In light of recent news that the FBI arrested another NSA contractor for allegedly stealing state secrets in August, we sat down with insider threat expert Dawn Cappelli, Vice President and Chief Information Security Officer at Rockwell Automation, to talk about what businesses can do to combat malicious insider activity.
RSAC: What are the different types of insider threats companies need to be aware of?
Cappelli: There are different types of insider threats. The case you referred to above involves classified information. Those types of espionage cases are typically very different from the theft of Intellectual Property (IP) cases that most companies experience in the private sector – companies that are concerned about protecting unclassified, confidential corporate information. Another type is insider fraud, but I find that usually falls under the responsibility of internal audit departments. So I’m going to focus on two of the types of insider threats that most private sector companies need to consider as part of their Insider Threat (or Risk) Programs.
One is theft of IP, like engineering information, source code, strategic plans, and trade secrets. Insiders typically take this type of information as they are leaving their job: either they’re going to the next job, or they expect that they’re going to be fired and they decide to take information with them as they leave so that they have it for the next job.
According to a global survey that Symantec did in 2013, about 50 percent of people who are leaving their jobs take confidential corporate information with them. Fifty percent admitted it, and 40 percent of those people said they intended to use it at the next job.
Some companies woke up when that survey was released and they now are auditing employees and contractors as they’re leaving the company. According to the research that we did when I was in CERT at Carnegie Mellon University, if you can go back and look at 90 days of activity before someone leaves your company, you will catch almost all of the insiders who have stolen your IP.
You also have people driven by ideology or activism, which we’re seeing more of lately—such as Edward Snowden or Bradley Manning. They want to publicly expose information that the organization did not want to be exposed. Those people are more like people who commit insider cyber-sabotage, which I’ll talk about next.
People who steal IP can be very nice people. They rationalize that it’s okay to take the information with them. But insiders who commit sabotage and who are willing to expose information that they feel the organization is hiding, tend to have what psychologists call personal predispositions. Let’s put it this way: nice people do not take steps to cause harm to people or organizations.
RSAC: What are personal predispositions?
Cappelli: That means they don’t get along well with people. They think they’re above the rules. They can’t take criticism well. You walk on eggshells around them. It’s important to remember that a lot of people who have those traits never commit any malicious activity. But if something goes wrong at work – no bonuses, no raises, new boss they don’t like, they don’t get the promotion they think they deserve – then you need to keep an eye on how they handle it. Many people will be upset under those circumstances, but they “get over it” as time goes on. The people who commit insider cyber sabotage don’t get over it – instead they get worse and worse as time goes on. That’s when you need to recognize the concerning pattern and take steps to mitigate the increased insider risk.
RSAC: What can companies do to recognize people that could pose an insider threat?
Cappelli: I recommend that companies train their managers and their HR department to recognize the pattern I just described. The good news is that most people will not commit sabotage. Good ethical people don’t try to harm their company or harm people. The people who are willing to cross that ethical line and harm people: first of all, they have those personal predispositions. And secondly, they’re very upset about something and everybody knows it. They don’t just clam up and hide away in their office. They exhibit concerning behaviors in the workplace. Their behaviors get so bad that they end up “on the HR radar”. Management goes to HR for help because the situation gets so bad.
We train our managers and our HR staff to look for that pattern of behavior that’s getting worse instead of better. Everybody gets upset about things, but they tend to get over it. These people get worse over time. You really need to key in on those behavioral indicators and based on that, investigate their online activity. Because most insider cyber sabotage attacks are set up before the employee or contractor leaves the company, but are only carried out after they leave.
RSAC: What kind of online activity do you look for?
Cappelli: First, you can’t just start investigating people because they’re crabby. You need to have a process defined where you go to your legal department and you describe the behaviors that have been observed. It can’t be a witch-hunt. Once legal approval is obtained for an investigation, then you can proceed.
