Seeing Beyond the Firewall to Detect Insider Threats
Key Highlights
- Insider threat detection now extends beyond internal systems, requiring visibility into external digital behavior and online risk indicators.
- Ethical and transparent governance is critical when monitoring external data to balance privacy with organizational protection.
- Cross-team collaboration among cybersecurity, HR and physical security leaders helps translate early warnings into measurable prevention and stronger workforce trust.
Insider threats have evolved far beyond careless clicks and misconfigured systems. Across today’s distributed and digitally connected workplaces, risk can stem not only from an organization’s own employees but also from those who merely appear to belong within its ranks. Hybrid work models, global hiring practices and the growing use of AI tools have made it easier than ever for bad actors to impersonate employees, exploit credentials and manipulate trust at scale.
Traditional background checks and internal telemetry still play a role in protecting company assets, but they often fall short of revealing the full picture. Increasingly, the clues that point to insider risk exist outside the firewall, in online behavior patterns, social affiliations and other digital breadcrumbs that can surface before a malicious act occurs.
In this Executive Q&A, Ryan LaSalle, CEO of Nisos, explores how organizations can responsibly leverage external data to identify and mitigate insider threats before damage occurs. He discusses why collaboration between cybersecurity, HR and physical security teams is essential, outlines ethical and privacy guardrails, and shares practical metrics to measure the health of an insider threat program in an era where visibility and trust must extend beyond network boundaries.
Insider threats are not new, but the tactics for spotting them are changing. From your perspective, what’s driving the need to look beyond the firewall and into external digital signals?
The nature of insider threat is continuously evolving. The shift to remote work opened up companies to an entirely new category of vulnerabilities. In addition, geopolitical tensions fueled nation-states, hackers and other threat actors to creatively take advantage of these vulnerabilities. The rise of AI tools now enables attackers to easily assume false identities and connect with companies from anywhere in the world.
Beyond traditional detection
Many organizations rely on background checks and internal telemetry to identify risk. Where do those methods fall short, and how does “outside-the-firewall” visibility fill the gap?
Companies have always struggled with identifying insider risks before their true impact was felt. They look at indications from data loss prevention, access logs, activity patterns and more to try to spot behaviors that are concerning and putting the company at risk for IP loss, sabotage or theft.
We have found that understanding the behaviors of people when they are off-system, in the real world, improves a company’s chances of identifying the precursors to those impacts, including financial duress, disparagement, high-risk or illicit transactions, fraudulent identities and more. Identifying these insider threat indicators early enables organizations to proactively prevent insider threats, whether during the pre-employment hiring process or afterwards.
What kinds of digital breadcrumbs or external data sources can provide early warning of insider risk — and how should companies separate meaningful signals from noise?
While any one behavior can be concerning, it’s the culmination of risky behaviors that gets the most attention from security teams. Digital breadcrumbs can indicate risks ranging from an individual selling or brokering employee credentials, working multiple jobs, leaking intellectual property to competitors, or publicly disparaging the company, its executives or fellow employees, and much more.
These behaviors can be detected only by reviewing a huge ecosystem of online data sets. It’s difficult for companies to build the sensing capabilities or distill down all the signals without partners or tools to help them review and connect red flags with real insight.
Can you share an example where analyzing digital behavior outside the network uncovered a hidden insider threat or “polywork” arrangement?
One thing we are seeing now is that an employment fraud actor will steal a legitimate identity, create a persona with a background and set of skills to prop up that identity, and then — when they get hired — go out to freelance sites to find other IT freelancers to deliver on the work with the skills they claimed to have.
In these cases, we’re able to help companies recognize the inauthentic employee, as well as to see their recruitment of third parties to do the actual work. Identifying these issues early enables companies to quickly limit the exposure of their brand reputation, IP and customer data to illicit access.
Balancing visibility and privacy
What governance and privacy guardrails are essential to keep external digital monitoring ethical and legally compliant?
Companies have legitimate business interests in protecting their assets, employees and operations from internal threats. That said, there are some best practices that will help ensure compliance when using external intelligence, digital monitoring and the analysis of publicly available information:
- Base decisions upon the totality of the data, rather than on isolated data points;
- Ensure actions taken are in proportionate response to the risk, and are well documented;
- Communicate policies and obtain consent through employee policies, handbooks and training; and
- Review policies and procedures regularly to ensure compliance, especially around protecting sensitive and personal information.
Measuring and collaborating
How should physical security, cybersecurity and HR teams collaborate to operationalize these insights in day-to-day risk management?
This is a new evolution in how those teams work together. The cybersecurity teams usually have the know-how and processes both for internal and external monitoring. The corporate security team has the investigative remit. And the HR teams write the policy, control the hiring pipelines, and set the tone and tenor for preventing the hiring of insiders.
Of course, they also get the challenge of being the front line to an insider threat who is already an employee. HR plays a critical role in making sure the other teams remember there is a person at the center of all this activity, because that can easily get lost in all the flurry of technology, analytics and data.
For integrators and enterprise security leaders, what metrics or leading indicators should they track to know if their insider threat program is working effectively?
There are three key indicators for demonstrating the effectiveness of insider threat programs:
Faster detection. Are you detecting faster (Mean Time To Detection, or MTTD), or detecting precursors to incidents before it’s too late to do something about it? Catching the IP before it leaves the company, catching code written by illicit third parties before it’s introduced into your repo, and catching angry or disgruntled employees before they turn violent are critical.
Acting earlier to minimize impact. Are you intervening earlier, before insider threat incidents can have an impact? You can measure that by looking at how the impact of incidents changes over time. Ideally, you’re seeing the average cost per incident go down. You can also look at the positive side, where early interventions help employees stay engaged instead of turning into full-blown insider threats, things like retention or other HR ‘thrive’ metrics.
Red teaming for preparedness. Red teaming delivers results. Test the controls in your hiring process for detecting malicious insiders, and more, just as you test cyber controls in intelligence-driven red teaming. Over time, your controls should adapt to the shifting tactics of motivated insiders. And you should learn from the red team failures to improve your real world results.
About the Author
Rodney Bosch
Editor-in-Chief/SecurityInfoWatch.com
Rodney Bosch is the Editor-in-Chief of SecurityInfoWatch.com. He has covered the security industry since 2006 for multiple major security publications. Reach him at [email protected].