National Insider Threat Center (NITC) Symposium 2020 (Day 1)

Captions
Randy Trzeciak: Welcome to the Software Engineering Institute's seventh annual Insider Threat Symposium. My name is Randy Trzeciak, the director of CERT's National Insider Threat Center. It's a privilege to have you here today. It's also my privilege to be the moderator for this two-day event, with the second half of the symposium occurring on Thursday, September 24th, from 1 to 3 p.m. Eastern time.

As you are likely aware, September is National Insider Threat Awareness Month, which is a collaborative effort between the National Counterintelligence and Security Center, the National Insider Threat Task Force, the Office of the Under Secretary of Defense for Intelligence and Security, the Department of Homeland Security, and the Defense Counterintelligence and Security Agency, with a goal to emphasize the importance of detecting, deterring, and mitigating insider threats. National Insider Threat Awareness Month 2020's focus is on resilience: what we're looking to do is promote personal and organizational resilience to mitigate risk posed by insider threats. To align with this year's theme of National Insider Threat Awareness Month, this year's symposium is titled "From Mitigating Insider Threats to Managing Insider Risk."

I want to begin by recognizing the hard work completed by a number of folks to make this event happen. Thank you to Dan Costa, the deputy director of the National Insider Threat Center, team members of the SEI's event staff, SEI broadcast media, and the SEI business development team for pulling all of this together. A second thank you goes out to our event sponsor, Haystax Technology. Throughout the event you will have the opportunity to hear about Haystax's whole-person insider threat mitigation. I also want to take the opportunity to thank our keynote speakers, our panelists, and our panel moderators for volunteering their time and creating an amazing agenda, one that will provide actionable guidance to you immediately, which you can integrate into your enterprise risk program. We certainly hope that you're able to attend both days of the symposium.

Before we begin, I want to cover a few of the logistics for the event. This event is intended for invited guests only; there'll be no media in attendance. We ask that you follow the Chatham House Rule, not attributing any content to a specific organization unless express approval is granted by the speaker. If you have questions, we ask you to submit them through the chat feature within YouTube; your questions will be directed to the speakers to be addressed during the live question-and-answer sessions following each keynote or panel discussion. We hope that you will complete the symposium survey to provide feedback, which we will use to improve future symposiums. Finally, if you're experiencing technical issues during the symposium, please use the chat feature in YouTube to submit your challenge to our events staff.

Let's move on to the important portion of our symposium: the speakers. Our first keynote session will be delivered, and then we'll be following it with a panel discussion. So it's my privilege to introduce Mr. Dan Costa and Ms. Sarah Miller to kick off our symposium with the keynote address, "From Mitigating Insider Threats to Managing Risk." Dan and Sarah, thank you so much for volunteering your time to include this presentation. Dan and Sarah, now over to you.

Dan Costa: Hello, and welcome to the seventh annual CERT National Insider Threat Center Insider Threat Symposium. I'm Dan Costa, technical manager for the CERT National Insider Threat Center, joined for this conversation with Sarah Miller, one of our insider threat researchers. Hello, Sarah. How are you?

Sarah Miller: Good. How are you, Dan?

Dan Costa: Excellent. Excited to have you along for a discussion that we're hoping really sets the stage for the rest of the symposium. The theme this year is "From Mitigating Insider Threats to Managing Insider Risk." I mentioned this is the seventh year that we've been lucky enough to host the symposium discussing insider threat programs, the state of the research, and the state of the practice, and what we wanted to do to get the conversation going this year was really talk about what we've seen over those seven years in terms of successes of insider threat programs and the challenges, the growth opportunities, that we're still seeing insider threat programs in both government and industry experience. We're going to, in later panel discussions and keynote presentations, highlight some of the challenges that have really made themselves apparent to organizations over the past calendar year. We really just wanted to set the scene here and talk about where things are from an insider threat program practitioner perspective, from our point of view.

And we wanted to start this discussion, Sarah, by talking about some of the areas where we have seen over the years, and continue to see, organizations who are just getting started with building their insider threat programs having early successes. The first thing that you and I had talked about when we were going over this presentation was this idea of connecting the dots. So talk a little bit about what we mean by that and how we're seeing organizations have success.

Sarah Miller: Stakeholders coming together around the issue of insider threat management, around training and awareness, putting together the organizational resources and staff that already exist that are attacking the issue from a lot of different vantage points. And so programs have had success in getting those folks at the table, on the same page in terms of what's already in place at the organization, and starting not from zero but from what the current state is. So there have been some successes there, and of course that leads into identifying those blatant policy violations: where are the different parts of the organization able to identify those problematic behaviors, the counterproductive work behaviors, and then how does that tie into identifying broken processes?

Dan Costa: Yeah, so that first idea of connecting the dots is really about the low-hanging fruit with the motivation behind standing up an insider threat program. We're doing really good stuff in HR in terms of managing the employee life cycle as we onboard and separate individuals from the organization, but maybe not necessarily doing an effective or efficient job at letting IT know when those folks are leaving. So some of the earliest findings from our research over the years showed where those connections needed to be made and how exchanging information between those groups could help us to put technical detection capabilities in place that will allow us to know when our intellectual property might be leaving the organization as someone's departing. We also saw, as organizations started to do the plumbing that was required to get that HR data and that IT data connected, that they found discrepancies, errors, or issues with the quality of that data that highlighted a need to either fix a sensor or find a different way to collect data or information, particularly in the area of things like account creation and privileged access use, or where there was the need to do something like make a policy clarification or a revision to something that characterized what constitutes acceptable use of IT systems, or how our intellectual property was defined and what our expectations for our employees were on protecting that intellectual property. So these are just a couple of the things that not only over the years we've seen organizations succeed with, but for organizations that are just getting started building insider threat programs now, this is where they find their early success: finding ways to make the insider threat program be that coordinating component that amplifies existing business processes and helps us to detect critical
policy violations, and then, as they mature, find ways to enforce those policies more directly. But Sarah, this is something, in your role as one of the co-chairs for our Open Source Insider Threat information sharing group, that comes up a lot when we're talking about what challenges insider threat programs are still experiencing here: that first bullet on measuring the effectiveness of the program and return on investment. So talk a little bit about the struggles there and maybe some root causes for those challenges from our perspective.

Sarah Miller: So with measures of effectiveness, identifying potential metrics for return on investment, that's something that we see organizations across their insider threat program maturity struggling with. Some of the issues with measures of effectiveness get to that key end state of insider threat programs, where you want to be able to prevent insider threats. So how do you demonstrate success by the absence of insider threat? Because that could just as easily be interpreted as failure to detect insider threat. So figuring out how to frame the objectives, being able to come up with measures of effectiveness by the program's functions, you know, preventing insider threat, detecting insider threat, responding, mitigating: those are all challenges, because you have to think about each function in its own terms but also in terms of the different parts of the organization that are coming together around the insider threat issue and insider threat management. What are the different subsets of your tool set or collaboration that you're measuring? Are you able to demonstrate improvement in those processes? And then with return on investment, that can sometimes be really focused on what's the return on investment in an individual analyst or an individual analytic capability or tool, and having that narrow view of return on investment sometimes loses sight of the overall holistic benefit of the program. That can really be a challenge. And then that really ties into the scoping, because as the program scope changes or evolves over time, or isn't set up appropriately at the onset, you can be juggling a lot of balls in the air or spinning a lot of plates, and so you might not be doing any one particular thing particularly well because you're trying to do everything.

Dan Costa: That's a really good point, Sarah. The other thing that I think about when we're talking about challenges with scoping is, if I can't adequately and clearly articulate the scope of my insider threat program, what specific critical assets I'm trying to protect from what specific types of insider misuse, I'm going to have a hard time measuring the effectiveness of my program. If I'm stuck in an abstract or general goal for my program, it's going to be really hard for me to find ways to quantify whether or not we're doing the things that we're supposed to be doing. And this has never been more timely: as organizations start to experience the economic impacts associated with the recent pandemic conditions, they were looking for opportunities to cut corners from a cost perspective, and we've worked with folks over the past few months that have shared that their insider threat programs are on the chopping block. We've asked them, well, how were you able to capture the value, the ROI, for the program? They said "not effectively," and it was probably one of the reasons why they ended up in the positions where they've ended up. So this has become almost an existential need for insider threat programs: to do a better job at adequately capturing what it is that they're doing for the organization.

Another thing that has also become apparent over the past several months is how important, and maybe how much of a growth area, managing changes for the organization's insider threat program is. And changes can come in a lot of different dimensions, right, Sarah?

Sarah Miller: Definitely. So there can be changes based on organizational structure. As you have mergers, acquisitions, divestitures, how do you readjust and re-scope what your use cases are, what endpoints you're concerned with? How do you put together multiple organizations that might have conflicting insider threat program policies? How do you bring those all under one umbrella? How do you capture those changes for each organization that might be coming together? With change management, obviously we're in a situation where a lot of us are working remotely, sometimes for the first time ever, almost entirely. How do you readjust your baselines? How do you re-identify what's normal when the very essence of normal has changed profoundly? So while you might have business continuity and disaster recovery specialists in the organization that might be a little more attuned to the possibility of a pandemic or another sort of natural disaster changing the way your organization works, your insider threat folks aren't necessarily as concerned with that day to day. But maybe they should get on a call with those folks and figure out, how can we better anticipate these changes in the environment? How does that affect our network posture? How do we better capture those changes?

