Daniel Costa of the Software Engineering Institute (SEI) at Carnegie Mellon University writes about operational resilience in the face of insider threats:
This September is the federal government’s second annual insider threat awareness month, and this year’s theme is resilience. The SEI has a significant body of research in resilience, and in the CERT National Insider Threat Center, we apply many of the principles and best practices for resilience to the insider threat problem. In this blog post, we will discuss the relationship between resilience and insider threat, discuss how to make organizations operationally resilient to insider threats, present strategies for making your insider threat program resilient, and highlight some of the key activities the CERT National Insider Threat Center will be conducting in support of National Insider Threat Awareness Month.
Making Your Organization Operationally Resilient to Insider Threats
Operational resilience is an emergent property of an organization that can continue to carry out its mission in the presence of operational stress and disruption that does not exceed its limit. Operational resilience isn’t something an organization does. An organization is operationally resilient, or aspires to be.
Operational resilience can also be thought of across multiple types of operational stress and disruption. An organization can be operationally resilient to some types (for example, environmental threats such as fires and floods) and not operationally resilient to others (insider threats, for example). The question, then, is: how do I make my organization operationally resilient?
The CERT Resilience Management Model (CERT-RMM) is a collection of best practices for managing operational resilience. Organizations can use CERT-RMM to determine their current capabilities for managing operational resilience, identify capability gaps, and develop plans to close those gaps. The model contains 26 process areas, each with its own goals and specific practices. Many of the CERT-RMM process areas are directly applicable to insider threats:
- Asset definition and management–What critical assets must the organization protect from insiders' misuse of their authorized access?
- Organizational training and awareness–How does the organization ensure its workforce understands the threats to its critical assets that insiders pose, and what are the responsibilities of individual employees to protect the organization’s critical assets from misuse?
- Risk management–What is the impact and likelihood of insider attacks based on the organization’s current capabilities, and how can the organization prioritize investments in reducing the impacts and likelihoods of certain attacks?
- Access management–How can the organization ensure that authorized access to its critical assets is granted only to those with a critical business need?
- Monitoring–How can the organization detect not only the harmful acts associated with insider misuse of authorized access, but the concerning behavior and activity that precede the harmful acts as well?
The CERT-RMM process areas listed above just scratch the surface of how to make an organization operationally resilient to insider threats. Nearly every process area provides guidance and recommendations applicable to making your organization operationally resilient to insider threats.
The past year has emphasized the need for organizations to focus on operational resilience to insider threats, as the COVID-19 pandemic has placed employees under significant personal and professional stress, changed what “normal” operations and access to critical assets look like, and highlighted the need for mature, institutionalized processes that can adapt to an ever-changing risk landscape.
Building a Resilient Insider Threat Program
Organizations can also apply the principles of operational resilience management directly to insider threat program operations. A number of CERT-RMM process areas can help organizations mature their formalized insider threat programs:
- Knowledge and information management–Detailed and thorough documentation of insider threat data collection and analysis strategies can ensure that the same inputs produce the same outputs, regardless of who performs the analysis, and can help avoid biased insider threat analysis.
- People management–Insider threat analysts can be exposed to traumatic information while collecting and analyzing data, particularly in insider threat programs with workplace violence in their scope. Insider threat programs should ensure that they provide their team members adequate resources, support, and coping mechanisms.
- Risk management–Adopting risk management principles into insider threat program operations can help with scoping an insider threat program, determining threat impact and likelihood, and measuring insider threat program effectiveness.
- Compliance–Insider threat program detection and response mechanisms should be tied closely to the organization’s policies and procedures that govern authorized access to the organization’s critical assets and how critical business processes should be conducted.
The insider threat program of the future is an integrated, proactive, risk-based mission enabler that makes its organization operationally resilient against insider threats. This future state can be realized by expanding relationships with traditionally under-represented insider threat program stakeholders; clearly articulating program goals and risk appetite; and emphasizing process institutionalization, yielding more stable processes that produce consistent results over time that are retained during times of stress.
The CERT National Insider Threat Center will engage in a variety of activities in support of National Insider Threat Awareness Month this September.