Remember that in most of the cases, insiders set up their attack before they leave the organization, but they carry it out after they leave. Just firing someone who is causing problems isn’t necessarily taking care of your problem, because they might have already planted something. It’s really a matter of educating managers and HR, and having the legal process worked out so that your lawyers understand it and give you the approval you need to investigate someone’s online activity. Balancing security and employee privacy is critical in any Insider Risk Program.
RSAC: What can IT do to minimize the damage these people can do?
Cappelli: Let’s start with theft of IP. One control is having good access controls in place. In a lot of instances insiders have been able to steal information that they shouldn’t have even been able to access. Proactively, you want to limit access and do periodic access control audits to make sure that everyone really needs the access that they have.
Secondly, think about the ways that insiders can exfiltrate information. A lot of insiders use USB drives, email, and cloud sites to steal information. Think about whether your employees and contractors really need to be able to use those mechanisms. Can you lock down use of USB drives? Does everyone really need to be able to use USB drives? Can you block cloud sites? Does everybody need to use Google Drive and Dropbox, or can you block those, at least for the majority of your users?
There are also tools, user behavior analytics, that can take data feeds from all of your different systems logging relevant data, and enable you to build custom risk models that will tell you the people you need to look at—whose activity looks anomalous or suspicious. You can also bring in HR data feeds. If you know that a person has turned in their notice and is leaving the company, you know that’s a high-risk period in which they might take information. These tools are good at helping you to sift through that mountain of data.
Those systems are not going to help you with sabotage though, because in insider cyber sabotage cases, insiders tend to do what they do every day. I have seen cases in which software engineers planted malicious code in their company’s source code for their product or their service, but they did it in the course of doing what they do every day – working on source code. They did the same thing they do every day; it just happened to be malicious one day.
RSAC: How can you train your staff to know what to look for?
Cappelli: Last year at the RSA Conference I did a presentation with our chief HR officer—she’s probably the first HR person who spoke at RSA!—and I think we got the highest scores that I’ve ever gotten at the RSA Conference. The executive sponsor of our insider risk program is our chief HR officer. When you think about it, who knows that people are leaving the company? HR. Who knows when people are extremely disgruntled? HR. If you’re a global company, how can you best get the word out across the whole world on behaviors to be on the lookout for? How can you train all of those managers?
The best way to get to them is through HR. I focus our insider risk training on our HR department, and that way I have eyes and ears all around the world. That’s a cost-effective way of expanding your influence and your team by hundreds without actually hiring hundreds of people.
RSAC: What about training for managers?
Cappelli: I use stories. The CERT website has a lot of information on real cases. I try to find cases that will resonate with my audience. If I’m speaking to IT, then I look for cases that involve privileged IT users. If I’m meeting with a software development team, I look for cases involving software engineers. I find real cases that have actually happened and talk about those. That really opens their eyes and makes them realize that “Oh jeez, this has happened, and it could happen here.”
I want them to realize it has happened in teams just like theirs, and secondly it’s still happening. And it’s been happening in the past few months—there have been recent cases that made the news. Doing that really helps to open their eyes.
RSAC: What is the one point you want them to take away?
Cappelli: A lot of companies think that it takes a lot of money to put together an insider risk program, but when Rockwell Automation decided to start a program, they hired me as the director, and that was it. That was the only investment they made. I began running reports on employees and contractors who were leaving the company using IT tools we already had in place.
Companies can start a program just by having someone start to run those audit reports. It’s really easy to get started. And remember that 50 percent number from the Symantec survey: they’re going to be successful pretty quickly.
Within two weeks of me launching my original pilot program, I was contacted by HR about four engineers that had all quit within two weeks of each other and started a competing company. HR thought they might have taken Rockwell information with them when they left. We found that they had taken thousands of files with them. They took information that the team had taken six years to create—millions of dollars had been invested in that business. And they walked away with it and started to compete with us.
With that, my pilot was over, the program went global, and that was after two weeks. Just get started. You’re going to find something fairly quickly.
When you do, it will make you think: how much of this has been going on that we didn’t know about? That’s the real shocker, when you do start a program. You think, how much have we been missing?