Documente Academic
Documente Profesional
Documente Cultură
insider threat
A holistic approach to
dealing with risk from within
How safe are your critical assets?
An organizations critical digital and physical assets are becoming more and more exposed through
increased connectivity, differing global regulatory requirements, joint ventures and business
alliances, and potential security weaknesses within complex multinational supply chains.
42%
a key information security Are within an organizations confines, so their illicit activities
are harder to detect via traditional signature-based detection
challenge.
than an external attacker
An insider threat may be present or developing over a period These red flags alone should not be viewed as demonstrations
of time with indications that can be categorized as direct of harm; instead, they should invoke a process of review and
or indirect, each requiring different types of tracking clarification. The review process needs to amalgamate the risk
mechanisms. Direct risk indicators are usually abnormal indicators and analyze them collectively in order to uncover
activities that deviate from day-to-day work activities. Examples hidden relationships, which usually reveal more detail than when
include downloading large volumes of data to external drives, they are examined individually. To assess these risk indicators,
accessing sensitive information that bears no direct relevance organizations need to access both structured and unstructured
to normal job duties or emailing confidential data to a personal data sources. Examples of data and risk pairs include:
account. Indirect risk indicators are usually patterns of human
Structured information:
behavior that require analysis to reveal suspicious motives.
Travel and entertainment data: violation of corporate policies
Examples include sudden overuse of negative emotive words
in electronic communications, expressing desire to resign over Network access data: web browsing history, network crawling,
social media, and demonstrating ties to high-risk personnel or data hoarding, copying from internal repositories
outside parties.
Physical facility access logs: anomalies in employee work hours,
Other common insider threat indicators include: attempts to access restricted areas
Attempts to bypass security controls Travel records: countries known for IP theft or hosting competitors
Requests for clearance or higher-level access without need Phone logs: calls with known high-risk personnel or
externalparties
Frequent access of workspace outside of normal working hours
Unstructured information:
Irresponsible social media habits
Social media postings (public view only): indications of
Behaviors that demonstrate sudden affluence without obvious living beyond means, discussions of resigning or new
cause, such as large pay raise, inheritance, etc. businessventure
Maintaining access to sensitive data after termination notice Emails/instant messages: malicious intent
Use of unauthorized external storage devices HR records: terminations, layoffs and performance issues
Visible disgruntlement toward employer or coworkers Employee hotline logs: complaints of hostile, abnormal,
Chronic violation of organization policies unethical or illegal behaviors
The starting point for an insider threat program is to determine the organizations ability to detect
and mitigate insider threats and to develop a strategy that will both evolve with shifting risk
priorities and grow to the level of desired maturity.
Software development has long used maturity models as a tool Our maturity model consists of a set of characteristics that
to objectively assess the degree of repeatability, consistency and classify an organizations capabilities to detect insider threats
effectiveness of certain activities or processes. Insider threat is and represent a progression in managing insider threat risk. The
not a new risk, but it is a relatively new practice for companies to model reflects leading practices gleaned from both private and
implement a risk management program that specifically targets public sectors and incorporates relevant industry standards,
insider threats. To help companies develop an insider threat such as the Cybersecurity Framework from National Institute
strategy that aligns with their risk profiles and growth priorities, of Standards and Technology. It provides a benchmark against
EY developed an insider threat maturity model based on our which an organization can evaluate the capability of its insider
experience in helping companies detect and mitigate insider threats. threat program and set goals and priorities for improvement.
