For the past several years, concern about insider threats, and the priority assigned to them, has steadily risen within information technology security, as evidenced by a variety of surveys across the IT security industry. Companies are becoming increasingly worried about insider threats.
From the cyber security perspective, insider threat is primarily focused on malicious threats to the company either by, or to, information technology assets. Whether it is fraud, intellectual property theft, or even cyber system sabotage, the cyber security professional considers it an insider threat if the incident involves IT assets and internal resources.
Development of cyber security tools
Cyber security tools that identify trends predictively and flag malicious activity in real time are increasingly under development and becoming a mainstay of the cyber security toolkit. Whether the culprit is malicious, exploited, or just plain negligent, both cyber and corporate security have a responsibility to detect and prevent the threat. As a result, we are seeing the development of enterprise risk programmes that combine physical and cyber security teams to implement a cohesive insider threat programme. A natural outcome of this is the emerging interfacing of physical and cyber systems at various levels to provide both predictive and real-time intelligence on insider threat activity.
Security Information and Event Management System (SIEM)
One of the most obvious system interfaces is the extraction of access control data and its incorporation into a Security Information and Event Management System (SIEM, pronounced “sim”) such as Splunk, AlienVault, and ArcSight, to name a few. SIEMs are used by cybersecurity teams to provide a total picture of the cybersecurity landscape. Specifically, most SIEMs use data collection “agents” across a variety of InfoSec sub-systems such as anti-virus, firewalls and intrusion detection systems, as well as applications; the collected data is then correlated and anomalies are flagged for action. Both normal activities and deviations can then be driven to an operator console.
To the enterprise the advantage is obvious; it now has the ability to have a wide view of the current normal and aberrant network, application and data behaviour to begin the predictive analysis of insider threats. However, an IT systems-only view is in fact limited as critical pieces of information are missing from the analysis and extraordinary efforts need to be made to obtain information. Currently, this situation extends to most physical security systems.
Let’s pretend that a SIEM operator begins to receive alerts that a computer located in Toronto, Ontario is attempting to access a number of directories that it does not have privileges to. The attempts continue for a couple of minutes and that activity triggers an alert to the SIEM. The SIEM operator can quickly determine from the access control log that the ID of the person is Bob Smith. However, that does not really mean that Bob Smith is attempting the breach. The SIEM operator may need to call the Global Security Operations Centre (GSOC) and request an access report for the room the attack is being mounted from. If Bob Smith’s card was used to get into the room, and his ID was used to log on to the computer, then chances are it’s Bob Smith. The last piece of confirming evidence would be a video snippet from the camera monitoring the door: the access granted is matched to the photo on file, and then to the video snippet. Cyber Security can then shut down the computer and Corporate Security can physically stop the threat.
Need for process automation
The above scenario assumes that the GSOC can make the request an immediate action priority. But what if it can’t because of another higher priority event occupying the GSOC? The answer is to automate the process with an interface between the two systems.
“Data mining on an archive is relatively simple” said Mike Hamilton, CEO of Critical Informatics at the ISC West Conference in 2016. “Arguably the more beneficial function is the real-time correlation of physical security data with a SIEM.”
The notion that an InfoSec SOC can hook into a live PhySec database, be it access control, intrusion detection, or video, isn’t new. Indeed, the idea has been bandied about for a decade. However, the recent advances in SIEMs and InfoSec SOCs, the movement within the enterprise towards unified enterprise security governance, and rising concerns around insider threats combine to make the integration of real-time security information even more compelling.
Imagine the same scenario mentioned previously, but now when the SIEM operator receives the alert they also get real-time access control and video snippets attached to the incident. Imagine further that the SIEM operator can use automated incident response processes to initiate an immediate joint corporate / information security, HR, Legal and employee manager response. Because of the speed at which an insider threat can cause damage, it is vital that the incident response be decisive, pre-determined, and unified to be effective.
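The Bob Smith scenario and the automated version of it described just above can be shown end to end in a small correlation routine. The following is an added example written for this article, not code from any SIEM or access control vendor: it detects a burst of denied directory accesses from one host, looks up the room that host sits in, finds the most recent granted badge entry at that room’s door, compares the badge holder with the logged-on user, and attaches a reference to the door camera footage around the badge time. The SIEM events, badge events, the host-to-room and door-to-camera mappings, and the directory of logon IDs to names are all constructed sample data; in a real deployment they would come from the SIEM and the physical access control system through their APIs.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article). Timestamps are ISO 8601.
SIEM_EVENTS = [
    {"ts": "2016-04-06T14:02:10", "host": "TOR-WS-0417", "user": "bsmith", "event": "ACCESS_DENIED", "path": "/finance/payroll"},
    {"ts": "2016-04-06T14:02:25", "host": "TOR-WS-0417", "user": "bsmith", "event": "ACCESS_DENIED", "path": "/finance/budget"},
    {"ts": "2016-04-06T14:02:41", "host": "TOR-WS-0417", "user": "bsmith", "event": "ACCESS_DENIED", "path": "/hr/reviews"},
    {"ts": "2016-04-06T14:03:05", "host": "TOR-WS-0417", "user": "bsmith", "event": "ACCESS_DENIED", "path": "/legal/contracts"},
    {"ts": "2016-04-06T14:03:30", "host": "TOR-WS-0417", "user": "bsmith", "event": "ACCESS_DENIED", "path": "/exec/board"},
    {"ts": "2016-04-06T14:03:52", "host": "TOR-WS-0417", "user": "bsmith", "event": "ACCESS_GRANTED", "path": "/eng/shared"},
    {"ts": "2016-04-06T14:05:00", "host": "TOR-WS-0220", "user": "jdoe", "event": "ACCESS_DENIED", "path": "/finance/payroll"},
]
BADGE_EVENTS = [
    {"ts": "2016-04-06T12:10:00", "door": "TOR-4F-RM12", "card_holder": "Alice Wong", "result": "GRANTED"},
    {"ts": "2016-04-06T13:41:12", "door": "TOR-4F-RM12", "card_holder": "Bob Smith", "result": "GRANTED"},
    {"ts": "2016-04-06T13:55:40", "door": "TOR-4F-RM12", "card_holder": "Carol Diaz", "result": "DENIED"},
]
# Hypothetical asset inventory: which room a host lives in, which camera watches a door,
# and which badge-record name belongs to a logon ID.
HOST_ROOM = {"TOR-WS-0417": "TOR-4F-RM12", "TOR-WS-0220": "TOR-2F-RM03"}
DOOR_CAMERA = {"TOR-4F-RM12": "cam-4f-door12"}
DIRECTORY = {"bsmith": "Bob Smith", "jdoe": "Jane Doe"}


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def detect_denied_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Flag each (host, user) with at least `threshold` ACCESS_DENIED events inside a sliding `window`."""
    by_key = {}
    for e in sorted((e for e in events if e["event"] == "ACCESS_DENIED"), key=lambda e: e["ts"]):
        by_key.setdefault((e["host"], e["user"]), []).append(parse_ts(e["ts"]))
    alerts = []
    for (host, user), times in by_key.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "user": user, "first": times[start],
                               "last": times[end], "count": end - start + 1})
                break  # one alert per host/user is enough to open an incident
    return alerts


def enrich_with_physical(alert, badge_events, lookback=timedelta(hours=4)):
    """Attach badge and camera context from the physical access control data to a SIEM alert."""
    room = HOST_ROOM.get(alert["host"])
    incident = {**alert, "room": room, "badge_holder": None, "badge_ts": None,
                "identity_match": None, "video_ref": None, "note": ""}
    if room is None:
        incident["note"] = "host not mapped to a room; manual GSOC lookup required"
        return incident
    # Granted entries at this room's door in the lookback window before the burst began.
    candidates = [b for b in badge_events
                  if b["door"] == room and b["result"] == "GRANTED"
                  and alert["first"] - lookback <= parse_ts(b["ts"]) <= alert["first"]]
    if not candidates:
        incident["note"] = "no granted badge entry in lookback window: possible tailgating or shared credentials"
        return incident
    # Prefer an entry by the person the logon ID belongs to; otherwise fall back to the latest entrant.
    expected = DIRECTORY.get(alert["user"])
    matching = [b for b in candidates if b["card_holder"] == expected]
    chosen = max(matching or candidates, key=lambda b: b["ts"])
    incident["badge_holder"] = chosen["card_holder"]
    incident["badge_ts"] = parse_ts(chosen["ts"])
    incident["identity_match"] = bool(matching)
    camera = DOOR_CAMERA.get(room)
    if camera:  # clip around the badge swipe so the operator can compare face to photo on file
        incident["video_ref"] = {"camera": camera,
                                 "from": incident["badge_ts"] - timedelta(seconds=10),
                                 "to": incident["badge_ts"] + timedelta(seconds=20)}
    return incident


def run_pipeline(siem_events=SIEM_EVENTS, badge_events=BADGE_EVENTS):
    """Detect bursts, then enrich each alert; returns the list of incidents ready for the console."""
    return [enrich_with_physical(a, badge_events) for a in detect_denied_bursts(siem_events)]


if __name__ == "__main__":
    for inc in run_pipeline():
        print(inc)
```

Running this on the sample data produces one incident: five denied accesses from TOR-WS-0417 by bsmith within 80 seconds, a granted badge entry by Bob Smith at that room’s door 21 minutes earlier, identity_match set to True, and a camera clip reference around the swipe. The two negative branches are as important as the positive one: a host with no room mapping falls back to the manual GSOC request the article describes, and a burst with no badge entry at all is itself worth escalating, since someone is at a keyboard in a room no card opened.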
Data mining for insider threat isn’t limited to real-time incidents, of course. There is value for the enterprise when insider threat pattern analysis is done that includes a physical security database extraction. Indeed, deep pattern analysis would be executed against an archive, since a real-time database could suffer performance problems under an intensive query.
So, what are the issues that face an enterprise when it is considering insider threats? There are several:
All the data access governance issues that apply to enterprise data (e.g. privacy concerns, legal requirements for preservation, cross-functional incident management) apply. An enterprise would be ill-advised to undertake a SIEM/Physical Security Insider Threat integration without the governance framework well thought out and planned.
Integrations require the manufacturer’s Application Programme Interface (API) to be available, and the application versions to be current. Each type of database integration would need a script written against the APIs, and each would need to be maintained, including through application version upgrades. So, a management plan would need to be in place for the script maintenance. Hardware and application standards would also need to be in place.
As the enterprise grows, the SIEM would need to extend into the new network locations. Extensions may be relatively simple, for example when the company has purchased new office locations and is extending the network. However, mergers and acquisitions (M&A) add complexity to the programme. The M&A may acquire assets that do not conform to a corporate standard, and writing new hooks to standalone databases would be a nightmare.
For an enterprise considering using a SIEM or other dedicated application for insider threat, the issues are complex but not insurmountable. Further, the threat represented by insider activity in today’s business environment requires tools that provide the timeliest information to initiate an appropriate response. Best practices, tool development, and unified governance all play a part, and data mining for insider threat will certainly become standard.