Dan Costa: Yes, Sarah, you talked about changes to just how folks are working. They're also experiencing significant changes in their personal lives right now, and this is another area where we've got it here listed under struggles, but from our perspective this is an opportunity for insider threat programs, because the workforce is now being exposed to a significant collection of personal and professional stressors. Now's the time that insider threat programs should really be strongly considering and finding ways to more effectively deploy proactive response measures into their operations that can help cope with the concerning behaviors and activity that precede harmful acts that are demonstrated by those that are experiencing various degrees of both personal and professional stressors. So we've got it listed here as a struggle, but I hope the takeaway from this discussion is that this is the opportunity for insider threat programs to start to push into some of these more proactive responses. And where we've seen organizations struggle to do this, a lot of the root causes have to do with, again, helping those stakeholders that we've engaged understand what it is that we're actually trying to do within our insider threat programs, as opposed to doing their jobs for them, or replacing what it is that they do, or doing a better version of what it is that they do. We're trying to help provide data and information that can help them make better decisions faster.

Sarah Miller: Absolutely. And I think that transitions well into this notion: where do programs traditionally focus, if not on those proactive measures?

Dan Costa: Yeah, so Sarah, you brought up a really fascinating point a little bit earlier when you were talking about the low-hanging fruit that insider threat programs traditionally address, and you can tie back those successes directly to where we see insider threat programs traditionally focus. A lot of this has to do with how we get insider threat programs within organizations in the first place, and usually it's in response to something, right? A requirement, a mandate, a splashy incident, either in your organization or an organization very much like yours who's all over the news. So it makes intuitive sense that managing incidents, controlling incidents, managing access, and trying to fire technology at the problem is where we traditionally see insider threat programs focus. And because this is a relatively underrepresented kind of threat factor in our organization's more holistic management of the threats to our critical assets, there's a significant training and
awareness effort that needs to go in up front, to not only help your stakeholders understand the problem more broadly but to help the workforce understand what role they have in protecting the organization's critical assets. So it makes intuitive sense that, because these are the things that we're focusing on, the successes that we're having involve stakeholder identification and initial engagement, and policy violations, and fixing broken processes. Now on the flip side, then, because we're focused on a reactive, in many cases incident-driven, thing that got us the insider threat programs, it would make sense that some of the more proactive strategies are the things that we need to expand, or that we see organizations struggling with and needing to focus on to address some of those challenges. Sarah, as we were pre-gaming this discussion, you had a really nice way to characterize these two collections of starred items.

Sarah Miller: Yeah, so the way we were thinking about this move from the incident management piece is that the expansive part, on this slide, is the insider risk management. So these are the things that we might see as not necessarily having the same urgency as some of the other activities we talked about on the previous slide, where the training, the access controls management, those feel really urgent, and that we have to implement these tools and technologies in order to get a handle on the problem. We need to get training in order to deal with these low-hanging-fruit issues, whereas some of these other kinds of considerations, you know, external dependencies management, those are a little more complicated problems. It doesn't mean they're not important, but they don't necessarily feel as urgent for people working on the program day to day; they're triaging incidents. And the organization may not understand what the end state is for some of these things. With implementing technical controls or training and awareness, there's a sort of binary end state of, do we have this thing, yes or no, whereas some of these other processes associated with resiliency are ongoing activities that require a lot of maintenance and input from a lot of different stakeholders. And so it doesn't mean that they have to be hard to accomplish, but getting them right does take time.

Dan Costa: Yeah, really good stuff, Sarah. I think you summarized this earlier as from mitigating insider threats, right, the things in the green stars here, to managing insider risk, the things in these bold stars here, and I thought that was a fantastic way to characterize this. I thought it was such a good job that we almost could have just done that and flashed these two slides and been done with the keynote presentation.

Okay, so we should probably point out that what we're looking at on this set of slides are the 26 process areas from the CERT Resilience Management Model, a framework that CERT has developed and maintained over many years that's designed to help organizations figure out what they need to do to achieve operational resilience. And when we're talking about operational resilience, we look at the physical property of resilience, and the picture of the spring here is a good indication of that. It's the characteristic of something that can return to some beginning state after being exposed to some amount of stress. So the question is, where is the limit, right? If you pull that spring too hard, at a certain point it's not coming back to that initial shape, but up to that certain extent there is a level or a limit to the stress that you can put onto it before it returns to normal form. So carrying that over into operational resilience, it's an organization that can continue to do the things that it's designed to do, its mission, in the face of stress and disruption that does not exceed some limit. So we're going to talk a little bit here, Sarah, about how we find that limit, and how we find that limit particularly for insider threat, right?

Another piece of connective tissue I think we should pull forward from the Resilience Management Model is this idea that we think about stress and disruption to our organization's ability to carry out its mission relative to risks, where a risk you can think of as the impact and likelihood associated with a threat occurring. And operational resilience, this emergent property of an organization that can carry out its mission in the presence of risk, only emerges from an organization that is able to effectively manage risk. And when we're talking about insider threat programs, what you can do is provide operational resilience to insider threats through effective insider risk management. So again, a subset of the risks that your organization experiences, but there's a lot that we can learn as we look to expand our insider threat programs from things like the Resilience Management Model and leveraging things like the principles of operational resilience and risk management. Right, Sarah?

Sarah Miller: Definitely, absolutely. I think in terms of operational resilience and risk, using this kind of terminology and thinking about that in terms of developing your holistic program can really help put you into conversation with your insider threat program stakeholders across the enterprise. If there are folks that are already using this kind of terminology or familiar with these processes, it can be a lot easier to frame those discussions and better scope your program's activities.

Dan Costa: So the goal, then, for an insider threat program, if we continue pulling at that thread from operational resilience all the way down to how we might be able to bring it into our insider threat programs, it is to... and if you've seen us present, or you've taken one of our courses, or you've read one of our blogs, you've seen this picture before. Sarah, I'm sure you've got this burned into the back of your eyelids at this point. But really what we wanted to do here was maybe reframe it a little bit and talk about how the goal of bringing all of this data from disparate sources together, and bringing these different bodies of knowledge and these different opportunities to grab not only technical indicators but behavioral indicators, is to not only help the organization get left of boom and start to consider more proactive detection and response strategies for the conditions that precede the harmful act. What you're really doing there is you're trying to reduce insider risks to your critical assets to acceptable levels. You're putting these controls in place that are designed to limit or make some impact on the impact and likelihood of the insider threat actors within your organization actually exploiting the vulnerabilities that exist by the nature of you granting them authorized access to your critical assets. Well, Sarah, I know this is a picture that you've dealt with a lot, but I think it's a nice way to show how we can really use risk management and resilience management as principles that can help us show maybe the broader goal for an insider threat program.

