The M.O. of Insider Threats


Public concern for defending against cyber threats has grown exponentially over the past five years. However, perhaps the most recognizable U.S. government breach during that time was perpetrated by an insider, Edward Snowden. I recently participated in a webinar that explored how public and private sector organizations should be auditing their data for insider threats. During the conversation, I provided a high-level breakdown of insider threats to help organizations think ahead as they implement new processes and technology solutions to detect threats within their networks.

Who might be considered an insider threatening your system?
There are multiple attributes to consider when identifying potential insider threats. The individual could be a current or former employee, a contractor or a business associate. The key points to consider are whether they possess malicious intent, whether they have the credentials to gain access to the network and whether they have access to sensitive information that should not be shared with those outside of the organization. Another important point is that someone can be an insider threat risk without even knowing it. For example, an individual who does not always follow security protocols could unintentionally put the organization at risk for a breach. In this case, while there is no malicious intent, the end result could still be very serious.

What are insider threats trying to achieve?
Where there is a will, there is a way. There are three core reasons we like to call out when addressing this question. First, this individual may just be a whistleblower. This basically means the person thinks your information or activities going on behind the scenes are shady, illegal or morally wrong. As such, they feel the need to expose the organization (e.g. Edward Snowden). Another common motivation for insider attacks is financial gain. From credit card numbers to personally identifiable information (PII), this data is a central target for insider attacks. Lastly, couple financial gain with the desire to get revenge on others within the organization, and you have your third top reason for insider threats.

How can you detect insider threats?
There are a number of behaviors that should raise a flag when analyzing your machine data. These could include an abnormally high number of file transfers to external sources, physical building access after normal hours, employees accessing project files they don’t typically need or even excessive printer activity. There are hundreds of behaviors that should be incorporated into employees’ risk profiles, but do not let this overwhelm you. We’ve determined a four-step process to detect potential insider threats:

1. Determine what data is critical within your organization and how it could get misused or stolen.

2. Collect relevant machine data that tracks user activities on the network.

3. Expand your knowledge with external data from human resources, mapping IPs and all assets you can collect on your employees and business associates.

4. Identify and flag possible insider threats through behavioral analysis and data correlations. The key is identifying anomalies from your established baseline and putting that information into risk profiles or scoring.
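Step 4's baseline-and-anomaly scoring, as an added Python example that is not Splunk's code or part of the original post: each user's own history is the baseline, two of the indicators named above (external file transfers, after-hours building access) are checked against it, and deviations feed a per-user risk score. The events and indicator weights are constructed for illustration.

```python
"""Per-user baseline scoring for two insider-threat indicators (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events, not real telemetry: (user, day, indicator, value).
EVENTS = [
    # Daily MB uploaded to external hosts, as a proxy/DLP log would summarise it.
    ("alice", d, "external_transfer_mb", v) for d, v in enumerate([12, 15, 10, 14, 11, 13, 980])
] + [
    ("bob", d, "external_transfer_mb", v) for d, v in enumerate([40, 55, 38, 60, 45, 52, 49])
] + [
    # Badge-reader entries outside business hours, one event per entry.
    ("alice", 6, "after_hours_entry", 1), ("alice", 6, "after_hours_entry", 1),
    ("bob", 3, "after_hours_entry", 1),
]

# Assumed weights: how much a flagged indicator adds to the user's risk score.
WEIGHTS = {"external_transfer_mb": 40, "after_hours_entry": 10}

def daily_totals(events):
    """Sum each indicator per user per day -> {user: {indicator: {day: total}}}."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(float)))
    for user, day, indicator, value in events:
        totals[user][indicator][day] += value
    return totals

def zscore(value, history):
    """Standard deviations of `value` above the user's own baseline.
    A flat baseline (e.g. never badged in after hours) makes any increase anomalous."""
    if not history:
        return 0.0
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sd

def score_day(events, day, threshold=3.0):
    """Risk score per user for `day`, using all earlier days as that user's baseline.
    Missing days count as zero so a quiet history stays part of the baseline."""
    totals, report = daily_totals(events), {}
    for user, indicators in totals.items():
        flags = []
        for indicator, weight in WEIGHTS.items():
            history = [indicators[indicator].get(d, 0.0) for d in range(day)]
            today = indicators[indicator].get(day, 0.0)
            if zscore(today, history) > threshold:
                flags.append(indicator)
        report[user] = {"score": sum(WEIGHTS[f] for f in flags), "flags": sorted(flags)}
    return report
```

A score is a prompt to investigate, not a verdict: alice's day-6 upload spike and first after-hours entries flag her, while bob's single after-hours entry on day 3 is flagged only because his earlier baseline was flat.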

Splunk for Insider Threat Detection
Splunk’s platform can ingest machine data from traditional and non-traditional sources to provide enterprise-wide visibility of your system for better decision making and improved threat detection. The first thing government agencies should do to combat insider threat is expand their data sources. More data will result in a more comprehensive risk profile. During the webinar, we demonstrated how Splunk’s solutions address and monitor for possible insider threats through a combination of behavioral analysis tools and external data factors. The information is used to create risk profiles for employees and other users, providing key decision makers with greater visibility of potential threats. Users with behaviors deviating away from the norm are identified as outliers. This does not necessarily mean that this person is an insider threat, but it does flag the behavior so the organization can take the necessary steps to investigate further.

At the end of the day, everyone wants to steer clear of negative headlines and protect employees’, customers’ and the organization’s data. Splunk’s platform for security intelligence addresses a number of security use cases and can provide your organization greater flexibility than a traditional Security Information and Event Management (SIEM) solution. Our goal is to provide improved visibility, in real time, for a more holistic approach to combating insider threats.

If you missed the webinar, I highly recommend registering for the upcoming Go Big Security webinar on June 4. The session, which includes the Department of the Treasury and Department of Homeland Security, will explore what agencies are currently doing to manage cyber risk and how government can be more proactive on cybersecurity.

Visit the Splunk events page for updates on all Splunk activities.


Mike Wilson
Principal Sales Engineer
Splunk Inc.