Mitigating the Insider Threat: Boeing's Successful Approach
Why you need an insider threat program, and 10 steps to help you to establish one
In many cases, they look, act, speak and dress like every other company employee. Contrary to popular belief, today’s most damaging security threats originate not from malicious outsiders or malware but from trusted insiders, both malicious and negligent.
Increasingly, global enterprises are responding to insider threat actors with established mitigation programs. According to the 2018 Insider Threat report by Cybersecurity Insiders, the vast majority (86 percent) of organizations already have or are building an insider threat program. Thirty-six percent have a formal program in place to respond to insider attacks, while 50 percent are focused on developing their program. They are employing Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies also deploy Intrusion Detection and Prevention Solutions (IDPS), log management and SIEM platforms, the report says.
In addition, says the report, user behavior monitoring is accelerating; 94 percent of organizations deploy some method of monitoring users and 93 percent monitor access to sensitive data.
The Boeing Company is not immune from insider threats. Greg Chung, a Chinese-born former Boeing Co. engineer, was sentenced to more than 15 years in prison in 2009 for hoarding sensitive information about the U.S. space shuttle that he said he intended to share with China. During his sentencing, he told the Court that he took the Boeing documents home to write a book.
Boeing corporate security is working to ensure that a Greg Chung-type incident doesn’t happen again. It has had a corporate-wide insider threat program in place since 2014. Dave Komendat, Vice President and Chief Security Officer, The Boeing Company, says the program was spurred back in 2013 by senior leaders who expressed concerns about how much proprietary information is lost each year.
“We knew that we were no different than any other company; that information was leaving our fenceline,” Komendat says. “We had two senior respected leaders from our leadership team communicate the importance of protecting our proprietary information, and that was a green light for me.”
Komendat, working with the Boeing CIO, General Counsel, senior VP of Human Resources, leader of the Office of Internal Governance and the CTO, developed how the program should look, be implemented and managed.
“We got support from senior management, but we still had to put a team together to develop the set of guiding principles,” he explains. “This is one of those key points for any company that’s putting a program like this together. You have to understand your company’s culture. Is it aggressive from a security posture? Is it conservative? How well does the company communicate with employees? All those things are important for a program, because you can have the best ideas, yet if your company culture is not conducive to your goals, your program will fail.”
To begin, Komendat and a small team of subject matter experts created a pilot program that used existing Boeing company technology to capture and learn the types of threats that existed within the enterprise. “Early on we learned we were no different than any other company in the United States,” Komendat explains. “There are people inside Boeing that are going to take information, for a variety of reasons. Some people take it because they were part of the creation of the information, and rightly or wrongly, they believe that they own it, even though all employees sign proprietary information agreements. Others mistakenly transfer files that they shouldn’t because they’re not technically savvy, but they could be walking out with a lot of technology on a thumb drive. The third group of people is intent on taking information for their personal advantage. They see an opportunity to exploit that information either with a new employer, or they believe there’s a market to sell the information. Even though our pilot early on was small and controlled, we started to see all three of those types of behaviors within The Boeing Company.”
Armed with data, Komendat presented to senior management and received approval to implement an insider threat program. “I think that leaders are always surprised by the behavior of some employees, even if it’s a very small population at the company. They were most surprised how folks will justify the behavior and/or the lengths they’ll go to take information. I think they were surprised by the fact that it actually was happening within our fence line.”
Komendat’s Insider Threat Team then employed several other steps to build the program (see sidebar, How to Create an Insider Threat Program), and that included transparency about the fact that The Boeing Company has an insider threat issue, something most companies might not acknowledge. “We made a decision early on that we weren’t going to keep our program a secret,” he explains. “We were going to share the program with our employees, including the outcome of a number of investigations, to change the culture internally. We wanted employees to know that it was not okay to take information, and that we have robust rules and capability in the company to find behavior like that. The goal over time is that through communication, people will realize this is the company’s information, not theirs; all employees have a personal responsibility and obligation to protect it, and if you are considering taking information, you will get caught.”
Komendat stresses the importance of having top-notch employees to run an insider threat program. He brought Rowan Kelly, who has past experience with the CIA, on board to manage the program, in addition to leaders from NCIS, military intelligence and more.
“In 2013 as we were developing the program, the Snowden leaks happened,” Kelly explains. “That was a turning point for us, and it reinforced the importance of our work. It also helped senior management who may have been apprehensive about the program to appreciate the importance of it, as well.”
