56% of breaches take months or longer to discover, according to this year’s Verizon DBIR.
In particular, Insider Threat incidents have a tendency to go unnoticed for far too long, which means that investigations do not kickstart when they should. Even when an investigation is begun, it often takes far too long to complete because of the difficulty of finding and correlating the necessary information and then communicating the outcome to stakeholders.
Tips for Speeding Up Cybercrime Investigations
This is why, when an Insider Threat incident or other type of cybercrime takes place, your organization needs to be able to move quickly and not waste any time figuring out what happened, when, and why. Today, we’ll share some tips for speeding up your Insider Threat investigation processes to prevent major financial and reputational consequences.
1. Discovering the Threat
The Challenge: The first step in any cybercrime investigation? Knowing one needs to take place. Unfortunately many investigations are hampered by a slow time to detect. This is especially true of Insider Threats, since they often do not trigger typical alerting systems like DLPs or SIEMs. This can dramatically slow down Insider Threat investigations, because they don’t begin in a timely fashion.
How to Speed it Up: To rectify this situation in the case of Insider Threats, all out-of-policy actions by employees and third parties (insiders) should trigger an alert. When the alert is triggered, analysts should be prepared with the tools they need to assemble context (we’ll discuss this next). Ideally, you want an automated and integrated process in place for monitoring and alerting an analyst about any suspicious user or data activity.
Takeaway: Investigative strategies need to be proactive. Many are limited to DLP alerts or referrals that lack context. A more robust toolset enables a proactive strategy for investigations by speeding time to detection.
2. Assembling a Team
The Challenge: Many organizations do not know exactly who will pick up the mantle of investigations if and when they are required. In some cases, this is delegated to the CSO or CISO, who may preside over a siloed team. Many investigations are also slowed down by a lack of feedback loops and collaboration between SOC analysts and investigators.
How to Speed it Up: It’s best to build a cross-disciplinary Insider Threat management program team, rather than relying on a separate CSO or CISO function. An effective investigative team should have cross-functional capabilities, including the ability to obtain necessary information, analyze it across domains, and leverage any resources needed to further the investigative report.
Takeaway: To speed up investigations, put a plan in place as to who will handle what and how teams will communicate before an actual incident occurs. Ideally, this takes the form of building an Insider Threat management program. If an outside firm needs to be on retainer, don’t wait until an incident to find and vet them, or hasty decisions are likely to cause trouble.
3. Gathering Context
The Challenge: Analysts know something bad happened, but they don’t know much else. Often Insider Threat investigations are slowed down because it is so difficult to find and correlate appropriate user and data activity with certain log-based tools. In other words, it’s too hard to build context.
How to Speed it Up: Maintain immutable logs and video recordings to support forensic investigations. Cybercrime investigations go smoothly when analysts are able to quickly correlate data points and understand who did what, when, where, and why. Video logs are particularly valuable, because they enable security and IT teams to quickly communicate to less technical team members what happened.
Takeaway: Invest in a toolset that enables your Insider Threat team to determine all of the facts and the root cause of any security event and to communicate that information to anyone who requires it.
4. Compiling Unassailable Proof
The Challenge: It’s one thing for internal teams to understand what happened. It’s quite another to be able to prove it to law enforcement or the court system. Analysts must be able to build unequivocal proof in the event of an intentional Insider Threat incident.
How to Speed it Up: Just as with context-gathering, video logs are an ideal way to capture user and data behavior. They provide the level of proof that is required for a legal investigation and/or criminal proceeding. If you do not have a strong method for gathering this proof, it’s quite possible your organization will find itself with a case that can’t be proven.
Takeaway: Monitoring user behavior, ideally using video capture tools, will provide unequivocal proof during the investigation process and significantly reduce end-to-end investigation time while increasing the likelihood of a successful prosecution should one be required.
5. Taking Action
The Challenge: Of course, not every alert that requires an investigation will ultimately end in a prosecution. Regardless of the outcome, it’s necessary to have all of the user and data activity in a consumable and clear format in order to determine the appropriate course of action to conclude an investigation.
How to Speed it Up: Fortunately, as with context assembly and proof gathering, if appropriate tools are in place to understand the full scope of what happened, action can be taken in a swift and appropriate manner. If, after a thorough investigation, the insider’s activity is deemed to have been within the acceptable business policy, the incident will be closed. If the employee’s activity was not within the acceptable business policy, the Insider Threat team will consult with the legal department on necessary follow-up actions.
Takeaway: The faster any investigation is concluded, the better, since it means any insider who represents an ongoing threat will be neutralized before they can continue to wreak havoc.
How to Speed Up Cybercrime Investigations
There is one final area of focus that can dramatically increase the velocity of cybercrime investigations: An iterative learning model. The five areas where investigations are often slowed, described above, are all areas where teams can seek continuous improvement. After any incident takes place, whether it is ultimately disregarded or prosecuted, there will be useful data in play that a strong Insider Threat management team can use to improve processes. Taking this approach means that your investigations should get faster and faster over time, which ultimately means less risk for the business.
Enable quick and thorough investigations of Insider Threat incidents with complete visibility into user activity with an Insider Threat management platform like Proofpoint ITM. The Proofpoint ITM platform simplifies and speeds up the investigation process by providing detailed visual captures, precise activity trails, and direct visibility into user and data activity.
Subscribe to the Proofpoint Blog