
Edge Ask The Experts

07:00 AM
Katie Burnell

How Do I Monitor for Malicious Insiders?

Big picture: Think holistic, with appropriate levels of visibility into each stage of the insider threat kill chain.

Question: What things should I be scanning for that could, collectively, indicate I've got a malicious insider?

Katie Burnell, global insider threat specialist at Dtex Systems: Put simply, you should be scanning the full spectrum of user behaviours that lead up to an actual theft or sabotage of data. Without insight into exactly what your users are doing on their endpoints, you are blind to symptomatic behaviours that malicious users exhibit ahead of any data exfiltration or sabotage, for example.

A malicious insider will intentionally perform activities that may harm the company – for example, data-based activities through exfiltration or sabotage, or deliberate acts to compromise the operations of the business. In order to succeed in these activities, the user will likely need to circumvent corporate security measures, whether it be disabling existing tools, such as VPNs, or adopting alternative applications akin to private browsing or elevating their privileges. Security bypass activity is a conscious violation of security policy and is consistently used to engage in high-risk behaviour. Visibility into these actions and tell-tale early warning signs is vital. 

Your monitoring approach must be holistic and involve appropriate levels of visibility into each stage of the insider threat kill chain. Focusing exclusively on the latter stages – aggregation and exfiltration – is a common shortfall of many approaches and fails to spot initial indicators of questionable and potentially high-risk user activity.
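As an added illustration (not code from the column or from Dtex), the Python below runs two detection rules over a few constructed endpoint events: one that watches only the latter stages (aggregation and exfiltration) and one that also treats security-bypass actions as early indicators. The event lines, action names and the action-to-stage mapping are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample endpoint events (not real telemetry): timestamp, user, action, extras.
EVENTS = """
2019-08-20T08:02 alice vpn_client_disabled
2019-08-20T08:05 alice browser_private_mode_started
2019-08-20T08:40 alice privilege_elevation_attempt
2019-08-21T17:10 bob archive_created size_mb=900
2019-08-21T17:20 bob usb_write size_mb=900
2019-08-21T09:00 carol file_open
""".strip().splitlines()

# Hypothetical mapping of endpoint actions to insider-threat kill chain stages.
STAGE_OF = {
    "vpn_client_disabled": "bypass",
    "browser_private_mode_started": "bypass",
    "privilege_elevation_attempt": "bypass",
    "archive_created": "aggregation",
    "usb_write": "exfiltration",
}

def parse(line):
    """Split one event line into (timestamp, user, action); extras are ignored."""
    ts, user, action, *_ = line.split()
    return ts, user, action

def stages_by_user(lines):
    """Collect the set of kill chain stages each user has shown activity in."""
    seen = defaultdict(set)
    for line in lines:
        _, user, action = parse(line)
        stage = STAGE_OF.get(action)
        if stage:
            seen[user].add(stage)
    return seen

def flag_late_stage_only(lines):
    """The common shortfall: only aggregation/exfiltration activity raises a flag."""
    return sorted(u for u, s in stages_by_user(lines).items()
                  if s & {"aggregation", "exfiltration"})

def flag_holistic(lines):
    """Flag a bypass indicator on its own, or activity across two or more stages."""
    return sorted(u for u, s in stages_by_user(lines).items()
                  if "bypass" in s or len(s) >= 2)

if __name__ == "__main__":
    print("late-stage only:", flag_late_stage_only(EVENTS))  # ['bob']
    print("holistic:", flag_holistic(EVENTS))                # ['alice', 'bob']
```

The late-stage rule never sees alice, whose only activity so far is disabling the VPN client, switching to private browsing and attempting to elevate privileges; the holistic rule surfaces her before any data has moved.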

What do you advise? Let us know in the Comments section, below.

Do you have questions you'd like answered? Send them to [email protected].


When Katie Burnell went to work for the Bank of England as a data processor, she didn't intend to switch career paths into cybersecurity. She was on the digital media team when she learned the bank was creating an IT security department. As she moved up through the ranks, ...

8/25/2019 | 8:17:06 AM
Much easier than identified in the post
During the inception of the cloud, it has become extremely easy to extract information from company servers. I do think the problem is that visibility into all aspects of the network and cloud is not being performed. That is an extremely daunting task where users have private accounts, business accounts, and all these various accounts have multi-factor authentication; they give the user the ability to share data amongst cloud providers without having a demarcation point or a clear separate data structure where VDI is used to protect sensitive data (think of how nuclear scientists process radioactive material). You don't have to be a hacker to do this; it is becoming commonplace for corporate employees to save data to external cloud repositories and then use that information at another site. That's a major problem if the data is classified. They really need to look into creating a way, similar to the nuclear industry, where the information is stored in a central place and can only be modified in that place, and also use a two-person authentication mechanism to validate access to sensitive material (physicists use this method; we could employ this strategy). T