This is my perspective as a CISO on the essential requirements for an insider threat solution. I have tried not to focus on the obvious, such as "provide investigative capabilities"; all vendors will provide these. I will instead focus on the requirements that bring the most value to a comprehensive insider threat strategy.
Most of these apply to almost any security product (e.g., accuracy, coverage, respect for employee privacy). Solutions should automate security and reduce the burden on the IT and security teams who are drowning in alerts.
- Proactive: protect high-value corporate data proactively (i.e., look for a solution that goes beyond after-the-fact investigations).
- High signal to noise ratio: identify exfiltration of high-value corporate data only (i.e., avoid solutions where you have to weed through false alerts unrelated to company data or high-value data).
- Discovery: discover all the locations of your high-risk and high-value data.
- Identify data sprawl: identify not just where this high-value data is located initially, but also where all of its derivatives are after handling by employees.
- Self-mitigating: a large fraction of insider threat incidents are accidental or the result of poor employee practices. Look for a tool that actively educates users through real-time notifications of accidental exfiltration attempts and by blocking dangerous data behavior.
- Help with privacy compliance: look for a tool that provides compliance reports for data privacy legislation by tracking how the risk associated with PII varies over time.
- Time to value: look for a tool that immediately improves security operations, proactively reduces risk, and fills gaps in your current data protection strategy.
- Flexible to cover multiple use cases: insider threats come in a variety of shapes and sizes. Does the tool help with accidental insiders, which are the most frequent, in addition to finding malicious insiders?
- Simplify investigations: investigations should get easier and faster. Period.
- Accuracy: aim for zero false positives.
- Easy to implement: look for a hassle-free SaaS installation that can be done in a couple of hours.
- Integration with corporate cloud services: does the tool provide visibility into all the cloud services where corporate data is stored?
- Minimal set of events to look at during an investigation: look for a solution where the investigation is so easy to follow that it can be done even by non-technical staff.
- Automated and low-maintenance: look for a solution that does not add additional burdens to your team.
- Respect employee privacy: the tool should focus on corporate data only and not expose personal employee data to the security personnel.
- High coverage: the ideal solution works for all types of unstructured data and all locations where sensitive data may be located.
- Does not modify any data: solutions that do this are brittle, have low coverage, and annoy your employees.
- SIEM and SOAR integrations: even if you start using the incident management platform built into the dashboard of the insider threat solution, sooner or later you might want to integrate with your SIEM or SOAR tools and manage the incidents from a single place.
- Scalability: stating the obvious, but make sure during a POC that the solution scales to your company size or can accommodate mergers and acquisitions easily.
Vendor security requirements
- Confidentiality: assure that the solution does not store any of your sensitive data. Duplicating corporate data and then storing copies of all corporate data in a single place (the vendor's SaaS environment) dramatically increases the exposure to data breaches, even if the data is encrypted.
- Multi-tenancy: does the vendor provide strong isolation between the data and SaaS deployments of different clients? If the vendor works with both Pepsi and Coca-Cola, a malicious sysadmin at, say, Pepsi could hack into the sensitive data of Coca-Cola. Or the other way around; I don't drink soft drinks, so I have no inkling as to which might be interested in the other's recipe 😉
I hope this helps your team formulate your criteria for insider threat tools. If you want to discuss further, please reach out at firstname.lastname@example.org. I would love to hear your thoughts on what is missing.