
Tuesday, April 27, 2021

Implementing Insider Defenses

Quite a considerable look at the problem. With video and overview. Hardly all-encompassing, but a useful broad look at the problem.

Implementing Insider Defenses, by Eric Grosse, Fred B. Schneider, and Lynette L. Millett, in CACM

Communications of the ACM, May 2021, Vol. 64, No. 5, Pages 60-65, DOI: 10.1145/3418296

"Classical approaches to cyber-security—isolation, monitoring, and the like—are a good starting point for defending against attacks, regardless of perpetrator. But implementations of those approaches in hardware and/or software can invariably be circumvented by insiders, individuals who abuse privileges and access their trusted status affords. An organizational culture in which people and procedures are part of the system's defenses is thus necessary. Such a culture would instantiate classical approaches to cyber-security but implemented by people who follow administrative procedures. So, a careful look at a system's defenses finds that many of the same classical approaches reappear at each level. But the implementation at the lowest layers—structures we might term insider defenses—involves people.

People do not slavishly follow administrative procedures the way a computing system executes its programs. In addition, people are more prone than computing systems to making errors, and people can be distracted or fooled. Finally, because they can be influenced by events both inside and outside of the workplace, people have very different kinds of vulnerabilities than computing systems. But people alter their behaviors in response to incentives and disincentives and, when empowered by organizational culture, they will (unlike computing systems) respond in reasonable ways to unusual or unanticipated circumstances. Thus, the use of people in a defense both offers benefits and brings different challenges than using hardware or software.

Those benefits and challenges are the focus of this article, which is informed by some recent discussions about best practices being employed at global IT companies and at the U.S. Department of Defense (DoD) for defense against insider attacks. The private sector and DoD are quite different in their willingness and ability to invest in defenses, in the consequences of successful attacks, and in the inclinations of their employees to tolerate strict workplace restrictions. Given those differences, two things we heard seemed striking and worth documenting for broader dissemination: How similar are the practices being used, and how these organizational structures and procedures to defend against insider threats can be seen as instantiating some classical approaches to cyber-security. ... "
