Hi, this is George J. Silowash, Cybersecurity Threat and Incident Analyst for the CERT Division. Organizations may be searching for products that address insider threats but have no real way of knowing if a product will meet their needs. In the recently released report, Insider Threat Attributes and Mitigation Strategies, I explore the top seven attributes that insider threat cases have according to our database of over 700 insider incidents. These attributes can be used to develop characteristics that insider threat products should possess.

The top seven characteristics that insider threat products should have based on cases from our database include the ability to execute these activities:

1. monitor phone activity logs to detect suspicious behaviors
2. monitor and control privileged accounts
3. monitor and control external access and data downloads
4. protect critical files from modification, deletion, and unauthorized disclosure
5. disable accounts and/or connections upon employee termination
6. prevent unauthorized removable storage mediums
7. identify all access paths into organizational information systems

Case studies are presented for each attribute along with the characteristics that products should possess to help detect and prevent insider threats. A reference to the Common Sense Guide to Mitigating Insider Threats, 4th Edition is also included.

This report may also be helpful to organizations looking for new ideas for detecting and preventing insider threats using existing hardware and software. For example, to understand all access paths into organizational information systems, products should (to name a few):

• detect changes to network devices
• regularly scan networks
• scan for unauthorized wireless access points
• restrict access to unauthorized software

Organizations may already have tools in their organization, such as network device configuration management software and network scanners, that can be used to address some of the characteristics identified above. For more details about the above characteristics and many more, I urge you to download the report.

We want to hear your feedback on this report. If you have questions or want to share experiences you've had with insider threats, send email to insider-threat-feedback@cert.org.