The Insider Threat

A layered approach can help mitigate the risks

Gelles and Brant encourage security leaders to work closely with employee assistance programs and Human Resources, both of which have unique insight into the lives of employees going through personal struggles that might spark a desire to harm the company.

Halt the Damage in Progress

If no other methods stop the insider's malicious intent, a layer of technology solutions can assist the organization in catching him or her in the act.

William Crowell, a member of the Security Executive Council Board of Advisors, recommends security information and event management (SIEM) tools, offered by companies like ArcSight and RSA. Crowell, who is also a Director of ArcSight, recently acquired by HP, further recommends tools that let you track the behavior of people, regardless of which credentials they use, across applications and databases.

"Those are very powerful tools because if you have suspicions about an insider you can essentially monitor all their behaviors and activities inside your network," Crowell says. "Also important are forensic tools that allow you to capture things in memory of endpoints or workstations. If you can capture all the data surrounding the behavior in the memory of the endpoint without them knowing you're doing it, it's a very powerful forensic tool for finding malicious behavior. Several companies also make ESM tools and audit and logging tools that are in appliances," Crowell continues, "which can be deployed in small to mid-size companies to pretty good effect."

It is also important to maintain robust access controls and access tracking within physical facilities to ensure employees are not attempting to access areas in which they do not belong. Lefler further emphasizes audit control over inventory, if shrinkage could be a factor: "If a company purchases 5,000 new computers and hires a company to install them, for instance, then you can control some risk by doing inventory control," he says. "Release only the number of computers that can be installed day-by-day. Maintain audit control over inventory so that shrinkage is detectable. Ask the installer to prove that computers that were provided were truly installed."
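As an added example (not from the article or any of the tools it names), the following Python sketch shows the kind of correlation Crowell describes and the physical access tracking mentioned above: every badge id and account name a person holds is resolved to one identity, and each badge or database event is then checked against that person's entitlements. All identities, entitlements and log lines are constructed.

```python
# Added example, not from the article or any vendor tool: resolve badge ids and
# account names to one person, then flag access outside that person's
# entitlements. All identities, entitlements and log lines are constructed.
IDENTITIES = {  # constructed identity map: every credential a person holds
    "alice": {"alice.r", "svc_reports", "B-1042"},
    "bob": {"bob.k", "B-2207"},
}
# Reverse index so any credential string maps straight to its owner.
CRED_TO_PERSON = {c: p for p, creds in IDENTITIES.items() for c in creds}

ENTITLEMENTS = {  # constructed: zones and databases each person may use
    "alice": {"Lobby", "Floor-2", "SALES_DB"},
    "bob": {"Lobby", "Floor-2", "DC-Cage-3", "HR_PAYROLL"},
}

# Constructed events: time|source|credential|resource|action
SAMPLE_LOG = """\
2021-03-02T08:15:00|badge|B-1042|Floor-2|granted
2021-03-02T08:40:12|db|svc_reports|SALES_DB|select
2021-03-02T09:02:11|db|svc_reports|HR_PAYROLL|select
2021-03-02T10:05:00|badge|B-2207|DC-Cage-3|granted
2021-03-02T22:31:45|badge|B-1042|DC-Cage-3|granted
2021-03-02T22:35:09|badge|B-9999|DC-Cage-3|granted
"""

def resolve(credential):
    """Return the person behind an account name or badge id, or None."""
    return CRED_TO_PERSON.get(credential)

def parse_event(line):
    ts, source, cred, resource, action = line.split("|")
    return {"ts": ts, "source": source, "cred": cred,
            "resource": resource, "action": action}

def find_anomalies(log_text):
    """Return (anomalies, timeline). Anomalies are (kind, person, event) for
    unknown credentials or out-of-entitlement access; timeline groups every
    resolved event by person, regardless of which credential was used."""
    anomalies, timeline = [], {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        person = resolve(ev["cred"])
        if person is None:
            anomalies.append(("unknown-credential", None, ev))
            continue
        timeline.setdefault(person, []).append(ev)
        if ev["resource"] not in ENTITLEMENTS[person]:
            anomalies.append(("outside-entitlement", person, ev))
    return anomalies, timeline
```

On the constructed log this flags alice's payroll query and her late-night cage entry (two different credentials, one person) and the badge that maps to nobody, while bob's cage entry passes because it is within his entitlements.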

The location and value of the organization's assets at risk will determine the best technologies and policies for detecting potential insider misconduct. But all organizations can benefit from a layered strategy that has the best potential for stopping potentially malicious insiders both before and during an event.

Marleah Blades is senior editor for the Security Executive Council, which provides strategy, insight and resources to risk mitigation decision makers. The Council incorporates input from industry segments into proven practices to provide options that solve pressing issues. With a faculty of more than 100 successful experienced security executives, we work one-on-one with Tier 1 Security Leaders(tm) to help them reduce risk and add to corporate profitability. To learn about becoming involved, e-mail

Develop the workforce as a security sensor and collector
Steps to consider

- Assess the degree of vulnerability to exploitation across the employee network, including those vulnerable to exploitation and unwitting disclosures in support of their work because of a need for validation or support of a dual loyalty.
- Develop workforce standards to mitigate risk, including hiring practices, security requirements, management practices for problem employees, disciplinary procedures, resources provided to employees in crisis, and crisis management practices.
- Develop a curriculum that includes observation skills, targeted behaviors, reporting protocols, and quality assurance mechanisms (e.g., techniques to minimize false positives).
- Develop a set of specific targeted behaviors that are consistent with current preoperational tactics (e.g., patterns discerned from the case studies database, individuals who demonstrate undue interest in specific areas and functions, unusual patterns of activity such as employees being in places that are not relevant to their tasks).
- Develop training for reporting suspicious and aberrant behavior consistent with a process designed to capture data collected and reported by the workforce.
- Develop baseline awareness training as part of the on-boarding process for all employees working in the transportation system.
- Develop a generalized training for employees in noncritical vantage points, and targeted and specific training for employees in critical vantage points.
- Develop a continuing education program for all employees to update their initial training and reinforce awareness and vigilance practices as the adversary evolves.
- Develop a security plan that includes roaming interviews of the workforce in real time.
- Develop a test mechanism to ensure quality assurance and determine where additional training should be conducted.

From Deloitte Federal Government Services, "Building a Secure Workforce: Guard Against Insider Threat." Full report available from Deloitte at A related paper on maintaining the cyber secure workforce is available at