Sarah Miller: Yeah, and I think the point you made about getting to the left of boom is a good one, because a lot of times with programs we have to start with the end state of an insider and then work our way back, further left, to getting to that prevention. Before we can really reduce the risk, a lot of times we have to focus on those response activities, but when you get into the prevention, that's where you can really bring those risk management processes to the table, that
you are thinking about just not not only the the impact but also the the likelihood of the risk yeah so we've kind of danced around this idea so far about kind of um reducing risk to acceptable levels well what are those acceptable levels right that's the that's the million dollar maybe maybe more maybe millions in underestimate that's the big question here right which is where where is that sweet spot how much insider risk is our organization wielding or able right think about the the spring able to withstand while still carrying out its mission and this is the the pro the question right that we think insider threat program should be spending more time thinking through not only in their planning phases but particularly as they mature their processes past past reactive capabilities and looking looking into those proactive capabilities because when you think about it for insider threat incidents and we're talking about let's let's talk about deploying controls let's talk about deploying technical controls well who's administering that technical control someone with authorized access to to the the critical configuration of that control so an insider right so there's at least one person that's going to know how to bypass circumvent that control so deploying our this is not a binary switch that we're talking about when we're thinking about um can this happen within our organization and what we've got to do is start to think about kind of this these not as binary properties but as probabilities and once we kind of start living in the land of uncertainty then then we think about kind of controls development controls deployment as as a a matter of uncertainty reduction and this is sarah you you've talked about this can be kind of a hard sell for for inside of their program practitioners up their management right it can be because uh when so much of uh getting off the ground with an insider with our program is you know demonstrating successes and demonstrating value 
further down the line in terms of the insider threat programs benefiting the entire organization it can be a little intimidating to start talking about risk because you can't get the risk down to zero and that in some ways can feel like you're failing you haven't gotten the risk down to zero well why not sometimes depending on how you know your stakeholders interpret that information it may seem like well you're not doing what you're supposed to do we're supposed to be getting the risk down to zero right and it's a matter of reframing what the end state actually looks like and the other thing to consider is that if the end goal is to prevent insider threats to reduce insider threats if you're not detecting insider threats if you have that sort of risk reduction down it may be interpreted as failure to detect so there's really not an easy answer but this is another area where again you need all of those stakeholders at the table and speaking the same language as much as possible and you know there's going to be an education piece here too as well right if if the organization senior leaders haven't adopted kind of the risk management mindset yet right this is an another challenge that you're going to have to work through but again i think because we're talking about insider threats it's it's i think a very tangible thing to kind of get into the minds of our senior leaders which is there's always going to be a human in the loop none of these solutions are going to be 100 effective all the times can you can you nod your head in agreement to that if so now we're now we're bargaining right now we're trying to figure out hey where are we on that spectrum between zero percent and and a hundred percent and how much money are you willing invest to get us kind of less or closer to zero than we currently are and i think that that is the the way that we can start these conversations to drive towards activities that will inevitably make the the lives of the inside of their 
program practitioners easier and make the inside of their programs more effective at bringing their organizations to a place of operational resilience as it pertains to insider threats so it's uh we've got a fancy kind of phrase up here in bold right this this concept of kind of risk appetite right and the development of risk appetite statements it is something that we think organizations should really be driving towards with their senior leaders with the owners of the critical business processes the owners of the assets the program is trying to protect in gaining an understanding of kind of what are those acceptable levels for the insider threats to these assets and to get there you've got to have ways to quantify the impact and likelihood associated with the instead of threats we just talked about a way to do likelihood right it's somewhere between zero percent and a hundred percent but impact can be a little bit trickier sarah right uh we've been organizational with with this one in particular but we've also kind of we've got some we got some resources that we think can help right definitely so there are lots of publications that we've put out that other organizations have put out around the impact of insider threats we have an industry sector series on our insider threat blog that talks about the impacts and common scenarios affecting a number of different sectors uh there's of course the common sense guide to insider thread sixth edition that talks uh through a number of case studies and the impacts of those cases to help organizations um bring in some information about uh ways that their industry might be impacted even if they don't have that data on hand themselves and of course there's the open source insider threat information sharing group that i helped to coach here uh that we put practitioners into conversation with each other to talk about um ways to kind of measure this impact likelihood et cetera so how do we get from mitigating insider threats to 
managing insider risk right we're just talking about kind of some of the resources that we have available to help folks kind of characterize impact associated with some of these threats it's good to not wait around for the stuff to happen within your organization to figure out how much it'll cost again if it happens again so there's there's proxy data out there and there's incident data out there that can help that another thing that is really uh an effective strategy at getting there is by conducting things like business impact analysis or working again with the folks that do this already within your organization okay what's the business impact associated with the degradation to the confidentiality integrity or availability of this asset okay let's start adding those up for all the assets that are in scope of the program and now we can start to better prioritize where we might make our next security dollar investment to buy down risk or what we're comfortable with in terms of the investments we've already made and the impact associated with one of those threat scenarios being realized in our organization and it's important to consider a bunch of different dimensions there right not just how much the thing that was stolen cost but things like damage to your organization's reputation things like damage to your ability to get new business in the future right uh damage to uh the the workforce right there's lots of dimensions by which we have to consider the the impact of the business associated with scenarios and i i just use the word measuring there right and that is another real key challenge for a lot of this stuff organizations have to make the investments into making these measurements that'll help us understand our current security posture better better and more better penetration tests that leverage insider threat scenarios more tabletop exercises that demonstrate our ability to respond or detect to conditions both harmful acts and the concerning behaviors and 
activity we see, and finding ways to make these not take as long or cost as much for us to make from a measurement perspective. We've also got to think about helping our stakeholders have a better understanding of what we consider a security control, and Sarah, this is something that we've touched on in our positive incentives work over the years.

So when we think about security controls, we often, of course, think about the tools, the technology, but there are a number of administrative controls, proactive controls, things that connect folks to their organization, that make them feel appreciated at work. Those can be security controls. Those proactive measures for positive engagement with the workforce really are security controls in terms of managing that threat likelihood. When we think about employee assistance programs, things that can move people further and further left of boom to the point that they're no longer on that path to insider threat, those are really security controls. That's a situation where your insider threat program can engage with HR, other parts of the organization, people management, to amplify the work that they're already doing to empower employees to get help when they need it, to reduce the risk of becoming an insider threat by getting the help they need. And when we think about administrative controls, of course, that's policies, procedures, trainings that go beyond just the purely technical. Those can all help to reduce the threat posed by insiders as well.

Yeah, it's a growth area for us from a research perspective, to demonstrate these causal relationships between management practices and a reduction in insider incidents, but intuitively it makes sense, and we've seen organizations have good early returns as they start to consider some of those things as security controls. Another thing that I think we've also got to think through when we're talking about measurement is how
we can use what the insider threat program is producing as an input into a continuous measurement and feedback process that we can use to refine our insider threat program operations, and continue to share information, whether that's through things like the Open Source Insider Threat group that Sarah is so involved with, or other information sharing channels, finding ways to share incident data more broadly. There's a real opportunity here for us to make these better impact and likelihood determinations, by not only doing a more effective job collecting and using our own internal data, but by finding ways to share information and use statistics and other publicly available information sources to help us with some of these hard quantification challenges.

Okay, so Sarah, this has been a fantastic discussion. Thanks for sharing your insights and expertise. Just a couple of departing thoughts here: where do you think that, what is the desired future end state for the insider threat program of the future, from your perspective?

I think that's something a lot of people are struggling with in their own organization, with that next step, in terms of, beyond just moving left of boom, the phrase we love to use. I think it's really being able to bring together all the resources at your disposal, within your organization and outside of your organization: the data that you can use to inform your decision making, the inputs from risk management experts, from your HR and legal experts, amplifying what they're already doing, putting it into context together. So even though those are the kinds of things that we've been harping on for years, the last seven years or so of symposia, I think really the thing that we, or at least that I, would like to drive home is that those resources are available, that you can learn from past incidents,
whether you experienced them or someone else experienced them, to empower your organization to manage your incidents, your risk profile, yourself. The thing that I like to say is, we don't want to give organizations cake; we want to give them a recipe that they can tailor and use to make the cake they want, that they can reproduce over time. So we can help show you the kinds of ingredients you need for that recipe: the risk management, the different components of operational resilience that you would incorporate into your program. I think that's really the goal, to have that holistic approach, to have all the ingredients in your recipe.

Excellent. Ending the first presentation of the symposium on a cake analogy; we are off to the races this year. Fantastic. Sarah, thanks again for joining me for this discussion. I am looking forward to continuing the discussion with you all in our live Q&A session, which will immediately follow this event. So thanks again, Sarah.

Thank you for having me.

Thank you so very much, Dan and Sarah, for such an enlightening presentation, a great way to kick off this insider threat symposium. We do have questions that have come in through the chat feature of YouTube. If you still have questions, we're able to collect them and direct them to our live speakers to answer. So let's kick it off by addressing you, Dan, first. We did get one comment, and a question built into the comment as well, specifically your comment related to risk. The person who asked was struck by the comment "risk down to zero," and the question is, is that even possible? Maybe you can go into a description of what that means, and is there a CERT definition versus enterprise risk management assumptions around risk as well? So Dan, could you address the audience member's comment that was posed?

Yeah, certainly, Randy. Good afternoon, everybody. It's
good to be with you in person. Yeah, the "risk down to zero" comment; it sounds like you forgot the back half of that, which is: you can't do that, particularly for insider threats. Because there's a human in the loop, because the nature of the game here is the misuse of authorized access you've granted to somebody to do their job, there's always going to be some potential for misuse of those assets. So it's very unlikely, if not flat out impossible, to reduce the likelihood or the probability of someone misusing their authorized access down to zero. So the best that we can do, and what we should be striving for within our insider threat programs, is to understand, for a particular set of threat actors (because not all insiders are created equal in terms of (a) what they have access to and (b) what means or motivations they have in terms of causing potential harm to the organization), so for a given set of threat actors, based on our current defenses (what do we have in place that'll help prevent, detect, respond to some of this stuff), how likely is it that someone can bypass those defenses, circumvent or evade detection, and cause harm to our organization? That's a real challenge for organizations: to make the measurements that allow them to say with some relative degree of certainty what the likelihood is of one of their insider threat actors exploiting a vulnerability within their organization. But as we mentioned in the video recording, there are lots of things like red teaming engagements, penetration tests, tabletop exercises. These are the things that we should be doing more of within our insider threat programs to inform the threat likelihood measurements based on our current defenses.

So do you think there's any difference between the risk measurements of a malicious insider versus a non-malicious or accidental one, and how would you address that in relation
to the comment about getting that risk down to, not zero, but maybe a manageable amount?

