You've caught an Insider Threat, now what? The Human Side of Insider Threat Investigations
Transcript of You've caught an Insider Threat, now what? The Human Side of Insider Threat Investigations
Doug Sampson, Founder & CEO at Soteritech
The Human Side of Insider Threat Investigations
Copyright 2016 Soteritech LLC
Context
● Assume: Robust Program Installed
● Our Scenario… A Threat is Detected
Dashboard
A Threat Detected
Examples
● Repeated access attempts
● Secret discussions at lunch
● Confidential emails sent home
● Cell phone in the SCIF
● Documents to competitors
● Why do people turn?
● So what’s next?
The Hub
● Notification comes in
● Triage within 10 minutes
● Initial level assigned
  ● Green (low risk potential, no further investigation needed)
  ● Yellow (unsure risk potential, needs immediate initial investigation)
  ● Red (sure risk, needs immediate investigation and action)
Green
● Person’s behavior is deemed normal for his or her job function and responsibility level
● Examples
Yellow
● Questionable behavior that deserves further investigation
● Widest reporting of incidents
● Could be broken down further
● Broad range of
  ● Communication
  ● Collection
  ● Consequence
● Examples
Red
● Behavior unacceptable and against company policy
● Significant information gathering (proof)
● Severe consequences
● Examples
Hub Communication
Communicate with certain groups based on severity scale
● Green – maintain internal log
● Yellow – involve HR, IT, Security Office, Legal and Exec (possibly Govt - COTR) depending on level
● Red – involve HR, IT, Legal, Security Office, Exec, COTR (if applicable) and Authorities
Employee Communication
● Green – none
● Yellow – mild to moderate/intense
● Red – intense/severe
ITPM Responsibility: Know Where You Stand
Know your organization’s policies and stance
● Employee Agreement
● Rules of Behavior
● Handling of Trade Secrets
● Employee Training
● Manager/Exec Training
● Consequences
ITPM Activity
● Do Your Homework… Investigate quickly
● Collect data – start case
● Engage with HR, Legal, Finance, IT, Exec-Level
● Possibly… talk to manager/supervisor depending on situation
● Engage the right people, and
● Prepare to have a frank conversation with the employee
Conversations
● Logistics
● Who to have involved?
● How to prepare?
● What if they go sour?
● What to do?
Yellow Stage 1
Scenario: Attempting to access unauthorized shared drive folders
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring
Yellow Stage 2
Scenario: Employee overheard talking about the new rocket guidance kit to a fellow employee at a local restaurant
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring
Yellow Stage 3
Scenario: Sending confidential work emails home
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring
Yellow Stage 4
Scenario: Getting caught in a SCIF with an unauthorized PED
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring
Yellow Stage 5
Scenario: Being witnessed giving classified documents/hardware/thumb drives to competitors/foreign nationals
● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring
Red
Scenario: Leaving the premises with prototype radar sensors
● HUB communications
● Pre-discussion preparations
● Situational awareness
● Discussion Parts 1&2
● Successful outcomes
● Unsuccessful outcomes
Conversation Decision Tree
Accusation – Are you aware? (Yes / No)
Provide Proof – Do you understand consequences? (Yes / No)
Explain improvement plan – Do you accept? (Yes / No)
Explain unacceptable behavior – Do you accept? (Yes / No)
Explain consequences – Do you understand? (Yes / No)
Explain improvement plan – Do you accept? (Yes / No)
Explain consequences – Do you understand? (Yes / No)
How to Get Better at the Conversation
Conversation Plan
● Simulation/Role Play
● Repetition
Questions
Doug Sampson, Soteritech, LLC (@soteritech)
David Mai, ObserveIT (observeIT.com)