Proactive Compliance for
Insider Threat Protection
By Larry Knutsen, co-founder, Strongbox Cyber Solutions LLC
540.222.7412
[email protected]
www.strongboxcybersolutions.com
Executive Summary
Cybersecurity and the loss of sensitive data seem to appear daily in the media. On
February 12, 2013, President Obama signed Executive Order 13636, “Improving Critical
Infrastructure Cybersecurity.” This outlined the Administration’s priorities. This executive
order highlights the importance and critical need for improved cybersecurity. The cyber
threat to critical infrastructure continues to grow and represents one of the most serious
national security challenges we must confront. Two years later, on February 13, 2015,
President Obama signed Executive Order 13691, “Promoting Private Sector
Cybersecurity Information Sharing.” This Executive Order calls out the National
Industrial Security Program to include amending Executive Order 12829, dated January
6, 1993, which “established the National Industrial Security Program to safeguard Federal
Government classified information that is released to contractors, licensees, and grantees
of the United States Government.”
The conversation has moved to encompass not only cybersecurity and Information
Assurance (IA), but also insider threat, which today is one of the most prevalent threats to
our nation’s security. In this paper, we explore the mandated compliance guidelines, from
Executive Orders to policies that address insider threat, along with the anticipated
changes to the National Industrial Security Program Operating Manual (NISPOM) expected
to be released this fall. We will discuss the impact of the insider threat to an organization,
the importance of doing a risk analysis, how to identify gaps, and what organizations can
do to create and mitigate the risk of a malicious insider by adopting appropriate security
measures.
Strongbox Cyber Solutions LLC
www.strongboxcybersolutions.com
Policies in Place Now
The Federal Government has put forth a number of important mandates over the past
few years in the effort to bring security standards to a baseline for both cybersecurity and
insider threat. Cybersecurity has this Administration’s attention, with accountability and
deliverables outlined in several Executive Orders. I think we will all agree: we are only as
strong as the weakest link in the digital cyber world. These federal compliance standards
must be leveraged as a framework to create a robust security posture to protect sensitive
information. Beyond this basic framework, different organizations may require additional
security needs. So long as these basic standards are met, you are off to a good start, and
you can grow your security program as needed. Something is better than nothing and
doing your homework up front, discovering your gaps, and taking steps to mitigate them
are critical before you purchase anything. In my view, not all organizations require the
same level of protection and some can manage sufficiently and safely with a basic
program. The important thing for each organization is to strike the balance between
security and risk mitigation. Doing nothing is no longer an option.
What impact could the NISPOM have on you? If you have, or expect to have, government
contracts, your organization will be expected to have an insider threat program. Your
program should be based on published policies, linking requirements together into a
robust program that includes continuous evaluation, continuous monitoring, and a holistic
insider threat detection program. You can wait for the requirements to unfold or you can
begin taking steps to do your homework now. At the very least, you should ask yourself,
what is your company’s intellectual property worth? What is your company’s reputation
worth? What would you say to your stockholders and employees if tomorrow’s media
headlines read “Data Breach Occurs – Insert Your Company Name Here”? Senior
leadership must understand you cannot guarantee there will be no leaks or prevent a
trusted employee from going rogue. What you can do is know what happened when, how
and by whom. Most importantly, you can limit the timeframe of bad behavior.
Insider Threat Detection and proactive holistic analysis are possible if you build them into
your program—and you should start planning now.
Getting Started
When determining what is right for your organization, there are some key questions to
ask yourself before you start building and investing time and money in your cybersecurity
posture. This is the “homework and due diligence” phase.
Eight Questions You Should Ask
1. What are your goals?
2. Are your HR and employee regulations supportive of what you want to create?
3. What are your current technical capabilities?
4. Who should oversee your program?
5. Bring your own device (BYOD)—do you allow it?
6. How good is your user activity monitoring system?
7. Can you merge your employee information gathered from due diligence as part of
the hiring process with other data your advisory panel has authorized for use within
your cybersecurity program?
8. Is your insider threat program on a private network?

1. What are your goals? What are you trying to protect? You cannot guarantee to
leadership that your organization won’t fall prey to a malicious insider, but you can
monitor the rumble strips within your perimeter and strive to identify suitability issues
early while they are small. Think of the rumble strips as those found along most major
highways. When you hit them and the noise begins, your full attention is turned to your
primary mission – Safe Driving. For example, if a user logs onto two computers and
prints in two different locations miles apart, shouldn’t you ask yourself, “Is this user
sharing their corporate login?” Mitigate suitability and network issues when they are
small.
2. Are your HR and employee regulations supportive of what you want to create? Review
existing policies, guidelines, and employee handbooks, and engage legal on day
one. Do you have ‘”consent and disclosure” for what you are trying to create? What
policies need to be updated, and what is the timeline for that? Engage leadership, HR,
legal, security, the CISO, and the CIO to answer these questions as you establish a path
forward for your Insider Threat Detection program.