Characteristics:
Managed Insider threat program fully
integrated into the enterprise
risk management strategy
Characteristics:
Defined Key performance indicators
Increased focus on proactively
defending and responding to
in place to assess program insider threats
Characteristics: effectiveness
Repeatable Formal insider threat program with An iterative approach that
Big data infrastructure
that provides access to and
dedicated policies and processes provides continuous integrates all required data
that align with and leverage improvement sources across the organization
Characteristics:
Initial Leverages existing security
existing information security and Strong information governance
disciplines underpinning the
Expanded suite of risk
corporate security programs indicators leveraging the big
processes or functions to insider threat program
Defined insider threat detection data platform, advanced data
prevent insider threat, with no
Characteristics: formal insider threat program
strategy Some risk indicators developed analytics technologies and
Ad hoc or siloed processes Incident response plans that to monitor criticalassets organizational knowledge
No formalized training for Leverages data analytics
or functions incorporate insider threat event
employees or vendors
Lacks defined roles and handling technologies, such as Outcome:
Underdeveloped procedure behavioral analytics, to
responsibilities Formal consequence management Significant decrease in insider
communication strategies identifyhidden relationships
Largely reactive activities procedures in place threat incidents
and motives Extends benefits of the insider
with minimal to no formal Outcome: Defined program governance with
prevention strategy buy-in by key stakeholders threat program into other
Limited detection capabilities Outcome: business imperatives, such as
Dedicated insider threat resources
Outcome: Inconsistent ability to respond, Comprehensive understanding risk management, compliance,
depending on the nature of Developed training curriculum for of the organizations critical
Higher risk of insider employees and vendors internal controls and talent
incident assets and their related risks management
threat Lacks full understanding of the
Inadequate consequence Enhanced ability to monitor Enhanced defensibility of the
Delayed response in the organizations critical assets
management procedures and mitigate insider threats organizations internal controls
event of an insider breach
Continuous improvement as and risk management capability
Outcome: the program evolves over time
Enterprise-wide awareness of Timely response to litigation
Captures previously missed and regulatory requests
insider threats
signals predicting potential fordata
Increased ability to detect insider
insider threats
threats through traditional
Measurable reduction in
information security technologies
insider threat incidents
such as data loss protection,
endpoint monitoring, etc.
Operational efficiency realized
through coordinated efforts by
allstakeholders
Consistency in how assets are
monitored and protected A strong insider threat program is
Uniformity in how incidents are
handled effective in preventing, detecting and
Some critical assets more exposed
to insider threats than others mitigating insider threat.
EYs Insider Threat Program Framework helps organizations develop an integrated risk management
program to protect their critical assets against insider threats. It offers a data-driven approach to
manage insider threat risk while taking advantage of the advanced analytical tools and information
governance disciplines.
e
forensic investigation, data sciences,
information security and enterprise risk
management, developed this framework.
Full-spectrum
management
Res po
t
o te c
existing corporate security and
cybersecurity programs. Insider threat
needs to be part of enterprise-wide risk
Pr
nd
s ev
pr
oa
ch
re
R
Full spectrum
Insider threat
Continuou
management
Res po
t
o te c
Pr
nd
s ev
ap
alu
pr
program via cross-functional
oa
D e te c t
a tio
ch
n
collaboration
When developing an insider threat program, organizations should start with a clearly defined governance model, through which
stakeholders collaborate to identify critical assets, risk indicators, relevant data sources, compliance requirements, cultural concerns
and privacy implications. The success of an insider threat program depends on the support and participation of its stakeholders. The
stakeholders need to develop constructive working relationships to manage risk from within. Keys to success include clearly defined
and easy-to-follow policies, succinct communication protocols, and rigorous training curriculums.
Board a
n
Leg
al comm d risk Integrity of the financial controls
itte
Data privacy and disclosure laws e and data
Industry-specific regulatory e Financial impact
nc
requirements
Fi
Insurance claims
na
lia
nc
mp
e
Co
External communication
Collaboration Business continuity
Investigations
rit ion
cu at
Hu urc
res
Internal communication/ /
in
IT
awareness building Impact assessment and
Employee/vendor screening
Pr
o cu ess containment
reme Busin ons
nt i
Consequence protocols divis Remediation
Eradication
Identify program owners and key Evaluate the effectiveness of existing Formalize program objectives and obtain
stakeholders relevant policies and processes buy-in from key stakeholders
Gather current security-related Examine corporate hiring and Create insider threat detection framework
policies and procedures screening procedures and high-level process flows
Catalog past incidents within the Determine the requirements Formulate program implementation
organization to drive use case and scope for each component roadmap
development of the program (e.g., internal Define program resource requirements
Key activities
e
Full spectrum
Insider threat
Continuou
management
t
Res po
o te c
nd
Pr
s ev
ap
alu
pr
protect data assets
oa
D e te c t
a tio
ch
n
Digitization has led to the arrival of big
data and the explosion of new data assets
that are becoming more valuable and
e of Kno
more vulnerable. Information governance
ispos hing info w wh
D ryt r
is paramount to protect critical data e you mati at
assets from insider threats. It provides ev else ha on
ve
business intelligence to help configure
1
security controls, which improves
risk management and coordination of
as long only
you nee as
d it
whe ve it
Keep it
Know
ha
re you
helps organizations adopt a risk-based
approach to protect their most valuable
assets, while instilling sound data
2
management hygiene.