Yeah, so I think the high-level dimensions, Randy, are pretty much the same, right? When we're characterizing threat actors into different adversary classes, we think about means, we think about motives. Now, within those different threat actor classes, and for insiders in particular, the types of means and motive will differ, but really the differences between the different types of threat actors come down to the threat actor's knowledge and understanding of (a) what your critical assets are and (b) how they're protected. Because you're going to have different levels of access and understanding of not only how you're protecting your critical assets, but what they are and who they might be of value or benefit to, you're going to have potentially different determinations for the likelihood that that access is misused, and also, potentially, the impact associated with it. Because not only do your insiders know how to get to it and how to take it, they would know how to make the most and fullest advantage of that compromised asset, should they be able to degrade its availability or its confidentiality. So that's what I think of when we think about the differences between external threat actors and internal threat actors: we can use the same basic tools to calculate impact and likelihood, but you'll see great variance in terms of those numbers.

Okay, thanks very much, Dan. I appreciate that response. We also had an audience member comment as well, specifically saying it's impossible to ensure 100% safety, and whatever you do, there's always some percentage that you can't be prepared for, but with high-quality policy and trainings you can mitigate the consequences. So it sounds like the other audience member who responded through chat was
pretty consistent with your message as well.

Yeah, spot on. I mean, there's a way to do a better job at reducing the likelihood of that activity happening, and that's to not grant people authorized access to your critical assets. Right, but now you're not able to do your job, now you're not able to meet the mission of the organization. So by the very nature of having to grant folks authorized access to your assets, you're opening up a non-zero chance that that access is misused. So you can either do business by granting folks authorized access, or reduce your risk to zero and not do business at all. The choice is pretty clear.

Thank you very much. So we do have another question that came through, and also, anyone who's on the line, if you have any questions, feel free to submit them through the chat feature of YouTube and we'll get them directed to our keynote speakers. So we do have another question that came through: I'd like to ask if there's any reason in particular why there's not a post-analysis phase or lessons learned phase included in the process and risk management at all, specifically referring to the slide "The Goal of Insider Threat." So could you comment on the post-analysis phase as part of the entire life cycle of insider risk mitigation?

Yeah, certainly. I'll get started, and Sarah, please feel free to jump in. That picture is not really the best picture to think about when you're looking at the different phases of insider threat program building and operations. There's a really good picture out there for insider threat programs specifically, developed by the Intelligence and National Security Alliance, so if you just look for the INSA Insider Threat Program Roadmap, that would be a diagram that's going to show you the various stages of building a program, from stakeholder identification to scoping, all the way through lessons learned and feedback. That
picture is really just to show the nature of combining both technical and behavioral data sources owned by various stakeholders within your organization, and helping your organization try to find ways to get left of boom by sharing data across previously stovepiped parts of your organization. So certainly there is the need to constantly measure and evaluate the effectiveness of what it is that you're doing, and feed back the results of those measures of effectiveness and evaluations into improvements and enhancements to your insider threat program, because your risk landscape is going to be constantly changing, and your organization's risk appetite might be changing as new people cycle into and out of positions of leadership where they're the ones making the final risk acceptance decisions. So there's certainly a need to measure and to incorporate the results of those measures of effectiveness into changes to our insider threat program.

Okay, thanks very much, Dan. Sarah, let's get you into the conversation, if you don't mind. A question did come in: are there any new studies or existing studies based on cultural indicators and triggers, for instance differences between generations, differences between demographics, etc.? So could you comment on that, any new or existing studies on cultural indicators?

I'm so excited to see this question, because that is something that we've actually done a little work on. In addition to helping out a student group that reached out to you, Randy, a couple of years ago now, I gave a presentation to our Open Source Insider Threat group about some generational differences, potentially, in our CERT insider threat incident corpus, focusing specifically on the non-national-security-espionage type cases, you know, malicious technical insiders. We saw some interesting things. So, not huge differences between generations. There are some generations that might be a little underrepresented in our data set for a few
different reasons. So in terms of Gen Y, Gen Z, there's not necessarily enough of those folks in the workforce yet to necessarily be present in our corpus, based on some of the lag time we see with court records and things like that. We usually have to catch up a couple of years to get everybody in the data set. But what we did see was that Generation Xers are overrepresented in our IT sabotage cases. So proportional to their presence in the workforce, in our data set, and in the population, they accounted for more of the IT sabotage cases than we might have expected. We can speculate as to why that would be, but there have been a lot of studies about Gen X in particular being subject to more stressors than their forefathers or their children; they're sort of that sandwich generation, taking care of children going off to college and parents that are coming out of the workforce. So it's possible that there might be some correlation there, but not enough data yet to really narrow that down. So we'll have to publish something soon.

Thank you very much, I appreciate that. I'll stick with you, Sarah, if you don't mind. We have another question. During the presentation, and in your response to the previous question, you mentioned the Open Source Insider Threat information sharing working group. Can you share a little bit about that, maybe how people get more information about becoming members of that group?

Absolutely. So the Open Source Insider Threat group is an industry-only group of insider threat practitioners, people that are working to support their organization's insider threat efforts. I believe there's a blog post from you called "Announcing the National Insider Threat Center" that goes into a little more detail about OSIT, but the best way to learn about it is to just reach
out to our contact alias, osit-forum-support (that's O-S-I-T, dash, forum, F-O-R-U-M, dash, support, S-U-P-P-O-R-T) at cert.org, and somebody will get back to you right away.

Great, thanks, Sarah, I appreciate that. Thank you so much for the questions that are coming in; keep them coming. It's great to challenge our keynote speakers in the way that you're doing, so thanks for keeping those questions coming in. Just as a reminder, if you do have other questions, feel free to submit them through the YouTube chat and we'll get them directed to our speakers, who are live, waiting to respond to your questions. So Dan, here's another question that came in: how are programs considering the threat posed by conspiracy groups, or do they, and do you have any recommendations for addressing those types of threats?

Yeah, so two things immediately come to mind. One, which is: how can any of these groups co-opt my employees into misusing their access to my critical assets in a way that might cause harm to my organization? So if I'm a company that has information that one of these groups might be trying to use to satisfy some objective, how likely is it, and what's the impact associated with, one of my employees being co-opted by one of these groups, regardless of which groups they are and what their higher-level goals are? But really, organizations are thinking about things like this from the perspective of: how can I help my workforce understand that their access to our critical data is a thing that is targeted by folks outside of our organization for a variety of different purposes, monetary, political, ideological, and, armed with that understanding, what's your role and responsibility as an employee of this organization in terms of protecting that authorized access? So this is a really good thing to work into insider threat awareness training, so it's not just "hey, don't do bad stuff or we're
going to catch you and throw you out of the organization," it's "because you have access to our crown jewels, you're a target, and here's how you can help us help you keep that access protected."

Great, thanks very much, Dan. So we did collect a number of questions as part of this Q&A session; we really appreciate the questions coming in. What we're going to do is queue these questions up, we'll take them back, we'll get our keynote speakers to address them, and release these as part of outreach back to the community through a blog post or a follow-up from this particular session. We really appreciate your contributions to these questions. Thank you very much, Dan and Sarah, for commenting on the questions, and just as a reminder, as Sarah said, if you do want additional information, you can always follow up with insider-threat-feedback at cert.org. We can continue to answer questions as well as continue to do queries of our database. So thanks so much for the Q&A session as part of this symposium. At this particular point we're up to our break. We are projecting a 10-minute break. When we come back from the break we will begin our first panel discussion, Managing Insider Risk During a Pandemic. Thank you so very much, Dan and Sarah, for your time with your presentation as well as your question and answer. Now we'll take a break. Thank you.

Organizations today face growing threats from their most trusted insiders, not only in the form of malicious attacks, but increasingly from negligence as well. Haystax is renowned for its pioneering approach to insider threat mitigation. Instead of looking solely at network logs and other technical indicators, Haystax uses artificial intelligence and advanced data science to help your organization understand its most pressing insider risks. Our analytics platform consists of data connectors that allow data to be extracted and ingested, an analytics engine to process and augment the data, and an interface to help users
manage their daily analytic, investigative, and response workflows while preserving the personal privacy of all individuals. The most unique component of the Haystax platform is a probabilistic model that analyzes and reasons on complex problems. It's the model that gives the Haystax insider threat solution its powerful predictive capabilities and sets our system apart from every other AI-based insider threat solution. As our customers will tell you, the Haystax insider threat mitigation solution is proactive, giving decision makers immediate, continuously updated intelligence on high-risk individuals before they can do harm; scalable, making it easy to integrate new data feeds; transparent, showing exactly how each individual risk score is calculated; and adaptable, with continuous model tuning to account for new or evolving threats. Contact Haystax today for a demonstration and let us show you the power of whole-person risk mitigation.

Hello and welcome to the panel on Managing Insider Risk During a Pandemic. I'm Michael Theis, and I will be your moderator today. I'm the Chief Engineer for Strategic Engagements at the National Insider Threat Center at Carnegie Mellon CERT, part of the Software Engineering Institute. With me I have three panelists. I'm going to ask them to introduce themselves, maybe tell you a little bit about their experience, or about their program if they would like to describe any of that, and then we'll jump right into the questions about how we're managing insider risk during a pandemic. Let me go ahead and start with Shawnee.

