Four Priorities for Aligning Your Insider Threat Program

May 6, 2020 | Blog, Trust and Safety

Organizations based in the United States continue to deal with considerable intellectual property theft and largely do not address the issue until there is a problem. The ability to effectively monitor for negligent or malicious insider threat activity is largely dependent on four main factors:

Aligning the Stakeholders

Generally, three main stakeholders must come together: legal, human resources, and, depending on the organization, some combination of security and information technology staff who understand the technical components. Technical stakeholders may include many subcomponents, such as network infrastructure or application development.

Implement for Quick Wins

Insider threat alerts generally arise from two areas:

  • Technical monitoring
  • Reporting suspicious behavior

Aggregating the right internal telemetry to conduct appropriate technical monitoring is a tremendous challenge as companies grow in size and scale. According to Ramsey, “organizations always have to align on policy in terms of comfort levels of monitoring for extended periods versus monitoring around immediate administrative terminations”. It’s important to set limited-scope monitoring efforts that can be effective. Initial steps can include implementing alerts against suspicious emails and data movement to unauthorized third-party file sharing sites. If such an alert is triggered, the appropriate stakeholders come together and authorize additional, more invasive monitoring measures.
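
An added example, not part of the original post: one way to build the limited-scope alert on data movement to unauthorized file sharing sites described above. The proxy log format, domain lists, user names, and 50 MB threshold are all constructed assumptions.

```python
from collections import defaultdict

# Assumed policy inputs (constructed): known file-sharing domains and the sanctioned subset.
FILE_SHARING = {"share.example", "drop.example", "corpdrive.example"}
SANCTIONED = {"corpdrive.example"}
UPLOAD_METHODS = {"POST", "PUT"}
THRESHOLD_BYTES = 50 * 1024 * 1024  # assumed limit per user, per site, per day

# Constructed sample proxy log: date time user method host bytes_sent
SAMPLE_LOG = """\
2020-05-04 09:12:01 asmith POST upload.share.example 41943040
2020-05-04 09:40:17 asmith PUT upload.share.example 20971520
2020-05-04 10:02:45 bjones POST corpdrive.example 314572800
2020-05-04 10:05:09 cdoe GET drop.example 0
2020-05-04 11:30:00 cdoe POST notshare.example 104857600
2020-05-04 11:31:12 cdoe POST drop.example 1048576
malformed line
"""

def registered_match(host, domains):
    """Return the listed domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        # Require a dot boundary so "notshare.example" does not match "share.example".
        if host == d or host.endswith("." + d):
            return d
    return None

def find_alerts(log_text, threshold=THRESHOLD_BYTES):
    """Sum upload bytes per (date, user, site) to unsanctioned file-sharing sites."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip malformed records rather than crash the job
        date, _time, user, method, host, sent = parts
        site = registered_match(host, FILE_SHARING - SANCTIONED)
        if site and method.upper() in UPLOAD_METHODS:
            totals[(date, user, site)] += int(sent)
    return sorted((d, u, s, b) for (d, u, s), b in totals.items() if b >= threshold)

if __name__ == "__main__":
    for date, user, site, sent in find_alerts(SAMPLE_LOG):
        print(f"ALERT {date} user={user} site={site} uploaded={sent} bytes")
```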

Joining Internal Resources with External Resources

After implementing technical and HR/legal human elements that allow a company to respond quickly to insider threats, it then becomes critical to join internal data analysis and investigations with activity happening outside a company’s network and physical perimeter. In most IP theft cases he sees, Ramsey indicates it is critical to marry up internal investigations (network monitoring, employee interviews, etc.) with outside information from security experts to discover the true intent, purpose and motivations behind insider threat actions. External diligence can include reviews of employee social media and forum activity, travel patterns, and online footprint, often providing illuminating detail on an individual’s connections, interests and activities. Leveraging this information together with internal investigative findings can give the suspicious activity important context, often allowing for a comprehensive narrative to form and enabling decisive action.
