How Do I Monitor for Malicious Insiders?

Big picture: Think holistic, with appropriate levels of visibility into each stage of the insider threat kill chain.

Katie Burnell, Global Insider Threat Specialist, Dtex Systems

August 5, 2019

Question: What things should I be scanning for that could, collectively, indicate I've got a malicious insider?

Katie Burnell, global insider threat specialist at Dtex Systems: Put simply, you should be scanning the full spectrum of user behaviours that lead up to an actual theft or sabotage of data. Without insight into exactly what your users are doing on their endpoints, you are blind to symptomatic behaviours that malicious users exhibit ahead of any data exfiltration or sabotage, for example.

A malicious insider will intentionally perform activities that may harm the company – for example, data-based activities through exfiltration or sabotage, or deliberate acts to compromise the operations of the business. In order to succeed in these activities, the user will likely need to circumvent corporate security measures, whether it be disabling existing tools, such as VPNs, or adopting alternative applications akin to private browsing or elevating their privileges. Security bypass activity is a conscious violation of security policy and is consistently used to engage in high-risk behaviour. Visibility into these actions and tell-tale early warning signs is vital.

Your monitoring approach must be holistic and involve appropriate levels of visibility into each stage of the insider threat kill chain. Focusing exclusively on the latter stages – aggregation and exfiltration – is a common shortfall of many approaches and fails to spot initial indicators of questionable and potentially high-risk user activity.
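As an added illustration of the point about watching every stage of the insider threat kill chain rather than only aggregation and exfiltration (example code written for this page, not code from the author or from Dtex), the following Python maps constructed endpoint events to hypothetical kill-chain stages and compares a late-stage-only alerting rule with a holistic one. The stage names, event types and sample telemetry are all assumptions constructed for the example.

```python
"""Stage-aware insider-threat triage over constructed endpoint events."""
from collections import defaultdict

# Hypothetical kill-chain stages, in order. The first two are the early
# "security bypass" warning signs the answer describes; the last two are
# the stages many programmes monitor exclusively.
STAGES = ["bypass", "escalation", "aggregation", "exfiltration"]
LATE_STAGES = {"aggregation", "exfiltration"}

# Hypothetical mapping from endpoint event types to stages (assumption).
EVENT_STAGE = {
    "vpn_disabled": "bypass",
    "private_browsing_started": "bypass",
    "unapproved_app_launched": "bypass",
    "privilege_elevated": "escalation",
    "bulk_file_copy": "aggregation",
    "archive_created": "aggregation",
    "usb_write": "exfiltration",
    "cloud_upload": "exfiltration",
}


def stages_seen(events):
    """Return {user: set(stages)} from (user, event_type) rows.
    Event types with no stage mapping (ordinary activity) are ignored."""
    seen = defaultdict(set)
    for user, event_type in events:
        stage = EVENT_STAGE.get(event_type)
        if stage is not None:
            seen[user].add(stage)
    return dict(seen)


def late_stage_only_alerts(events):
    """The common shortfall: alert only once data is aggregated or leaves."""
    return sorted(u for u, s in stages_seen(events).items() if s & LATE_STAGES)


def holistic_alerts(events, min_early_stages=2):
    """Holistic rule: alert on any late-stage activity, and also when a user
    shows activity in at least `min_early_stages` distinct earlier stages,
    so bypass plus escalation surfaces before any exfiltration."""
    return sorted(u for u, s in stages_seen(events).items()
                  if s & LATE_STAGES or len(s) >= min_early_stages)


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ("alice", "login"),
    ("bob", "vpn_disabled"),
    ("bob", "private_browsing_started"),
    ("bob", "privilege_elevated"),   # early stages only; nothing exfiltrated yet
    ("carol", "bulk_file_copy"),
    ("carol", "archive_created"),
    ("carol", "usb_write"),
]

if __name__ == "__main__":
    print("late-stage only:", late_stage_only_alerts(SAMPLE_EVENTS))  # ['carol']
    print("holistic:", holistic_alerts(SAMPLE_EVENTS))                # ['bob', 'carol']
```

Running the block shows that the late-stage-only rule never sees bob, whose bypass and escalation activity is exactly the early indicator the answer says a holistic approach should surface.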

About the Author(s)

Katie Burnell

Global Insider Threat Specialist, Dtex Systems

When Katie Burnell went to work for the Bank of England as a data processor, she didn't intend to switch career paths into cybersecurity. She was on the digital media team when she learned the bank was creating an IT security department. As she moved up through the ranks, Burnell helped build the bank's first security operations center and insider threat capability, eventually landing a role as cyber investigator. Now she works as a Global Insider Threat Specialist at Dtex, where she analyzes user activity, conducts threat assessments, and communicates security risks to a pool of clients that includes large global financial institutions, power suppliers, and government agencies.

As an expert threat specialist, Burnell splits her time between US-based large financial institutions and Dtex's EMEA customer base. She also fulfills a role in the EMEA pre-sales strategy, meeting with prospective customers, providing strategic consultations, and representing Dtex at partner events. On top of that, Burnell helps develop the "Dtex Insider Threat Intelligence Report" and works with other teams to advance Dtex technology and expertise in detecting insider threats. Her time with the Bank of England helped establish her skills in detecting insider threats, she says, and her interest and qualifications in open source intelligence (OSINT) helped grow them. Burnell is a qualified OSINT practitioner, certified "human hacker," Maltego CTF champion, and advocate for women in cybersecurity.