One of the specific tools that Kelly and the Boeing insider threat team use is Boeing-developed and owned software that aggregates and crunches data into digestible bits. It also uses pre-defined queries to help the team to ascertain whether a person-of-interest has changed their normal set of work behaviors. “The machine just doesn’t kick out the answer for us,” Kelly says, “but it’s how we get our tips and leads. Then we dig in on the people whose network work behaviors have been flagged. Having a talented and experienced investigative team is invaluable when it comes to turning the data-generated lead information into substantiated case results.”
Another tool the team uses is training business leaders. “Part of our approach is to develop ways to prevent insider threats from developing in the first place,” Komendat says. “Working with the Boeing corporate communications team, we are getting people to understand what an insider threat looks like. It’s using our company culture, with tools that are already in place, to create a comprehensive solution to the problem. I’ve been able to talk to our executive council, which includes our CEO, about how well this program is working. They have had the opportunity to see the types, frequency and the outcome of cases. There is tremendous support internally for the program because they’re seeing the type of data that Rowan’s team is recovering before it leaves our company. Employees have to understand there are parameters for what you can take home with you.”
Komendat appreciates the position that he is in with a large company such as Boeing that has the resources to implement a large and multi-approach insider threat program. “I realize not everybody has that, but you can do simple things, such as communicating to company employees the expectations for handling company information. That also includes letting employees know that if they believe that coworkers or colleagues aren’t handling data properly, they can report it and be protected.”
He adds, “If you have a corporate investigations team or some investigative ability, at the very least you can work with your IT team to establish parameters for recognizing behavior shifts, whether it’s on network use, print use, or something else. It’s not going to be exact, but it at least gives you a heads-up that something’s different with a person’s behavior and that it warrants a look.”
Overall, says Komendat, his goal is to change the corporate culture on data and network use and protection. “In the 1990s when we gave Internet access to all employees, we found some employees were abusing it by visiting inappropriate websites. Our corporate investigations team put a full-court press on not only finding those people and taking appropriate discipline, but also communicating the outcome of those cases to all employees. As a result you’ve seen a complete culture shift at our company where people don’t visit those sites. They don’t misuse their computers because they’ve seen the outcome. That’s exactly what we’re trying to do with this program. My goal is to change the behavior of people so that those few people who are going to make bad decisions are going to be found.”
The program’s success has defied his expectations, Komendat says. “The level of success, the number of people that we’ve been able to identify and investigate, and the amount of stolen information that we have recovered was larger than I think anybody expected. The ROI in this program is incredible: Rowan’s team recovers the annual cost of the Insider Threat Program in less than one work week. That should tell you how successful the program is.”
How to Create an Insider Threat Program
There are 10 steps to create a successful insider threat program, according to Komendat:
- Know your company’s culture. The success of an organization’s insider threat program may depend on the organization’s culture.
- Build your program with leadership support. “No matter how hard you try, if you don’t have that buy-in at the top, the program’s going to fail,” Komendat says.
- Develop and follow a set of guiding principles. Guiding principles should dictate how an organization intends to approach insider threat detection. “Every decision we’ve made has been based off those guiding principles,” Komendat says.
- Determine who is in charge. “You have to think very clearly around who is in charge of the program, or it’s going to get cloudy and murky very quickly, and it’s probably not going to be as effective.”
- Build the right team. The right team should include a combination of employees across multiple departments to share knowledge and insights and work together to reduce the risks. “Build your team with first-round draft choices: the best and brightest talent,” Komendat says.
- Find skilled personnel to drive program improvement. “You can have a great technology tool, which we have, but without people who have experience in investigative backgrounds who understand human nature, your program will not be successful. Technology is an enabler, but your skilled people find your insiders,” Komendat says.
- Follow regulations. “Your legal department will play a huge role in the development of your program,” Komendat advises. “We were challenged by our legal department early on but quickly embedded them in what we do. They’re now one of our biggest advocates, and they’ve brought forward great ideas to further advance the program.”
- Perform regular program audits. “Keep the program sold through metrics that show the value of the program.”
- Invest the necessary time and resources in your program. There may be a substantial upfront cost associated with the development of an insider threat program. Over time, though, says Komendat, the ROI will outweigh the initial cost.
- Drive a culture change. A successful insider threat program won’t happen overnight. However, an organization that remains focused on educating employees about insider threats can drive a cultural transformation, one that stretches across all levels of the organization.