Insider Threat Controls
The mission of the CERT Insider Threat Lab, sponsored by the Department of Homeland Security Federal Network Security Branch, is to create new technical controls and standards based on our research, as well as to determine lessons learned from our hands-on work doing assessments, workshops, and working with technical security practitioners.
We are pleased to announce two releases by the CERT Insider Threat Lab:
1. "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination"
Software Engineering Institute - Technical Note CMU/SEI-2011-TN-024
Our database reveals that many insiders who stole confidential or sensitive (unclassified) information exfiltrated data from their organization using email. Most of these insiders stole the information within 30 days of their departure date from the organization. This control tracks outgoing email by volume and destination from employees whose accounts are set to expire on a certain date, and it includes queries that retrieve the prior 30 days' worth of email traffic for an insider whose account is disabled.
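As an added illustration of the control described above (example code written for this page, not the SEI technical note's own implementation), the sketch below flags external outbound mail from users within 30 days of their account expiry, aggregated by destination domain and byte volume, and runs the retrospective query over the prior 30 days for a disabled account. The log format, the `corp.example` domain and the expiry list are constructed for the example.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta

INTERNAL_DOMAIN = "corp.example"   # hypothetical organization mail domain
WINDOW_DAYS = 30                   # the 30-day pre-departure window from the note
# Constructed account-expiry list (what an HR/directory export would supply).
ACCOUNT_EXPIRY = {"alice": date(2011, 6, 30), "bob": date(2011, 12, 31)}
# Constructed outbound mail log: "timestamp sender recipient size_bytes".
MAIL_LOG = """\
2011-04-01T10:00:00 alice@corp.example team@corp.example 2000
2011-06-05T09:12:00 alice@corp.example partner@vendor.example 12000
2011-06-20T18:40:00 alice@corp.example alice.home@webmail.example 5400000
2011-06-21T19:02:00 alice@corp.example alice.home@webmail.example 7100000
2011-06-22T08:10:00 bob@corp.example client@customer.example 15000
"""

def parse_log(text):
    """Parse the constructed log format into (datetime, sender, recipient, bytes)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, sender, recipient, size = line.split()
            events.append((datetime.fromisoformat(ts), sender, recipient, int(size)))
    return events

def in_window(day, end, days=WINDOW_DAYS):
    """True if `day` falls within the `days` days up to and including `end`."""
    return end - timedelta(days=days) <= day <= end

def outbound_near_expiry(events, expiry=ACCOUNT_EXPIRY, days=WINDOW_DAYS):
    """Volume and destination of external mail sent by users whose account
    expires within `days` of the message: {user: {dest_domain: (count, bytes)}}."""
    summary = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, sender, recipient, size in events:
        user = sender.split("@", 1)[0]
        dest_domain = recipient.rsplit("@", 1)[-1]
        if user not in expiry or dest_domain == INTERNAL_DOMAIN:
            continue  # no known departure date, or internal traffic
        if in_window(ts.date(), expiry[user], days):
            summary[user][dest_domain][0] += 1
            summary[user][dest_domain][1] += size
    return {u: {d: tuple(v) for d, v in doms.items()} for u, doms in summary.items()}

def prior_traffic(events, user, disabled_on, days=WINDOW_DAYS):
    """The retrospective query: every message `user` sent in the `days` before
    the account was disabled, newest first, for analyst review."""
    hits = [e for e in events if e[1].split("@", 1)[0] == user
            and in_window(e[0].date(), disabled_on, days)]
    return sorted(hits, key=lambda e: e[0], reverse=True)
```

In a real deployment the expiry list comes from the directory or HR system and the events from the central mail log; the per-destination byte totals are what an analyst would threshold to cut down on legitimate partner traffic.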
2. The first video in the insider threat demonstration series: "Insider Threat Monitoring, Detection, and Response"
Please check back often, as we intend to publish new technical controls. In addition, we would like our readers to help us create an Insider Threat Community of Interest by sending us feedback on these controls. How did they work for you? How did you fine-tune them to meet your specific needs? What did you do to reduce the number of false positives ("good guys") detected by these controls?
We are all in this together, and we need to work together to effectively mitigate insider threats! Please send your feedback using the feedback link. All input is strictly confidential, although we are happy to recognize our sources if you give your consent.