Insider Threat



Insider Threat: The Risk of Inaction
Lockheed Martin’s Thomas on How to Spur the Board into Action

The insider threat is one that organizations often want to overlook. But it’s hard to ignore when they are losing critical assets. Lockheed Martin’s Douglas Thomas tells how to sell an insider threat program.

Lockheed Martin (LM) is a global provider of cybersecurity solutions focused on developing, implementing, maintaining, and securing critical infrastructures for both government and commercial clients in Oil & Gas, Utilities, Financial Services, Healthcare and Chemical industries. LM engineers literally span the globe, overseeing more than 4,000 programs at 600 locations in all 50 states and in 75 countries. For more info, visit: www.lockheedmartin.com

The first hurdle is to convince senior leaders that they even have an insider threat problem, says Thomas, Director, Counterintelligence Operations and Investigations for Lockheed Martin Corporation.

“It’s becoming harder and harder to justify to leadership that they need to invest in a program, when it’s overhead,” Thomas says. “However, when you describe how the threat landscape has shifted from primarily nation-states stealing classified information to stealing research and development, trade secrets and intellectual property ... and you share federal government trends that demonstrate the insider threat problem is trending in the wrong direction, it usually gets their attention.”

“When you describe how the threat landscape has shifted from primarily nation states stealing classified information to stealing research and development, trade secrets, and intellectual property... it usually gets [the board’s] attention.”

But once you get their attention, then you need to convince them that the insider threat requires unique treatment.

“Today, I think most companies don’t act proactively on insider threat issues,” Thomas says. “I think they believe their data loss prevention tools equate to an insider threat program, and I’m not of that opinion.”

In an exclusive interview, Thomas discusses:

• How to convince the board to fund an insider threat program;

• Essential elements of a program;

• The business risks of doing nothing to address the threat.

This is the second in a series of three interviews dedicated to “Selling Security to the Board,” all sponsored by Lockheed Martin. The first interview is titled, “Securing Buy-in to Fight APT,” featuring Justin Lachesky, Manager and Lead Analyst for Lockheed Martin’s Commercial Cyber Services Cyber Intel Analyst team, and the third is titled, “Rise of Security Intelligence Centers,” featuring Greg Boison, Director of Homeland and Cyber Security at Lockheed Martin.

Thomas is the Director, Counterintelligence Operations and Investigations for Lockheed Martin Corporation. In this capacity, he leads a staff that is responsible for providing advice and guidance relative to investigations, counterintelligence and counterterrorism matters impacting the corporation. He is also the primary face to the intelligence community. His primary roles are to identify intelligence and terrorism threats to Lockheed Martin Corporation, work with internal and external partners to mitigate those threats, and provide oversight over security-related investigations across the enterprise.

Prior to joining Lockheed Martin, Thomas was the Principal Deputy Director of Counterintelligence for the U.S. following a mini-confirmation process by the White House, and the House and Senate Select Committees on Intelligence. He was the counterintelligence advisor to the Director of National Intelligence and the President of the United States.

© 2015 Information Security Media Group

Securing Buy-in to Fight APT

Convincing the Board

TOM FIELD: Doug, I love this topic of the insider threat. It is one that I have spoken about a lot at the events that we’ve put on, and I am familiar with a lot of the research. I want to begin with this notion of talking to the board. In an organization, how do you even convince your board that you have an insider threat problem?

DOUG THOMAS: Well, Tom, this is actually one of the biggest challenges to establishing a program. It is becoming harder and harder to justify to the leadership to invest in a program when it’s overhead. However, when you describe how the threat landscape has shifted from primarily nation-states stealing classified information to stealing research and development, trade secrets and intellectual property ... When you provide the results of various studies by prominent universities and companies and you share federal government trends, that demonstrates the insider threat problem set is trending in the wrong direction, and it usually gets their attention.

Some examples of that data: The FBI reports that they have had a 105 percent increase in economic espionage cases since 2009. Another powerful message is when you discuss the many examples of economic espionage that have occurred in the United States in the past five years, and the harm that those cases have caused to those companies. Then there are some stats from different universities and companies. According to Carnegie Mellon studies, 75 percent of incidents go unreported. According to a Cisco study, 46 percent of workers admit to transferring work files to home computers without authorization. I think these are the things we use to win over the board, if you will, on why you should invest in a program.