3. What are your current technical capabilities? What technical and non-technical
programs are in place that can support a proactive insider threat detection program?
What information and capabilities do you currently have that can be leveraged and
where are the gaps? What, where and how are your network defenses deployed? Are
they reactive or proactive? Break down the stovepipes! For example, are there
processes in place to revalidate privileged users’ accounts and their continued need for
privileged access? Are your removable media devices locked down? Do you allow
unencrypted files to exit your network including those stored on removable media?
Where are passwords or other sensitive PII information being stored? Are you
monitoring network activity? If you see terabytes of data going out of your network
after hours, do you know where it is going and why? Are you leveraging all your existing
network defenses? Has complacency set in? When you have completed a basic
inventory exercise, you will discover gaps in technology/capabilities that may require
investment. You will also discover you already have capabilities in place to support the
early stages of both a reactive and proactive insider threat program.
4. Who should oversee your program? C-Suite and legal engagement are critical; CISO,
HR and CIO are a must. Establish a senior advisory board to oversee the program. This
board will be responsible for deciding things like what type of data can/should be used,
how long data should be retained, where should the copied data reside, how can this
data be used to create proactive triggers, who knows what about the program, and
how to inform the workforce of its existence. Most importantly, this group must decide
how the data can be used and agree on anomaly detection triggers. User privacy and
the privacy of the investigative threshold are critical. Build partnerships! If you could tell
your CIO how many applications exist on your organization’s network and how frequently
they are being used, this would assist your CIO in network migration. This has
cost savings potential because you can weed out applications no longer being used.
5. Bring your own device (BYOD)—do you allow it? Is there an agreement in place
to obtain the necessary user attribution activity on a timely basis? Policies about BYOD
should be decided by your senior advisory board (see step 4) and become an integral
part of employee education efforts around security. This should also include a review
of company-provided devices and policies. Should you travel to questionable countries
with devices loaded with company IP? How do you spell “Corporate Espionage”?
6. How good is your user activity monitoring system? How close to the user does it get
you? How do you monitor internal encrypted connections? Should they be monitored?
You need to know who did what, when and where, and the closer you can get to user
endpoint activity the better. You can’t go back and collect something that occurred in
the past. Plan now and only collect information you need.
7. Can you merge your employee information gathered from due diligence as part
of the hiring process with other data your advisory panel has authorized for use
within your cybersecurity program? This is important as it provides a holistic view
of your employees. Background information on an individual, collected during their
hiring process, may weigh positively or negatively on certain user activities or
anomalies, and on the granting of privileged user access. How often should this due diligence
be initiated? Ask your advisory panel (see step 4). Context will always be the key. Just
because someone works after-hours or on weekends doesn’t equate to nefarious
activity. Does it mean that person is working on a deadline?
8. Is your insider threat program on a private network? It should be, and with
restricted access. Administrators on your primary network should not have access to
this private network. This isn’t about a lack of trust, it’s about knowing if a privileged
user account is compromised or used in a nefarious way on your primary network. This
same account cannot delete or modify computer activity records. Forensics and the
ability to recreate activity is a must.
Once you have documented the gaps and developed a timeline on how to mitigate these
gaps, you will know the level of investment needed to get your organization to the next
level, especially if this level is below your threshold of risk mitigation. Your next step will
be to select the correct technology and tailor it to your specific needs. Remember that the
goal is to balance acceptable risk against potential damage to your organization’s
reputation, loss of IP, and the loss of employee/stock holder confidence.
Taking the time to consider these questions will help you expand on existing capabilities
or establish a program based on the needs and culture of your organization, without
threatening morale or potential litigation. It will also prevent you from buying unnecessary
hardware, software, and capabilities you don’t need.
Building Your Insider Threat Detection Program (ITDP)
It is important to remember that insider threat detection and information assurance (IA)
are two different missions with some overlapping areas of data and tools. An insider
threat is an individual who uses his/her authorized access to wittingly or unwittingly do
harm. To meet this challenge, you need more than traditional IA tools. You need a holistic
program that leverages audit data from office-issued computers to include user activity
computer monitoring. This needs to be merged with internal (HR, security, training, etc.)
and external records (gathered during your due-diligence pre-hiring process) to create an
Insider Threat Detection Program (ITDP). Avoid creating a “data retrieval” system. Instead,
your ITDP must be reactive and proactive. Reactive allows you to respond to authorized
queries about activities within your organization. Proactive requires you to create anomaly
detection trigger rules based on your senior panel’s approval. For example, on the
information highway you have rumble strips along your perimeter and if a user or activity
hits the rumble strips, your ITDP will be alerted. The activity would be reviewed in context
to determine if this is a false positive or an activity that warrants a closer inspection. If it’s
a false positive, review your anomaly triggers to proactively correct the issue. At no point
should your ITDP engage in fishing or individual profiling. Fishing would involve identifying
an individual and trying to find bad behavior based on curiosity versus on an authorized
investigative requirement. Protecting a user’s privacy is paramount and should include
treating all individuals in the same way. Do not hide the existence of the ITDP and adhere
to legal, Human Resource and employee consent, plus the employee handbook (code of
conduct, etc.). You must protect the anomaly triggers not the existence of the ITDP.
