So, what should we be watching instead? We need to bring more focus to watching and understanding our attackers—we call this the threat focus. We need to place a greater emphasis on understanding and sharing threat patterns to balance detection with mitigation and response. We need to share and analyze knowledge gained from multiple, discrete attacks to better understand attacker behaviors and reduce the likelihood of future successful attacks by aligning our defenses and our investments to the actual threats we face.
How do you approach the insider threat?
Well, first we should define what we mean by “insider threat.” I define it to include true insiders as well as situations where an intruder has gained access to users’ credentials, and is now “free to roam.” Both types of insiders pose different yet equally challenging issues for security professionals.
Fundamentally, I approach both with a threat-based defense. This means gaining understanding of the system, of individual intruders’ behaviors, and then using the data to help inform defensive action where abnormalities exist. I like to think of the issue as looking for a needle—not in a haystack, but in a pile of needles. You don’t use the same tools and techniques to discover the latter, but you certainly can use similar understandings of the problem to start your search.
I think the work done by the Software Engineering Institute at Carnegie Mellon University is a good example of how DHS has worked to develop common-sense recommendations to address and mitigate the impacts of insider threats to organizations. It succinctly provides tables that make it easy for members of different organizational groups, such as IT, software engineering, and human resources, to work as a holistic team in finding and applying the most relevant practices to the threats. The guide also maps each practice to existing standards, lists implementation challenges for large and small organizations, and outlines quick wins and high-impact solutions.
The recently published fourth edition of the Common Sense Guide to Mitigating Insider Threats, sponsored by DHS, updates and expands the CERT Insider Threat Center's recommendations for a broad range of organizational stakeholders.
Based on your experience, what advice would you give to a government trying to improve the resilience of its cyber ecosystem? What areas are often overlooked and in desperate need of improvement?
First of all, I think that we need to significantly alter the conversation about the challenges we face. We have countless government agencies, private industries, and citizens within and outside of the United States who own, operate, and use cyber infrastructure to conduct their business. We also have another broad range of players, some of them human and some of them natural events, that threaten our cyber infrastructure.
Given the diversity of players, it isn’t surprising that they don’t operate as if they were part of a single team that is playing the same game and using the same set of rules in a predictable manner, where linear cause-and-effect relationships are easily definable.