Exploring Gartner’s Rule of Three for Proactive Insider Risk Management


Gartner analysts Paul Furtado and Jonathan Care recently published a short article on insider risk management titled: The rule of 3 for proactive insider risk management. The research note provides readers new to the subject with a solid foundation of insider risk management and how to meet the challenge of insider risk. For example, he points out the difference between insider risk and insider threats: every user presents a risk, but malicious intent defines a threat. He also highlights the clear advantage of an insider attacker over an external threat: they know where the target data is and usually have authorized access to it.

The “rule of three” also states what we at DTEX Systems take for granted: security and compliance teams must understand threat types, threat activities, and mitigation goals.

We agree with most of the approach suggested by the Gartner team, but recommend a bit of adjustment based on our experience with hundreds of enterprise clients and the The MITER Behavioral Science Team.

Remote workers act differently
Gartner points out that insider threat defense is more difficult in a Work from anywhere environment. The most common explanation is that employees, contractors, and partners are working outside the protection of the corporate network. They have access to hardware and software that may not be trusted, and home networks are often poorly secured. Behavioral scientists add other factors. When working remotely, employees may have a greater perception of anonymity and less perception of surveillance. There are often fewer interactions with supervisors for remote workers, which adds to the feeling of less oversight.

For advocates, remote workers are complicating already difficult issues. There is no monitoring or detection of unauthorized visitors in a home office, no reliable method of determining who is on the keyboard or what other equipment is in use. Work hours may differ, making it more difficult to rely on rules-based indicators of abnormal behavior.

The rule of three
Gartner’s Rule of Three divides insider risk into (you guessed it) three categories:

  1. Types of threats
    Gartner classifies threats as careless users, malicious users, and compromised credentials (essentially malicious strangers). Careless users endanger sensitive data through negligence. They either ignore good security practices or circumvent them in an effort to be more efficient (sending sensitive data via email, storing on unauthorized devices, etc.). Malicious users have malicious intent. They deliberately take measures to collect and exfiltrate data. The third category, compromised credentialsare certainly a concern. At DTEX, we have come to understand a fourth category, the one we call the Super Malicious Insiders. Somewhat similar to an outside hacker using stolen credentials, super malicious insiders have the intent and technical skill to steal data undetected. Importantly, they also often have information that the malicious outsider lacks, including an accurate understanding of how an organization’s defenses work, having received training from their employer. If you want to know more about super malicious insiders, download the DTEX Insider Threat Report 2022 here.
  2. Threat activities
    The Gartner article divides this into fraud, data theft, and system sabotage. While endpoint detection and response solutions can help with the third category (malware and ransomware), an increasingly system-wide perspective is needed. A malware signature might be recognized, but alerts about unusual activity (e.g. high file access counts, high encryption rates) are best detected by a solution such as DTEX INTERCEPTION.
  3. Mitigation goals
    Gartner’s third rule defines the goals of an insider risk program: to deter individuals; Detect activity; Interrupt the effort. The former largely deals with careless users and focuses on cybersecurity awareness programs. We would go further and use real-time warnings to notify users when their actions could put information at risk.

The second objective falls a little short in our eyes. Gartner recommends “tooling and personnel to be able to detect any signs of inappropriate data exfiltration before it leaves the organization’s custody and control.” Our experience, and that of our customers, has proven that using rules based on specific actions by specific individuals (or roles) on specific data leads to false positives, creating alert fatigue for SOC teams. and InsiderRisk. A skilled attacker, whether a Super Malicious Insider or an external attacker with stolen credentials, knows how to accomplish their goals without alerting the SOC. A better approach is to understand each action in the context of what happened before, after, and even relative to the past few months, to identify indicators of intent as well as deviations from the norm. This means understanding every step an attacker can take and correlating them, regardless of the order in which they occur.

The end goal – to disrupt the effort – is one we fully endorse in our solution. It requires understanding the Insider Threat Kill Chain and the ability to automatically block threats. As noted, SOC teams are overwhelmed with issues. Using automation to implement app locks or device quarantines for careless or abnormal behavior, session locks for malicious insiders, or network locks for compromised accounts prevents an attack from happening. to chase.
We encourage you to review Gartner’s Rule of Three note in detail. It’s a solid piece and offers solid recommendations for those starting to dig into their insider risk management initiatives. Download your free copy here.

The post office Exploring Gartner’s Rule of Three for Proactive Insider Risk Management appeared first on DTEX Systems Inc..

*** This is a syndicated blog from the Security Bloggers Network of DTEX Systems Inc. written by Jonathan Daly. Read the original post at: https://www.dtexsystems.com/blog/gartner-rule-of-three-for-proactive-insider-risk-management/


About Author

Comments are closed.