Insider Threat Monitoring Tactics
What does it take to stay ahead of insider threats? A monitoring program that includes a combination of profiling, policies and processes, and software.
Put these six monitoring tactics in your toolkit to ensure you are listening for insider threats.
1. First, establish a baseline of normal network device behavior to help you listen for and identify what is NOT normal. Anomalous network activity can be a key indicator of insider threats. Daniel Costa, Cyber Security Solutions Developer for the CERT Program, suggests establishing a trusted baseline to identify network data points of interest like:
- a list of predetermined devices a given workstation or server should communicate with
- VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information
- the known set of ports and protocols in use by the network
2. Be aware of those employees who may represent a higher risk factor, such as employees who have resigned or are about to resign; contractors and outsourced call or service center employees; technically sophisticated users; and employees with privileged access, such as system administrators. For these profiles, deploy more focused policies and procedures, and be watchful for anomalous activity.
3. Clearly communicate and consistently enforce workplace policies and procedures. By doing so, you ensure staff are aware of what is and is not allowed, and you foster a fair environment that helps to reduce employee disgruntlement.
4. Anticipate and manage negative issues in the workplace. For example, if you’re unable to meet prior projections around bonus or salary, you may want to be extra vigilant in terms of monitoring employees at higher risk.
5. Use insider threat detection software to detect anomalies, monitor specific applications and websites, and enable IT forensics.
6. Additional online monitoring tactics that Dawn Cappelli, the Technical Manager of CERT’s Threat and Incident Management team, recommends include:
- Logging, monitoring and auditing system logs for queries, downloads, print jobs and email messages containing unusually large amounts of data, particularly proprietary information.
- Alerting on emails to competitors, foreign locations or personal email accounts.
- Monitoring network flow data for abnormally large file transfers, long connections, odd ports and suspicious source/destination IP addresses.
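The trusted baseline from tactic 1 and the flow-data checks from tactic 6 can be combined into a single triage pass over flow records. The following is an added example written for this article, not code from CERT or the SEI; the baseline, the thresholds, the CSV export format and the sample flows are all constructed assumptions that would be tuned to a real site.

```python
import csv
import io
from collections import namedtuple

# Constructed trusted baseline (an assumption, not from the article): for each
# profiled host, the peers, destination ports and protocols it should be using.
BASELINE = {
    "ws-042": {"peers": {"10.0.0.5", "10.0.0.9"}, "ports": {443, 445}, "protos": {"tcp"}},
}
LARGE_TRANSFER_BYTES = 500 * 1024 * 1024  # "abnormally large" threshold, tune per site
LONG_CONNECTION_S = 4 * 3600              # "long connection" threshold, tune per site

Flow = namedtuple("Flow", "src dst dport proto bytes_out duration_s")

def parse_flows(text):
    """Parse a constructed CSV flow export: src,dst,dport,proto,bytes_out,duration_s."""
    rows = csv.DictReader(io.StringIO(text))
    return [Flow(r["src"], r["dst"], int(r["dport"]), r["proto"].lower(),
                 int(r["bytes_out"]), int(r["duration_s"])) for r in rows]

def check_flow(flow, baseline=BASELINE):
    """Return anomaly labels for one flow; an empty list means it fits the baseline."""
    profile = baseline.get(flow.src)
    if profile is None:
        return ["unprofiled-host"]  # no baseline yet, so it cannot be judged: review it
    checks = [
        ("unexpected-peer", flow.dst not in profile["peers"]),
        ("odd-port", flow.dport not in profile["ports"]),
        ("unexpected-protocol", flow.proto not in profile["protos"]),
        ("large-transfer", flow.bytes_out > LARGE_TRANSFER_BYTES),
        ("long-connection", flow.duration_s > LONG_CONNECTION_S),
    ]
    return [label for label, hit in checks if hit]

def triage(text, baseline=BASELINE):
    """Map row index to anomaly labels for the flows that deviate; normal rows are omitted."""
    flagged = {}
    for i, flow in enumerate(parse_flows(text)):
        if labels := check_flow(flow, baseline):
            flagged[i] = labels
    return flagged

# Constructed sample export (not real traffic): a normal SMB flow, a host with no
# baseline yet, and a large, long transfer to an unknown peer on an unexpected port.
SAMPLE_FLOWS = """src,dst,dport,proto,bytes_out,duration_s
ws-042,10.0.0.5,445,tcp,12000000,60
ws-017,10.0.0.5,443,tcp,4096,3
ws-042,203.0.113.7,8081,tcp,900000000,18000
"""
```

Running `triage(SAMPLE_FLOWS)` flags row 1 as an unprofiled host and row 2 with four labels, while the normal first row produces nothing; a host with no baseline is surfaced for review rather than silently passed.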
No one tactic alone is sufficient as you listen for insider threats in your organization. Use a combination of policies, profiling, and online monitoring to ensure you hear the signs of a threat.
For Further Reading
Best Practices Against Insider Threats in All Nations, Carnegie Mellon University, Software Engineering Institute.