Doing business in a connected world requires employees, partners and customers to have access to an ever increasing range of information channels. Along with the benefits this access provides, the risk of insider security threats increases. Network complexity, a dissolved perimeter, and the proliferation of alternative communications channels (instant messaging, VoIP, removable media, etc.) all make it more difficult for IT and security managers to detect, control and prevent behaviors that violate policies or create risk.

Ironically, technology — while increasing productivity — has obfuscated insider behavior. Left unchecked or unmonitored, many of these behaviors — whether unintentional or malicious — have the potential to put the viability of the company or its business continuity at risk.

Most companies would be shocked to discover what percentage of their employees' daily activity was geared towards non-business related activities such as online shopping, stock trading, and travel planning. While not the kind of thing that threatens a company's core viability, the impact on profit margins from lost productivity can be substantial — headcount is nearly always a company's largest expense. Even pornography — much of which easily bypasses most URL filtering solution — can become an incredible legal liability if exposed inappropriately or accidentally.

More borderline activities, such as employees making their own judgment calls for behavior at the margin of acceptability, or even activities which appear threatening but are in fact legitimate, are almost impossible to detect without false positives. Truly contextual activities such as sexual harassment are nearly impossible to detect, much less prove, with conventional solutions. And the true bad guys — the ones who are clearly out to cause malicious damage and will take great pains to hide or cover their tracks — require not just sophisticated detection but also court-worthy forensic evidence to support a termination or even prosecution. This is a tall order.

Already stretched to the limit, IT and security organizations must respond to the specific problem with tailored remediation to the entire range of behaviors, not generalized reactions to general threats. In short, enterprises need to attack the root cause of the insider threat itself — activity at the endpoint, as well as monitoring broadly at the network.


Given this new landscape, organizations need to take a number of steps to regain visibility and control of their computing environments.

1) Begin at the source

Edge security such as firewalls enjoy broad acceptance not only because they are easy to deploy but also because they deliver value in a fairly quantifiable and deterministic way. Not surprisingly, therefore, some IT organizations have reacted to the insider threat by essentially turning the firewall concept inside out. Rather than stopping bad stuff from getting in, these solutions attempt to keep good stuff protected by monitoring it preventing it from leaving the network. The trouble is, while some of these point solutions are effective, they do little to address the root cause of insider threats — the user's behavior.

2) Keep things in context 

To deal with the risks posed by user behavior, you need a solution that broadly monitors the type and quantity of data moving across the network in the context of activity on users' desktops. Without a way to analyze traffic, content, and behavior and incidents in context, enterprises lack the means to respond appropriately with policies or practices for near-term remediation or long-term prevention of insider threats. 

Truly understanding the risk posed by insider behavior requires fairly granular situational context, such knowing what the user was doing immediately before and after the actual incident. Were they using shareware programs to manipulate the data format? Who did they receive an IM from or what website did they visit just before they touched the data? What actually happened when they sent the data? For example, an incident that might appear to be malicious from a data leakage standpoint—let's say a person sending an email with sensitive information to an unauthorized recipient—might be completely legitimate or clearly accidental when view in context. With advanced monitoring capabilities such as DVR-like replay of events on the user's desktop, this same incident could be revealed as an accident involving type-down addressing, where the person sent an emergency email to the wrong person just one name down the list. It would just as easily show a malicious data theft in complete context.

3) Expose hidden events

With more and more data being encrypted, workforces becoming increasingly mobile and companies expanding the use of outsourcing and contractors, it becomes critical for organization to broadly monitor user behaviors — at both the network and desktop levels — to expose hidden events. For example, you may want the capability to view a record of the content of encrypted transmissions — such as if an employee copies the contents of an Excel spreadsheet to the clipboard and then saves it to an encrypted USB drive. You also may want to the capability to record and track this type of activity and many other behaviors even when the user is offline. Monitoring at the network level will also allow you to keep track of incidents on unmanaged desktops such as at outsourced call centers or contract workers location, and it can spot anomalies such spikes in after-hours FTP traffic so you can implement policies or more closely monitor specific individuals.

4) Deal with complex malicious acts

Unlike accidental acts or cases where workers push the boundaries of acceptable behavior to get their jobs done, most malicious acts involve multiple behaviors. This means you need a solution that lets you easily search for all of a user's other activities and easily analyze them for related behaviors or trends. Desktop monitoring — even when the user is offline — can also help you detect users "covering their tracks" — such as changing a file name or type, or cutting and pasting data. For example, you need to know when someone changes a potentially sensitive file such as from a CAD application to a JPEG, PDF or other unusual format, and then emails it with a name like "Wedding Pictures." You also need to monitor and detect other "multi-vector" behaviors, such as screen capturing from a custom application, dropping the result into a word file, and sending over instant messaging.

5) Get management involved

Armed with this type context-driven solution, security professionals can mitigate business risks by making informed decisions and implementing policies and training to achieve desired behaviors. Visual tools — such as DVR-like incident replay and network content gallery displays — also allow non-technical management and staff to spot and respond to threatening behaviors. Galleries that give a visual picture of content moving over a network can give non-technical management staff a quick and unambiguous assessment of a wide range of threatening and non-productive behaviors. With a glance at one of these visual galleries, an HR director could, for example, see that large amounts of offensive material is being viewed inside the organization. Or, a section manager could see that employees are spending valuable time on auction sites, online gambling or other non-productive activities.

Improve visibility and secure your business from the inside


Only by moving beyond the reverse firewall mentality and into the actual root cause of threatening behavior, can organizations achieve the nuanced visibility required to mitigate insider threats and truly optimize business processes and procedures; making the organizations security posture fundamentally more secure, profitable, and compliant. The ability to differentiate users, data, threats, responses and corresponding management requirements for each will enable companies to take appropriate steps to end insider threats where they begin — in the behavior of privileged users. Anything less leaves the door open to significant risks.