Michael, so my name is Shawnee Delaney. I'm the CEO of Vaillance Group. We do insider threat program assessment, development, vulnerability assessments, training and education, and things like that. Good to be here.

Great, thank you very much. And then Stephen, we'll go with you next.

Sure. Hi everyone, my name is Stephen Chapolsky. I'm a Vice President at Goldman
Sachs, based in New York, on the insider threat team. I've been with the firm for five years. Our team, among other things, is responsible for executing various aspects of our firm's anti-financial crime, conduct integrity, and insider threat programs for our population of over 30,000 employees. So this includes everything from investigations, surveillances, workforce risk, cyber incidents, and training awareness months. But it's great to be here.

Great, glad to have you. And Matt?

Thanks, Michael. I'm Matt Collins. I work at Citizens Financial Group, based in Rhode Island. We have about 18,000 colleagues and 180 billion in assets. Prior to this I was a consultant at an energy company building an insider threat program, and before that, worked and started doing insider threat research with you, so it's great to be back and having a conversation today.

Great. Yeah, so let's just jump right into it. Shawnee, since you actually do a lot of consulting for many companies, let me start with you and ask: how has COVID affected insider threat programs as a whole? Has there been a trend in it, or is it a mishmash?

Yeah, what I've seen, really, is that data exfiltration has increased significantly, devices aren't being returned when people leave companies, and there really is an increase in internal collusion and fraud. Now, I attribute these patterns to job insecurity, right? People are unsure if they're going to have jobs in the near future, or they just learned they're going to be laid off, and it seems like people are trying to hedge their bets or hoard information just in case. A lot of people see taking sensitive data as being able to maybe appear more knowledgeable in a new role or in a job interview if they have that information in their back pocket; they could sell that data to competitors, they could use it to start up their own gig, things like that. I think devices not being returned is interesting. Some companies actually have been laying off employees and
allowing them to keep their work devices. I think it's a logistical thing: people are scattered around the world, we can't come into offices, that makes it easier. But it kind of makes my head explode from the insider threat realm. We've seen machines that have slipped through the cracks, where permissions were not shut off and people are still accessing sensitive data after that. And then regarding the increase in collusion and fraud, I think again it's people worried about where they're going to find a job, how they're going to earn an income, and sometimes fraud is just easier and faster than other legitimate options.

So it sounds like the devices themselves, for the most part, don't have a remote wipe capability or something along those lines?

Yeah, I think companies are still struggling to get all of the capabilities that they need with everyone working from home. So yeah, I think there's a lack of continuity in out-processing that I've noticed, especially with mass layoffs. They weren't layoffs that companies expected, so things are slipping through the cracks.

Ah, interesting. Let me follow up with Matt. Matt, have you seen a similar thing, or has your strategy had to change at all since everyone started working from home?

Great question. So sure, yeah, looking at the impact of COVID and the shift that we've had throughout the year, our strategy has had to change. I think, being in the banking sector, in some ways it was an all-hands-on-deck moment. We have thousands of branches that we had to deal with getting fixed and adjusted to the new way of interacting with customers, and then supporting the Paycheck Protection Program was another work initiative that took technology services and cyber security really collaborating to make it work and happen within the time frame available. So from our program's perspective, it was really focusing on adapting our capability to handle more remote workers. We had
had a remote worker presence prior to this all happening, but it shifted the amount and the scale that we needed to cover remote colleagues. So looking at the people, process, and technology we had in place, we needed to adapt to be able to better detect some of those incidents of insider threat that you might see in a remote environment, and make sure that we maintained an even level of capability across our branch environment, our back office environment, and our remote workforce. So it took a shift to be able to adapt those capabilities to remote work, but we were able to adjust, and I think going forward the flexibility is going to remain key, because we're going to see shifts back to the office, and I think some sustained flexible work arrangements will be there, and that ability to adapt the program to be sure that you have equal capability wherever someone is will be important.

Yeah, that makes sense. Stephen, let me have you follow up on the same thing: have you had any changes in your strategy since the move to remote work? Training and awareness probably isn't done the same way, or some other things that you had to change, right?

Yeah, that's a really good question. So since day one of the pandemic, one of the primary things our team has been doing is focusing on training and awareness for our population of employees. This is something that was already ongoing for quite some time with our program, but one thing that we really focused on when it broke out was training employees on the risks of working from home, whether it's cyber-related, phishing, sending firm materials to their personal email domains. One of the main things we're trying to drive is how all employees at the firm are responsible for continuing to uphold our policies and procedures. So lots of communications and discussions on how we increase transparency with our
organizations, our teams, and our managers throughout the first week, so having managers set up daily Zoom calls with their teams for check-ins, and this obviously addresses a lot of things that Shawnee mentioned about anxieties about where the firm is going or what the employment situation is like. Internally we also set up this internal suite of reference materials for employees to refer to, specific to the work-from-home environment: pages about how to go about setting up communication tools remotely from your office at home, whether that's a phone, whether that's certain remote desktops or remote printing; certain pages about what do you do if there's a cyber incident from your phone, what are the things to look out for. Another thing that we did immediately once the pandemic started is that a good majority of our trainings have included content or case studies and examples specific to the work-from-home environment. So we had these before the pandemic, but after the pandemic hit we wanted to really drive it home to our employees. We're so diverse, in lots of different locations and business areas, so anything specific to the virtual environment. Regarding employee stressors and COVID-specific risks, we're focusing on increasing team and individual contributor communication with one another, to ensure that all of our people continue to feel supported throughout their teams throughout the whole pandemic. But to your point, those are just a few of the things.

Great. Anyone else have anything that you wanted to add to that, that you've seen or that you've had to do that follows on to what Stephen mentioned? Shawnee?

Yeah, I can say that I think what Stephen mentioned is actually not really the norm. The way COVID has affected insider threat is that companies were trying to stay in the black, initially, especially
companies that had to do mass layoffs. So with the question of trying to keep the lights on and keep people employed versus, do we spend money on software that might be a UAM, it seems like a luxury, and there are actually a lot of companies I know where the insider threat program manager, the program, was one of the first things to get cut. Yeah, because I think a lot of companies think it can't happen to me; a lot of employees, a lot of individuals think it can't happen to me, and as a former intelligence officer I can tell you that it definitely can't happen to you. Those are the people that I would target. But yeah, I think the whole situation has just shown, like I had mentioned earlier, a breakdown in processes and spending in the realm.

Great. So you partially answered this, but I'm going to ask it a little bit more broadly, because again you have multiple clients: since the work-from-home stuff started, did you find that you had to educate them on what the potential new risks are, or what the implications of it are from an insider risk perspective?

Yeah, I think there was an initial education on why insider threat, when people are working from home, is a little bit different, right? How do they use VPNs, does the company have a VPN policy, are people printing at home, are people sending things to their personal email so that they can print from home? We see a lot of that, and that's where companies really would benefit, like Stephen's company, in educating employees to be aware that the things they're doing, the workarounds (usually it's not malicious), are putting the company and that data at risk.

Wow, okay. And Matt, have you seen anything similar, or did you have to educate either somebody or a group of people that there are some implications here from
work from home?

Yeah, I think so, and a lot of it came to adapting our flexible work arrangement training. Our cyber security policy and acceptable use minimum requirements already had items in place for remote workers, so it was a smoother transition than for a lot of organizations, I think. And to Shawnee's point, I do think there is a dramatic range of outcomes from COVID and its impact on the organization. So some companies became busier, trying to adjust and adapt and keep the business operational; others, like the airline industry or some manufacturing firms, energy companies, got slammed and are still feeling the effects, and will feel the effects for a long time. And that certainly, in every industry, will change the likelihood that someone will take information or have insider activities during this time. I think it's also interesting, there was a case this week in the news where a manufacturing employee was recruited to install ransomware, and so I think that some threat actors are taking advantage of the turmoil, the confusion that's resulting from some of this, and we may see a ramp-up in recruitment of insiders to help threat actors carry out their impact.

If I could add just real quick to that point, it's an excellent point. I think that when COVID started and everyone kind of panicked, and people got laid off and companies were trying to stay in the black; I think now, with cases like that or the Twitter hack, when you're getting big media coverage on events like that, companies and leadership are starting to say, okay, wait, this is serious. If that can happen to Twitter or these other companies, that can happen to us. So I think you're going to start seeing programs ramp up a little bit more now.

