
the CYBER5


Sep 14, 2022

In episode 81 of The Cyber5, we are joined by the Head of Insider Threat at Uber and CEO of Vaillance Group, Shawnee Delaney. 

In this episode, we provide an overview of the different functions within an insider threat program, the support open source intelligence provides to such programs, and how to change company culture to care about insider threats. We also discuss the ROI metrics that matter to different stakeholders when implementing an insider threat program. 

Three Takeaways:

1) Departments and Functions within Insider Threat 

Insider threat programs are relatively new in enterprise security and their structure often varies from company to company. Open source intelligence can be a standalone role or a cross-functional capability shared by all departments. Common departments and functions include:

  1. Open source intelligence. 
  2. Forensics monitoring.
  3. Training and awareness (steering committees for stakeholders, benchmarking).
  4. Technical and behavioral monitoring (UEBA or DLP).
  5. Supplier due diligence.
  6. Global investigations.
  7. Global intelligence analysis.

2) Common Problems Faced by Insider Threat Teams

Common challenges faced by insider threat teams:

  1. Privacy: ensuring that monitoring does not violate employee confidentiality.
  2. Tooling: having the visibility needed to distinguish malicious events from normal behavior.
  3. Finding practitioners that can do the technical monitoring and open source intelligence.
  4. Shifting culture to be more security conscious.
  5. Focus on physical security issues, like active shooter situations, just as much as data exfiltration and other cyber concerns.

3) Role of Open Source intelligence in Insider Threat Programs

An insider threat program is a key stakeholder for a threat intelligence program, not the individual buyer of it. Three key areas where open source intelligence (OSINT) supports insider threat programs:

  1. Employee lifecycle management: ensuring employees, former employees, and prospects are not an insider threat based on what they post on the internet. 
  2. Validating red flag indicators with OSINT.
  3. Investigations into vendors.