Users can also be evaluated, and anomaly triggers can be defined holistically. To reiterate,
these three steps will help you create a robust program benefiting your employees and
your organization:
Three Steps to Create a Robust Insider Threat Program
1. Establish a central repository for all company provided computer/IT audit
records to be stored on a private network.
2. Obtain a copy of internal data based on guidance and approval from your
oversight committee.
3. Integrate data used during the hiring process.
First, establish a central repository for all company provided computer/IT audit
records to be stored on a private network. This will benefit both IA and ITDP missions.
It is critical to make sure your endpoint monitoring gets as close to the user as possible to
meet your user monitoring requirements as approved by your senior advisory panel.
Second, obtain a copy of internal data based on guidance and approval from your
oversight committee. You will need to have an identity resolution process in place to
ensure data accuracy.
Third, integrate data used during the hiring process. Due diligence should include
thorough background checks and external research of potential employees (e.g. financial
information such as bankruptcies, arrest records, education confirmation). Interviews
should include questions that probe a candidate’s moral compass, and this information
should not just reside in HR files but be included as part of the ITDP. Your oversight
committee should determine how frequently the due diligence process should
be repeated. Obviously greater frequency will ensure any issues are addressed in a more
timely manner.
These steps will help you to focus on maintaining good employees and ensure you only
collect and retain information you are authorized to have based on your defined purpose.
Everyone makes mistakes and if an employee missteps and an anomaly trigger sounds an
alarm, a quick and proactive examination of the incident with the ITDP tools will tell you
whether an action is malicious or not. Establish mandatory training and education courses
for users so they understand what to do and what not to do with company hardware, data
and personal devices. Train employees to be alert for phishing attacks and educate them
on how to be responsible in protecting company intellectual property. It is my belief that
companies spend a lot of time and effort identifying and training employees and
employees want to do a good job. Suitability issues happen, and if you mitigate them
early, you can save a good employee who just made a mistake before he or she crosses a
line of no return. Remember, the purpose of your ITDP is to retain good employees,
protect your IP, and quickly mitigate nefarious employees.
Citation of privileged user statistics [1]:
73% of privileged users believe they are empowered to access all the information they
can view.
65% say these same people access sensitive or confidential data out of curiosity.
57% indicate background checks are lacking within the organization before issuance of
privileged credentials.
[1] http://www2.trustedcs.com/Raytheon-PonemonSurveyResearchReport
Data Breaches [2]
Nearly 200 million records—or 93,000 records per hour—were stolen between January and
March of 2014, an increase of 233 percent over the same quarter last year, according to the
recently released SafeNet Breach Level Index.
[2] http://www.scmagazine.com/index-200-million-records-stolen-in-q1-breaches/article/344845/
Protection: How To Confidently Mitigate Insider Risks
Once you have an ITDP in place, you cannot guarantee all insider threats will be stopped,
but you can confidently mitigate them and limit the period of time they have to inflict
damage. Data leaks are on the rise and are the lead story more often than we care to see
them, but with so many happening, are we becoming numb to them? If so, this could be
disastrous. Organizations would be smart to remember the extent of the damage that can
be done to a company’s reputation, stock prices, and customer confidence.
An Incident Response Plan that activates immediately when a data breach occurs is critical
to handling and responding to the loss of sensitive data. It may still be possible to
recover stolen records or even limit what is being stolen if you act swiftly. A published
Incident Response Plan is paramount to ensure collaboration, teamwork, protection of
individual privacies, and that the incident is handled in accordance with approved
company guidelines. Discovery and escalation come first. An incident response team must
move quickly to alert the C-Suite and authorities if the data breach involves the loss of
personally identifiable information or company IP. Does notification include regulatory
bodies? Lost business may be an immediate issue and the company needs to have a plan.
New Federal Guidelines Heading Your Way
New NISPOM standards are due to be released this fall. Don’t wait until they show up to
see what you need to do to be compliant, especially when you can start now and be ahead
of the game. First, take inventory of where your organization stands in terms of the
recommended standards. If new requirements demand increased standards and if they
are linked to contract obligations, it is important to start leveraging what you currently
have in place and build from there.
