In God We Trust, All The Others We Monitor!

Thomas Frénéhard

Part of the “Controls and Risk Management” series

Sorry to disappoint you, but no, NSA’s mission statement is not “In God We Trust, All the Others We Monitor” but something I find much less controversial, albeit more ambitious: “Defending our Nation. Securing the Future.”

Regardless, I felt this urban legend was a perfect introduction to this blog, where I am sharing a few thoughts on how companies can address the “insider threat” issue.

Insider threat – be it with malicious intent or due to erroneous actions from a current or previous employee, contractor, etc. – is regularly cited as the primary source of data breaches (see GRC Tuesdays: Efficient Cybersecurity Response Requires Profiling of Data Breaches).

This finding is far from new and is regularly raised by expert analysts. Yet many companies are still in the early maturity phase of mitigating this risk.

In this short blog, I’d like to suggest a few options that, combined, can help companies better protect the information held in their systems: hence, monitor not the perimeter, but the data itself.

Of course, my first suggestion is to employ an access-governance process that defines with precise policies the user’s accesses and authorizations. But I’d like to go a step further, as I think the access-governance approach is already perfectly understood by most organizations.

Lock the information

The first step you might consider is to limit the attack surface by reducing the risk of leaking sensitive data. To do so, why not mask specific data that is not required by users to perform their daily tasks? In short: work on a need-to-know basis. This protection could be tied to roles or, for more granular and precise rules, to attributes, so that unmasking requires explicit access rights. For instance, does an IT help-desk operator who is troubleshooting access to your insurance portal need to be able to see your detailed medical information?

Consider this to be the cruise control on your car. If set, unless you decide to override it, you won’t get caught speeding.

Log users’ actions

In some cases, masking information is not possible since users need to access it to perform their work. Here, the idea is to keep data accessible, but log access for further analysis. This will help ensure compliant data access but also enable the fast and indisputable identification of irregular data access, if needed.

Continuing my automotive analogy, this would be the speed camera. If you knew that there was a speed camera active on the portion of the road you are driving on and that it would flash your registration if you fail to comply with the speed limit, would you really drive in front of it at high speed?

This “logging” option might seem appealing but could also mean that cybersecurity departments are rapidly overwhelmed by logs to analyze, especially in the case of large organizations that deal with personal information in the course of most processes. Indeed, this increases the risk of false positives and, therefore, could require a lot of manual review.
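To make the masking and logging ideas above concrete, here is an added example (not part of the original article and not taken from any product): fields are masked by default, unmasking requires an explicit attribute plus a stated reason, and only clear-text views are logged, which keeps log volume down. The policy, attribute names, users and record are all constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed policy: attribute a caller needs to see each field unmasked.
UNMASK_POLICY = {"medical_history": "clinical_access", "iban": "payments_access"}

ACCESS_LOG = []  # stand-in for an append-only audit sink


def mask(value):
    """Hide the value; keep the last two characters only if it is long enough."""
    text = str(value)
    keep = 2 if len(text) > 4 else 0
    return "*" * (len(text) - keep) + text[len(text) - keep:]


def read_record(user, record, reason=None):
    """Return a per-user view of `record` and log every field shown in clear."""
    view, unmasked = {}, []
    for field, value in record.items():
        needed = UNMASK_POLICY.get(field)
        if needed is None:
            view[field] = value        # not sensitive: always visible
        elif needed in user["attributes"] and reason:
            view[field] = value        # explicit right and a stated reason
            unmasked.append(field)
        else:
            view[field] = mask(value)  # default: masked (need-to-know)
    if unmasked:
        ACCESS_LOG.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user["id"], "record": record["customer_id"],
            "fields": unmasked, "reason": reason,
        })
    return view


# Constructed sample data.
RECORD = {"customer_id": "C-1001", "portal_login": "jdoe",
          "medical_history": "asthma", "iban": "DE00123456789"}
HELPDESK = {"id": "hd_anna", "attributes": {"portal_support"}}
NURSE = {"id": "rn_bob", "attributes": {"clinical_access"}}

if __name__ == "__main__":
    print(read_record(HELPDESK, RECORD))                 # sensitive fields masked
    print(read_record(NURSE, RECORD, reason="claim review"))
    print(json.dumps(ACCESS_LOG, indent=2))              # one entry, for the nurse
```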

Monitor logs to identify anomalies and extent of a breach

This brings us to our third and last point: monitoring.

Using all the logs from above but also potentially logs from other solutions, cyber experts could automatically run detection patterns to identify anomalies. With the right activity-monitoring tool, finding the needle in the haystack actually becomes possible without having to burn the entire haystack and go over the ashes with a magnet.

Further, this helps investigators identify and stop the perpetrator(s) in a timely manner. If the malicious actions have already been carried out, this will also help them get the scope of the data breach for notifying relevant parties, including impacted customers and regulators.

This, of course, can include logs of actions performed with temporary super-user status (a.k.a. firefighter IDs). This is one of the most sensitive forms of access, as it grants the ability to change critical information directly in a productive system.

Most companies of course track these privileged accesses, but some aren’t able to get precise information about what has really been performed – except in the report made by the super-user after the fact. These companies, therefore, have to rely on the perfect execution (no error made) and good faith (no malicious intent) of the super-user operator. Both are part of the definition of an insider threat.
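The two monitoring ideas in this section, sketched as an added example (not from the original article or any specific tool): one detection pattern flags users who read far more distinct records than their peers, and another compares what was actually logged during a firefighter session with the super-user’s own report. The log rows, session ID, self-report and the median-based threshold are all constructed assumptions.

```python
from statistics import median

# Constructed log rows: (user, session, action, object). A session id marks
# activity performed under a temporary super-user (firefighter) ID.
LOG = [
    ("hd_anna", None, "read", "C-1001"), ("hd_anna", None, "read", "C-1002"),
    ("rn_bob", None, "read", "C-1001"), ("rn_bob", None, "read", "C-1003"),
    ("rn_bob", None, "read", "C-1004"),
    ("hd_carl", None, "read", "C-1001"),
] + [("hd_dave", None, "read", f"C-{2000 + i}") for i in range(40)] + [
    ("ff_01", "FF-7", "update", "vendor_bank_details"),
    ("ff_01", "FF-7", "update", "payment_block"),
    ("ff_01", "FF-7", "delete", "change_log_entry"),
]

# Constructed after-the-fact report filed by the super-user for session FF-7.
SELF_REPORT = {"FF-7": {("update", "payment_block")}}


def volume_outliers(log, factor=5):
    """Users who read more distinct records than `factor` times the peer median."""
    seen = {}
    for user, session, action, obj in log:
        if session is None and action == "read":
            seen.setdefault(user, set()).add(obj)
    if not seen:
        return []  # nothing to baseline against
    counts = {user: len(objs) for user, objs in seen.items()}
    baseline = median(counts.values())
    return sorted(u for u, n in counts.items() if n > factor * baseline)


def unreported_firefighter_actions(log, reports):
    """Logged super-user actions that are missing from the self-report."""
    gaps = {}
    for user, session, action, obj in log:
        if session and (action, obj) not in reports.get(session, set()):
            gaps.setdefault(session, []).append((user, action, obj))
    return gaps


if __name__ == "__main__":
    print("volume outliers:", volume_outliers(LOG))
    for session, actions in unreported_firefighter_actions(LOG, SELF_REPORT).items():
        print(session, "unreported:", actions)
```

A session with no report on file surfaces every logged action, so a missing report is treated the same way as an incomplete one.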

Looking for additional suggestions?

There are of course many organizations that publish frameworks, recommendations, etc. But, since I used NSA’s fake motto as a honey trap to get you to read this blog, I’ll render unto Caesar the things that are Caesar’s and suggest you browse through the NSA’s Cybersecurity Advisories & Technical Guidance site. One of my favorite assets they release is the Top 10 Cybersecurity Mitigation Strategies since it’s very succinct and pragmatic.

What about you? How does your organization manage the insider threat topic? I look forward to reading your thoughts and comments on Twitter @TFrenehard.


This article originally appeared on SAP Community and is republished by permission.



About Thomas Frénéhard

Thomas is part of the Global Centre of Excellence for Finance and Risk solutions where he has a focus on Governance, Risk, and Compliance topics. Prior to that, he was a Senior Director in the Governance, Risk, and Compliance Solution Management team. His particular responsibility was with Risk Management but other functional areas of focus were in Internal Control & Compliance Management and Audit Management. He is also a regular contributor on social media and presenter at various SAP and non-SAP conferences on GRC matters.