Unintentional Insider

FIELD: Now, Doug, as a follow-up to that, are you pointing out to the board that it isn’t necessarily just a malicious insider? You’ve got employees that are being taken advantage of now by outside agencies, and they could be entirely oblivious to how they are being used.


“[When] I hear the age-old problem of budget and resources with the reported trends, the state of the global economy, and the emphasis placed on the theft of sensitive data, I am not sure how a company can afford not to invest in [an insider threat] program.”

THOMAS: Oh, absolutely. I mean, the program isn’t necessarily there to look for just malicious acts. It is also there to intervene and to get in front of a person who might be at risk or somebody who is doing something unwittingly. So I mean there is application beyond just looking for an insider threat.

Funding an Insider Program

FIELD: Okay, so we talked about convincing the board that there is an insider threat problem. A bigger challenge: How do you gain the leadership support and buy-in to fund an insider threat program?

THOMAS: Well, obtaining consensus among the leadership, it’s going to require strong understanding of the types of threats that organizations face today and what’s at stake. Such as lost revenue, harm to their brand or reputation, shareholder and customer confidence, loss of jobs and technological edge. You must demonstrate that the program is legally sound and in line with the corporation’s culture and values.

You also must demonstrate privacy considerations will be instituted and adhered to. You must develop a robust communications campaign to the workforce and be careful with words you use to describe the program. And last, it’s imperative you establish a sound governance structure. Our governance structure includes a steering committee at the vice president’s level with membership from the right functions. It includes an internal audit, and it includes presentations to the executive leadership team and the board of directors. What we’re trying to show is we’re going to execute the mission based on what was approved in our concept of operations. The bottom line is top-level executives must actively support and participate in the program for it to be truly successful.

Common Insider Challenges

FIELD: Doug, at the start of our conversation, you cited some pretty compelling statistics from places such as Carnegie Mellon University’s Insider Threat Program. If you look at the organizations that Lockheed Martin typically works with, what do you find to be the common insider challenges that your customers face, whether it be both from intentional insiders or the unintentional threat?

THOMAS: I think that the current business environment, the global economy are some of the drivers for why the insider threat trend is going in the wrong direction. Businesses need to do several things to survive and thrive. But some of those things expose companies to more vulnerability and exploitations, such as mergers and acquisitions, joint ventures, divestitures and large lay-offs. The ease of stealing anything stored electronically and the intense use of social media by adversaries for targeting purposes. And if you are a company where a portion of employees hold security clearances, the recent OPM breach just increased the insider threat problem set.

Today, I think most companies don’t act proactively on insider threat issues. I think they are in a reactive approach to business. Too many companies today, I think they believe that their data loss prevention tools equate to an insider threat program, and I am not of that opinion. Often I hear the age-old problem of budget and resources. But with the reported trends, the state of the global economy, and the emphasis placed on the theft of sensitive data, I am not sure how a company can afford not to invest in a program.

If you think about it for a second, Tom, a large diverse company with an insider threat will cause great harm to them. It will hurt their reputation or hurt their revenue. It will hurt shareholder/stockholder confidence. But they’ll probably survive because it is large and diverse. But if you’re a small company or a medium sized company, you could very well go bankrupt, and we’ve got case examples along those lines. Especially if you’re a company with a single-niched product. If you lose that product through a competitor or to a nation state, in time you will probably be out of business.

Lockheed Martin’s Approach

FIELD: So what are some of the ways that Lockheed Martin is helping organizations to improve both detection and prevention of insider crimes?

THOMAS: So we’ve offered our experience and our expertise based on capabilities built on decades of experience in a kind of down discipline. All of our folks came from the federal government at some point. And now they have the luxury of executing this mission in industry. So they’ve got the government background, the government knowledge of the problem set, and now they’ve got the luxury of executing this in an industry culture.

“I would argue that the damage by an insider who has unfettered access could be much more damaging than an advanced persistent threat attack.”

