DPS staff provides expertise in performing Insider Threat Mitigation. Attention needs to be given to not only external threats, but also internal threats that may lurk within your organization. Inside threats are very real and cost a company not only financial but also legal troubles depending on the information that is leaked. Implementation of a just a single commercial-off-the-shelf (COTS) solution is no longer a viable solution to simply prevent data breaches or users from attempting malicious acts on your network. At DPS we provide a multi-step approach to assist with helping to identify possible insider threat risks and monitor those threats to prevent them from occurring.

Assets within the organization must be analyzed to determine their level of sensitivity/importance. High value assets/information are most likely what threat actors will attempt to attack and these items in turn must be protected accordingly. Implementation of a data loss prevention solution (DLP) to identify/prevent possible exfiltration of data is important (whether the data is exfiltrated via e-mail, web or through removable media). Sensitive data/documents should digitally fingerprinted in order to protect sensitive information and identify if it does in fact get leaked.

Revising roles and enforcing core security principles as least privilege access and separation of duty can help assist with providing individuals the necessary/required access to resources on the network in order to prevent unauthorized individuals from accessing resources that are not within their purview.

Account monitoring is also an important step and allows an organization to identify normal user activity from any deviations that may be occurring. Whether that be a user accessing new resources, connecting to the organization at unusually hours or unusual site access (competitor sites, job posting, etc). Aside from regular accounts privilege accounts must be monitored in order to monitor potential abuse/malicious use of privileges. By performing account logging (at network and system level) as well as a privilege identify management solution all activity can be recorded and monitored. All this logging and information can assist with the not only prevention but analysis of a potential incident. This data can be used to help reconstruct activity performed by a user by our Digital Media Analysis (DMA) team to reconstruct a timeline of events for the system to help identify if any malicious activities occurred on the endpoint by the user.

With monitoring/logging, a DLP solution in place and proper policy/role enforcement the next step would be to mine the data generated by these alerts and formulate signatures for patterns within these events and look to determine possible rules/methods to identify possibly insider threat activity within a network.