
Hunting for Insider Threats: Technical Measures

Last week, we looked at a number of inexpensive, non-technical and practical measures you can take to identify behavioural patterns that are indicative of a potential insider threat, whilst instilling a culture of security awareness within your organisation. Today we turn our attention to the technical measures you can employ to detect malicious insiders.

To recap, insiders are usually individuals who have legitimate access to your secure data, putting them into an ideal position to threaten its safety. However, not all insiders have the same level of access, and thus, not every one of them presents the same level of threat.

The most dangerous type of insiders includes:

  • Privileged users – Individuals with unrestricted access to sensitive data, most often system and database administrators, as well as upper management. While usually the most trusted employees in an organisation, they also pose the highest threat.
  • Third-party providers, partners and contractors – Usually, you have little control over cyber security on the third-party provider’s end. While you may audit their security controls as part of your selection process and as part of regular reviews, this still does not guarantee complete safety. It is necessary to add additional protection to your remote connections against potential malicious insiders or compromised accounts.
  • Remote workers – By connecting to your corporate infrastructure using unpatched and out-of-compliance devices, these individuals put your data under the threat of malicious attack and inadvertent leakage.

Regular employees with limited access to sensitive data aren’t the most dangerous. However, they can leak data or compromise your corporate infrastructure inadvertently, either by mistake or by becoming a victim of a phishing attack.

Logging and Monitoring

Simply logging all network activity is not adequate to protect an organisation from malicious insider activity. As the number of data sources used for insider threat analysis increases, so too does an organisation's ability to produce more relevant alerts and make informed decisions regarding potential insider threats. The volume of data that must be collected, aggregated, correlated, and analysed drives the need for tools that can combine data from different sources into an environment where alerts can be developed that identify actions indicative of potential insider activity. Solutions for monitoring employee actions should be implemented using a risk-based approach and focusing first on the organisation's critical assets.

User activity can be monitored on the network and at the host. Most actions performed on computers involve network communications, often allowing network-based analysis to provide a detailed view into user activity. The volume of information necessary for network-based monitoring is often much less than is required for collecting host-based logs and information from every system on the network.

Insider threat related activities identifiable through network analysis can include authentication, access to sensitive files, unauthorised software installations, web browsing activity, email/chat, printing, and many others. However, there are some actions that an organisation may be interested in monitoring that do not leave any traces on the network. These can include copying local files to removable media, local privilege escalation attempts, and many others. Such actions can be monitored through host-based log collection as well as through host-based monitoring systems.

One of the most powerful tools an organisation can use to perform event correlation is a Security Information and Event Management (SIEM) solution. SIEM tools are designed to provide a centralised view of a wide array of logs from sources including databases, applications, networks, and servers. SIEM tools provide the ability to write queries or generate alerts that pull together data from different data sources, enhancing potential analytic capabilities for insider threat prevention, detection, and response. A SIEM system allows organisations to continuously monitor both employee and entity actions. This further allows organisations to establish a baseline level of normal activity as well as detect irregular events. Organisations can use a SIEM system to conduct more granular monitoring of privileged accounts. The SIEM system can highlight events related to any actions a normal user cannot perform, such as installing software or disabling security software. Increasing the auditing level for certain events will create additional audit records that must be reviewed.

A SIEM system will facilitate sorting through these events by highlighting those that need further review and discarding background noise. Organisations can also use a SIEM system for enhanced monitoring. This is especially important for employees who are leaving your organisation, or who have violated (or are suspected of violating) an organisational policy. Malicious insiders often conduct illicit activities within 90 days of their termination.

SIEM tools are not limited to information security events. Physical security events should also be sent to the SIEM system for analysis, creating a more complete set of events to detect insider activity. For example, if an organisation sends employee door access records to a SIEM system, it would be possible to detect unauthorised account usage by checking to see if an employee who is logged into a workstation locally is physically present within the building. This same method could also be used to detect unauthorised remote access if an employee is inside the building at the time. It would also be possible to detect after-hours physical access and correlate it with logical access logs. It should be noted that many alerts, triggers, and indicators will be organisation specific.
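The physical/logical correlation described above, as an added example that is not part of the original article: a small Python correlator run over constructed badge and logon records. The record layout, the event names and the 07:00–19:00 working-hours window are assumptions chosen for the illustration.

```python
from datetime import datetime

# Constructed sample records (not real data). Badge events: (timestamp, user, event)
BADGE_EVENTS = [
    ("2024-03-04 08:02", "alice", "door_in"),
    ("2024-03-04 17:31", "alice", "door_out"),
    ("2024-03-04 07:55", "bob", "door_in"),
    ("2024-03-04 18:10", "bob", "door_out"),
    ("2024-03-05 02:14", "carol", "door_in"),   # no door_out yet: treated as still inside
]
# Logical access events: (timestamp, user, event, host)
LOGON_EVENTS = [
    ("2024-03-04 08:10", "alice", "local_logon", "ws-alice"),  # consistent with badge-in
    ("2024-03-04 09:30", "bob", "vpn_logon", "vpn-gw"),        # remote logon while badged in
    ("2024-03-04 10:05", "dave", "local_logon", "ws-dave"),    # local logon, never badged in
    ("2024-03-05 02:20", "carol", "local_logon", "db-admin"),  # after-hours physical + logical
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def presence_intervals(badge_events):
    """Pair door_in/door_out events into (user, start, end) on-site intervals.
    A door_in without a later door_out is treated as open-ended."""
    intervals, open_in = [], {}
    for ts, user, event in sorted(badge_events):   # timestamps sort lexicographically
        t = parse(ts)
        if event == "door_in":
            open_in[user] = t
        elif event == "door_out" and user in open_in:
            intervals.append((user, open_in.pop(user), t))
    intervals += [(u, start, datetime.max) for u, start in open_in.items()]
    return intervals

def on_site(intervals, user, t):
    return any(u == user and s <= t <= e for u, s, e in intervals)

def after_hours(t, start=7, end=19):
    """Assumed working-hours window: alert on anything outside 07:00-19:00."""
    return not (start <= t.hour < end)

def correlate(badge_events, logon_events):
    """Return (user, finding, host) tuples for logical events that conflict
    with, or are suspicious in light of, the physical access records."""
    intervals, alerts = presence_intervals(badge_events), []
    for ts, user, event, host in logon_events:
        t, present = parse(ts), on_site(presence_intervals(badge_events), user, parse(ts))
        if event == "local_logon" and not present:
            alerts.append((user, "local logon without badge-in", host))
        elif event == "vpn_logon" and present:
            alerts.append((user, "remote logon while on-site", host))
        if present and after_hours(t):
            alerts.append((user, "after-hours physical and logical access", host))
    return alerts
```

In a real deployment the same logic is expressed as a SIEM correlation rule joining the door-controller feed and the authentication logs on the user identity, with the working-hours window and the door/logon time tolerance tuned per site.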

Anything you do to improve the security of your organisation will fail if done in isolation. So, while this article talks about the implementation of technical monitoring solutions to identify malicious insiders, it mustn’t be the only thing you do. Talk to us about the full range of security methods and technologies available that will suit your enterprise. Commissum provides fully outsourced Managed Detection and Response services leveraging SIEM, End User Entity and Behavioural Analytics, Managed Firewalls and Domain abuse monitoring, and feeds the data to its experienced analysts in its UK SOC (Security Operations Centre). This is further enhanced by its Cyber Incident Response service should the worst happen.

Talk to us today about the full range of security methods and technologies available that will suit your enterprise.