We can demonstrate a holistic approach, meaning the integration of data across the entire enterprise, which gives us a baseline for human behavior and digital behavior. Our approach is proactive as opposed to the typical reactive approach. We’ve been able to identify potential problems and mitigate those problems with real results. The benefits or the results have included deterring potential insiders through a comprehensive program, safeguarding corporate brand and reputation, preserving competitive edge through protection of intellectual property, protecting current and future revenue by safeguarding information assets, and improving shareholder and customer confidence in us in our ability to deliver a product that hasn’t been compromised.

Core Elements of an Insider Program

FIELD: Doug, one of the things that Lockheed Martin offers is an insider threat program for customers. What would you say are the core elements of that program?

THOMAS: So I would say a robust program requires an effort -- it’s a team sport, okay? Critical members of that team include data intelligence, security, information and security, ethics, legal, privacy, HR and communications. Now they are all critical to the program, but it’s executed by a kind of intelligence element. Through the use of technology and understanding employees’ human and digital behavior, highlighting anomalies and in some cases intervening before a situation becomes a problem, perhaps the biggest thing that we focus on is training and awareness; it’s critical. Making sure employees know they are a target, the company is a target and signs to look for, and then what to do when you see one of those signs.

And I don’t want to be over-dramatic when I talk about companies and individuals being a target. Today we’re in an environment that if you’re a company that’s making a profit and you have the future of making a profit, you’re a target because it goes back to the global economy.

FIELD: And really, there is so much that the employees even can be looking for. One of the things that people have taught me is that if you see someone that’s working different hours or is printing out an inordinate amount of material on the printer or taking an inordinate amount of material home, those are things to pay attention to and notify someone about.

“I don’t want to be over-dramatic when I talk about companies and individuals being a target. Today we’re in an environment that if you’re a company that’s making a profit and you have the future of making a profit, you’re a target.”

THOMAS: Yes, that’s absolutely right. I mean, it goes back to that training and awareness. You want all the employees out there to be your eyes and ears. And one thing that we did in our communication strategy is we don’t use the word “report.” We are not trying to create a culture of snitches. What we are trying to do is create an environment where all employees feel like they need to be engaged, engaged for their job, engaged for the sake of the company, engaged for the sake of their co-workers, so we try to stay away from the word “report.” But it comes back to what you just mentioned. It is all about training and awareness.

The Risk of Doing Nothing

FIELD: Doug, at the very start of our conversation, you talked about the figure of 75 percent of incidents go unreported. And in the past too often organizations, if they uncovered an insider crime, they were embarrassed by it and didn’t want anyone to know, so they just sort of let it go away. What would you say are the potential risks of organizations doing absolutely nothing about their insider threat?

THOMAS: Well, I kind of covered some of these already, but I think they’re worthy to repeat if you don’t mind. When a company gets hit like this, the damage from an insider is very significant. In fact, I would argue that the damage by an insider who has unfettered access could be much more damaging than an advanced persistent threat attack, a cyber-attack. So you’re looking at damage to your brand and your reputation, which is a big deal to companies. Loss of revenue and competitive position, issuance of regulatory fines, losing clients, legal repercussions, increased security risks, loss of critical high-value personnel and technology.

I mean, if you take a look at what’s going on in the United States over the past five or six years, the technological gap that we enjoyed from other nation-states, that gap has gotten smaller and smaller and smaller. Some of it is because nation-states have invested more in their R&D, but a lot of it has to do with their stealing our technology and our know-how.

Hear the entire interview: http://www.inforisktoday.com/interviews/insider-threat-risk-inaction-i-2824

About ISMG

Headquartered in Princeton, New Jersey, Information Security Media Group, Corp. (ISMG) is a media company focusing on Information Technology Risk Management for vertical industries. The company provides news, training, education and other related content for risk management professionals in their respective industries. This information is used by ISMG’s subscribers in a variety of ways—researching for a specific information security compliance issue, learning from their peers in the industry, gaining insights into compliance related regulatory guidance and simply keeping up with the Information Technology Risk Management landscape.

Contact

(800) 944-0401
[email protected]
902 Carnegie Center • Princeton, NJ • 08540 • www.ismgcorp.com