search menu icon-carat-right cmu-wordmark

Common Sense Guide to Mitigating Insider Threats - Best Practice 12 (of 19)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

Hello, this is Sam Perl, Cybersecurity Analyst for the CERT Program, with the twelfth of 19 blog posts that describe the best practices fully documented in the fourth edition of the Common Sense Guide to Mitigating Insider Threats.

The CERT Program announced the public release of the fourth edition of the Common Sense Guide to Mitigating Insider Threats on December 12, 2012. The guide describes 19 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, as well as case studies of organizations that failed to do so. The twelfth of the 19 best practices follows:

Practice 12: Use a log correlation engine or security information and event management (SIEM) system to log, monitor, and audit employee actions.

Security and logging capabilities have reached the point where data overload is as challenging a problem as data collection. So simply logging all online events is not sufficient to protect an organization's infrastructure from malicious activity. Organizations have reacted by placing new emphasis on the ability to spot important connections across seemingly different but related events.

Our analysis of insider crimes in the CERT Insider Threat Database revealed that correlation of events from the following infrastructure areas would, in many cases, provide useful information to use against insiders:

  • firewall logs
  • authentication attempts (successful and unsuccessful)
  • intrusion detection system (IDS) and intrusion prevention system (IPS) logs
  • web proxy logs
  • antivirus alerts
  • change management logs
  • physical security events (such as badging in/out logs)

Organizations should implement policies and procedures for auditing, logging, and monitoring these infrastructure areas and combine them with knowledge of the organization's assets (see Practice 6, Know your assets) to create an effective collection and analysis capability.

Before an organization begins monitoring, it should first inform employees that their use of organizational assets, including information systems, is restricted by policy and is subject to monitoring. It should also consult with legal counsel to ensure that its procedures meet legal requirements and disclosures and do not violate employee rights.

In the fourth edition of the Common Sense Guide to Mitigating Insider Threats, we include

  • protective measures that organizations can take to implement a correlation capability
  • expected challenges
  • quick wins and high impact solutions
  • a mapping to common standards that also mentions the use of event correlation to improve security

We also describe two specific incidents where insiders made changes to the IT infrastructure that would have been observable had the victims implemented monitoring that included log correlation or security information and event management tools.

Refer to the complete fourth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned.

Check back in a few days to read about best practice 13, Monitor and control remote access from all end points, including mobile devices; or subscribe to a feed of CERT Program blogs to be alerted when a new post is available.

If you have questions or want to share experiences you've had with insider threats, send email to

About the Author