MindPoint Group: Insider Threat

Insider Threat – Closing Security Gaps

The MindPoint Group Insider Threat Program (ITP) assesses the organization to identify security gaps and implement safeguards to improve the overall security posture. Awareness of the need for improved insider threat safeguards and more advanced cybersecurity is a crucial first step toward protecting your data. The expertise provided by MindPoint Group will allow organizations to breathe easier knowing that we can root out the gaps and close them.

Assessing Your Insider Threat Level

We begin by evaluating a customer’s counter insider threat capabilities. Utilizing an insider threat program maturity model that is holistic, neutral, and unbiased, we benchmark a customer’s current ability to monitor, deter, detect, mitigate, and respond to insider threats.  

Reactive vs Proactive vs Predictive Threat Solution Organizations

There are three levels of insider threat maturity: reactive, proactive, and predictive. These levels reflect the maturity of an organization’s security posture.

A reactive organization has no formal insider threat program in place, although it is aware that insider threats exist. Information Technology (IT) is mainly responding to threat actions after they occur. Policy and personnel training are the most important aspects of its ITP.

A proactive organization is focused on the use of technologies and tools that will assist them in spotting insider threats within a core group of “high-risk” employees.  

A predictive organization has a formalized insider threat program in place that seeks to identify potential or active threats as early as possible. Its insider threat program policies, processes, and technologies are deployed enterprise-wide. A predictive and optimized organization is holistic, dynamic, and responsive to insider threat concerns, continually addressing shifting risk and changes in business operations that affect the policy, processes, and technologies it needs.

At MindPoint Group, the ITP’s goal is to identify the gaps of a reactive agency and implement the changes needed to make it proactive, and to take a proactive agency to predictive and optimized. Only by identifying security gaps can we take the necessary steps to close them.

Tailored Insider Threat Solutions

Once we have a fair assessment of an organization’s current capabilities, we are able to tailor our service in such a way that provides the most effective security solutions for your organization’s needs. By uncovering and closing security gaps we are able to take an organization that has nonexistent or reactive insider threat policies and help them achieve proactive, predictive, and optimized insider threat performance.

Insider Threat Program in Action

Scenario 1 – Continuous Monitoring

In one such example of successful ITP implementation, MindPoint Group analysts identified a technology-based vulnerability while conducting continuous monitoring of data exfiltration for a customer. Specifically, it was discovered that Bluetooth technology could be used to circumvent security controls, as Windows provides a utility for transferring files to any Bluetooth-connected device with storage capability. This allowed a user to establish a private file-sharing connection with a phone or personal laptop. Anyone with a customer-issued laptop could connect to any personally owned phone, laptop, or mass storage device within Bluetooth range and copy single files or bulk quantities of files without any restrictions. Upon this discovery, our analysts determined they could develop and implement a User Activity Monitoring (UAM) trigger to close the gap by logging the use of this technology and retaining the transferred file for supplementary analyst review. This security gap and technological challenge was brought to the attention of policy personnel for their review and consideration.

Bad actors are continuously looking for and discovering new ways to circumvent agencies’ security to steal data. MindPoint Group is constantly updating, checking, and tuning our security tools in order to out-maneuver our adversaries. While testing and tuning our security posture, we discover functional and policy gaps that could be used to exfiltrate data. In this case we were able to leverage existing security tools to minimize the risk of data leakage while allowing employees to accomplish their mission. The work of closing this gap was recognized on a national level by the National Insider Threat Task Force in its 2021 Federal Counter Insider Threat Community Recognition Program, where it was selected for special recognition in the category of closing gaps.

Scenario 2 – Automation to the rescue

In another example, MindPoint Group made great strides in advancing a customer’s insider threat services automation. On 17 May 2022, after several months of effort, MindPoint Group completed an automated data forwarder project, which allows Advanced Security Analytics (ASA) data to be fed directly (and in near real time) into the customer’s Splunk environment. The previous system required manual data pulls and manual uploads into the customer’s Splunk environment, creating a data lag. Where 24 hours could make the difference between preventing an insider threat or not, it was crucial to close this gap. Data pulls occurred approximately three times per week and were a laborious process that could take several hours to complete. Data pull errors were also a concern that could render key information unusable. Now the customer is provided real-time actionable information, which vastly improves its security posture. By automating the process, approximately 10 to 15 man-hours per week have been saved, and data pull errors have been virtually eliminated. The automation of data forwarding also improves the customer’s security posture as measured against the insider threat maturity model. Whereas the manual process by its nature created a reactive security posture, the data automation allows for greater focus on tuning and improving information quality. This will allow the customer’s program to become predictive and eventually fully optimized for insider threat detection and deterrence.

Scenario 3 – Policies and procedures

New security rules and policy updates can have an immediate impact on an organization’s ability to identify, respond to, and mitigate insider threats. Protecting Controlled Unclassified Information (CUI) is still a challenge for many organizations. In May 2022, MindPoint Group implemented CUI security controls on a customer’s network that, for the first time, provided visibility into CUI data transfers from the customer’s network to personally owned devices. Within days of implementing these security controls, it was discovered that an off-boarding contractor had sent nearly a dozen emails to themselves containing over 130 proprietary documents. Armed with this information, and more importantly before the employee left the customer’s organization, the customer was able to take action to secure its data and oversee the deletion of all relevant emails and files. Giving this customer the ability to identify a potential insider threat and quickly putting information into the hands of decision-makers so they can respond and mitigate these threats is exactly what MindPoint Group excels at.
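The pattern in Scenario 3 (a departing user mailing CUI-tagged attachments to a look-alike personal address) can be expressed as a simple detection over mail-gateway records. The following is an added example written for this page, not MindPoint Group's tooling: the log format, the domain names, the HR off-boarding feed and the alert threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of outbound mail-gateway records (not real customer data).
# Columns: timestamp, sender, recipient, attachment count, DLP classification.
SAMPLE_LOG = """\
2022-05-10T09:02:11 jdoe@agency.example jdoe.home@webmail.example 12 CUI
2022-05-10T09:05:40 jdoe@agency.example jdoe.home@webmail.example 15 CUI
2022-05-10T09:09:03 jdoe@agency.example jdoe.home@webmail.example 11 CUI
2022-05-11T08:15:22 jdoe@agency.example jdoe.home@webmail.example 14 CUI
2022-05-11T14:00:09 asmith@agency.example asmith@agency.example 3 CUI
malformed line that the parser must tolerate
"""

INTERNAL_DOMAIN = "agency.example"      # assumed customer mail domain
DEPARTING = {"jdoe@agency.example"}     # assumed HR feed of off-boarding staff
CUI_FILE_THRESHOLD = 25                  # assumed per-sender alert threshold


def parse_log(text):
    """Parse gateway lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, sender, rcpt, count, label = parts
        records.append({"ts": ts, "sender": sender, "rcpt": rcpt,
                        "files": int(count), "label": label})
    return records


def is_self_transfer(sender, rcpt):
    """Off-domain recipient whose local part contains the sender's local part."""
    s_local = sender.split("@")[0]
    r_local, r_dom = rcpt.split("@")
    return r_dom != INTERNAL_DOMAIN and s_local in r_local


def find_cui_self_transfers(records):
    """Aggregate CUI-tagged mail sent to look-alike personal addresses; alert on
    departing staff for any such transfer, on everyone else past the threshold."""
    files = defaultdict(int)
    msgs = defaultdict(int)
    for r in records:
        if r["label"] == "CUI" and is_self_transfer(r["sender"], r["rcpt"]):
            files[r["sender"]] += r["files"]
            msgs[r["sender"]] += 1
    return {s: (files[s], msgs[s], s in DEPARTING) for s in files
            if s in DEPARTING or files[s] >= CUI_FILE_THRESHOLD}
```

Running `find_cui_self_transfers(parse_log(SAMPLE_LOG))` flags only the departing user, with 52 attachments across 4 messages; the internal self-addressed message is ignored because it never leaves the domain.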

Where to start your Insider Threat Program

As each organization is unique, it’s important to create an ITP that’s been crafted specifically to meet your needs, as opposed to a “one-size-fits-all” solution. Through a gap assessment and a customized plan with MindPoint Group, we can set you up for success in finding and closing security gaps. If you’d like to learn more about what a partnership with MindPoint Group could look like for you, let’s connect.