you've caught an insider threat, now what? the human side of insider threat investigations


Page 1: You've caught an Insider Threat, now what? The Human Side of Insider Threat Investigations

Doug Sampson, Founder & CEO at Soteritech

The Human Side of Insider Threat Investigations

Copyright 2016 Soteritech LLC

Page 2: Context

● Assume: Robust Program Installed
● Our Scenario… A Threat is Detected

Page 3: Dashboard

Page 4: A Threat Detected

Examples
● Repeated access attempts
● Secret discussions at lunch
● Confidential emails sent home
● Cell phone in the SCIF
● Documents to competitors

● Why do people turn?
● So what’s next?

Page 5: The Hub

● Notification comes in
● Triage within 10 minutes
● Initial level assigned
  ● Green (low risk potential, no further investigation needed)
  ● Yellow (unsure risk potential, needs immediate initial investigation)
  ● Red (sure risk, needs immediate investigation and action)

Page 6: Green

● Person’s behavior is deemed normal for his or her job function and responsibility level
● Examples

Page 7: Yellow

● Questionable behavior that deserves further investigation
● Widest reporting of incidents
● Could be broken down further
● Broad range of
  ● Communication
  ● Collection
  ● Consequence
● Examples

Page 8: Red

● Behavior unacceptable and against company policy
● Significant information gathering (proof)
● Severe consequences
● Examples

Page 9: Hub Communication

Communicate with certain groups based on severity scale
● Green – maintain internal log
● Yellow – involve HR, IT, Security Office, Legal and Exec (possibly Govt - COTR) depending on level
● Red – involve HR, IT, Legal, Security Office, Exec, COTR (if applicable) and Authorities

Page 10: Employee Communication

● Green – none
● Yellow – mild to moderate/intense
● Red – intense/severe

Page 11: ITPM Responsibility: Know Where You Stand

Know your organization’s policies and stance
● Employee Agreement
● Rules of Behavior
● Handling of Trade Secrets
● Employee Training
● Manager/Exec Training
● Consequences

Page 12: ITPM Activity

● Do Your Homework… Investigate quickly
● Collect data – start case
● Engage with HR, Legal, Finance, IT, Exec-Level
● Possibly… talk to manager/supervisor depending on situation
● Engage the right people, and
● Prepare to have a frank conversation with the employee

Page 13: Conversations

● Logistics
● Who to have involved?
● How to prepare?
● What if they go sour?
● What to do?

Page 14: Yellow Stage 1
Scenario: Attempting to access unauthorized shared drive folders

● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Page 15: Yellow Stage 2
Scenario: Employee overheard talking about the new rocket guidance kit to a fellow employee at a local restaurant

● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Page 16: Yellow Stage 3
Scenario: Sending confidential work emails home

● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Page 17: Yellow Stage 4
Scenario: Getting caught in a SCIF with an unauthorized PED

● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Page 18: Yellow Stage 5
Scenario: Being witnessed giving classified documents/hardware/thumb drives to competitors/foreign nationals

● Pre-discussion preparations
● Situational awareness
● Discussion Part 1: Accusation
● Discussion Part 2: Consequences
● Successful outcomes
● Unsuccessful outcomes
● Monitoring

Page 19: Red
Scenario: Leaving the premises with prototype radar sensors

● HUB communications
● Pre-discussion preparations
● Situational awareness
● Discussion Parts 1 & 2
● Successful outcomes
● Unsuccessful outcomes

Page 20: Conversation Decision Tree

Each node is a question put to the employee, with a Yes and a No branch:

Accusation – Are you aware? (Yes / No)
Provide Proof – Do you understand consequences? (Yes / No)
Explain improvement plan – Do you accept? (Yes / No)
Explain unacceptable behavior – Do you accept? (Yes / No)
Explain consequences – Do you understand? (Yes / No)
Explain improvement plan – Do you accept? (Yes / No)
Explain consequences – Do you understand? (Yes / No)

Page 21: Conversation Plan

Page 22: How to Get Better at the Conversation

● Simulation/Role Play
● Repetition

Page 23: Questions

Doug Sampson, Soteritech, LLC (@soteritech)
[email protected]

David Mai, ObserveIT (observeIT.com)
[email protected]