Yeah, I was just thinking, from that same point of view, in the past what we've seen is attacks like people pretending to be the CEO and telling the CFO to cut a check to somebody that
we owe money to but i'm just wondering at even at the lower levels uh how easy how much easier could it be now to pretend to be someone else in the organization that that person may not know very well and try to get them to share information uh with them because you know you're not in the office right so everybody's sitting someplace else so are we educating our employees to to think about how to verify that that is the person that is actually asking you for the information stephen i see you nodding your head do you have any thoughts on that yes absolutely so i think you know just to matt's point about you know some of the recent incidents right so one of the things our team has been doing is just kind of staying on top of what's happening in the world right so if things like the twitter twitter breach are happening right like could that occur at our institution right and what are our controls that we have during this period to prevent anything similar that's happening in the world from occurring um you know when you bring up you know this work from home environment and how you know employees are at a different disposition right now to to uh aid or even other individuals or become insiders themselves right it brings up a good point about investigations and surveillances right within the first couple of weeks of this pandemic our organization was thinking about you know how long is this going to be occurring to what extent right um so we were doing a lot of evaluation thinking about you know what's changing so rapidly and where do we direct our attention and for us that meant you know thinking that about any surveillances that we had that cater to in-person or physical data um you know how do we tweak these or update them to compensate for a new worker environment right so that monitoring of employee activity as we typically do in person right it changes significantly so how do we capture for this new type of risk and environment that we have now so just to your 
point johnny and that right you know completely new environment really requires us to think differently about the data in the monitoring it's great matt did you have to you know think about making any changes to the way that you would normally monitor employees sure yeah yeah and we did right so it's it's different um different controls across different environments when you when you have a back office versus somebody in an office and someone at home um traditional reporting techniques just aren't there right some of those behavioral indicators um that you see someone printing an anomalous number of documents that may contain customer information and walking out the door you don't have the same visibility there so moving some of those physical controls to technical capability is important to maintain that level of control across the the environment the different types of workforce that you have with remote yeah so one of the things that we've always said is that just as important as the technical indicators is the behavioral indicators and it seems to me that there's a potential loss of some of that good data on the behavioral side because i'm guessing there are less conversations going on about hey what i did last night or what happened last week or you know those uh potential risk indicators that that a person might be feeling stressors uh that you know how else are you gonna get that unless they're talking to someone else on the team and that person could say i think our you know our fellow employee might need a little help and uh then the insider threat program can you know help that person along keep them on the good path shawnee have you seen anything like that your clients yeah absolutely 100 um just like you're saying having everyone behind a screen all the time meetings are not as engaged um you know people are not getting that that personal information on others so when you're seeing somebody every day in the office you recognize that their pattern of 
behavior changes, right? You notice when someone starts a little depressed or angry or they're venting. If you've got a quick 30-minute meeting with them, there's no time to get any of that feedback, and I think that's where training comes in. Like right now it's so critical that employees and managers are trained in what to look for, or to have those one-on-ones, you know. On my team we've got kind of one-on-one, like, coffee chats where it's not work, it's not business, it's just catching up and trying to maintain those relations.

Yeah, that's a good point. So let me ask kind of the opposite of what I asked a moment ago. Has there been any person or group of people that you had to, let's say, talk off the ledge because they were panicking about the fact that we're gonna have to work from home and we're gonna lose all our data and everyone's going to run amok and become an insider? I mean, did you have to, you know, sort of show, like, hey, we can adapt to this, we can make it happen? Let me start with Matt again this time.

I think we've been fortunate in that area where we weren't just purely on site, so we had some playbooks we could use to go remote, and we had the technology in place. It was a matter of scaling it up to be prepared, and the security controls were there; again, it was a matter of scaling them up to handle the load. But for the most part it was questions that we asked ourselves, right? How do we do this purely? How do we maintain our security posture as we go remote and adapt quickly to make sure that we don't have any vulnerabilities there from this? And that's really what we were focused on.

Great. And Stephen, did you have any similar type situations?

Yeah, I mean, I don't think that, you know, we came across any situation where we had to talk anyone off the ledge. We were very lucky as a large organization that, you know, had remote workers in our workforce, and we had, you know, working from home, you know, remote abilities before this even occurred, right? So it was more about adapting to the mass scale of individuals who are going to be working remotely, and there are certain things specific to the financial services industry, right? For example, you know, how bankers and traders typically work, right? We have to work with our regulators to understand, you know, how they're executing their business, whether it's from their home office, and that's a very new environment for a lot of people who traditionally had to, you know, execute trades in person. But I would say the majority of our efforts have been very people and employee-centric, right, focusing on being transparent with employees about, you know, return to work, when that's going to be occurring, do we feel safe doing such, updates to our business. So we've had our CEO, David, has had, you know, regular global town halls, as has management, you know, in the various business and non-revenue units, focusing on what's just happening, to Shawnee's point, just trying to have a relationship with our employee population so that these anxieties and these stressors can at least be mitigated to some extent, right? So this extends to performance reviews or, you know, safety coming into the office. So, you know, it is obviously an insider threat matter, but organizations that have good partnerships with wellness and benefits and human capital management, that is really crucial at this time, because a lot of the things that we think of, you know, as insider threat risk really can be supplemented with, you know, some wellness benefits or resources, whether that's taking time off, whether that is, you know, encouraging our employees to take vacation time even if they think that they may not need it from a working from home environment. So that's really where our focus has been, and just encouraging our employees to have the tools that they need to get their job done in a way that they're comfortable and they're safe, and we found that to be beneficial to us so far.

Yeah, I know from my perspective I've actually seen several organizations, both mine and my wife's (she works at a hospital), you know, changing their policies about things like, we can give you some emergency time off that's not going to count against your actual PTO balance, your paid time off balance, or saying, hey, don't worry about the fact that normally you can't roll it over from, you know, period to period or year to year, we're going to suspend that for a while, so that people don't feel like they have to take it when they don't want it, they want to save it for when they can actually travel and do something with it. So I think that's, you know, one of those adaptations that people have to think about, and I've seen plenty of organizations doing it. And Shawnee, let me just ask you, have you... both questions. So have you seen any that maybe were, I wouldn't say panicking, but were maybe overly concerned, and that they really had it going for them, you know, they just didn't realize it, and then, you know...

Yeah, so to that, no, I really haven't seen a lot of the panic mentality. I think it's been kind of the opposite, where it's me saying, no, no, this is serious, you know. I think people are in it to win it. I think everyone realizes they're in the same boat, and I've seen a lot of information sharing in this realm actually, especially lately. Everyone is kind of on the same mission and realizes that this is an issue.

Great, great.

The second part of your question, I as well have seen, I've seen a ton of companies really enhancing benefits, EAP, and making sure that people have Lyra or different wellness programs and mental health programs, and from what I've seen it really has made a big difference. In meetings and things, talking about some incidents, those programs have been able to kind of intervene ahead of time, and so I really think they're priceless in the situation especially.

Okay, great. Thinking about program building now, so, you know, there's like a process in building an insider threat program, and I'm
wondering, has this pandemic inhibited it or, you know, sped it up a little bit because of the potential challenges? Let me start with Matt and ask you, what do you think, has it changed the strategy of building programs?

Everyone has a strategy until you get punched in the face, I think that's the saying. Mike Tyson.

Yeah, yeah.

It's interesting. It doesn't shift the fundamental need for programs to prevent, detect and respond to different types of insider threats, so the sabotage, theft of intellectual property, fraud, those use cases still remain and they exist. And I think for some organizations, for those that may have lost their insider threat program manager, it will definitely set that capability back for the organization. For others it brings enhanced focus and clarity around the need for a program, and can actually build support for building out the program, understanding that it does cut across all boundaries of the organization and all locations where people work. So from that perspective, I think again the difference between the two types of organizations: if you were severely negatively impacted, it might set you back; if you saw an increased workload or a major shift in your operations that needed assistance, it might have improved your program's backing and highlighted it.

Thanks. So Shawnee, you know, when you first mentioned that some organizations, the first thing they did was cut their insider threat program, that made me think of that, and I was just wondering, have you also seen the opposite, where some of them did accelerate, sort of, okay, we were planning to do this next year but we need to get it in place now type of thing?

Yeah, absolutely, and I think those are typically industries where they understand need to know, or they kind of understand those security vulnerabilities a bit better than the other companies that have come back and seen it as a luxury. I've actually seen kind of a shift in investigations as well, where typically with a lot of companies, investigations tend to be reactive, and now, realizing that this is an issue, companies are starting to try to institute more proactive approaches. Not necessarily with software technology, because again those are expensive and right now companies don't have the money, you know, a lot of them don't have the money for stuff like that, but trying to just have investigations a little more practical, specifically in that fraud and collusion realm.

Okay, great. Stephen, have you seen, like, a change in strategy? I know that your program's fairly robust and it's been going on for a while, so I just didn't know if there was maybe a next step that you were hoping to get to that's now going to be delayed, or, you know, or you got to accelerate and get to that next step faster than you thought.

Right, yeah. I think at least from our organization, right, we haven't seen any decreased need for the insider threat program, right? I think, you know, our efforts and how robust our program is has just kind of been reinforced by this pandemic, that we need someone in the organization that we can rely on during these times of crisis or rapid change. And I think the insider threat program, not just things that are 13 but the program as a whole, has really stepped up to the plate, and, you know, an investigation is really being proactive about thinking about these employee populations differently, whether it's geographic, whether it's tenure at the firm, business area, right, thinking about where is the risk and where do we need to focus our efforts. But in terms of the need of the program, right, it's all a matter of shifting priorities. So some things that we may have wanted to get to this year we may have to do a little bit later on or next year, but nothing significantly has changed, because the program really stepped up to the plate as a leader in the organization about thinking about risk, how do we respond, how to prevent it. So, you know, for us it's been a really interesting time, because, you know, we're all hands, we're very mission driven, and we see this as a great opportunity for the program to really step up to the plate and show our value to the organization and other business plans.

