Skip to main content

Addressing insider threat

Oilfield Technology,

According to EY, many companies have already made investments in security monitoring suites, such as Security Information and Event Management (SIEM) technology, allowing them to aggregate security logs and data from across their environment into a central location for correlation and analysis.

However, SIEM technology only allows security analysts visibility into the environments that they have integrated. Due to the damage caused by publicity from external attacks, oil and gas security departments have focused on integrating leading edge network monitoring and end point solutions into their SIEM in order to identify and contain commonly known external threats such as malware.

Oil and gas companies have numerous business critical data sources. In order to strategically focus on the company’s internal critical applications, databases and host servers must be integrated into the SIEM for monitoring. However, security logs from these sources are not sufficient for identifying insider threats.

Bahavioral analytics can allow a company to understand the behaviour of users to quickly identify anomalies. According to EY, this approach can be explained through the following principles:


The baselining process involves building a behavioral profile. This process looks at 6 – 12 months of access and activity logs to form a profile of normal behaviour based on strategically extracted access and activity attributes from the system’s logs

To be most effective, companies should leverage their existing centralized security log system, such as SIEM solution or log warehouse to perform the baselining process. Once established, the bahavioral profile can be integrated into the SIEM to assist security analysts in identifying outliers, or indicators of a potential insider threat within their environment.


Behavioral analytics allows security analysts to detect threats through anomalous behaviour. Anomalous behaviour can be identified in two ways:

Peer anomalies

A peer group can be formed by any attribute derived from the human resource data obtained. This analytical capability is derived from the principle that users within the same peer group will behave similarly. If a user has access to systems outside of their peer group or performs activities that their peers do not, the behaviour would be considered anomalous.

Bahaviour-based anomalies

A user can be expected to access similar systems and perform similar activities on a day-to-day basis. A behavioral anomaly occurs when a user’s access of activity varies from his/her baseline activity. This type of anomaly is useful in identifying compromised credentials, rogue accounts, disgruntled employees or malicious use.

Detection and response

Once an anomaly is identified through behaviour analytics, immediate alerts can be triggered within the SIEM for security analyst investigation and response. For best results, the anomalous behaviour should be associated with specific access or activity. This anomalous activity or access is referred to as an outlier. 

Adapted from a report by Emma McAleavey.

Read the article online at:


Embed article link: (copy the HTML code below):