Software Engineering Institute | Carnegie Mellon University

SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Your incident response plan should cover the entire incident lifecycle, including processes for how incidents are detected, reported, contained, remediated, documented, and prosecuted (if applicable).

Hello, this is Mark Zajicek at the CERT Insider Threat Center. In this week's blog post, I summarize some guidance and suggest considerations to help you to develop an insider incident response plan.

A core capability of any insider threat program (InTP) involves collecting data from multiple sources and analyzing that data to identify indicators of insider anomalous activity or an increase in the probability of future insider activity.

This is Dan Costa, a cybersecurity solutions developer at the CERT Insider Threat Center. This week, in the eleventh installment of the InTP blog series, I'll present strategies for increasing the effectiveness of an InTP's data collection and analysis capabilities.

In today's business environment, few organizations are able to operate without contractors, subcontractors, temporary employees, contract employees, or other trusted business partners. Understanding how they fit into your insider threat program (InTP) and how to manage your organization's relationships with trusted business partners is critical to protecting your organization's data, assets, and reputation.

Hi, this is Ian McIntyre of the CERT Insider Threat Center. In this 10th installment of our blog series on establishing an insider threat program, I'll explore three considerations for dealing with trusted business partners.

"If you see something, say something." That phrase has been a popular security slogan for some time, and it applies to insider threat as well as other security arenas. Organizations need to develop a robust reporting capability that their employees can use because they may observe concerning behaviors and dispositions that technical controls might miss.

Hi, this is David McIntire of the CERT Insider Threat Center. In this installment of our blog series on establishing insider threat programs, I'll discuss the importance of confidential reporting capabilities within an insider threat program.

The cornerstones of any insider threat program (InTP) are a formal training and awareness curriculum and a defined set of educational activities. A successful InTP requires multiple levels of training for different parts of the organization and different types of employees. Of course, any training program should fit within the mission and culture of the implementing organization and should leverage existing expertise and processes.

Hi, this is Robin Ruefle, team lead of the Organizational Solutions group in the CERT Insider Threat Center. In this week's blog post I'm providing a overview of the types of training that should be considered as part of an effective InTP. Even if you don't have a formal program, you may still want to think about implementing some of these training ideas.

The underlying network infrastructure is a critical component of any insider threat program. In this seventh in a series of 18 posts, I will introduce a few concepts of how to use your enterprise infrastructure to prevent, detect, and respond to insider threat events.

My name is Derrick Spooner, a member of the technical staff of the CERT Insider Threat Center in the Software Engineering Institute (SEI) at Carnegie Mellon University. Previous posts have introduced several critical components of a formal insider threat program. Today, I discuss supporting infrastructure controls in the following areas:

Why should anyone care about program compliance and effectiveness? The CERT Division's answer to this question is simple: If you're going to have an Insider Threat Program (InTP), you want it to work well and within the limits of the law. We advocate that InTPs comply with all applicable laws, regulations, policies, and established procedures in a way that effectively deters, detects, and mitigates insider threats. Be sure to regularly work with your organization's general council to ensure your insider threat program is complying with federal, state, and local laws.

Hello, this is Jeremy Strozer, Insider Threat Researcher at the CERT Insider Threat Center. The focus of my work is the nexus of where the threat from outside actors meets the insider. As part of this work, I help organizations establish their InTPs. I'd like to use this post to talk about one aspect of program development: Oversight of Program Compliance and Effectiveness.