Michael McKee, Chief Executive Officer at ObserveIT, discussed steps to diminish insider risk vulnerability.
At the outset of his keynote presentation at the 2016 Chief Information Security Officer Leadership Forum Fall Event held on October 20 in New York, McKee noted there are all sorts of threats out there—ransomware, viruses, bots—but the real vulnerability is people. “What we need to know more about is what people in the organization are doing,” he said. “Ninety percent of security incidents in 2015 were caused by people, 58% of breaches were caused by internal incidents or those in a business partner’s organization, and 55% originated from an insider. You can’t patch people. They’re much less predictable than machine vulnerabilities,” he observed.
There are also vendors who do bad things. “We recently did business with a company in Boston that could see their vendors come in and go out, but they had no idea what they were doing in between. Another company thought it had 200 privileged users accessing their servers, and it turned out to be 1000. This is a big problem,” said McKee. “Knowing how many privileged users are in your environment, what they’re doing, where they’re going, and what applications they’re working with is very important. Disgruntled users are another issue, but the greater problem is people who are unaware they’re putting the organization at risk.”
McKee outlined these steps to address human-caused risk:
• Ensure organizational commitment. Get support from executives, security, legal, compliance, and HR; identify the crown jewels; and establish clear security policies and governance processes. “People and processes are more important than technology,” said McKee.
• Focus on the time to detect and respond. Gartner has reported that, historically, 90% of dollars in security are spent on prevention. “The trend is toward more focus on detection and response, and thinking of threat from the user perspective rather than the machine and asset perspective,” said McKee.
• Investigations should take minutes instead of weeks. Have an “over-the-shoulder” view of all employee activity to enhance visibility. Alerts should be in plain English and easy to understand.
• Prioritize people, not assets. Identify the riskiest users. Know where your vendors are. Learn and continually assess the people risk.
• Integrate tools for greater insight. “Security vendors need to do a better job working with each other. Don’t get one-off tools. The tools need to work together to act as a single pane of glass,” stated McKee.
• Deter and educate, early and often. “Deterrence can go a long way,” emphasized McKee. Educate employees about policy violations in real time, offer constructive alternatives, and provide a communication medium for security-policy feedback and suggestions.
McKee then talked about a case study involving a Merck drug in development worth $25 billion in market potential. Merck found this drug on the black market in China and purchased it for $1,400. “The company was lucky in that it was able to find this drug and bring it in; it hadn’t gone anywhere,” said McKee. “This incident became the burning platform to get executive buy-in to improve the overall security posture. Merck organized an executive committee and formed a core group that met on a monthly basis. The company got the PhDs as well as the business owners on board to agree on what mattered to the organization,” he explained. The business users worked with the security team to identify 950 words, which, if they appeared in emails or communications, sent up a red flag about information going where it shouldn’t go. Merck identified the most at-risk people or roles and did hundreds of investigations a year. “People who had access to important data received in-person lectures from people in security.”
In conclusion, McKee stated, “More often than not, the risk isn’t a bad guy on the outside; it’s the people you’ve allowed into the network—privileged users, disgruntled users, vendors, contractors, or general users.”
ABOUT MICHAEL MCKEE:
Mike brings almost 20 years of cross-functional, global experience in the technology industry to ObserveIT. Prior to ObserveIT, Mike led the award-winning Global Services and Customer Success organizations at Rapid7, a security data and analytics company that went public (RPD) in July 2015.
Mike's prior positions include Senior Vice President, CAD Operations & Strategy, at PTC, Inc., a software company; Chief Financial Officer at HighWired.com, an e-commerce solution provider; and Associate/Analyst roles at Broadview Associates, Ltd., McKinsey & Company, and Goldman Sachs.
Mike also played professional hockey for the Quebec Nordiques (now the Colorado Avalanche). Mike received a B.A. in economics and politics, cum laude, from Princeton University and an M.B.A., with honors, from Harvard Business School.