Hello, this is Daniel Costa, Cyber Security Solutions Developer for the CERT Program, with the seventeenth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The seventeenth of the 19 best practices follows.

Practice 17: Establish a baseline of normal network device behavior.

Anomalous network activity can be a key indicator of security incidents, including insider threats. To detect anomalous activity requires that you first create a baseline of normal network activity. Establishing a trusted baseline involves identifying the following:

• network data points of interest
• length of the baseline data collection period
• methods and tools used to collect and store data

Suggested network data points of interest include the following:

• a list of predetermined devices a given workstation or server should communicate with
• VPN usage, including access times, bandwidth and resources used, source IP addresses, and geolocation information
• the known set of ports and protocols in use by the network
• firewall and intrusion detection system logs

The longer the period of data collection is, the higher the quality of the baseline because longer baseline data collection periods provide data that accounts for a wider range of the organization's normal behaviors and trends for an organization's network and users. By monitoring network and user activity and comparing current activity against the established baseline, you can identify anomalous behavior and take appropriate steps to further investigate it.

The investigation of anomalous activity can lead to the detection of malicious insider activity. For example, the CERT Insider Threat Center's collection of insider threat cases includes instances in which insiders stole an organization's intellectual property by accessing and downloading large volumes of information that were well beyond normal use by an average user. With an established baseline of normal network and user activity and vigilant monitoring of current activity, you can more effectively detect and respond to similar situations.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 18, Be especially vigilant regarding social media, or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.