Unfortunately I made two assumptions:
1. I assumed everyone already knew how hard that was.
2. I was speaking to an audience of peers and not how I would have presented this to senior leadership. While I could absolutely stroll into MY leadership dressed as the Schrodinger Necromancer Level 863 and do this, I recognize that would not fly in 99.99999% of other organizations. Rest assured I own "big girl" clothes and can talk that talk as well.
But, in the event there were those in the audience that were not aware:
Yes. It can be difficult to identify anomalies but time and experience and instinct* can make that easier. Note, I did not say "easy" but I did say "easiER".
When I was a young rookie cop, I was amazed at how my FTO (Field Training Officer) would notice things and call my attention to them. I recall thinking I would never be that "smart" and how in the world did they do that?
(I was the only female at the time so I did get the occasional "honey" but they were good men and had my back and treated me with respect)
But they were good guys and taught me SO much and I found that many years later, I was the one that would notice little things out of place or off or "anomalous".
When I was on Field Patrol, I was taught to take the time to drive every single street in my area. Why? Drive and observe. Drive and observe. This sets a baseline for what is "normal".
The essence of establishing a baseline includes time. Time turns into experience.
One thing I tend to see with security folks is that they tend to isolate themselves (very often due to being introverts). They do not go out and "mingle" or socialize with others outside their own area of expertise or if they do so, it is rare.
When I transitioned from being a cop to being a corporate security officer, I brought my "patrol" practices with me. I made it a point to spend time each day "patrolling" my facility. This was simply walking the perimeter, introducing myself to folks, asking questions, getting to know things. In my first month could I have told you if something was out of place or anomalous? Probably not. But in my fifth year? I could have told you if a window had a leak based on feeling a current where I shouldn't when I walked a hall. Why?
Through time and observation, I had established a BASELINE against which to measure future observations.
(If you are an introvert and pale at the thought of this, find me and ask me for tips, because I am an introvert, too)
THIS is why it is so critical to engage people across your enterprise. It is going to be difficult for you to be able to realistically and personally be THE "monitor" for everything. But you can train others to be YOUR "sensors".
Think of it like a human IDS/IPS in a way. You want to deploy your sensors (trained people in various departments and geographical areas) who can start to establish a baseline then "alert" and come to the Insider Threat Team with their "alert" and then you can all go over it and consider and "put it into context".
When I am training staff, I love to use one of our executive assistants as an example (she enjoys that I do this). In a nutshell, she is only working for us because she got bored in retirement and wanted something to do. But not everyone is going to know that so I would EXPECT others to look at her as an assistant and then look at the car she rolls into the parking lot in and think, "Now that doesn't make sense."
Most of us know roughly what the average executive assistant makes, so if you see her drive into the lot in her Bentley then this does (or should) raise an eyebrow. Where is that money coming from? It could be coming from the proprietary materials she is stealing from us and selling!
Orrrrrrrrr it could be that her husband is uber rich and bought it for her for Christmas.
Now, if a staff member brings this odd observation to me, I can then get some context like, "Oh, yes. I actually know her and her husband Bob and know what's up there so no worries".
So, deploying those "sensors" is part of the process. The ultimate goal is to make everyone in your organization a "sensor".
I am going to stop here because I feel this urge to write a novel and I want to not go on forever.
1. Yes, it can be difficult to identify anomalies.
2. Difficult doesn't mean impossible.
3. The more time and attention you pay to your staff, your physical environment, and your logs and sensors (both physical and virtual) the better you are going to get at noticing anomalies.
Remember, the point is not to have a list of "things that are anomalies". The point is to establish your baseline of "regular operations" or "regular behavior" or "regular network traffic" etc.
Then you aren't going to sit down each day with a check list of anomalies to look for. You are going to look at your baseline and see if something is out of place.
In closing, a good example I actually used in a meeting many years ago:
We had this guy (programmer) who was the living breathing embodiment of Grumpy Cat. Older gentleman and I swear he actually looked like Grumpy Cat. I was sitting in a meeting with his entire dev team and going over this very topic and I pointed to Grumpy Dev and said:
Grumpy Dev is grumpy. Always. He rarely smiles and he has a gruff grumpy pessimistic presentation. Now, this team had been together for years and this was actually a running joke so everyone was nodding and smiling (even Grumpy Dev smiled). Then I asked, "If Happy Joe over there comes in tomorrow happy and smiling with donuts for everyone and is his jovial happy self, is that anything odd?"
The answer was of course not.
But if Grumpy Dev walked in and was acting suddenly like Happy Joe...
Someone yelled, "I'd assume he'd sold out to the Russians and was about to head to the airport and make a break!"
Good behavior isn't "good".
Bad behavior isn't "bad".
It is that DELTA you have to look for.
THAT is your anomaly.
That is what is going to be your "alert".
That's with people, but it's essentially the same thing in your network and on your systems. You need to:
1. Learn what is "normal".
2. PAY ATTENTION so you will notice when things are not.
3. Investigate and determine if it's of concern.
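As an added example (not part of the original post), here is the baseline-then-delta idea applied to network data instead of people: a per-user baseline of daily egress volume is learned from a short history, and each new observation is scored by how far it sits from that user's own normal. The log lines, user names and volumes are constructed for illustration; the same 500 MB day that is ordinary for one user is a huge delta for another, which is the Grumpy Dev point in code.

```python
import statistics
from collections import defaultdict

# Constructed sample history (not real data): "user,date,bytes_out_per_day".
BASELINE_LOG = """\
joe,2024-03-01,480000000
joe,2024-03-02,510000000
joe,2024-03-03,495000000
joe,2024-03-04,505000000
grumpy,2024-03-01,12000000
grumpy,2024-03-02,11000000
grumpy,2024-03-03,13000000
grumpy,2024-03-04,12500000
"""

def parse(log):
    """Group daily egress volumes by user."""
    per_user = defaultdict(list)
    for line in log.strip().splitlines():
        user, _date, nbytes = line.split(",")
        per_user[user].append(int(nbytes))
    return per_user

def build_baseline(log, min_samples=3):
    """Per-user (mean, stdev) of daily egress; users with too little
    history get no baseline at all rather than a misleading one."""
    baseline = {}
    for user, values in parse(log).items():
        if len(values) >= min_samples:
            baseline[user] = (statistics.mean(values), statistics.pstdev(values))
    return baseline

def delta(baseline, user, nbytes, threshold=3.0):
    """Return (z_score, alert) for one observation measured against that
    user's OWN baseline. An unknown user has no 'normal' yet, so the event
    is handed to a human for context instead of being silently accepted."""
    if user not in baseline:
        return None, True
    mean, sd = baseline[user]
    sd = max(sd, 0.05 * mean)      # floor: a very flat history must not over-alert
    z = (nbytes - mean) / sd
    return z, abs(z) > threshold

if __name__ == "__main__":
    b = build_baseline(BASELINE_LOG)
    for user in ("joe", "grumpy", "newhire"):
        print(user, delta(b, user, 500_000_000))   # same volume, three different verdicts
```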
I'll be around through Sunday if anyone wants to discuss or ask more questions!
*It is, in my opinion, a common misconception that instinct is not based in anything solid. Many assume instinct is just a "feeling" and has no true merit and should not be used as a tool. If you are interested, there is literature on the topic that shows how instinct is actually based in science and observation that the observer is not usually cognizant of. A wonderful introduction to this concept is the work of Gavin de Becker, The Gift of Fear: Survival Signals That Protect Us from Violence.
From Wikipedia: "By finding patterns in stories of violence and abuse, de Becker seeks to highlight the inherent predictability of violence. The book explores various settings where violence may be found—the workplace, the home, the school, dating—and describes what de Becker calls pre-incident indicators (PINS). When properly identified, these PINS can help violence be avoided; when violence is unavoidable, de Becker claims it can usually be predicted and better understood. The Gift of Fear also describes de Becker’s MOSAIC Threat Assessment Systems, which have been employed by various celebrities and government agencies to predict and prevent violence."
This is a good intro to the concept. In one case study, he walks through the story of a woman who survived an attack by an intruder in her apartment by paying attention to what she called her instinct. Mr. de Becker was able to break down moment by moment what the intruder did that triggered an unconscious realization in the woman and caused her to react in a certain way that saved her life. Looking back on it, it made sense, but AS it was happening, it felt like instinct.
His PINS are:
- Forced Teaming. This is when a person implies that they have something in common with their chosen victim, acting as if they have a shared predicament when that isn't really true. Speaking in "we" terms is a mark of this, i.e. "We don't need to talk outside... Let's go in."
- Charm and Niceness. This is being polite and friendly to a chosen victim in order to manipulate him or her by disarming their mistrust.
- Too many details. If a person is lying they will add excessive details to make themselves sound more credible to their chosen victim.
- Typecasting. An insult is used to get a chosen victim who would otherwise ignore one to engage in conversation to counteract the insult. For example: "Oh, I bet you're too stuck-up to talk to a guy like me." The tendency is for the chosen victim to want to prove the insult untrue.
- Loan Sharking. Giving unsolicited help to the chosen victim and anticipating they'll feel obliged to extend some reciprocal openness in return.
- The Unsolicited Promise. A promise to do (or not do) something when no such promise is asked for; this usually means that such a promise will be broken. For example: an unsolicited, "I promise I'll leave you alone after this," usually means the chosen victim will not be left alone. Similarly, an unsolicited "I promise I won't hurt you" usually means the person intends to hurt their chosen victim.
- Discounting the Word "No". Refusing to accept rejection.
Mr. de Becker has an entire body of work that is good reading, and one that is also relevant to our field is Fear Less: Real Truth About Risk, Safety, and Security in a Time of Terrorism.
And your trivia for the day:
Gavin de Becker gave the eulogy at Carrie Fisher's memorial service.