By Gregory Hale
Puxatony Phil had more success predicting whether spring will come early or not than the FBI did in its first system of predicting potential cyber insider threats.
“Puxatony Phil was correct at his predictions 60 percent of the time, the FBI was nowhere close to that number,” said Patrick Reidy, the former chief information security officer at the Federal Bureau of Investigation (FBI), during his presentation at the Black Hat security conference Wednesday in Las Vegas. Reidy, who just left the FBI to go into the private sector, gave his talk on “Combating the Insider Threat at the FBI: Real-World Lessons Learned.”
If you want to look at dollars and cents, insider threats cost $412,000 per incident and $15 million per year, Reidy said. The problem is in many cases to find, or to profile, a potential insider threat, it does not fall into the technology category as most security professionals would see it. Instead, it is about “knowing your people.”
Everybody thinks of insider threats as being a hacker or running hacking tools on an internal network. But that could not be further from the truth, Reidy said.
“An inside threat is an authorized user using their trusted access to do unauthorized things. It boils down to an actor with some level of legitimate access and some level of organizational trust.”
One thing to remember is if someone steals system administrator information, that does not become an insider threat, he said. In reality, in a sampling of 200 cases, only 1.5 percent were actual privileged users and .8 percent involved system administrator cases.
Reidy talked about five lessons, or tips, companies should learn from:
• Insiders are not hackers
• Insider threat is not a technical or cyber security issue alone
• A good insider threat program should focus on deterrence and not detection
• Avoid data overload
• Detection of insider threats has to use behavioral-based techniques
Technology is a great thing, there is no doubt, but to truly head off an insider threat a company would be wise to invest in its human resources area and in normative analytics.
“You should create an environment where insiders just can’t be a threat,” he said.
“Don’t try to predict when an incident will happen, people have to think more like marketers and less like an IDS analyst,” Reidy said.
He told one story where he was purchasing shoes in a Nike outlet in California and charged the purchase on his American Express. The card did not allow the purchase and he wanted to know why, so he talked to the Amex people. They told him the purchase he made was out of the ordinary and to the point of they knew he bought it in a different location in a different state and even selected a different color.
Marketers, he said, have more data and behavioral analytics on just about everyone.
With business competition becoming greater, the value of a good insider threat and data protection program will help companies move forward.
You will see the companies that have these programs will be around in five to ten years and the ones that don’t will not, he said.
“You need to use the whole person approach,” Reidy said. “No just what people do on a computer, but the whole psychosocial approach. They can predict insider threats.”
On top of knowing your people, you also need to know your enemy:
• Who would be targeting your organization
• Who would they target within your organization
• Who are the high risk individuals in your organization
“You have to know what are the crown jewels in your organization,” he said.