Kn it is cted
ce ha o
ow
ss ve
pro
ld w h
w
ho
o
te
K n ou
4 K n ow h o w
it can be 3
s h ac
shared
analytics is becoming an
e
Full spectrum
Insider threat
Continuou
management
Res po
t
o te c
Pr
nd
s ev
ap
alu
pr
D e te c t
oa
a tio
ch
n
insider threats
Applying advanced data analytics techniques, we are able to help helps to enhance the information security posture by making
organizations objectively analyze insider behaviors and generate it more difficult to work around the security controls than the
risk rankings within the insider population. Data analytics also traditional signature-detection methods.
Create a risk-
ranking score
system
Anomaly Assessment
detection through
machine learning
+ Linguistic
analysis + of indirect
indicators
= Risk
ranking
77% 70%
Internal fraud risk, an area that has Cyber breach or insider threat
long been managed using forensic data is the second-highest risk area,
analytics, was ranked as the top use where 70% of respondents are using
case at 77%. forensic data analytics.
60
40
20
0 20 40 80 100
Level of entitlements
Re
e
Full spectrum
Insider threat
Continuou
Res po
management
t
o te c
Pr
nd
s ev
ap
alu
pr
oa
D e te c t
a tio
ch
n
While there are nuances between external and insider breaches, the more likely that its impact can be reduced. While the
the negative impacts are similar and should therefore leverage organization strives to build as strong an insider threat program
the same response program in anticipation of a major breach. as possible, it must also develop a breach response program that
The more an organization is prepared for a major breach, considers both insider and external breaches.
Investigation
How and when the compromise occurred
A high-impact breach
What systems and data are impacted Internal stakeholders
Theft of personally Who was responsible for the compromise The board
identifiable information (PII)
In-house counsel
Sabotage of industrial Outcome Compliance
control systems Finance
Forensic activities Information security
Highly confidential data theft
Corporate security
Denial of service Identify, collect and preserve evidence
Public relations
Perform forensic analysis and data analysis
Industrial property theft
Develop and understand fact patterns
Broad malware infection Resolution
Compromise to the integrity The output may determine more in-depth
of financial reporting investigation is needed.
systems
External stakeholders
Law enforcement
Damage assessment and agencies
containment Regulators
Remediation Outside counsel
Eradication Insurance companies
Crisis management Vendors
Customers
Media
Market analysts
Shareholders
Implementing an insider threat program cannot be successful without careful consideration of the
legal and regulatory implications.
Insider monitoring must comply with a proliferation of new state The member economies of Asia-Pacific Economic Cooperation
and national privacy legislation: (APEC) endorse the APEC Privacy Framework.
In the United States, the Electronic Communications Privacy Companies dealing with multinational matters encounter added
Act allows employers, under certain provisions, to monitor complications that may prevent them from coordinating data
email and other electronic communications of their employees. transfer activities across borders. For example:
In Canada, the Personal Information Protection and Electronic EU-US Privacy Shield On October 6, 2015, the European Court
Documents Act (PIPEDA) limits how employers may collect, store of Justice invalidated the Safe Harbor Framework on the basis
and use electronic data. Some provincial governments in Canada that the European Commission had not appropriately evaluated
have opted out of PIPEDA in favor of stricter privacy laws. whether the US maintains essentially equivalent protections
of EU citizen data. The EU-US Privacy Shield was announced in
The Member States of the European Union, in compliance
early 2016 by the European Commission and US Department of
with the European Convention on Human Rights, adhere to
Commerce as a replacement for the Safe Harbor Framework. The
privacy laws under the Data Protection Directive. A draft of
agreement intends to protect personal information of EU citizens
the European General Data Protection Regulation (GDPR)
to EU standards when it is sent to the US.
