Mike McKee, Chief Executive Officer of ObserveIT, provided five keys to help businesses identify and mitigate insider threats.
“ObserveIT’s mission is to help organizations identify and eliminate insider threats,” stated McKee at the outset of his thought leadership presentation at the 2017 Chief Information Security Officer Leadership Forum held on November 7 in New York. “My plan is to share five of the best practices we’ve put together to mitigate insider threat. All too often, people are at the center of cybersecurity incidents—anywhere from 52 percent to 70 percent of all data breaches involve a person. Without a doubt, there are many external threats out there, but the insider threat is far more dangerous,” he stated.
“The first of the five keys to protecting against insider threat is to remember that it’s all about the mean time to detect and remediate—and making sure the solution works. We need comprehensive visibility, and a key component of that is context—what happened before and after the alert,” he said. “With people, there are normally threat indicators, like changes in their behavior—they have access to an application that they normally don’t, they’re accessing files they normally don’t, or they’re working hours they normally don’t. These are early-warning signs.”
The second key McKee mentioned is thinking about high-risk users, not just privileged users. “Security 101 is knowing your critical assets. Regarding insider threat, this means knowing the people you’re worried about—people who are part of an acquisition, people who have recently joined or left the company. Most people have moved from or to a company in a similar business as yours. On the privileged-user side, watch out for ‘privilege creep’—which goes in only one direction—to more privilege.”
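The early-warning signs McKee lists (an application or file location the user does not normally touch, activity at hours they do not normally work) and the one-way "privilege creep" he warns about can both be expressed as detection logic over an activity log. The Python below is an added example, not code from ObserveIT or from the presentation: it learns a per-user baseline from a constructed log, flags the three behavioural indicators in a later window, pulls the surrounding events for the "before and after" context an analyst needs at triage, and reports users whose group memberships only ever grew. The log format, the 07:00-19:59 working-day window, the user names and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity logs (not real data). One event per line:
# "<ISO timestamp> <user> <action> <target>", action in {app, file, grant, revoke}.
BASELINE_LOG = """\
2017-10-02T09:10:00 alice app CRM
2017-10-02T09:30:00 alice file /sales/pipeline.xlsx
2017-10-03T10:05:00 alice app CRM
2017-10-03T14:20:00 alice file /sales/forecast.xlsx
2017-10-04T11:00:00 alice app Email
2017-10-02T08:50:00 bob app Jira
2017-10-02T09:00:00 admin grant bob group:Engineering
2017-10-03T09:15:00 bob file /eng/design.md
"""

RECENT_LOG = """\
2017-11-06T09:05:00 alice app CRM
2017-11-06T23:40:00 alice app SourceControl
2017-11-06T23:55:00 alice file /eng/customer_db_export.sql
2017-11-07T10:00:00 bob app Jira
2017-11-07T10:10:00 admin grant bob group:Finance
2017-11-07T10:12:00 admin grant bob group:DomainAdmins
"""

WORK_HOURS = range(7, 20)  # assumed: 07:00-19:59 is the organisation's normal working day


def parse(log_text):
    """Return (timestamp, user, action, target) tuples from the constructed format, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, target = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, target))
    return sorted(events)


def build_baseline(events):
    """Per-user applications, file directories and active hours seen in the baseline window."""
    profile = defaultdict(lambda: {"apps": set(), "dirs": set(), "hours": set()})
    for ts, user, action, target in events:
        if action == "app":
            profile[user]["apps"].add(target)
        elif action == "file":
            profile[user]["dirs"].add(target.rsplit("/", 1)[0])
        else:
            continue  # grants/revokes are admin actions; handled by privilege_creep()
        profile[user]["hours"].add(ts.hour)
    return profile


def behaviour_indicators(baseline, events):
    """Flag the three early-warning signs: new application, new file location, unusual hours."""
    alerts = []
    for ts, user, action, target in events:
        if action not in ("app", "file"):
            continue
        prof = baseline[user]  # a user absent from the baseline gets an empty profile
        if action == "app" and target not in prof["apps"]:
            alerts.append((ts, user, "new_app", target))
        if action == "file" and target.rsplit("/", 1)[0] not in prof["dirs"]:
            alerts.append((ts, user, "new_file_dir", target))
        # Off-hours only when the hour is outside both the user's own pattern and the
        # site-wide working day, so an early starter is not flagged on a thin baseline.
        if ts.hour not in prof["hours"] and ts.hour not in WORK_HOURS:
            alerts.append((ts, user, "off_hours", target))
    return alerts


def context(events, alert, window=timedelta(hours=1)):
    """What the same user did shortly before and after an alert, for triage."""
    ts, user = alert[0], alert[1]
    return [e for e in events if e[1] == user and e[0] != ts and abs(e[0] - ts) <= window]


def privilege_creep(events, min_grants=2):
    """Users whose memberships only ever grew: at least min_grants grants and no revokes."""
    grants, revokes = defaultdict(list), defaultdict(int)
    for _ts, _admin, action, target in events:
        if action not in ("grant", "revoke"):
            continue
        subject, group = target.split(" ", 1)  # target is "<user> <group>"
        if action == "grant":
            grants[subject].append(group)
        else:
            revokes[subject] += 1
    return {u: g for u, g in grants.items() if len(g) >= min_grants and revokes[u] == 0}


def run():
    base_events, recent_events = parse(BASELINE_LOG), parse(RECENT_LOG)
    alerts = behaviour_indicators(build_baseline(base_events), recent_events)
    creep = privilege_creep(base_events + recent_events)
    return alerts, creep


if __name__ == "__main__":
    alerts, creep = run()
    for a in alerts:
        print(a, "context:", context(parse(RECENT_LOG), a))
    print("privilege creep:", creep)
```

On the sample data only alice trips the behavioural indicators (a new application and a new file location, both late at night), while bob, who looks quiet behaviourally, is the one accumulating group memberships without a single revoke. That is the point of the second key: the high-risk user and the privileged user are not always the same person, and a baseline per user catches the first while a grant/revoke ledger catches the second.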
“Third,” McKee said, is to “think people, process, technology—in that order. Technology should be last and it, alone, won’t solve an insider threat problem.” To address this, he suggested:
• Electing a champion
• Building an insider threat team
• Developing a business plan and process
• Establishing a playbook
• Creating an integrated insider-threat hub
“I always refer to insider threat as a team sport,” said McKee, “so it’s important to have an insider-threat team. This is the fourth point. When issues occur, know who’s going to deal with them. Make sure there’s alignment and broad buy-in among those assigned to dealing with problems,” he advised.
“The fifth and final key is to create an incident management and response playbook. Keep in mind that when it comes to insider threats, half the time it’s the employee not knowing the security policies and half the time it’s malicious. So it’s important to know who to contact when insider-threat incidents happen.”
In summary, McKee noted these three business objectives in dealing with insider threats:
1. Proactively detect data exfiltration—no more reactive security. “Proactive means more alerts, responding to those alerts quickly, and knowing who your high-risk users are.”
2. Enterprise-wide visibility across all users—no golden-key holders and flat networks.
3. Integrate points one and two with the security ecosystem—ticketing, security information and event management (SIEM), and analytics. “In addition to making sure the tool can be deployed in a time-efficient manner, make sure it plays well with the other tools you have. Regarding the people-process-technology piece, a lot of that process is thinking through how the tool is going to work with your other security tools and knowing who’s going to get the alerts.”
ABOUT MIKE MCKEE:
Mike brings almost 20 years of cross-functional, global experience in the technology industry to ObserveIT. Prior to ObserveIT, Mike led the award-winning Global Services and Customer Success organizations at Rapid7, a security data and analytics company that went public (RPD) in July 2015.
Mike’s prior positions include Senior Vice President, CAD Operations & Strategy, at PTC, Inc., a software company; Chief Financial Officer at HighWired.com, an e-commerce solution provider; and Associate/Analyst roles at Broadview Associates, Ltd., McKinsey & Company, and Goldman Sachs. Mike also played professional hockey for the Quebec Nordiques (now the Colorado Avalanche). Mike received a BA in economics and politics, cum laude, from Princeton University and an MBA, with honors, from Harvard Business School.