An Alton Corporation report by the company’s President and CEO Michael Berk highlights the importance of deterrence and early detection in preventing insider threat, and notes that one of the biggest problems with existing countermeasures is insufficient information about possible malicious intent and a lack of tools to detect it.
The report highlights that most employees executing insider attacks joined the organisation with no malicious intent. However, over time an unexpected opportunity might arise, or growing resentment can lead to the perfect conditions for attack.
A huge number of contextual, socio-psychological and economic factors relating to the business environment or personal circumstances might influence a decision to engage in sabotage or fraudulent activities.
The main focus of corporate security to date, with regard to human behaviour, has been monitoring and auditing network activity. Physical security layers are largely aimed at preventing unauthorized access by external intruders. Smart video analytics solutions concentrate on pattern recognition and can easily be circumvented with enough preparation.
Over the last decade, a number of commercial tools, techniques and procedures have been developed concentrating on the detection of malicious activity in a local network. Most of these technologies and processes were designed with hackers in mind. The problem is that their utility is limited to identifying suspicious network activities when they occur. While providing a certain deterrence capability and being instrumental in post-event investigations, they are not effective at preventing crimes related to insider threat.
According to Berk, another problem with many existing tools is that they monitor network activity without providing additional information to put events into context. The two biggest challenges companies face when addressing insider threats are not having enough contextual information provided by security tools (69%) and security tools that yield too many false positives (56%).
A new approach
Given these limitations, a more effective approach to mitigating privileged user abuse is emerging, one that focuses on suspicious behaviours rather than on network events alone.
The cornerstone of such a program is a layered monitoring system that incorporates both technical (network, biometric data analysis, video analytics) and non-technical indicators (HR, legal, other support departments) derived from a clear understanding of possible adversarial modes of operations (AMOs) that relate to insider threat scenarios.
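To make the layered idea concrete, here is an added illustration (not code from the article or from Alton Corporation) of how technical indicators and non-technical HR context can be scored together against one hypothetical adversarial mode of operation, "take data before leaving". The event records, HR flags, weights and the escalation threshold are all constructed assumptions; the point is to show how context both discounts job-normal activity (fewer false positives) and raises the priority of activity that matches a scenario.

```python
from datetime import datetime

# Constructed sample data (not from the article). Technical indicators come
# from a network/endpoint monitor; non-technical context comes from HR.
NETWORK_EVENTS = [
    {"user": "alice", "ts": "2014-08-01T02:10:00", "type": "bulk_download", "bytes": 4_200_000_000},
    {"user": "alice", "ts": "2014-08-01T02:40:00", "type": "usb_write", "bytes": 3_900_000_000},
    {"user": "bob",   "ts": "2014-08-01T14:05:00", "type": "bulk_download", "bytes": 5_000_000_000},
    {"user": "carol", "ts": "2014-08-01T09:30:00", "type": "login", "bytes": 0},
]
HR_CONTEXT = {
    "alice": {"resignation_notice": True, "recent_disciplinary": False, "role": "engineer"},
    "bob":   {"resignation_notice": False, "recent_disciplinary": False, "role": "backup_operator"},
    "carol": {"resignation_notice": False, "recent_disciplinary": True, "role": "engineer"},
}

# One hypothetical AMO: "take data before leaving". The weights, the off-hours
# rule, the role baseline and the threshold are illustrative assumptions.
TECHNICAL_WEIGHTS = {"bulk_download": 2, "usb_write": 3}
OFF_HOURS_WEIGHT = 2
HR_WEIGHTS = {"resignation_notice": 4, "recent_disciplinary": 2}
ROLE_NORMAL_ACTIVITY = {"backup_operator": {"bulk_download"}}  # expected for the job
ESCALATE_AT = 8


def is_off_hours(ts: str) -> bool:
    """Treat activity between 22:00 and 06:00 as outside normal working hours."""
    hour = datetime.fromisoformat(ts).hour
    return hour < 6 or hour >= 22


def technical_score(user, events, hr=None):
    """Weight a user's network events; with HR context, discount job-normal activity."""
    normal = ROLE_NORMAL_ACTIVITY.get(hr.get("role"), set()) if hr else set()
    score, reasons = 0, []
    for ev in events:
        if ev["user"] != user:
            continue
        weight = TECHNICAL_WEIGHTS.get(ev["type"], 0)
        if weight == 0 or ev["type"] in normal:
            continue
        score += weight
        reasons.append(ev["type"])
        if is_off_hours(ev["ts"]):
            score += OFF_HOURS_WEIGHT
            reasons.append("off_hours")
    return score, reasons


def context_score(hr):
    """Weight the non-technical indicators supplied by HR."""
    score, reasons = 0, []
    for flag, weight in HR_WEIGHTS.items():
        if hr.get(flag):
            score += weight
            reasons.append(flag)
    return score, reasons


def score_user(user, events=NETWORK_EVENTS, hr_context=HR_CONTEXT):
    """Combine technical and contextual layers into one explainable score."""
    hr = hr_context.get(user, {})
    tech, tech_reasons = technical_score(user, events, hr)
    ctx, ctx_reasons = context_score(hr)
    return {"user": user, "score": tech + ctx, "reasons": tech_reasons + ctx_reasons}


def flagged_without_context(events=NETWORK_EVENTS):
    """Network-only view: every weighted event type becomes an alert."""
    return sorted({ev["user"] for ev in events if ev["type"] in TECHNICAL_WEIGHTS})


def flagged_with_context(events=NETWORK_EVENTS, hr_context=HR_CONTEXT, threshold=ESCALATE_AT):
    """Layered view: escalate only users whose combined score reaches the threshold."""
    users = {ev["user"] for ev in events} | set(hr_context)
    scored = [score_user(u, events, hr_context) for u in sorted(users)]
    return [s for s in scored if s["score"] >= threshold]


if __name__ == "__main__":
    print("network-only alerts:", flagged_without_context())
    for s in flagged_with_context():
        print(f"escalate {s['user']}: score {s['score']} ({', '.join(s['reasons'])})")
```

Run stand-alone, the network-only view raises alerts for both alice and bob, because both performed a bulk download; the layered view drops bob (bulk downloads are normal for a backup operator) and escalates only alice, whose off-hours download and USB write coincide with a resignation notice. Each escalation carries its list of reasons, which is the contextual information the survey respondents said existing tools fail to provide.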
For more information on this new approach to tackling insider threat, see also 'Human behaviour and insider threat: Part two'.
Adapted from a report by Emma McAleavey.
Read the article online at: https://www.oilfieldtechnology.com/exploration/06082014/identifying-insider-threat-1081/