Your repeat offenders aren't the insider threats
Almost every organization today has employees that regularly violate standard security policies and protocols. However, oftentimes these violations aren’t the work of a malicious insider -- they’re usually the actions of an employee trying to do his/her job or taking a shortcut to get the job done. Corporate information security teams have the challenge of determining the motive behind these violations. While network monitoring security tools and InfoSec point-solutions are designed to help catch these infractions, they can, and do, unintentionally create an immense volume of work by flagging every policy violation as a threat -- creating thousands or even hundreds of thousands of security events to sift through daily. To make matters worse, these events are often labeled as high-urgency alerts.
The challenge is empowering your IT security teams to identify and respond to the most urgent threats while maintaining compliance with industry regulations.
Today’s next generation firewalls, IPSs, and a growing number of next-generation point-solutions offer novel and effective ways to catch and identify potential threats. However, the alerts they create only add to the noise instead of making it easier for internal security teams to identify the threat. While a small portion of the data generated by security tools can be useful, organizations cannot afford for their IT teams to sort through all of the data while they’re being compromised. So, how do companies streamline security operations to enable their IT teams to quickly respond to the most serious threats?
The answer is a solution that provides actionable information risk intelligence to enable InfoSec teams to determine the most urgent security events. This includes:
1. Leverage Big Data Analytics
In a recent report, "Reality Check on Big Data Analytics for Cybersecurity and Fraud", Gartner’s Avivah Litan noted, "big data analytics enables enterprise to combine and correlate external and internal information to see a bigger picture of threats against their enterprises". With big data analytics, companies can now elevate security incident and event remediation from an incident-by-incident approach to focus on dealing with patterns, trends, and behaviors to identify and address the real threats / higher-priority alerts. It’s important to evaluate and select a big data analytics solution that can overlay your existing InfoSec investments and rapidly break the silos to deliver context awareness. It is not about bringing everything together in one giant repository or distributed file system; it’s about extracting the right information to obtain answers. Choose providers that offer canned intelligence and create value out-of-the-box. Also, select a player that can scale and has a proven track record with large enterprises. Demos are great, but if the tool breaks during your proof of concept, something is amiss.
2. Identify and Fix Broken Business Processes while Remediating Security Events
Long term success depends on continuously improving your environment. You need an analytics solution that allows your team to diagnose the root cause of incidents and determine the right action to prevent security events from recurring, and it’s best to have it in an easily consumable management interface. It is also important to involve your business process owners (BPOs). You have to provide your InfoSec team with logical workflows for conducting multi-tier actions, including communicating back to your BPOs. This ensures shared accountability and includes the BPOs who are in the rightful position to fix broken business processes, and accept or reject the risks associated with the handling of their data.
3. Tune and Train
The same analytics solution you select needs to provide two-way flow and integration with your InfoSec point-solutions. You need a full-loop feedback capability to tune underlying detection tools and hone your policies in the process. Finally, just as you improve technology by using such a two-way flow, your analytics tool needs to provide just-in-time training to your end-users. As an end-user commits an infraction, this needs to go through a process that either escalates the matter or uses it as a teaching opportunity. Training your end-users protects your information and places accountability where it ultimately belongs.
Your repeat offenders are usually not your insider threat. Invest in a solution that actively analyzes a user’s behavioral interactions with sensitive data to enrich your incidents with a score as to what is normal versus unusual behavior for a particular user based on their prior interactions and those of his/her peers, supervisor, department, etc. This frees you from the noise and enables you to focus on real threats and proactively manage insider behavior.
Feris Rifai co-founded Bay Dynamics with Ryan Stolte in 2001 to create a company with a culture of accountability and excellence. Through his effective leadership, Bay Dynamics has become a premier provider of security analytics and information risk intelligence products.