You've Caught an Insider Threat, Now What? The Human Side of Insider Threat Investigations
Post on 16-Apr-2017
Doug Sampson, Founder & CEO at Soteritech
The Human Side of Insider Threat Investigations
Copyright 2016 Soteritech LLC
Context
● Assume: Robust Program Installed
● Our Scenario… A Threat is Detected

Dashboard

A Threat Detected
● Examples
  ● Repeated access attempts
  ● Secret discussions at lunch
  ● Confidential emails sent home
  ● Cell phone in the SCIF
  ● Documents to competitors
● Why do people turn?
● So what’s next?

The Hub
● Notification comes in
● Triage within 10 minutes
● Initial level assigned
  ● Green (low risk potential, no further investigation needed)
  ● Yellow (unsure risk potential, needs immediate initial investigation)
  ● Red (sure risk, needs immediate investigation and action)
Green
● Person’s behavior is deemed normal for his or her job function and responsibility level
● Examples

Yellow
● Questionable behavior that deserves further investigation
● Widest reporting of incidents
● Could be broken down further
● Broad range of
  ● Communication
  ● Collection
  ● Consequence
● Examples

Red
● Behavior unacceptable and against company policy
● Significant information gathering (proof)
● Severe consequences
● Examples
Hub Communication
Communicate with certain groups based on severity scale
● Green – maintain internal log
● Yellow – involve HR, IT, Security Office, Legal and Exec (possibly Govt – COTR) depending on level
● Red – involve HR, IT, Legal, Security Office, Exec, COTR (if applicable) and Authorities

Employee Communication
● Green – none
● Yellow – mild to moderate/intense
● Red – intense/severe
ITPM Responsibility: Know Where You Stand
Know your organization’s policies and stance
● Employee Agreement
● Rules of Behavior
● Handling of Trade Secrets
● Employee Training
● Manager/Exec Training
● Consequences
ITPM Activity
● Do Your Homework… Investigate quickly
● Collect data – start case
● Engage with HR, Legal, Finance, IT, Exec-Level
● Possibly… talk to manager/supervisor depending on situation
● Engage the right people, and
● Prepare to have a frank conversation with the employee

Conversations
● Logistics
● Who to have involved?
● How to prepare?
● What if they go sour?
● What to do?
Yellow Stage 1 – Scenario: Attempting to access unauthorized shared drive folders
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 2 – Scenario: Employee overheard talking about the new rocket guidance kit to a fellow employee at a local restaurant
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 3 – Scenario: Sending confidential work emails home
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 4 – Scenario: Getting caught in a SCIF with an unauthorized PED
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Yellow Stage 5 – Scenario: Being witnessed giving classified documents/hardware/thumb drives to competitors/foreign nationals
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Red – Scenario: Leaving the premises with prototype radar sensors
● HUB communications
● Pre-discussion preparations
● Situational awareness
● Discussion Parts 1 & 2
● Successful outcomes
● Unsuccessful outcomes
Conversation Plan
Conversation Decision Tree (each question branches on Yes / No):
● Accusation – Are you aware?
● Provide proof – Do you understand consequences?
● Explain improvement plan – Do you accept?
● Explain unacceptable behavior – Do you accept?
● Explain consequences – Do you understand?
● Explain improvement plan – Do you accept?
● Explain consequences – Do you understand?
How to Get Better at the Conversation
● Simulation/Role Play
● Repetition
Questions
Doug Sampson, Soteritech, LLC (@soteritech)
doug.Sampson@soteritech.com, 571-393-3801
David Mai, ObserveIT (observeIT.com)
david.mai@observeit.com, 617-946-0243