The new Inside-R program looks to collect historical insider threat data to more deeply analyze behaviors that signal risk.

Insider threat and risk management programs are the Achilles heel of every corporate and information security program, as many a CISO can attest. The MITRE Inside-R Protect program is the organization's latest initiative to assist both public and private sector efforts in addressing the insider threat. The Inside-R program's bar for success is high. Its focus is on evolving analytic capabilities centered on the behavior of the insider. To that end, MITRE invites government and private organizations to contribute their historical insider incident data to the organization's corpora of information, from which findings are derived.

MITRE Inside-R Protect focuses on behavior, not technology

While the program is at a nascent stage, its focus on human behavior across a wide swath of historical cases has long been sought and needed by corporate counterespionage programs.

I spoke with Dr. Deanna Caputo, MITRE's chief scientist for behavioral sciences and cybersecurity, who emphasizes how the focus of Inside-R is on the individual's behavior and is non-technical. Indeed, the invitation to industry and government to provide their raw investigative records no doubt will cause some to raise an eyebrow or two. To this end, she comments on how the program's laboratory creation was funded by the financial sector and is an isolated, air-gapped environment. Furthermore, such is the respect for the sensitivity of the data provided by participating partners that there isn't a backup of the lab's data. If the building burns, it is a start-over scenario. Caputo notes that participation of entities of all sizes is desired, be it an entity with five investigated cases or one with 5,000, regardless of sector.

The bar must be raised for insider threat risk

"First, there is a lack of data-driven, behavior-based, and rigorous scientific evidence to understand these escalating risks. Second, there is an over-reliance on frameworks and security controls focused on addressing external cyber threats. And third, insights are being made from a small pool of case studies that lack sufficient detail. We feel that these challenges must be addressed immediately as a component of our mission to solve problems for a safer world. We needed to raise the bar," says Caputo.

Who may participate in Inside-R?

At this time, only companies and government entities associated with countries comprising the membership of the Five Eyes (FVEY) may participate: United States, United Kingdom, Australia, Canada, and New Zealand. The FVEY countries' intelligence cooperation is broad and is not limited to signals intelligence (SIGINT). It also includes human intelligence (HUMINT), geospatial intelligence (GEOINT), and electronic intelligence (ELINT). In addition, any qualified private entity wishing to participate and obtain a capabilities brief will be required to undergo a "screening process" conducted by MITRE.

Coupling the MITRE-R Protect program with the MITRE Engenuity's Center for Informed Defense and their tactics, techniques, and procedures (TTP) used by insiders makes eminent sense. However, Jon Baker, director of research and development at the Center for Informed Defense, admonishes not to "focus on the TTPs of the last major insider threat case to hit the news."

Clearly, trust in MITRE's ability to protect one's data is paramount, and each CISO should contact MITRE to determine their own level of comfort prior to participation. After all, one will be sharing raw investigative notes and data from insider incidents to be amalgamated into MITRE-R Protect. Insider threat risk management companies will want to engage with MITRE.
To date, DTEX Systems has embraced the evolution of the program's capability, while others appear to have adopted a wait-and-see position.

Broad participation needed to analyze insider risk

The reality is, for MITRE to be successful and to provide meaningful information back to participants, broad participation will be required. The more entities that participate, the richer the information and the more refined the analytic results.

As an individual who has been on both sides of the covert information acquisition process, I attest to the value of understanding the behavior of the individual to be of paramount importance. Many fall back on the acronym MICE (money, ideology, compromise, and ego) as the four areas in which to invest in counterespionage/insider threat programs. MICE over-simplifies the engagement and exacerbates the theory that employees are not trustworthy.

That said, following the TTPs of the latest incident is indeed the equivalent of watching your neighbor's cows bolt down the road while being thankful that your own cows are safely in the barn. Where value exists is exactly where this new initiative's sweet spot resides: within the raw data, the investigative notes, the court records, and the interviews of all concerned. CISOs whose insider threat programs do not have a behavioral component are shorting themselves, as they may be assured that the unscrupulous competitor, the criminal entity, and the nation-state are studying the behavior of individuals in their targeting matrix, looking for windows of opportunity.