#Infosec17 Insider Threat Can Be Defeated with Analytics

Speaking on the keynote stage at Infosecurity North America, Professor Derek Smith, IT Program Manager at the IRS and President of Cautela Cybersecurity Solutions, said that the insider continues to be the blind spot for many organizations.

In his talk “Mitigating the Insider Threat: Closing Down the Enemy Within”, Smith said that “everyone could be an insider threat”, and “you don’t know who it could be until it happens”. Pointing to common factors such as people who have recently resigned or been terminated from employment, or those involved with mergers and acquisitions or third parties, Smith said that there are two types of insider: malicious or inadvertent.

Running through industry statistics, Smith said that the majority of organizations do not look at their audit trails and do not report statistics on what is happening, that the majority of organizations had no idea about a rogue insider, and that 70% had trouble detecting insider threats.

Smith called it a “tool overload” as “most folks throw technology at a problem”, while Ponemon reported that 43% take a month to detect an insider, SANS Institute said a third have no way to know, and SANS also said that 9% rank insider as ‘very effective’.

As a way to fix it, Smith recommended user behavior analytics. “To me, it is the key for insider threat, one of the biggest things to do right now,” he said.

“It can determine a baseline of activity and identify deviations from normal activity. Using algorithms for assessment in real time, you can see who is likely to commit the crime and maybe pre-empt that.”

Smith concluded by saying that most tools analyze only systems and data, not people, so for the insider threat you have got to look for anomalous behavior.
