A Person-Centric Approach to Insider Threat
The Journey – Part B
Closing out Part B of the journey: Unearth’s main goal was to support ABC Corp’s (fictitious name) efforts to build a proactive Insider Threat program and to shed the reactive methodology that had harmed them in the past. To do this, we took a staged approach with clear deliverables along the way, so that we could demonstrate our value to ABC Corp within a short period of time.
These stages included:
Current State Assessment Report
Unearth provided a Current State Assessment Report which included critical risk priorities and risk cause analysis. This process included interviews with ABC Corp stakeholders, including the Security Operations Centre (SOC), the Investigations and Governance Teams, Data Owners, and so on.
Points to Note
- Developed a clear understanding of the current state of processes, policies, people, and systems to surface priorities for strategic action
- Assisted the newly formed Insider Threat Team in understanding how they could leverage information from internal groups and what they could offer to these groups
- Highlighted a range of internal obstacles that could affect both our project and the effectiveness of any insider threat program. For example, the barriers to data sharing between teams were not technology issues so much as bureaucracy, data owner bias and concerns about control.
Pilot (Proof of Value – PoV) of the Software
- Conducted on-premises at ABC Corp to ensure that the software would integrate with their internal environment without a negative impact.
- Consume ABC Corp’s data while maintaining data confidentiality and integrity.
- Provide insights from the data, starting with a small data set as a foundation and increasing the data sets at each phase of the pilot.
- Demonstrate the software’s ability to identify potential insider threats and to provide clear, actionable information through alerts, reports and user-friendly dashboards.
Points to Note
- The ability to show value with minimal information and data sets and to ingest information from other systems
- Tailor use cases
- Model testing and tuning
- Results analysis
- Supporting processes and systems, including process redesign recommendations (the Detection-Response process and its workflows) and organisational redesign recommendations (governance and authorities)
- Addressed security and confidentiality concerns, including the management of sensitive and confidential information. This included the ability to redact fields that analysts are not required to view, the capture of digital evidence, and a user access audit (i.e. watching the watcher), so that every analyst view of sensitive data is itself recorded and reviewable.
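The redaction and “watching the watcher” controls above can be illustrated with a small worked example. This is an added example, not code from the ABC Corp pilot or from Unearth’s product: the roles, the field names, the sample event and the salt are all constructed for illustration. It shows a role-based field filter (sensitive fields are blanked or pseudonymised depending on the analyst’s clearance) and a hash-chained access log in which every view is appended before the data is returned, so later tampering with the log is detectable.

```python
"""Role-based field redaction with a tamper-evident analyst access log.

Added example, not ABC Corp's or Unearth's code. Roles, field names,
the sample event and the salt are constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role -> fields that role may see in the clear.
ROLE_VISIBLE_FIELDS = {
    "triage_analyst": {"event_id", "timestamp", "event_type", "risk_score", "department"},
    "investigator": {"event_id", "timestamp", "event_type", "risk_score", "department",
                     "user_id", "file_path", "destination"},
}
# Identity fields are pseudonymised rather than blanked, so a triage analyst
# can still correlate events for the same person without learning who it is.
PSEUDONYMISE = {"user_id"}
REDACTED = "[REDACTED]"


def pseudonym(value: str, salt: bytes) -> str:
    """Deterministic keyed pseudonym; the salt must be kept away from analysts."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:12]


def redact(record: dict, role: str, salt: bytes) -> dict:
    """Return a copy of record showing only the fields the role is cleared for."""
    visible = ROLE_VISIBLE_FIELDS[role]
    out = {}
    for key, value in record.items():
        if key in visible:
            out[key] = value
        elif key in PSEUDONYMISE:
            out[key] = pseudonym(str(value), salt)
        else:
            out[key] = REDACTED
    return out


class AccessAuditLog:
    """Append-only, hash-chained log of who viewed which record in which role."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record_access(self, analyst: str, role: str, event_id: str, fields_seen: list) -> dict:
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "analyst": analyst,
            "role": role,
            "event_id": event_id,
            "fields_seen": sorted(fields_seen),
            "prev_hash": prev_hash,
        }
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry has been altered or removed since it was appended."""
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def view_event(record: dict, analyst: str, role: str, salt: bytes, audit: AccessAuditLog) -> dict:
    """What an analyst actually sees; the view is logged before it is returned."""
    shown = redact(record, role, salt)
    seen_clear = [k for k in shown if k in ROLE_VISIBLE_FIELDS[role]]
    audit.record_access(analyst, role, record["event_id"], seen_clear)
    return shown


# Constructed sample event, not real data.
SAMPLE_EVENT = {
    "event_id": "evt-0001",
    "timestamp": "2024-03-01T09:12:00Z",
    "event_type": "bulk_download",
    "risk_score": 87,
    "department": "finance",
    "user_id": "jdoe",
    "file_path": "/share/finance/forecast.xlsx",
    "destination": "personal-usb",
}
SALT = b"constructed-demo-salt"

if __name__ == "__main__":
    log = AccessAuditLog()
    print(view_event(SAMPLE_EVENT, "analyst1", "triage_analyst", SALT, log))
    print(view_event(SAMPLE_EVENT, "analyst2", "investigator", SALT, log))
    print("audit chain intact:", log.verify())
```

In a real deployment the audit log would be written to storage the analysts cannot modify and the pseudonymisation salt would live outside the analyst tier, so that de-anonymising a triage-level view requires a recorded escalation to the investigator role.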
Provided live demonstrations to ABC Corp’s global stakeholders and data owners at each stage to show the effectiveness of the system, even with minimal information and data. Further benefits were shown as additional information and data were made available.
Points to Note
- Demonstrate the power of the system to all of ABC Corp’s stakeholders and data owners. By the end of the second showcase, even the biggest sceptics in the organisation recognised how powerful the system truly is.
- Illustrate the value gained by sharing data. By breaking down the barriers associated with data sharing, even the most resistant data owners were considering and offering data options. They became open to sharing data internally, despite their long-held attitudes to the contrary.
Minimal Viable Solution Roadmap and Architecture, plus Final Report
Developed an architecture and a roadmap for ABC Corp’s production environment for insider threat systems.
Unearth leveraged all the learning from the Proof of Value as well as additional considerations identified during the project.
The project results, findings and considerations were made available through the Final Report.
Production deployment to support 45K ABC Corp employees globally.
Drawing on our insider threat experience, Unearth was asked by ABC Corp to provide insider threat analysts, build workflows and playbooks, and develop the training program for new insider threat team members.
Points to Note
- Leveraged the work from the PoV, and the opportunity it gave us to explore environmental considerations, for production deployment and support.