Cybersecurity Blog: The Cyber Scene is evolving, are you?

Return to blog

The recipe for success = employee behavioral data + user behavior analytics

Insider incidents are on the rise. In fact, recent Ponemon Institute survey indicated that malicious insiders pose the greatest cyber risk to organizations today. No wonder trade secrets and IP theft are projected to double by 2017, approaching a half a trillion dollars annually. But what can security leaders do to successfully address this scale of problem and protect their organization?

“If you’re making money today – you’re a target.”

– Kevin Shewbridge, Intelligence Analyst Lockheed Martin

Building an insider threat program is much less daunting than it appears. Many data points needed to build a program already exist in tools your organization is leveraging today. There is no magic bullet or a one-size-fits-all solution, however, by establishing a program with the right elements, you can significantly reduce your likelihood of compromise. We have listed below some of the most critical components of a successful program. For more detailed information, join us for our session at Gartner Security & Risk next week!

  • Ownership – In your organization identify who specifically is responsible for insider threat defense
  • Stakeholders – Who in the organization are the critical stakeholders (i.e. IT security, HR, compliance, legal, etc.)
  • Assets – Identify critical assets; people, processes, data and technology
  • Data sources – Technical and non-technical sources throughout the organization will provide the visibility and insight the program needs for analysts to be timely and accurate in incident identification and response
  • Integration – A good insider threat detection program integrates with existing policies and procedures whether in HR or in IT
  • Awareness – Train organization and they will support the effort
  • Incident Management – Once an incident happens, what steps happen next? A well-defined process will both protect your organization and the individual employee.
  • Privacy Concerns and Communications Plans – It’s critical to let your employees know that you’re essentially protecting them by establishing an insider threat program. Putting privacy concerns to rest is the value of a solid communications plan.

Of all the components of a successful program, the ability to analyze employee behavioral data with user behavior analytics to track both the cyber footprint and non-technical indicators is most critical. Understanding where technical and non-technical behavioral elements intersect is the key to proactively identifying potential insider threats.

We group data sources into two major categories: non-IT (human behaviors) and IT (IT user behaviors).  The good news is that the non-IT data sources are accessible throughout your organization (HR data, travel, compliance violations, work pattern changes, etc.). And for the IT data, big data technology tools provide the visibility required to find the bad apple. User behavior analytics creates behavior baselines and then using advanced analytics, ferrets out specific behaviors and risk profiles for those individuals who are above the norm and hence reflect a potential incident.

Why is getting all of the data, IT and non-IT, analyzed in this same way important? As we have found no single data source, IT or non-IT tells the entire story.

Figure 1: Potential Data Sources

For example, traditional IT-only oriented user behavioral analytics focuses on analysis of log data from a SIEM’s, or authentication servers like Active Directory, servers. This is great for analytics on login times and traffic flow analysis, but it won’t tell you whether the person who logged in is just doing their normal job or is an incident in the making. This is where having the entire context of the user, not just a set of IP addresses, times and files accessed, makes a real difference. A big difference in having both data sources, IT and non-IT, is having all of the context and being able to track the dynamics in both contexts.

How might this benefit a security analyst?

Say for example a project lead that normally accesses IP related documents logs-in late at night. There’s nothing yet to be worried about right? Let’s than say that they downloads a few gigabytes of files, more than their normal amount. Suspicious but not yet incriminating. However, when you add in user behavioral analytics from the non-IT side, you notice their personal record has a flag on a performance review and the employee is on an “improvement plan”. Now the behavior is suspect and an analyst should receive an alert pointing to all of the relevant data.  An insider threat solution that provides context from both non-IT and IT behaviors through the user behavioral analytics decreases false positives and maximizes resources. Moving from millions of potential indicators down to just a few relevant, actionable data points is the essential functionality that sets an insider threat solution apart.

8 Components to Develop a Successful Insider Threat Program


Ollie Luba is a principal systems engineer at Leidos with 30 years of experience in analyzing, modeling and designing complex analytic systems for government and commercial clients. Currently, Ollie is the Product Manager and Technical lead for Leidos' insider threat identification solution. His educational background includes a BSEE from University of Pennsylvania, MSEE from Drexel University and a MS in Technology Management from the Wharton School/Penn Engineering. Ollie is based in Valley Forge, PA.