was recently finalized and will supersede the Data Protection
Directive in 2018. China state secrecy laws Firms doing business in China
must contend with Chinas state secrets laws, which enable
The United Kingdom has its own privacy restrictions, described
state control of sensitive technical or commercial information.
within the Data Protection Act 1998 and the Regulation of
Compliance with these laws, which can also create difficulties
Investigatory Powers Act 2000. It will be subjected to the GDPR
in complying with US regulations and disclosure requirements,
when it comes into force in 2018.
makes it challenging to gain a universal view of corporate data.
Our services
Insider threat program: Cyber breach response management:
Current and future state assessments Impact assessment
Program and policy development Litigation support
Awareness campaigns and training Support for parallel proceedings
Risk indicator development and data modeling End-to-end eDiscovery engagement support
Response and investigation Cyber investigation
User behavior analytics implementation Cyber forensics
Information governance: Data recovery and remediation
Data carve-outs Cyber and network security insurance claims
Storage reclamation Forensic data analytics:
Insider threat prioritization Surveillance and behavioral analytics
Legacy backup tape retirement Digital forensics and investigation
Data disposition consulting Anti-fraud and compliance risk analytics
Global presence
Amsterdam Saarbrcken Vilnius
Countries with FIDS offices Brussels Dsseldorf Moscow
Forensic labs Paris Oslo Warsaw
Advanced Security Centers London Frankfurt Prague
Data centers Manchester Stuttgart Vienna
Dublin Zrich Budapest
Madrid Milan Istanbul
Calgary
Chicago
San Francisco Toronto Beijing
San Jose Boston Seoul
Secaucus Tokyo
Los Angeles
New York Shanghai
Dallas Washington, DC Hong Kong
Houston Ashburn Hanoi
Atlanta Kuala Lumpur
Singapore
Mexico City Manila
Jakarta
Bogota
Chennai
Hyderabad
Lima New Delhi
Dubai
Tel Aviv
Johannesburg
So Paulo Durban
Santiago Cape Town
Buenos Aires
Perth
Adelaide
Melbourne
Sydney
Brisbane
Auckland
EMEIA and Northern Europe leader Africa EY refers to the global organization, and may refer to oneor
+44 20 795 15386 +27 11 772 3150 more, of the member firms of Ernst & Young GlobalLimited,
jmccurry@uk.ey.com sharon.vanrooyen@za.ey.com each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not
provide services to clients. For more information about our
Stefan Heissner Arpinder Singh organization, please visit ey.com.
Central and Eastern Europe India About EYs Fraud Investigation & Dispute Services
+49 211 9352 11397 +91 22 6192 0160 Dealing with complex issues of fraud, regulatory compliance
stefan.heissner@de.ey.com arpinder.singh@in.ey.com and business disputes can detract from efforts to succeed.
Better management of fraud risk and compliance exposure
is a critical business priority no matter the size or industry
Michael Adlem Ricardo Norea sector. With over 4,500 fraud investigation and dispute
Middle East Western Europe professionals around the world, we will assemble the right
+971 4701 0524 +34 91 572 5097 multidisciplinary and culturally aligned team to work with you
michael.adlem@ae.ey.com ricardo.norenaherrera@es.ey.com and your legal advisors. We work to give you the benefit of our
broad sector experience, our deep subject matter knowledge
and the latest insights from our work worldwide.
Rowena Fell
Ernst & Young LLP is a client-serving member firm of
UK
Ernst & Young Global Limited operating in the US.
+44 207 951 4185
rfell@uk.ey.com 2016 Ernst & Young LLP.
All Rights Reserved.
ED None
This material has been prepared for general informational purposes only and is not
intended to be relied upon as accounting, tax or other professional advice. Please
refer to your advisors for specific advice.
ey.com