But we needn't throw up our hands and surrender. There are technical measures that can be embraced to help mitigate the risks brought upon by malicious insiders. These technical measures work in tandem with non-technical measures and can be leveraged before, during and after an incident.

Before the incident

Before an incident there has to be some prep work to better understand your environment. In particular, knowing what you've got and who's interacting with it just makes intuitive sense. Not knowing this doesn't pass the "duh" test, but unfortunately it can be difficult to resolve.

#1 Know your assets

Determining where all your assets are, what they do, who owns them, etc. can be difficult, especially in the world of VDI, mobile, cloud and BYOD. One type of asset, data, can be structured (databases) or unstructured (file servers). Data can also exist in storage, in transit and in use. This makes "knowing" complex.

Encryption solutions will help protect sensitive data across its various incarnations from those lacking keys. But a holistic asset discovery and management solution can help keep track of what you've got and where it is. Fundamentally this sounds simple, but even with the right tools it's challenging. Without it, however, a malicious insider has a huge advantage, analogous to a bank hiding money in different locations around a building but not remembering where it put it.

#2 Know your people

Second only to identifying assets is identifying the individuals interacting with those assets. Users can have dozens or even hundreds of identifiers, from MAC and IP addresses to user IDs and phone numbers. Since you can't arrest an IP address, obtaining attribution – identifying "who" – is paramount.

Robust identity management solutions will integrate with Active Directory, LDAP, DHCP, MDMs, NAC, incident detection systems and asset management systems to help associate a user persona with an incident tied to packets, sessions and logs.

During the incident

The prep work has been completed: you have your hands around your sensitive assets and you can identify who is interacting with them. Now it's 4:00 PM on a Friday and Alice, a system administrator, has begun her exfiltration mission, using legitimate trust and access to steal intellectual property.

#3 Monitor activity

There are few red flags for an insider incident, but there are yellow flags. Taking advantage of log data across endpoints as well as network and data security solutions provides those yellow flags. This is a bit like looking at a phone bill and being able to derive the individuals on the call, when it happened and its duration. This may create a yellow flag or a group of yellow flags warranting more investigation.

These logs are extremely valuable, especially if you are able to augment them with much richer packet and session information to reconstruct exactly what Alice did and even open up the file she stole. Various solutions including SIEM, log management, data loss monitoring and Big Data Security Analytics can assist in activity monitoring.

#4 Monitor encrypted activity

Roughly 30-40 percent of today's network traffic is over SSL, including many popular providers of social media, email and file sharing. Most organizations aren't comfortable only being able to monitor 60-70 percent of their traffic.

Monitoring is essential, but equally essential is the ability to take advantage of solutions that allow for decrypted analysis. Some proxies, next-generation firewalls, IPS solutions and purpose-built decryption devices can provide this elevated visibility. As such, it doesn't matter that Alice's PDF file was sent through email over HTTPS.

#5 Apply analytics

Just as with external threats, analytics can be leveraged to take advantage of automated machine-based analysis and augment human intuition. These analytics can be applied to log and alert data, as well as packet captures and sessions collected before, during and after an incident – much like a surveillance camera. Key analytics include:

Visualization – as anyone who has spent time looking over log files or packet captures will tell you, visual analytics allow an analyst to work more quickly

Correlation – correlation helps find causal relationships among seemingly unrelated or benign activity

Pattern discovery and anomaly detection – building up baselines of normal or expected activity helps analysts prioritize investigations

With analytics we see that Alice used her administrative privileges to access a particularly sensitive server. Based on her profile within the identity management solution she should only be accessing that server to conduct backups, but access controls didn't limit her movements. We determined that she used these elevated privileges to access a secure folder, create a copy of the file, and rename it. She later downloaded the file to her laptop and eventually emailed the file to herself. Analytics across solutions that aggregate packets, sessions or logs help gather these details, or yellow flags.

After the incident

We are confident that something suspicious is happening. We might not know for sure whether Alice is malicious or careless, but we are sure that the evidence warrants further investigation.

#6 Conduct forensic analysis

Insider threat investigations are always a combination of real-time and forensic analysis. Discovering an insider yellow flag in real time starts a response, but you'll also want to see what else Alice has been doing, how long she has been doing it and who else she has been doing it with.

Responding to the Alice incident may include explicit real-time monitoring and forensic analysis directed at Alice's devices and identities. We might want to see every file she has sent to her personal email. We might want to know if she has been uploading information to external file shares, what other internal servers she has been accessing and what she has been saying over IM and email.

Organizations can successfully mitigate insider threats using the measures I've outlined. This will decrease the insider's operational window and reduce the damage they can inflict. What other steps does your organization take?
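The identity association described under #2 and the correlation and role-deviation analytics described under #5 can be shown end to end on a handful of events. The following is an added example written for this page, not code from the original post or from any product it mentions. Everything in it is constructed: the IP-to-user lease table standing in for DHCP/Active Directory lookups, the per-asset role profile (Alice is expected only to run backups on the file server), and the sample events from a file-audit log, an endpoint agent and a mail gateway. The function names (`resolve_user`, `role_deviations`, `exfil_chains`) are this example's own.

```python
"""
Added example: resolving identifiers to a persona, then correlating events
from several sources to raise "yellow flags" for an insider investigation.
All tables and events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Identity layer (constructed): a DHCP/AD-style lease table mapping
# network identifiers to a user persona, so packet- and session-level
# events can be tied to the same person as host-level events.
IP_TO_USER = {
    "10.1.5.23": "alice",
    "10.1.5.40": "bob",
}

# Expected-activity profile (constructed): asset -> user -> allowed actions.
# Alice is a system administrator who should only run backups on this server.
ROLE_PROFILE = {
    "fileserver-01": {"alice": {"backup"}, "bob": {"read"}},
}

# Constructed sample events. "who" is an IP for network-sourced events
# (file_audit seen from the server side) and a user ID for host/mail events.
EVENTS = [
    {"ts": "2024-05-10T16:02:11", "source": "file_audit", "who": "10.1.5.23",
     "asset": "fileserver-01", "action": "read", "object": "/secure/design.pdf"},
    {"ts": "2024-05-10T16:03:40", "source": "file_audit", "who": "10.1.5.23",
     "asset": "fileserver-01", "action": "copy", "object": "/secure/design.pdf"},
    {"ts": "2024-05-10T16:04:02", "source": "file_audit", "who": "10.1.5.23",
     "asset": "fileserver-01", "action": "rename", "object": "/secure/notes.pdf"},
    {"ts": "2024-05-10T16:09:55", "source": "endpoint", "who": "alice",
     "asset": "laptop-alice", "action": "download", "object": "notes.pdf"},
    {"ts": "2024-05-10T16:15:30", "source": "mail_gateway", "who": "alice",
     "asset": "mail", "action": "send_external", "object": "notes.pdf"},
    {"ts": "2024-05-10T16:20:00", "source": "file_audit", "who": "10.1.5.40",
     "asset": "fileserver-01", "action": "read", "object": "/public/readme.txt"},
]

# The sequence the post describes: copy, rename, download to laptop, email out.
# Each step alone is benign; the ordered chain across sources is the yellow flag.
EXFIL_CHAIN = ["copy", "rename", "download", "send_external"]


def resolve_user(identifier):
    """Map an IP address to a persona via the lease table; user IDs pass through."""
    return IP_TO_USER.get(identifier, identifier)


def role_deviations(events):
    """Flag (user, ts, asset, action) where the action is not in the user's
    expected set for that asset. Assets without a profile are not judged."""
    flags = []
    for ev in events:
        user = resolve_user(ev["who"])
        allowed = ROLE_PROFILE.get(ev["asset"], {}).get(user)
        if allowed is not None and ev["action"] not in allowed:
            flags.append((user, ev["ts"], ev["asset"], ev["action"]))
    return flags


def exfil_chains(events):
    """Build a per-user timeline across all sources (ordered by timestamp) and
    return the users whose actions contain EXFIL_CHAIN in order, with other
    actions allowed in between (subsequence match)."""
    timelines = defaultdict(list)
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        timelines[resolve_user(ev["who"])].append(ev["action"])

    matched = []
    for user, actions in timelines.items():
        idx = 0
        for act in actions:
            if act == EXFIL_CHAIN[idx]:
                idx += 1
                if idx == len(EXFIL_CHAIN):
                    matched.append(user)
                    break
    return sorted(matched)


if __name__ == "__main__":
    for flag in role_deviations(EVENTS):
        print("role deviation:", flag)
    print("exfiltration chain seen for:", exfil_chains(EVENTS))
```

Two design points worth noting. First, the identity resolution happens once, before any analytic runs, so the file-audit events keyed by IP and the endpoint and mail events keyed by user ID land on the same timeline; without that step the chain is invisible because no single source sees all four actions. Second, the role-profile check and the chain check are deliberately separate signals: the former catches Alice reading and copying a file she is only supposed to back up even if she never sends it anywhere, while the latter catches the full pattern even on an asset with no profile, which is why both are reported rather than folded into one score.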