Page 38 - FCW, August 30, 2016

BackStory
The data needed to detect insider threats
Given how many breaches originate from insider threats (whether malicious or unwitting), the government must improve its ability to spot and mitigate such risks. A new book by Deloitte Consulting’s Michael Gelles details 25 data streams that agencies can use as potential risk indicators.
Access attributes and behaviors
• Access levels
• Security clearance
• Privileged user rights

Compliance cases
• Audit remediation process
• Noncompliance with training requirements
• Organizational policy violations

Data exfiltration
• Large outbound email traffic volume
• Email messages with attachments sent to suspicious recipients
• Anomalies with copiers, fax machines and other transmittal devices
• Removable media alerts and anomalies

Network activity
• Collection of large quantities of files
• Antivirus/anti-malware alerts
• Excessively large downloads
• Access request denials

Personnel management
• Declining performance ratings
• Notice of resignation or termination
• Reprimand or warning
• Temporary duty status and location
• Title 42 employees
• Visiting staff

External data
• Social media anomalies
• Financial stressors
• Criminal and civil history background checks
• Foreign contacts and non-temporary duty foreign travel

Physical security
• Physical access request denials
• Physical access anomalies

Time and expense
• Expense violations
• Time entry violations
Source: “Insider Threat: Prevention, Detection, Mitigation and Deterrence” by Michael G. Gelles
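The streams above are only useful once they are correlated per person: a single large download is noise, but a large download plus removable-media alerts plus access denials from someone who has just given notice is a signal. The script below is an added worked example, not from the FCW article or from Gelles's book. It scores each user's latest day against that user's own baseline for four of the behavioural streams listed (outbound email volume, download volume, removable-media alerts, access request denials) and then lets two of the static streams (privileged user rights, notice of resignation) amplify the score rather than alert on their own. The telemetry, the 3-sigma threshold, the weights and the multipliers are all constructed assumptions for illustration.

```python
"""Correlate several insider-threat indicator streams into a per-user risk score.

Added example (not from the FCW article or Gelles' book). The event log,
baseline threshold, weights and multipliers are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily telemetry: one record per user per day.
# Columns map to streams in the list: outbound email volume, download
# volume, removable-media alerts, access request denials.
EVENTS = [
    # day, user, outbound_mail_mb, download_mb, usb_alerts, access_denials
    (1, "alice", 12, 300, 0, 0),
    (2, "alice", 15, 280, 0, 0),
    (3, "alice", 11, 320, 0, 0),
    (4, "alice", 14, 290, 0, 0),
    (5, "alice", 13, 310, 0, 0),
    (1, "bob", 20, 500, 0, 0),
    (2, "bob", 22, 480, 0, 1),
    (3, "bob", 19, 520, 0, 0),
    (4, "bob", 21, 510, 0, 0),
    (5, "bob", 260, 9000, 3, 4),   # constructed anomalous final day
]

# Constructed personnel/access context (static streams from the list).
CONTEXT = {
    "alice": {"privileged": True, "resignation_notice": False},
    "bob": {"privileged": False, "resignation_notice": True},
}

FIELDS = ("outbound_mail_mb", "download_mb", "usb_alerts", "access_denials")
# Assumed weights: exfiltration-channel streams count more than denials.
WEIGHTS = {"outbound_mail_mb": 3, "download_mb": 3, "usb_alerts": 2, "access_denials": 1}
Z_THRESHOLD = 3.0  # assumed: flag a value more than 3 sigma above the user's own baseline


def per_user_series(events):
    """Group the flat event list into {user: [record dicts sorted by day]}."""
    series = defaultdict(list)
    for day, user, *vals in events:
        series[user].append({"day": day, **dict(zip(FIELDS, vals))})
    for recs in series.values():
        recs.sort(key=lambda r: r["day"])
    return series


def zscore(value, history):
    """Standard score of value against the user's prior values.

    A flat history (sigma == 0) yields 0.0 if the value matches the baseline
    and +inf if it departs from it, so a first-ever USB alert is still flagged.
    """
    if not history:
        return 0.0
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_user(recs, context):
    """Score the latest day against the user's prior days; return (score, findings)."""
    *history, latest = recs
    findings = []
    score = 0.0
    for f in FIELDS:
        z = zscore(latest[f], [r[f] for r in history])
        if z > Z_THRESHOLD:
            findings.append(f"{f}={latest[f]} (z={z:.1f})")
            score += WEIGHTS[f]
    # Static personnel/access context amplifies a behavioural anomaly;
    # it never produces a finding by itself.
    if findings:
        if context.get("privileged"):
            score *= 1.5
        if context.get("resignation_notice"):
            score *= 2.0
    return score, findings


def risk_report(events=EVENTS, context=CONTEXT):
    """Return {user: (score, findings)} for every user with at least two days of data."""
    report = {}
    for user, recs in per_user_series(events).items():
        if len(recs) < 2:
            continue
        report[user] = score_user(recs, context.get(user, {}))
    return report


if __name__ == "__main__":
    ranked = sorted(risk_report().items(), key=lambda kv: -kv[1][0])
    for user, (score, findings) in ranked:
        print(f"{user}: score={score:g} findings={findings}")
```

Two design points matter in practice. Baselines are per user, not fleet-wide, because a 500 MB day is routine for one role and alarming for another. And the personnel streams (resignation notice, privileged rights) only multiply an existing behavioural score; treating them as alerts on their own generates noise and, for the personnel items, invites the kind of profiling an agency's counsel and unions will object to.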