Insider threats come from legitimate users who are actually authorized to access the network's systems and data. According to the Computer Crime and Security survey sponsored by the FBI and the CSI, 20% of respondents (including major organizations in the USA) said that more than 20% of their losses should be attributed to malicious insiders.

Users can misuse their privileges while still complying with the enterprise's security rules, so preventing such threats, and even detecting one while an attack is under way, is difficult. Advances in monitoring software make it possible to track users' behavior and detect malicious activity, for example data transfers or access to files that are not necessary for the employee's role. One way to do this is via a data driven approach. This article discusses how employers can detect insider threats from the data that employees produce through their behavior patterns.

To use data to analyse whether an employee's behavior is a threat to the company's information security, employees' 'normal' behavior first needs to be analysed, both as individuals and as groups according to their roles, so that routine patterns can be determined. Then, if employees diverge from these patterns, the IT or security team can be alerted and the company can respond according to its cyber attack protocol. Without a data driven approach to insider threats, an anomaly in user behavior can often go undetected, putting the company's information security at risk.

Detecting Abnormal Behaviors

A data driven approach to protecting information security from insider threats is essentially a way to identify abnormal behaviors that are statistical outliers. By storing the user's historical data and recording what they have accessed and used in the past over a certain period of time, the user's behavior during the current period can be analysed to see how far it deviates from the historical norm of both that user and their peers and colleagues. If the deviation is considered large – and it is up to each company to decide what 'large' is according to their network's terms of use – then the user can be flagged for further investigation.
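As an added illustration (not code from the article or from Teramind), the following is a minimal version of the deviation check described above: a per-user baseline and a per-role peer baseline are built from a constructed activity log, the current period is scored as standard deviations from each, and the flagging threshold is left as the company-chosen parameter.

```python
import statistics
from collections import defaultdict

# Constructed sample activity log (not real data): one record per user per day,
# counting files accessed and megabytes transferred. Days 1-5 form the
# historical baseline; CURRENT is the period being scored.
HISTORY = {
    # user: (role, [(files_accessed, mb_transferred), ...] over the baseline window)
    "alice": ("analyst", [(20, 5), (22, 6), (19, 4), (21, 5), (20, 6)]),
    "bob":   ("analyst", [(18, 4), (20, 5), (17, 4), (19, 5), (18, 4)]),
    "carol": ("analyst", [(25, 7), (24, 6), (26, 8), (25, 7), (24, 7)]),
    "dave":  ("engineer", [(60, 30), (58, 28), (62, 31), (59, 29), (61, 30)]),
}
CURRENT = {"alice": (21, 5), "bob": (19, 4), "carol": (40, 120), "dave": (60, 30)}


def baseline(samples):
    """Mean and population standard deviation per metric for (files, mb) tuples."""
    cols = list(zip(*samples))
    return [(statistics.mean(c), statistics.pstdev(c)) for c in cols]


def zscores(observed, stats):
    """Standardised deviation of each observed metric from its baseline."""
    out = []
    for value, (mean, sd) in zip(observed, stats):
        sd = sd or 1.0  # no historical variance at all: treat one unit as one sd
        out.append((value - mean) / sd)
    return out


def score_users(history, current, threshold=3.0):
    """Flag users whose current period deviates from BOTH their own history and
    their role peers by more than `threshold` standard deviations on any metric.
    `threshold` is the company-chosen definition of a 'large' deviation."""
    peers = defaultdict(list)
    for role, samples in history.values():
        peers[role].extend(samples)
    flagged = {}
    for user, observed in current.items():
        role, samples = history[user]
        own = max(abs(z) for z in zscores(observed, baseline(samples)))
        peer = max(abs(z) for z in zscores(observed, baseline(peers[role])))
        if own > threshold and peer > threshold:
            flagged[user] = {"own_z": round(own, 1), "peer_z": round(peer, 1)}
    return flagged


if __name__ == "__main__":
    print(score_users(HISTORY, CURRENT))  # only carol's 120 MB day is flagged
```

Requiring the deviation against both baselines keeps a user who is simply busier than peers, but consistent with their own history, from being flagged.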

At this point the security team and managers can decide whether to continue analyzing the user's behavior. Data analysis can be applied to all devices that the user uses while connected to the network, helping to improve the likelihood of insider threat detection as well as minimizing the number of false positives. Using software built on purpose-developed scientific data analysis technology means this kind of analysis can be done in real time, and a 'red flag' takes only a fraction of a second to come up. If this is coupled with other information gathered about the user, for example by the Human Resources team, the chances of catching the insider threat and stopping it can increase by as much as 80%.

To reiterate, a data driven approach to tackling insider threats can only be truly successful if as much data as possible is collected to begin with.