Data Management and Event Correlation (Part 12 of 20: CERT Best Practices to Mitigate Insider Threats Series)
The twelfth practice described in the newly released Common Sense Guide to Mitigating Insider Threats is Practice 12: Deploy solutions for monitoring employee actions and correlating information from multiple data sources. In this post, I discuss this newer practice, which involves collecting, managing, and analyzing data from multiple sources to gain insight into insider activity that can lead to cybersecurity incidents.
The CERT Division announced the public release of the fifth edition of the Common Sense Guide to Mitigating Insider Threats in December 2016. The guide describes 20 practices that organizations should implement across the enterprise to mitigate (prevent, detect, and respond to) insider threats, and provides case studies of organizations that failed to do so. The twelfth of the 20 best practices follows.
Practice 12: Deploy solutions for monitoring employee actions and correlating information from multiple data sources.
Effective insider threat programs collect and analyze information from many different sources across their organizations. The volume of data that must be collected, aggregated, correlated, and analyzed drives the need for data management tools. These tools must fuse data from disparate sources into a single environment where it can be analyzed to identify actions that indicate potential insider activity.
One of the most powerful tools an organization can use to perform event correlation is a security information and event management (SIEM) solution. Solutions for monitoring employee actions should be implemented using a risk-based approach and focusing on the organization's critical assets. Critical assets are important because they affect confidentiality, integrity, and/or availability and support business mission and functions.
In the fifth edition of the Common Sense Guide to Mitigating Insider Threats, we broaden the practice to cover a more comprehensive monitoring program, including both network and host-based information sources. We also include a table of protective measures that provides descriptions of data sources that can be useful for analysis.
User activity can be monitored at two levels: (1) at the network and (2) at the host. Insider-threat-related activity identifiable through network analysis can include
- access to sensitive files
- unauthorized software installations
- web browsing
Activity that does not leave traces on the network and must therefore be monitored at the host includes actions such as
- copying local files to removable media
- attempting to escalate local privileges
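The correlation step the practice calls for, as an added illustration that is not part of the guide or this post: two constructed log sources, one network-side (a file server access log) and one host-side (an endpoint agent log), are normalized into a common schema and fused per user, so that a sensitive-file read seen on the network followed within a time window by a removable-media copy seen only on the host raises a single alert. The log formats, field names, and sample records are hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; the "ts source key=value ..." format is hypothetical.
NETWORK_LOG = """\
2016-12-05T09:02:11 fileserver user=jdoe action=read path=/finance/q4_forecast.xlsx sensitive=yes
2016-12-05T09:05:40 fileserver user=asmith action=read path=/public/holiday_schedule.pdf sensitive=no
2016-12-05T13:20:03 fileserver user=asmith action=read path=/hr/salaries.xlsx sensitive=yes
"""
HOST_LOG = """\
2016-12-05T09:14:27 endpoint user=jdoe action=removable_media_copy file=q4_forecast.xlsx
2016-12-05T11:01:09 endpoint user=bkim action=privilege_escalation_attempt
2016-12-05T17:55:00 endpoint user=asmith action=removable_media_copy file=salaries.xlsx
"""

def parse(lines, source):
    """Normalize one source's lines into a common event schema (ts, source, fields)."""
    events = []
    for line in lines.splitlines():
        ts, _src, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.fromisoformat(ts), "source": source, **fields})
    return events

def correlate(network_events, host_events, window=timedelta(minutes=30)):
    """Fuse both sources per user. Alert when a sensitive read on the network is
    followed on the host by a removable-media copy inside the window; also report
    host-only indicators (privilege escalation attempts), which the network never sees."""
    by_user = defaultdict(list)
    for ev in network_events + host_events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["source"] == "network" and ev.get("sensitive") == "yes":
                for later in evs[i + 1:]:
                    if later["ts"] - ev["ts"] > window:
                        break  # events are time-ordered, so nothing later can match
                    if later["source"] == "host" and later["action"] == "removable_media_copy":
                        alerts.append((user, "sensitive_read_then_removable_copy", ev["path"]))
            elif ev["action"] == "privilege_escalation_attempt":
                alerts.append((user, "privilege_escalation_attempt", None))
    return alerts

def run():
    return correlate(parse(NETWORK_LOG, "network"), parse(HOST_LOG, "host"))
```

Note that asmith's sensitive read and later copy fall outside the 30-minute window and produce no alert, while neither of jdoe's events is suspicious on its own; only the fused view flags the sequence.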
Refer to the complete fifth edition of the Common Sense Guide to Mitigating Insider Threats for a comprehensive understanding of the issues and recommendations mentioned in this post.
Check back next week to read about Practice 13: Monitor and control remote access from all end points, including mobile devices, or subscribe to a feed of the Insider Threat blog to be alerted when a new post is available.