All security events need end-to-end management, but this is particularly relevant for insiders. Managing an insider can be a sensitive, politically charged topic, and it requires that policies and procedures be directly integrated into the solution.
From case management, event annotation and escalation to reporting, auditing and access to insider-relevant information, the technical solution must be in line with the organisation’s procedures.
Insiders need to be addressed consistently, efficiently and effectively regardless of who they are. This process requires executive sponsorship and the involvement of major stakeholders such as human resources, legal, IT and management.
Security teams can identify the insider, but the company needs to carry out the disciplinary actions. In fact, one of the key requirements in managing insider threats is the right to privacy: the observed activity is analysed with only an indirect reference to the individual performing it. Only authorised system users, such as IT security management or human resources, actually know the identity of the suspicious individual.
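One way to implement the indirect-reference requirement described above, as an added example that is not part of the original article or any earthwave product: user identifiers are replaced with keyed pseudonyms before analysts see the activity, so detection and correlation run on pseudonymised records, while re-identification is restricted to the authorised roles named in the text and every request is written to an audit log. The event records, the key value and the role names are constructed for the example; the HMAC-based pseudonym scheme is an assumed design choice, not one the article specifies.

```python
import hmac
import hashlib
import datetime

# Constructed sample activity records for demonstration only.
RAW_EVENTS = [
    {"user": "jsmith", "action": "download", "object": "finance/q3-forecast.xlsx", "bytes": 48_000_000},
    {"user": "jsmith", "action": "usb_write", "object": "removable:E:", "bytes": 47_900_000},
    {"user": "apatel", "action": "login", "object": "vpn", "bytes": 0},
]

# Secret pseudonymisation key. In production this lives in an HSM or secrets
# manager, never in source; this is a constructed placeholder value.
PSEUDONYM_KEY = b"placeholder-pseudonymisation-key"


def pseudonymise(user_id: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same user always maps to the same
    token so analysts can correlate activity over time, but the token cannot
    be reversed to a name without the key."""
    digest = hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "U-" + digest[:16]


class PseudonymVault:
    """Separates the analyst view (pseudonyms only) from the identity view
    (re-identification limited to authorised roles and always audited)."""

    # Assumed role names; map these to the organisation's own directory groups.
    AUTHORISED_ROLES = {"human_resources", "it_security_management"}

    def __init__(self, key: bytes):
        self._key = key
        self._identities = {}   # pseudonym -> real user id (restricted store)
        self.audit_log = []     # every re-identification request, granted or not

    def anonymise(self, event: dict) -> dict:
        """Return a copy of the event with the user field replaced by a pseudonym."""
        token = pseudonymise(event["user"], self._key)
        self._identities[token] = event["user"]
        safe = dict(event)
        safe["user"] = token
        return safe

    def reveal(self, token: str, requester: str, role: str, reason: str) -> str:
        """Re-identify a pseudonym. Denied requests are logged as well as granted ones."""
        granted = role in self.AUTHORISED_ROLES
        self.audit_log.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "requester": requester, "role": role, "pseudonym": token,
            "reason": reason, "granted": granted,
        })
        if not granted:
            raise PermissionError(f"role {role!r} may not re-identify {token}")
        return self._identities[token]


def analyst_view(vault: PseudonymVault, events: list) -> list:
    """What the SOC sees: the same events with pseudonyms in place of names."""
    return [vault.anonymise(e) for e in events]


def flag_bulk_exfil(safe_events: list, threshold: int = 40_000_000) -> set:
    """Toy detection that runs entirely on pseudonymised data: flag any pseudonym
    writing more than `threshold` bytes to removable media."""
    return {e["user"] for e in safe_events
            if e["action"] == "usb_write" and e["bytes"] > threshold}


if __name__ == "__main__":
    vault = PseudonymVault(PSEUDONYM_KEY)
    safe = analyst_view(vault, RAW_EVENTS)
    suspects = flag_bulk_exfil(safe)
    print("flagged pseudonyms:", suspects)
    for token in suspects:
        try:
            vault.reveal(token, "analyst1", "soc_analyst", "curiosity")
        except PermissionError as err:
            print("denied:", err)
        # Constructed case reference, not a real identifier.
        print("HR case owner sees:",
              vault.reveal(token, "hr_case_owner", "human_resources", "case PLACEHOLDER-0001"))
    print("audit entries:", len(vault.audit_log))
```

The detection step never touches a real name, which is the property the article asks for; the split between `analyst_view` and `reveal` is where the organisation's HR, legal and IT procedures plug in, and the audit log is what makes later disciplinary action defensible.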
Depending on the nature of the insider threat, rapid response may be appropriate. Based on your company’s policies, the response may be automated or may require human intervention. Regardless of the events triggering the response, a number of techniques can be used, including: moving the malicious user to a quarantined network, denying them access to sensitive assets, completely blocking their computer from network connectivity, disabling user accounts and even preventing them from physically entering access-controlled areas.
Carlo Minassian is the founder and CEO of earthwave, the leading Australian provider of security services.