June 30, 2020

The Limitations of Training and Trust: What We can Learn About Insider Threats from the Coronavirus Pandemic

In March the White House and the CDC asked Americans to socially distance for 15 days to slow the spread of coronavirus, in guidelines published on Coronavirus.gov.

President Trump, Dr. Fauci, Governors of several states, and the CDC were training Americans on the importance of social distancing as the primary and most effective way to combat the spread of the coronavirus pandemic. They took to the airwaves, and media outlets nationwide repeated their message. And then they trusted Americans to do the right thing and socially distance themselves.

A lot has happened since: several states have taken steps to reopen businesses as part of the overall effort to boost the economy. But everyone, across the board, included in their message the need to continue social distancing and to wear masks in crowded public spaces.

So how did humans respond to these messages and "training"?

People gathered on beaches in Florida and California, crowds visited the cherry blossoms in Washington DC, people viewed an illegal car sideshow in Oakland, CA, and crowds gathered to watch the USS Comfort pull into NYC. The list goes on.

It’s not just everyday citizens. Even Senators were seen not appropriately social distancing or wearing masks in close quarters.

Key Learning

Old habits die hard, even when administrations "train and trust" Americans to do the right thing. While many of us stayed at home and sheltered in place, some (if not many) of us had playdates, held birthday parties, visited a beach, or attended church, and didn’t appropriately social distance.

"Humans gonna human."

People are human. Training and trust will always have their limitations with human beings.

How can I trust humans (our employees) with sensitive data?

When it comes to internal use of sensitive data, most companies also employ the standard 1-2 punch of training and trust. And it is the right thing to do - these are employees you've vetted and selected based on some thorough checks. You have to be able to trust them to do what's right for the company.

You train these employees in security, privacy, and other compliance best practices:

  • They watch videos of cute interactive animations with ninjas on them.
  • They attend seminars on an ongoing basis.
  • They all have a big binder or a large PDF file with all the rules, guidelines and best practices that they are expected to follow.

And then we trust our co-workers to:

  • Not click on that fun attachment
  • Not fall for a spear-phishing attack that looked like it was written by our CEO and linked to a page that asked for their SSO credentials
  • Have not only read, but also abide by, the company handbook
  • Value and protect our customers’ privacy
  • Not get curious and spy on their ex’s purchases or look up the history of celebrities in the database
  • Behave responsibly even when they're disgruntled about a negative performance review or being put on a performance improvement plan

So, what's the right approach?

In almost every scenario, employees are likely to do the right thing. The real challenge for security teams is to be able to detect and mitigate that one situation where an insider accidentally, mistakenly, or maliciously does something harmful.

We have to assume the worst is always just waiting to happen and plan accordingly. There are three fundamental things that CISOs and security teams can do in this regard:

  1. Communicate that you are going to lead with training & trust, but that you are monitoring behaviors and looking for anomalies. In the case of an anomaly, follow up quickly to prove to insiders that their behaviors are indeed being observed. This is an additional deterrent for intentional or unintentional lapses in judgement.
  2. Monitor and report on behaviors as far upstream as you can. Alongside approaches that focus downstream on endpoints or access perimeters, security teams must secure data at the source, i.e., at the first interaction between humans and data.
  3. Automate as much as you can so that every little anomaly does not end up as an alert on your team's radar. Hold vendors responsible for delivering solutions that can tackle blatant errors automatically, e.g. changing a SELECT * query that would run for hours to return fewer fields, rows, or simple statistical output.
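To make the three principles concrete, here is an added example that is not part of the original post and not Dasera's code. It observes queries at the data source (a query log), compares each user against a per-user baseline of the tables they normally touch, and automatically rewrites the blatant case of an unbounded `SELECT *` instead of raising an alert, so only the genuine anomaly (a user reaching into a table outside their baseline) reaches the team's queue. The `user|database.table|sql` log format, the log lines, the baseline and the 1000-row cap are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed audit-log lines in the form "user|database.table|sql".
# A real deployment would read these from the database's own query log.
SAMPLE_LOG = """\
alice|shop.orders|SELECT id, total FROM orders WHERE customer_id = 1042
alice|shop.orders|SELECT * FROM orders
bob|shop.customers|SELECT email FROM customers WHERE id = 7
alice|shop.customers|SELECT * FROM customers WHERE last_name = 'Doe'
"""

# Constructed per-user baseline: the tables each user normally queries.
# In practice this is learned from weeks of history, not hard-coded.
BASELINE: Dict[str, Set[str]] = {
    "alice": {"shop.orders"},
    "bob": {"shop.customers"},
}

# Upper bound on rows an unbounded query may return after rewriting (assumed value).
MAX_ROWS = 1000

# A bare "SELECT * FROM <table>" with no WHERE or LIMIT: the blatant, long-running case.
UNBOUNDED_STAR = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+(\w+)\s*;?\s*$", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    table: str
    kind: str    # "unbounded_select_star" or "off_baseline_table"
    action: str  # "rewrite" (handled automatically) or "alert" (needs follow-up)
    sql: str     # the query as it should run (rewritten where applicable)


def rewrite_unbounded_star(sql: str) -> Optional[str]:
    """Return a row-limited version of a bare SELECT *, or None if the query is fine."""
    m = UNBOUNDED_STAR.match(sql)
    if m is None:
        return None
    return f"SELECT * FROM {m.group(1)} LIMIT {MAX_ROWS}"


def triage_log(log_text: str, baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Walk query-log lines, fix the blatant errors automatically, alert only on the rest."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        user, table, sql = raw.split("|", 2)
        rewritten = rewrite_unbounded_star(sql)
        if rewritten is not None:
            # Automated: the query itself is bounded, no analyst attention required.
            findings.append(Finding(user, table, "unbounded_select_star", "rewrite", rewritten))
        if table not in baseline.get(user, set()):
            # Anomaly against the user's own history: worth a quick, visible follow-up.
            findings.append(Finding(user, table, "off_baseline_table", "alert", sql))
    return findings


def alerts_only(findings: List[Finding]) -> List[Finding]:
    """What actually reaches the security team's queue."""
    return [f for f in findings if f.action == "alert"]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG, BASELINE):
        print(f"{f.action:7} {f.kind:22} {f.user}@{f.table}: {f.sql}")
```

Run against the constructed log, the script produces two findings: alice's bare `SELECT * FROM orders` is rewritten with a `LIMIT` and never becomes an alert, while alice's lookup in `shop.customers` (a table outside her baseline) is the single item that reaches the team. The quick follow-up on that one item is what makes the monitoring visible to insiders, per the first principle.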

At Dasera, these are the principles we will closely align with as we build a robust security solution that protects data in use. We understand and accept the fallacies in humans and behaviors. What we have built and are building towards enables security teams to lead with trust and yet be ready for the inevitable risk situations.
