Global AppSec DC 2019

Giving organizations a proactive, situational procedure to validate their insider threat program reduces gaps in coverage, limits tool or service misconfigurations, helps prevent system and model oversights, and provides real world practice scenarios. Over the last decade, there has been an influx of tools, task forces, and end-to-end solutions created to supplement insider threat programs. "An effective insider threat program incorporates a number of technical controls to assist with preventing, detecting, and responding to concerning behaviors and activity" (Spooner et al, 2018). In that same white paper, the authors also indicate that organizations, at a minimum, should adopt tools from each of the following categories: user activity monitoring (UAM), data loss prevention (DLP), security information and event management (SIEM), analytics, and digital forensics. The breadth of functionality and wide array of available tools, pose a challenge to organizations looking to build or strengthen their insider threat program. Furthermore, the panacea for all insider threats does not exist and methods must be adopted that are specific to organizational assets. This presentation builds on a review of the existing insider threat tool landscape and introduces a methodology to validate configurations and coverage through a situational insider threat assessment. Insider threat kill chains, how to simulate relevant risks, and quantifying key asset identification will also be covered.