Will this affect current or future contract obligations? Anticipate the areas you will need
to build out and proactively engage your company’s resources to include available
government resources to help you build a program tailored to the needs and culture of
your organization. And, don’t stop there. The fact is, in the face of the current threat to
national and industrial security, NISPOM standards may not be enough for your risk
mitigation model. In my view, guidelines should be your starting point; based on
leadership requirements, including your business strategy, you may require additional
protection. Doing nothing is no longer an option. Act now.
Disclaimer: The views and opinions in this paper are based on Mr. Knutsen’s personal
experience and do not express the views of any government agency or former employer.
About the Author
Larry Knutsen retired from the CIA in 2012 as a Senior Intelligence Service Officer after 30
years, 10 of them abroad. He was responsible for creating the vision and acquiring
resources long before audit/insider threat was the topic it is today. Mr. Knutsen led the
Agency’s sophisticated CI and Security Technical Insider Threat Detection Program, which
became recognized as the “gold standard” for the Intelligence Community. He was
requested by the White House to lead an interagency team of technical and policy experts
in response to unauthorized disclosure from WikiLeaks. As a result, recommendations
related to the insider threat and protection of classified information were adopted and
later resulted in providing the framework for an Executive Order that was published in
October 2011.
Mr. Knutsen recently started a small company called Strongbox Cyber Solutions with a
partner. Strongbox Cyber Solutions provides consulting services that leverage his
expertise in CI and Security to guide data analytics and developers to create tailored
anomaly triggers and algorithms based on unique customer requirements. The company
helps organizations establish an insider threat detection program based on their risk
mitigation strategy.
Government Awards
Mr. Knutsen was awarded the National Intelligence Superior Service Medal from the
Director of National Intelligence in 2013, Distinguished Career Intelligence Medal from the
Central Intelligence Agency in 2012, the National Counterintelligence Award for
Community Excellence from the Director of National Counterintelligence in 2010, and the
National Intelligence Meritorious Unit Citation in recognition of outstanding achievements.
Appendix: Policies in Place Now
The Federal Government has put forth a number of important mandates over the past
few years in an effort to bring security standards to a baseline level for both overall data
assurance and insider threat. We are only as strong as the weakest link in the electronic
cyber world.
• Executive Order (EO) 13691 - Promoting Private Sector Cybersecurity Information
Sharing - dated February 13, 2015 – “to address cyber threat to public health and
safety, national security, and economic security of the United States, private
companies, nonprofit organization, executive departments and agencies and other
entities must be able to share information related to cyber security risks and incidents
and collaborate to respond in as close to real time as possible.”
• Executive Order (EO) 12829 - National Industrial Security Program – dated January 6,
1993 – “established a National Industrial Security Program to safeguard Federal
Government classified information that is released to contractors, licensees, and
grantees of the United States Government.”
• Executive Order (EO) 13587 – Structural Reforms to Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding of Classified Information –
dated October 7, 2011 – outlined policy and general responsibilities ranging from
designating a responsible individual and implementing an insider threat program to
self-scans.
• National Industrial Security Program – Operating Manual – DoD 5220.22-M, 28
February 2006 Incorporating change 1 – dated 28 March 2013 - “It prescribes the
requirements, restrictions, and other safeguards to prevent unauthorized disclosure of
classified information.”
• National Insider Threat Policy and Minimum Standards for Executive Branch Insider
Threat Programs – dated November 21, 2012 - outlined capabilities to gather,
integrate and centrally analyze and respond to key threat-related information; monitor
employee use of classified networks; provide the workforce with insider threat
awareness training; and protect the civil liberties and privacy of personnel.
• Fiscal Year 2013 Reporting Instructions for the Federal Information Security
Management Act and Agency Privacy Management – dated November 18, 2013 –
“helps agencies improve cybersecurity performance by focusing on efforts on what
data and information are entering and exiting their networks, who is on their systems
and what components are on their information networks, as well as when their security
status changes.”
• Executive Order (EO) 13636 – Improving Critical Infrastructure Cybersecurity – dated
February 12, 2013 – “Repeated cyber intrusions into critical infrastructure demonstrate
the need for improved cybersecurity. The cyber threat to critical infrastructure
continues to grow and represents one of the most serious national security challenges
we must confront.”
• Presidential Policy Directive (PPD)-21 – Critical Infrastructure Security and
Resilience – dated February 12, 2013 – “advances a national unity of effort to strengthen
and maintain secure, functioning, and resilient critical infrastructure.”
• NIST SP 800-53 Rev 4 – Security and Privacy Controls for Federal Information Systems
and Organizations – dated April 2013 – covers the steps in the Risk Management
Framework that address security control selection for federal information systems in
accordance with the security requirements in Federal Information Processing Standard
(FIPS) 200. This includes selecting an initial set of baseline security controls based on a
FIPS 199 worst-case impact analysis, tailoring the baseline security controls, and
supplementing the security controls based on an organizational assessment of risk.
http://csrc.nist.gov/publications/PubsSPs.html#800-53