfox has helped organizations carry out fair and accurate investigations that enabled them to defend and protect the innocent. Check back on our blog next week for the first story of how we helped an organization protect the innocent and defend their workforce.
Learn more about Everfox Insider Risk Solutions and how we are supporting National Insider Threat Awareness Month.
Ready to connect with an Everfox expert to learn how we can help your organization implement a high assurance Insider Risk Program? Contact Us.
Michael Crouse
Director of Enterprise User and Data Protection
Michael Crouse is the Director of Enterprise User and Data Protection at Everfox. He works closely with industry thought leaders, executives, and the Everfox management team to help guide long-term programmatic and technology strategies aligned with federal and commercial requirements. By leveraging his wealth of over 25 years of operational experience in cyber and insider risk solutions, Michael has helped lead the company to the forefront of User Activity Monitoring (UAM) and Behavior Analytics Solutions.