search menu icon-carat-right cmu-wordmark

InTP Series: Data Collection and Analysis (Part 11 of 18)

CERT Insider Threat Center
• Insider Threat Blog
CERT Insider Threat Center

A core capability of any insider threat program (InTP) involves collecting data from multiple sources and analyzing that data to identify indicators of insider anomalous activity or an increase in the probability of future insider activity.

This is Dan Costa, a cybersecurity solutions developer at the CERT Insider Threat Center. This week, in the eleventh installment of the InTP blog series, I'll present strategies for increasing the effectiveness of an InTP's data collection and analysis capabilities.

A rich combination of technical, physical, and behavioral data sources in insider threat data collection and analysis efforts has been shown to increase the effectiveness of InTP detection and prevention capabilities. Fusing data from multiple sources provides the ability to produce a clearer picture of the potential insider threat and provide context to potentially malicious activity. Contextual information helps identify true and false positives, better define categories of anomalous or unauthorized behavior, and differentiate between intentional and unintentional actions.

Maximizing the number of data sources available for analysis also increases the chances of identifying multiple indicators per malicious act, and it is these sequences of indicators that are most effective in accurately identifying events of interest. On their own, individual indicators may not warrant further investigation, but when found alongside other indicators known to be representative of a particular pattern of bad activity, that same indicator becomes much more valuable.

There are, of course, limitations to an organization's ability to collect data from all the data sources it may want. Limited resources; technical, policy, and legal constraints; and difficulty of implementation are some of the challenges organizations may face. To address these challenges, we recommend that organizations adopt a use-case driven strategy to prioritize data sources that provide information that can be used to prevent, detect, and respond to the behaviors that the organization considers as most critical to address.

An example of the types of data sources recommended for collection, aggregation, and analysis is provided in the figure below:


View larger version of image.

Much more information on InTP data collection and analysis can be found in our Insider Threat Program Manager Certificate Program. The training provided as part of the certificate program covers a wide array of tools, techniques, and best practices for collecting and analyzing insider threat data.

If you have questions or comments on this post or the series, please send us your feedback.

About the Author