Insider threat behavior not just actions: Part two of a series

Dan Velez, director of defense programs, Raytheon Oakley Systems

In a recent industry presentation, Christopher A. Williams, president of Christopher A. Williams, LLC, turned attention to the rise of alarming security breaches that have compromised highly classified federal information.

Williams called for greater agency accountability and compliance oversight, in addition to more rigorous “need to know” policies when it comes to limiting an individual's access to sensitive information based on their roles and responsibilities. He cautioned against unproven IT tools/solutions as remedies, and noted that the U.S. government and private sector must work together to halt the “massive, illegal transfer of American know-how and secrets.”

Given his commendable experience as a top security official with the Department of Defense (DoD) and the U.S. Congress, Williams' words carry weight. I strongly agree that the private sector has to remain highly involved in the “fix.” Yet, that fix will require an overhaul of institutional mindsets on the subject of safeguarding critical information and data that, after decades, have become deeply ingrained.

In short, we too often focus exclusively on implementing technologies and auditing at the endpoint. We overlook user behaviors that command tremendous influence here. To advance our capabilities, we need to get a better grasp on the “people,” as well as the technical side.

Frankly, there is resistance to this notion because it's easier to maintain the status quo when it comes to policies and procedures based on simple virus scans, configuration management, log analysis, “dirty word” searches, etc. It's difficult to go beyond this mentality and pursue something more inquisitive – something that will reveal the “how” and “why” behind the “what” that delivers valuable – and actionable – knowledge.

Context means everything. You can identify breaches and “catch” people. But without the perspective of their business role, authority and motivation, and the scope and impact of an incident, you're only getting part of the story. Adding that context is the surest way to transform oversight from a reactive, “put out the latest fire” posture to a proactive one that anticipates user behaviors and their capacity to pose a threat.

For example, in one case, a client sought our help during a significant reduction in force (RIF) initiative. Despite offering severance packages that specified the non-disclosure/removal of secure data, a number of just-downsized employees went back to their desks and started downloading away. Our solution swiftly detected and reported this. That single day virtually paid for the customer's licensing fee for an entire year.
