



Insider threat mitigation techniques worth considering

Jun 02, 2016 (5 min read)
Cybercrime, Data Breach, IT Skills

[Image: laser protection. Credit: Thinkstock]

Insider threats are a constant that every organization, public or private, has to face. At their core, insiders are the very people you have hired to work in your business, granted access to your information systems and sensitive data, and trusted to work competently, effectively, and honorably. For some organizations, vetting of an employee stops once the interview process ends and the hire is made. Some businesses do have a probationary period during which new hires must prove they can meet their job responsibilities, but that has more to do with performance than with trustworthiness.


Insiders can be either complicit (malicious) or unwitting (careless) in causing harm to the organization. Insiders are generally thought of as individuals who work inside the organization, but the growing practice of attackers stealing legitimate credentials and using them to compromise the network gives these remote actors (masquerading insiders) the same direct access to information and networks as the victimized employee. What's more, most organizations have very little in place to detect and identify these individuals before their negligent or deliberately malicious behavior does damage, because most security technologies are not focused on this type of activity.

Insider threat activity has gained prominence recently, thanks to well-publicized incidents such as the Edward Snowden leaks and the insider trading scheme in which traders used hackers to obtain corporate press releases before they were published. According to one 2015 news report, a typical organization experiences 3.8 insider security incidents per year. That figure is worth noting alongside a study by a user activity monitoring company in which nearly 62 percent of polled security professionals said insider incidents had increased at their organizations. Data leaks, inadvertent data breaches, and malicious data breaches were the top insider threats identified in the study, with an overall average cost of $445,000 to remediate a successful attack.

Previously I discussed mitigating the insider threat from a people perspective; this article looks at several techniques that can be implemented to mitigate it technically.

Anomaly detection: Detecting anomalous behavior is one way to identify suspicious activity that falls outside an employee's normal pattern. The first step is to establish a baseline of each employee's activity: the types of access and information he or she typically uses, volumes of printing or downloading, and the hours worked during the week and on weekends. Once that baseline exists, any deviation should raise an alert that warrants closer investigation. For example, a user trying to access directories he doesn't normally touch should trigger an alert for closer scrutiny. Not all anomalous behavior is hostile, but anything inconsistent with the baseline may be an early indicator that something is. The noise from benign deviations can be reduced if employees simply alert management ahead of time before accessing information or networks they don't usually use, working on weekends, or doing extensive printing or downloading.

Process modelling: A research paper describes a process-based approach to identifying the places in organizational processes where insider attacks could occur. Knowing where such activity is possible lets an organization reduce its exposure at those points and concentrate its detection effort there rather than across the entire enterprise. A related approach uses business process modelling to enrich monitoring tools with information drawn from social media, by examining users' online behavior. Potential insiders are identified through the critical roles they hold in the organization's business operations.
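The following is an added example of the process-based approach, not code from the paper or from the article. It models one business process as a sequence of steps, each carrying the role that performs it, the asset it touches, an assumed sensitivity rating and whether an independent control sits on the step, then reports where an insider could act with the least friction, which steps deserve monitoring effort, and which roles are most critical. The process, step names, sensitivity scale and scoring weights are all constructed assumptions for illustration.

```python
"""Process-based insider exposure modelling (added example, not from the article).

Every name, the 1..5 sensitivity scale and the scoring weights below are
assumptions chosen for illustration; the sample process is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Step:
    name: str
    role: str          # who performs the step
    asset: str         # what the step reads or changes
    sensitivity: int   # assumed scale: 1 (public) .. 5 (regulated or secret)
    controlled: bool   # an independent check (second approver, automated
                       # validation, reviewed log) exists on this step


@dataclass
class Process:
    name: str
    steps: list = field(default_factory=list)


def exposure_points(proc):
    """Return (step name, reasons) for steps where an insider attack could transpire.

    Two conditions are checked: a sensitive asset handled with no independent
    control, and a separation-of-duties gap where one role touches the same
    asset in more than one step of the process.
    """
    findings = []
    first_step_for = {}  # (role, asset) -> first step where that pair appeared
    for step in proc.steps:
        reasons = []
        if step.sensitivity >= 4 and not step.controlled:
            reasons.append("sensitive asset without independent control")
        earlier = first_step_for.get((step.role, step.asset))
        if earlier is not None and earlier != step.name:
            reasons.append(f"role '{step.role}' also performed '{earlier}' on '{step.asset}'")
        first_step_for.setdefault((step.role, step.asset), step.name)
        if reasons:
            findings.append((step.name, reasons))
    return findings


def risk_score(step):
    """Assumed weighting: sensitivity, doubled when nothing independent watches the step."""
    return step.sensitivity * (1 if step.controlled else 2)


def monitoring_focus(proc, budget):
    """The `budget` highest-risk steps: where detection effort goes instead of enterprise-wide."""
    ranked = sorted(proc.steps, key=risk_score, reverse=True)
    return [s.name for s in ranked[:budget]]


def critical_roles(proc):
    """Roles ordered by the total risk of the steps they perform; top entries are potential insiders."""
    totals = defaultdict(int)
    for step in proc.steps:
        totals[step.role] += risk_score(step)
    return sorted(totals, key=totals.get, reverse=True)


def sample_process():
    """Constructed payroll-change process used as input (not a real organization's)."""
    return Process("payroll bank-account change", [
        Step("submit bank change", "hr_clerk", "payroll_db", 4, controlled=False),
        Step("approve bank change", "hr_clerk", "payroll_db", 4, controlled=True),
        Step("export payroll file", "finance", "payroll_file", 5, controlled=False),
        Step("publish newsletter", "marketing", "website", 1, controlled=False),
    ])


if __name__ == "__main__":
    proc = sample_process()
    for name, reasons in exposure_points(proc):
        print(f"{name}: {'; '.join(reasons)}")
    print("monitor first:", monitoring_focus(proc, 2))
    print("critical roles:", critical_roles(proc))
```

On the constructed process the model flags the approval step because the same role both submits and approves the change, and ranks the uncontrolled payroll export and submission steps as the two places to put detection effort first; the marketing step never surfaces, which is the point of scoping monitoring by process rather than watching everything equally.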

Hybrid analytics: Hybrid analytics refers to combining proven threat detection technologies with informed behavioral analytics to provide a forward-looking detection capability. The idea is that aggregating these efforts helps organizations detect threats proactively, before they suffer any serious data loss. Hybrid analytics brings together automated processes, prioritized and more meaningful alerts, rich analytics, and an intelligent model that enhances an organization's ability to identify, and ultimately reduce, its exposure to insider threat risk.
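The following added example, which is not code from the article, illustrates both the anomaly detection and the hybrid analytics sections above. It learns a per-user baseline (paths used, hours seen, typical volume moved) from a week of constructed access logs, scores new events by how far they deviate from that baseline, adds a fixed rule layer for indicators that need no baseline (exfiltration-style actions on a sensitive path, bulk transfers), and emits only alerts whose combined priority clears a threshold. The log schema, the sensitive-path list, the weights and the threshold are all assumptions made for illustration; the log lines are constructed sample data.

```python
"""Baseline deviation scoring plus rule-based enrichment (added example, not from the article).

Assumed log schema per line: ISO timestamp, user, action, path, kilobytes moved.
Weights, threshold and the sensitive-path list are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed week of normal activity used to learn each user's baseline.
HISTORY = """\
2016-05-02T09:05:00 alice READ /eng/specs 120
2016-05-02T14:20:00 alice READ /eng/src 300
2016-05-03T10:15:00 alice READ /eng/specs 80
2016-05-04T11:40:00 alice PRINT /eng/specs 40
2016-05-05T09:30:00 alice READ /eng/src 250
2016-05-06T16:10:00 alice READ /eng/specs 90
2016-05-02T08:50:00 bob READ /finance/reports 200
2016-05-03T09:10:00 bob DOWNLOAD /finance/reports 600
2016-05-04T13:00:00 bob READ /finance/payroll 150
2016-05-05T10:05:00 bob DOWNLOAD /finance/reports 500
""".splitlines()

# Constructed events to score against those baselines.
NEW_EVENTS = """\
2016-05-09T10:00:00 alice READ /eng/specs 100
2016-05-14T23:30:00 alice DOWNLOAD /finance/payroll 9000
2016-05-09T09:15:00 bob DOWNLOAD /finance/reports 550
2016-05-09T10:30:00 bob PRINT /eng/src 60
2016-05-09T10:45:00 bob DOWNLOAD /finance/payroll 400
""".splitlines()

SENSITIVE_PATHS = {"/finance/payroll"}   # assumed: paths that are always worth a look
BULK_KB = 5000                          # assumed: hard ceiling for a single transfer


def parse(line):
    ts, user, action, path, kb = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "kb": int(kb)}


def build_baselines(lines):
    """Per-user baseline: paths seen, hours of day seen, mean kilobytes per event."""
    paths, hours, kbs = defaultdict(set), defaultdict(set), defaultdict(list)
    for e in map(parse, lines):
        paths[e["user"]].add(e["path"])
        hours[e["user"]].add(e["ts"].hour)
        kbs[e["user"]].append(e["kb"])
    return {u: {"paths": paths[u], "hours": hours[u],
                "mean_kb": sum(kbs[u]) / len(kbs[u])} for u in paths}


def anomaly_score(e, baseline):
    """Behavioral layer: points for each way the event deviates from the user's own baseline."""
    checks = [
        (e["path"] not in baseline["paths"], 2, "new path"),
        (e["ts"].hour not in baseline["hours"], 2, "unusual hour"),
        (e["ts"].weekday() >= 5, 1, "weekend"),
        (e["kb"] > 3 * baseline["mean_kb"], 3, "volume >3x baseline"),
    ]
    hits = [(w, r) for cond, w, r in checks if cond]
    return sum(w for w, _ in hits), [r for _, r in hits]


def rule_score(e):
    """Proven-signature layer: fixed indicators that need no baseline at all."""
    checks = [
        (e["path"] in SENSITIVE_PATHS and e["action"] in {"DOWNLOAD", "PRINT"}, 4,
         "exfil-style action on sensitive path"),
        (e["kb"] >= BULK_KB, 3, "bulk transfer"),
    ]
    hits = [(w, r) for cond, w, r in checks if cond]
    return sum(w for w, _ in hits), [r for _, r in hits]


def hybrid_alerts(history, events, threshold=4):
    """Combine both layers; return only alerts at or above threshold, highest priority first."""
    baselines = build_baselines(history)
    alerts = []
    for e in map(parse, events):
        b = baselines.get(e["user"])
        # A user with no history cannot be baselined; treat that itself as notable.
        a_score, a_reasons = anomaly_score(e, b) if b else (5, ["no baseline for user"])
        r_score, r_reasons = rule_score(e)
        total = a_score + r_score
        if total >= threshold:
            alerts.append({"user": e["user"], "action": e["action"], "path": e["path"],
                           "priority": total, "reasons": a_reasons + r_reasons})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)


if __name__ == "__main__":
    for alert in hybrid_alerts(HISTORY, NEW_EVENTS):
        print(alert)
```

Run as is, the constructed data yields two alerts: alice's late Saturday bulk download of a payroll path she has never touched scores on every check in both layers, while bob's small payroll download looks normal to his baseline and is caught only by the rule layer. Bob's first-time print from an engineering path scores below the threshold and is suppressed, which is the "not all anomalous behavior is hostile" point: the baseline flags it, the combined priority keeps it out of the analyst's queue.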


In today's data-rich threat landscape, it is no longer enough to detect anomalous behavior; what matters is detecting the meaningful anomalies. Building an insider threat detection program that incorporates mitigation techniques from a process perspective helps reduce the volume of alerts to a manageable number that warrants further investigation. The objective is to prevent the loss of valuable data. In a domain where activity happens in fractions of a second, defenders need as much lead time as possible to identify and stop insider attacks before it is too late. Placing more emphasis on techniques such as anomaly detection, process modelling and hybrid analytics may provide that needed edge.


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.