Great. I have another question, and I'm going to start with you, Stephen, this time. Was there anything that you expected to see, based on the whole work from home thing, that never really materialized? Like, it could be a threat, but it could be a positive thing too; I mean, it doesn't have to be negative.

Yes. You know, thinking about this, I would say at least personally, right, I was kind of expecting, when this first broke out, you know, just as a risk manager and someone who's a little bit suspicious of all activity that's occurring, right, in that mindset I was kind of expecting incidents to be happening left and right, just kind of flying off the walls, and I think I was positively surprised that, you know, our organization and employees really stepped up to the plate, understood that, you know, this is a really difficult time for an organization and the world and the industry. So we've kind of driven it home that every employee plays a significant part in, whether it's the firm's bottom line or driving our business initiatives or thinking strategically about how we want the firm to go in the future, right? We kind of all see that it's our duty and our responsibility to uphold the integrity of our responsibilities in the conduct space, right? So I've been positively surprised that, you know, we've pulled this off so well, and it makes us very proud of the firm that, you know, our employees are doing what they should be doing, they're thinking about their day jobs, and, you know, we have the resources to support them if anything turns up.

Great, great. Matt, your thoughts?

Similar, right. At the start of this there was concern of what Shawnee had mentioned earlier, where, going into a recession and a downturn, are people going to start taking information, are they going to be looking for other jobs, will we see this spike in incidents? And we've been fortunate to have a similar outcome to what Stephen mentioned, where the low interest rates just drove our home mortgage and refinancing business heavily, the Paycheck Protection Program, shifting everyone remote, handling the thousand branches that we have and the thousands of ATMs that we have to deal with, and those processes kept everyone very busy. And culturally we also had programs in place where we were allowed to work from home, we were able to take time off, emergency time off, and the organization has been flexible to reduce stress at work related to COVID, because there's enough there from actually keeping things operational, adjusting for the new needs and the new business, that that added stress of, well, I need to be in the office, if I don't feel safe, just is taken away, and that's a great thing. So I really think this is heavily impacted by the industry and then how the organization responds and has responded to this as a whole, but thankfully we haven't seen a major increase in cases or anything like that.

Great. And Shawnee, I'll ask you the same question, but you have a wider breadth of programs that you actually deal with, so it might be a little harder for you to say, you know, yes or no, because you've probably seen a pretty good mix of both.

There has been a good mix. I think, like the other guys, I was expecting to see more cases. I was expecting to see more public cases, and I feel like maybe in the beginning it stopped or slowed down and there was nothing, because everyone was so preoccupied with COVID itself, that now that people seem to kind of understand it, now we're starting to see those cases come out in the media. Also, with regards to work from home, like Matt was saying, especially in the tech sector, in Silicon Valley, you've got companies that are saying, all right,
you know what, everyone's going to work from home until June or July 2021. So having programs like that, having, you know, more robust EAP and mental health programs, I think is huge, and I think I'm a little bit surprised at how well companies have kind of moved with the times and figured it out and made it work.

Great. And of course, you know, by sector it's going to be different. I think, Matt, you're the one who mentioned the airlines; that's probably hit pretty tough, you know, and other types of travel and leisure, you know, types of things that maybe couldn't be as resilient, because unless they, you know, had enough cash reserves, you know, to carry them through it... Okay, we're getting a little bit closer to the end of our time, so what I wanted to do was go around and ask you to sort of either bring up something that we haven't talked about that you wanted to mention, or sort of recap an important point that you wanted to make, or just talk about, you know, something that you found very interesting out of today's discussion. So let me go ahead and start with Shawnee.

I think it's just really important that everyone understands that you can have insider threat programs with not a lot of resources. Like, even if you take baby steps or start with a pilot program, doing something is better than doing nothing, and I think it's important that people at least try.

Right, right. Okay, great. Stephen, let me go to you next.

Sure. I mean, this has been a very interesting discussion. I think my main takeaway is that, and this is nothing novel or new, right, it's just that we're in a very volatile world right now, and, you know, we still have to remain vigilant about these insider threat risks. We can't get comfortable with thinking that we've mastered how to do it, right? You know, it's constantly changing. So, you know, we obviously have a lot happening here in the US, right, the elections are coming up, and there's things that are happening that we need to remain on guard for. So at least from my standpoint, it's that we're not through the clear just yet, and that things can arise, and that we need to keep being thoughtful and strategic about how we develop this program during, you know, unprecedented times, how do we cooperate with our partners and learn from them, including on this call and in the working groups, right? I think those would be my biggest takeaways from this.

Great, thank you. And Matt, final thoughts?

I think Stephen and Shawnee highlighted it well, right? So, Stephen's point, staying flexible. We're two thirds through 2020 and it's been quite a ride. There's more to come, I'm sure, and being able to adapt to that will be important. And if you have been in one of those areas where funding has been cut back, or you're facing trouble, there probably are existing capabilities in your organization too that you can pick up to fill in some of those prevention capabilities, detection capabilities and response capabilities. So using your existing forensics team or using your DLP team, and collaborating, coordinating that effort to be an insider program, can be done without a large amount of resources, as Shawnee mentioned.

Yeah, and I think my two takeaways are that, one is, I hadn't really given as much thought to the fact that threat actors could take advantage of the situation with the turmoil of organizations, and maybe putting people in compromising type positions by making them believe that they are about to lose their job, or that, you know, there's a better way to, you know, get through this by helping the threat actor, you know, those types of things. And then the second takeaway that I had was, I was a little bit surprised when Shawnee said that, you know, some companies actually cut their insider threat program as the first thing to go, but it does make sense if, you know, you're really strapped for resources; it's not usually a revenue generator, it's usually a revenue, you know, taker. So I guess I just hadn't expected that. All right, well, I just want to thank the panel members for being with us today. I really appreciate your participation. I look forward to seeing what kind of questions we get from the audience. Mike, thank you. Thank you.

Well, welcome to the live Q&A session. We hope that you've thought about some things that you wanted to ask our panelists. They're here for that purpose; they've donated their time. As I told them, I apologize, I meant to wear my tuxedo today, but I forgot that when I mowed the lawn two days ago I wore it then, and my dry cleaner doesn't have one-day service. But let me go ahead and start by summarizing a question that I've already seen, and it's kind of an opposite of a question that I asked during the panel, which was, is there anything you expected to see that didn't happen? Like, you expected, I don't know, people would run amok, or that a good thing would happen and it didn't happen, so it could be positive or negative. And I think for that one I'd like to start with Matt.

Sure. So thank you again for having me on the panel, and happy to be here again today. So I think one of the things that we thought we would see was an increase in data leaving the organization, or increasing activity, and really, with the way things were going, it really took a lot of all hands on deck to get us through, and continues to take a lot of effort from the organization. And so I don't think... people have handled it well in our organization. Our organization has provided a lot of services and taken care of colleagues to make sure that they have the resources they need to handle this well, and as well as we could, we have done well. So seeing that gave hope, I think, and was positive from this experience.

Great. Stephen, do you have anything that you kind of thought was going to happen that didn't?

Yes, and once again I want to reiterate, thank you for having me. I appreciate being here
and learning from everyone and connecting with everyone part of this group. You know, personally, I was also, like Matt, just kind of surprised in general that the number of incidents wasn't as high, and I think that reflects really well on just the employees in the organization, right, just really stepping up to the plate, understanding the role they also play in risk management during these challenging times. So it's been a positive experience, in that we've learned a lot and we will definitely be able to handle this even better going forward.

Shawnee, was there anything that you saw or didn't see that you kind of thought you would see?

Yeah, I think I expected the sky to fall and it didn't. There was a lull in cases from what I saw, and then things did kind of proliferate a bit, as I mentioned during the talk. But I think what I was surprised by mostly is how people really came together and started sharing best practices. Everyone was having the same problems, and so they got together to tackle those problems together using each other's expertise. I've really appreciated that.

That's great. And kind of, you know, Stephen, you had talked about investigations at one point during the panel, and so one of the questions that we have here I think would really suit you well. It's, what are some of the best practices that you'd recommend to conduct insider threat investigations when everyone's remote?

It's a very good question, and, you know, I wish I had the golden standard rule as to, like, how to best do this, but I think it really just makes sense to kind of continue the program as is, right? Taking an inventory of your most critical assets and employees, making sure your employees are taken care of, that they have the resources to get help from whomever they need, right, whether it's management, whether it's health and wellness for certain instances, whether that's, you know, human resources or human capital management. It's providing those resources on best practices from working at home so that, you know, these incidents aren't occurring. Separately, it includes, you know, tailoring your surveillances, your controls, to this work from home environment. So data points that are no longer available because employees are coming into the office, right, thinking about, you know, what are the best ways to alter their surveillances or controls. And this may not apply to every organization, maybe the larger ones, but that's definitely something to think about. And then lastly, I think I would comment on, you know, just communication between your employees, being more understanding of, you know, personal situations and difficulties that are arising during this time. Having management that's understanding and empathetic with those employees really makes a difference in reducing incidents, you know, causes for employees to have to do anything malicious or reckless or careless. And, you know, these are just some tips and tools I think that are important when it comes to managing these unique times.

