The Inside Liar
February 27, 2013
This was originally posted on Blogger here.
A significant topic for risk management these days is the insider threat. While it is accepted that the insider is the most likely threat actor, we have very little ability to deal with the insider threat. We generally treat them as an exterior threat: we look for their malicious actions and consequences. Whether it is sabotage or the loss of an organization's protected data, we see the results of the threat's actions and then attempt to find the root cause of what happened, hopefully tracing it back to a threat actor (be it insider or exterior). However, this is extremely hard. The complexity of our information systems provides ample space to hide malice. There is another way: FIND THE LIE
If you ever watch an episode of COPS, after they have the situation under control, they break up the parties and ask a simple question, "So what happened here?" The reason is that, once they have the statements of the various parties, their job changes. They are no longer trying to find 'root cause', they are trying to figure out who is lying. When they find the liar, they've found the threat.
This offers a unique way for us to find insider threats. Rather than look for the consequences of their actions, look for the lies. From the second they get to the door to the minute they leave we expect our staff to assert information. They assert that they have a legitimate badge and that the badge represents them. They assert that they have a legitimate account on our information systems. They assert that they have a legitimate reason to access information through access forms and user agreements.
To realize a consequence, our threat must lie. Whether it's about why they are accessing information, why they are using a system, or why they are entering an area, they must lie. Those lies provide us an opportunity to detect our insiders. By processing the wealth of information we have on our users, we can look not for malicious actions and consequences, but instead for the lies that precede them. While threats will actively attempt to cover up their malicious actions and consequences, they will continuously generate more and more lies as they do so, providing us additional opportunities to detect them.
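One concrete way to look for the lie rather than the consequence is to cross-check two of the assertions named above against each other: the badge asserts where a person is, and the account asserts who is logging in and from where. The example below is added here and is not part of the original post; the badge and authentication records, their five-field format, and the two contradiction rules are all constructed for illustration.

```python
"""Cross-check badge presence against login source to surface contradictory assertions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not from any real system): "date time user action place".
BADGE_LOG = """\
2013-02-27 08:02 jdoe badge-in HQ
2013-02-27 08:10 asmith badge-in HQ
2013-02-27 17:30 jdoe badge-out HQ
"""
AUTH_LOG = """\
2013-02-27 08:15 jdoe login onsite
2013-02-27 09:40 asmith login vpn
2013-02-27 10:05 bjones login onsite
"""

def parse(text):
    """Turn one log into (timestamp, user, action, place) tuples."""
    rows = []
    for line in text.splitlines():
        date, time, user, action, place = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        rows.append((ts, user, action, place))
    return rows

def presence_windows(badge_rows):
    """Build {user: [(badge_in, badge_out)]}; an unmatched badge-in stays open."""
    windows = defaultdict(list)
    open_entry = {}
    for ts, user, action, _site in sorted(badge_rows):
        if action == "badge-in":
            open_entry[user] = ts
        elif action == "badge-out" and user in open_entry:
            windows[user].append((open_entry.pop(user), ts))
    for user, start in open_entry.items():  # still on site at end of log
        windows[user].append((start, datetime.max))
    return windows

def find_contradictions(badge_rows, auth_rows):
    """Flag logins whose source disagrees with what the badge asserts."""
    windows = presence_windows(badge_rows)
    findings = []
    for ts, user, _action, source in auth_rows:
        inside = any(start <= ts <= end for start, end in windows.get(user, []))
        if source == "vpn" and inside:
            findings.append((user, ts, "remote login while badged in on site"))
        if source == "onsite" and not inside:
            findings.append((user, ts, "on-site login with no badge entry"))
    return findings
```

Neither finding proves malice on its own (a forgotten badge-out or a lent credential produce the same pattern), but each is a contradiction between two assertions the person made, which is exactly the kind of signal the post argues we should hunt for.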
It is time we focused our defensive efforts where we have the advantage and where our attackers do not. While threats may have the advantage when it comes to hiding their malicious actions within the vast complexity of our information systems, a lie begets a lie. And a lie has short legs.