Transcript
new threat actor TPTs, and real-world case studies. UNA42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for UNA42. In today's episode, I'm going to talk with Chris Tillett. Chris is a Senior Research Engineer at Palo Alto and a member of the Advisory Board for Titanium Labs. Chris, your bio on LinkedIn was really short. It says author, speaker, technologist, and failure expert. Before we get into today's topic on Insider Threat, I want you to talk to me a little bit about what you mean by failure expert. Yeah, that's a title I've earned through pain and experience. I had to really learn by doing, and I have a natural curiosity. So by me looking at something and going, well, I wonder if we did this, how would that impact the network? Or if we did that, how would that impact the systems? It helped me learn and fail fast. I love it. You've got to be fearless to be able to go into something knowing that the odds could be stacked against you, but no risk, no reward. What is Insider Threat, and why has that become such a growing concern in today's cybersecurity landscape? Insider Threats are probably the most difficult thing to address because in reality they start in a person's figurative heart. To catch the early traces of it is extremely difficult. There are just some people that are wired to find the loopholes in an organization. When we look at what an Insider Threat is, in reality, it's anyone who has access to our systems, our data, our information that could use that for their own gain or the gain for somebody else. So tell our audience the common motivations or factors that you've seen that lead individuals to become Insider Threats, and then how understanding those motivations help on identifying and mitigating those risks. So I call it the 10-80-10 rule. I talked earlier of there are people that are just wired to find the holes in your organization. That's about 10% of your employees. Sometimes that's data theft. Sometimes that could actually be money theft. That's also why you put controls in place. Typically those controls are going to catch people where it starts with a dollar or two and then eventually they get more and more bold and then they trip a control later on. The other 10% of people that are on the other opposite end of that spectrum are people that we never have to worry about. They will never steal from the organization. As a matter of fact, they won't even borrow a pencil and take it home. That's just not how they're wired and they refuse to do it. To me, those two sides are very easy. You have the ones that are just going to get bold and eventually screw up, and then you got others that you never have to worry about. The hard part is the 80% in the middle, and the reason why is many of them will never become Insider Threats ever, but all it takes is a change in their circumstances, a change in the organization, and all of a sudden the thoughts creep in. That seed of motivation, the 80% are the hardest to find. So what are some of those key indicators or behavioral patterns that organizations should be aware of when trying to identify those Insiders in their workforce? Is it crucial for the management to know their employees and for the SOC to be in communication with that management and track normal across an organization? Having something that does behavioral tracking is absolutely crucial. What is Insider Threat for HR? What is Insider Threat for accounting, for IT? When we're using digital assets, we are creating a profile of what is normal. If we're not able to track that, then when a user deviates from that normal, we're not going to catch those beginning indicators. CISOs need to leverage the business units. Having that baseline on behavior immediately is one of the most important things an organization should do, but that's just my opinion. That's absolutely true, David. And so when you look at this, that baseline in comparison, not only to themselves, but their organization and their peers is going to be truly enlightening to the SOC. Being able to evaluate an individual against their peer groups is going to be crucial to see whether or not they're really deviating from their norm. Chris, thanks for joining me today on Threat Vector. We'll be back on The Cyber Wire daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now.