Mature vs Maturing Security Programs
By Gunnar Newquist, Client Advisor at Strider
In my years in the security industry working with both government counterintelligence programs and corporate insider threat programs, I've seen many programs at varying degrees of maturity. Some had experienced practitioners, a well-defined working group of stakeholders, and program members knew their responsibilities and understood the actual risk environment. Other programs had loose procedures and followed processes on a case-by-case basis. Many of the less experienced programs were driven by enthusiasm but lacked a clear threat picture. Over the years, I've observed three critical differences between mature programs and less mature programs:
- Mature programs understand that data without context leads to more danger
- Mature programs have clearly defined processes
- Mature programs focus on educating their at-risk employees
Mature programs understand that data without context leads to more danger
“False positives” is a term all too familiar to insider teams. User and Event Behavior Analysis (UEBA) tools are effective at generating indicators of abnormal behaviors, which are indicative of insider risk. However, the UEBA tools use of risk indicators are only as effective as the actual data feed. When the UEBA data is reviewed, there is a temptation to feel the information is conclusive, when in fact the data is often limited to simple binary indicators which need to be further examined or investigated.
For example, a certain employee has a high-risk score in a UEBA platform because they have worked unusual hours, exfiltrated a large volume of unidentified material, and expressed hostile sentiment. These combined observed behaviors are an indicator of potential risk but may not provide conclusive evidence of a policy violation or IP theft. Understanding why the employee violated policy provides valuable context. Knowing if this information has been targeted by state-sponsored actors and if the employee has any indicators of an ongoing relationship with state sponsored actors provides much needed context to understanding the actual intent and associated motivation.
All too often when conducting a reactive investigation, investigators are looking for evidence which simply demonstrates the policy violation, and in their rush to protect the data, do not take the time to understand the employee’s motivations and intent. In some cases, the investigators do not understand or appreciate the relevance of the state-sponsor nexus. Therefore, their investigation is deemed successful as it discovered a policy violation, but the opportunity to uncover deeper damage is missed.
Mature programs have clearly defined processes
Economic Security programs should not be run like a police homicide unit, only initiating investigations in response to discovering a dead body. Mature programs work to protect their employees at greatest risk and prioritize their focus on the technology of greatest interest to state-sponsored actors. Mature programs understand which company data needs to be protected and have repeatable and defensible processes for prioritizing their investigations.
Repeatable: Mature programs have developed standard processes to use when triaging surfaced risk. These standardized processes prevent mistaken omissions, allow for better understanding of the threat environment, and prioritize their limited resources to focus on the incidents which could cause the greatest damage to the company. Creating an investigative response matrix to standardize investigative response utilizing such factors as “value of information at risk,” “state-sponsored interest,” “employee's nexus to state-sponsored actors,” “violation of policy,” and “past risky behavior” creates a repeatable process which allows for more comprehensive understanding of your risk vectors.
Defensible: Mature programs recognize that any employment action in response to the results of an investigation can result in legal action. Therefore, clear policies should be established. Having a standard investigative response process focused on identifying policy violations and gathering tangible evidence can help avoid these lawsuits and help defend the company’s actions when they inevitably occur.
Proactive: Mature programs understand their risk environments and therefore are proactive in their efforts to prevent state-sponsored actors from stealing their intellectual property (IP). Developing a deep understanding of who the state-sponsored actors are, what they are interested in, and how they initiate relationships with targeted employees with whom they can later exploit, allows mature programs to identify this behavior in the initial stages to proactively confront their efforts and better protect their IP.
Without established processes, mistakes are made that can end in uneven results, missed opportunities, or the appearance of unethical behavior.
Mature programs focus on educating their at-risk employees
Mature programs understand the value of educating at-risk employees regarding the methods in which they may be approached by state-sponsored actors. Educating your people, stakeholders, and executives in a thoughtful way empowers them to make wise decisions and avoid getting entangled in relationships which could hurt them and the company. Once you understand your threat landscape, it can be shared with those at risk so they too understand it and can take defensive action.
Providing customized briefings that clearly demonstrate what technology is being targeted and by whom resonates with the employees directly working on the technology in question. These briefings instill trust between the affected employees and the security program, resulting in a greater exchange of information.
Informing all employees about the risks of workplace violence is important. However, security programs aimed at countering state-sponsored risk should prioritize the protection of critical technology assets and the evaluation of relationships between employees and state-sponsored entities. Mature economic security programs build customized training material for the employees directly associated with the technologies targeted by state-sponsored actors. Security teams share:
- Which technologies are being targeted
- Which state-sponsored actors are directly interested in acquiring the technology
- Common methods used by state-sponsored actors to approach western employees
The training material is designed and delivered in a way which instills trust and encourages employees to notify security when they suspect they have been approached.
Maturing programs may not always recognize the value in gathering relevant information to get a complete understanding of intent behind the theft of IP, they may be reluctant to formalize a repeatable, defensible, and proactive strategy and they may still use generic training material when educating their employees.
Developing an effective security program is a complex endeavor that requires time, experience, financial resources, stakeholder support, and strong leadership. Nevertheless, well-designed programs necessitate and benefit from strategic planning. Established programs place value not only on data but also on grasping the underlying motives for behavior, taking proactive measures, maintaining repeatable and defensible procedures, and fostering a culture of trust in the workplace by transparently sharing their understanding of risk with the most susceptible employees.