Great, thanks, Stephen. So Matt, I see a question that came in that I think is ready made for you, because it's along the lines of, you know, in terms of insider threat issues, what would you implement to monitor the activity in an organization, especially in times like this?

I'm on mute, sorry about that.

No, that's all right. I was just checking that it wasn't me, because I did have that before. Nope, that's me.

So, remote conferences. I think it comes down to what you can see and how you analyze it, and from what you can see, you have tools like user activity monitoring tools or data loss prevention tools for endpoint visibility, but then also on the network, thinking of proxies and other network monitoring that you might have in place. And then from an analysis standpoint, it's important for organizations to look at tools that take the data in, can be used to query the data and analyze it overall, and I think that will help organizations to detect insider threats as a portion of the prevention, detection, response.

Excellent. Okay, anyone else have any additional thoughts on that? Stephen?

None for me. I think Matt said it well.

All right, Shawnee, anything extra?

Yeah, I was gonna say, one thing to consider is that not every organization can afford or wants to be monitoring, you know, with tools like that. So I think when you're thinking about that topic, it's really important to really emphasize the training and awareness angle, making sure that employees know what to look out for with their colleagues, that managers know what to look for, making sure everyone knows where to report their concerns or suspicions. Especially, again, in the tech sector, they don't want to be monitoring; privacy is a huge concern. In other cultures it's okay. So it's just important to look at that from different vantage points.

Yeah, I mean, that's a really good point, because I definitely have both visited and worked with organizations, especially in high-tech type sectors, who don't want to do anything that might inhibit creativity, and so that thought process of monitoring is, it's a risk acceptance thing, kind of along the lines of what Dan and Sarah were talking about during the keynote, which is, how much risk appetite do I have, what am I willing to accept? And from their perspective, in those cases that were explained to me, they said, we stand to lose more by not having the creativity, we lose more in real dollars by not having the creativity and continuing to innovate, than we would by potentially protecting against some hopefully minor losses.

And I think that hits on a great point as well, that we should definitely cover, which is the importance of governance, and having a strong governance structure around the program, right? Any of these processes, whether it's an investigation or detection process or tools, need to fit the risk appetite of the organization, and need to have input from employee privacy, legal counsel and HR to make sure
that what you're doing fits well within the organization and does align with its culture.

That's a great point. Yeah, I was thinking about legal just as you started to say that, and so now I've come up with kind of a question that I would like to start with Shawnee, because again you have a wide breadth of clients that you've dealt with. What is sort of the risk appetite from the legal perspective? In other words, have their programs run into lots of problems because legal's opinion is that they don't want to actually be doing that?

Yeah, it's hard. Again, I think, to touch on culture, it depends on the culture, right? Even within legal departments, you know, if you have a legal department in an organization that works with government and understands need to know, they might be okay with user activity monitoring. But when you have one in the tech culture, it's like bad words, you know. It really spans.

Okay, great. And Stephen, it doesn't have to be your organization, but I know that you guys work together in your sector with lots of other organizations, so have you seen that they've had challenges with legal sort of understanding why certain types of monitoring wanted to be done or needed to be done?

You know, personally, I haven't. You know, I would defer to Shawnee on, you know, the clients she's interacting with, but, you know, speaking from our perspective in financial services, right, we definitely have a strong partnership, at least within our organization, with the legal department and other control functions. We don't see each other as adversaries; we see each other as partners in trying to achieve the same goal, which is protecting our customers, protecting our employees and our clients, and ensuring that, you know, our risk management framework is top of the line. So we've had nothing but, you know, positive experiences interacting, at least from financial services.

Great. So just taking another moment to remind folks that they can ask questions using the interface through YouTube. Those questions will then be posed directly to our expert panel. So at this point, while I'm waiting for some additional questions, Matt, let me ask you: you led a big project when you were with us, for the Common Sense Guide for Mitigating Insider Threat, and have you found any improvement, so to speak, things that you'd say, you know, this is good, but I also thought, once I took that, I built on it in a certain way? It could just be one of the practices; it could be more than one of the practices.

I would say the biggest thing in reviewing the Common Sense Guide and taking it into industry is boiling it down to what are the key components of a program that you must have in place, and how can you get that message across quickly. And so simplifying it to who are the people we need to have, what processes do we need to have in place to successfully run a program, and then looking at the technology required for the organization, using that, and then layering the practices in that framework was a really useful exercise, because it allowed me to deliver a simple message to leadership and to the team and say, these are the people we need, these are our key stakeholders, if we're not doing this then we don't have a complete program, and if we're missing this process then we could cause issues, and here are technology gaps, if they existed. So I think it was simplifying it, because as you go into a presentation, whether it's to the team or to leadership, and you have 20 best practices that you're getting through, that was probably the challenge that I faced. But the content is still very valuable, and I think it is important to check against your program and make sure you are doing those and carrying them out.

Okay, thanks, Matt. Stephen, you had mentioned something several times, actually, about the engagement with the employees after everyone started working remote, and that communication, and keeping that communication strong, and it reminded me of some research we did about two years ago which we called the critical role of positive incentives to mitigating insider threat, and now we're calling it positive deterrence. And in that, what we found were three major factors that aligned very well in keeping people on the good side when these stressors hit them, and one of them was the connectedness to the organization. So in other words, how much organizational support they felt they actually had was a big factor in them deciding not to do things that would be harmful to the organization, even when they were under stress and felt like they needed to do something to get out of the situation they were in. So do you think that that strong communication that you have built in your organization is maybe one of those positive deterrents?

Yeah, thanks for that question, Mike. So I think, you know, twofold: it definitely acts as a deterrent. We definitely want to encourage positive communication, encouragement amongst our teams during these times, you know, as a reason for preventing incidents from happening. But, you know, on the other hand, right, our teams are very connected; we see each other more hours in the day than we do some of our family members, right? So, you know, just being a good teammate is asking, you know, how are you doing, like checking in with the Zoom calls, having a catch up, because this is a tough time for organizations and people, and at least, you know, in our organization, where we take a very people-centric approach, we just care about each other. So yes, it's a deterrent, but we're a big family and we're all trying to achieve the same goal. So from that angle, it goes to Shawnee's point of just, you know, encouraging a culture of supporting one another.

Yeah, and the other two factors: one was connectedness to the people they work with, so you just addressed that
makes great sense the third one was uh what was their connectedness to the job itself so in other words they enjoy with the work that they're doing did you see any potential issues where people couldn't actually do the same work now that they were working from home because it required hands-on machines that you know they couldn't take with them back uh to their home office i'm trying to think if there's a specific example nothing's coming to mind one thing that was really important in financial services when this first brought um you know broke out was the ability for certain bankers and traders to be able to execute their business at home in an at-home environment previously financial regulations um you know out an issue uh that preclude this from happening in a normal time in a normal environment so that was definitely something right you know we have traders working from home and executing these trades and um so that's one example and i'm sure there's others out there but that's the the first one that comes to mind right now okay well thanks that that looks like all of our time and i want to thank again our panel members for volunteering their time not only to do the original uh portion of the panel which you saw earlier but also to be here again for a live in person question answering so at this point we're going to turn it back over to randy so as we wrap up we want to thank you for attending day one of our insider threat symposium and just a reminder the second half of the symposium will be on thursday september 24th from 1 to 3 p.m eastern time you're looking in advance of what's going to happen on that day we'll have a keynote presentation by don capelli ciso of rockwell automation with a presentation entitled strategies for maturing in insider risk program we'll also have a panel discussion risk and resilience management for the counter insider threat mission moderated by dan costa with panelist scott greyer charles marguiata jt mendoza and brad melech so 
if you have any questions after the symposium today feel free to contact me dan sarah or michael at the software engineering institute additional information regarding the national insider threat center can be found at the software engineering institute website as we mentioned earlier we will be collecting any unanswered questions we didn't get to as part of the q a sessions and we'll address them via a blog post to be released as soon as possible thank you once again to our keynote speakers our panelists our moderators for today's events we appreciate your contributions to making it a huge success we also want to thank our event sponsor haystack technology and we look forward to seeing you again on thursday september 4th just as a reminder 1 to 3 pm eastern time so have a great remainder of your day best wishes to all so we're signing off from carnegie mellon university here in pittsburgh pennsylvania thank you very much you
Info
Channel: Software Engineering Institute | Carnegie Mellon University
Views: 1,881
Rating: 5 out of 5
Keywords: Insider Threat, Cybersecurity
Id: r6UneKK9zfo
Length: 118min 38sec (7118 seconds)
Published: Thu Sep 10 2020