The CERT National Insider Threat Center (NITC) has recently developed an Insider Threat Analyst Training course. This three-day, instructor-led, classroom-based course presents strategies for collecting and analyzing data to prevent, detect, and respond to insider activity. Students learn various techniques and methods for designing, implementing, and measuring the effectiveness of various components of an insider threat data collection and analysis capability. The course includes instructor lectures and group discussions, as well as hands-on exercises with data to identify potential insider activity.

People with authorized access to organizational resources pose significant, often-overlooked risks to an organization's critical assets. According to the U.S. State of Cybercrime Survey, insiders were the largest source of compromise of customer, employee, and other confidential records, as well as exposure of sensitive information.

Organizations have responded: about 50% of recently surveyed organizations have an insider threat program, and an additional 36% are building one. Within these programs, one of the most critical roles is the insider threat analyst, who patrols the front lines of an organization's insider threat landscape.

That landscape can be dizzying: indicators of insider threat can hide in information streams from across the enterprise, and acting on them requires coordination of personnel and policy from different organizational units.

The NITC's new Insider Threat Analyst Training course prepares these personnel to understand the nature and structure of data that can be used to prevent, detect, and respond to insider threats. The course shows how to work with data from multiple sources to develop indicators of potential insider activity. It also teaches strategies for developing and implementing an insider threat analysis and response workflow that incorporates expertise and capabilities from across an organization.

The Insider Threat Analyst Training is based on research by the SEI's CERT Division on more than 1,300 actual incidents. The Software Engineering Institute partners on this work with the Department of Defense, the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community.

Participants who complete the course will be able to

• work with raw data to identify concerning behaviors and activity of potential insiders
• identify the technical requirements for accessing data for insider threat analysis
• develop insider threat indicators that fuse data from multiple sources
• apply advanced analytics for identifying insider anomalies
• measure the effectiveness of insider threat indicators and anomaly detection methods
• understand how other parts of the organization may use the results of insider threat analysis
• navigate the insider threat tool landscape
• describe the policies, practices, and procedures needed for an insider threat analysis process
• outline the roles and responsibilities of insider threat analysts in an insider threat incident response process

The course is designed for current or potential insider threat analysts, insider threat program managers, and other insider threat program team members. Others can also benefit: those who interact and support an insider threat program team (for example, IT, information security, human resources, physical security, legal, software engineering, and data owners), as well as anyone who wants to learn more about developing technical solutions for insider threat mitigation.

The Insider Threat Analyst Training joins other NITC insider threat training and certificate programs:

• Insider Threat Awareness Training (ITAT): one-hour course for all employees on the basics of insider threats and role responsibilities
• Insider Threat Program Manager (ITPM) Certificate: training for team members and program managers developing formal insider threat programs
• Insider Threat Vulnerability Assessor (ITVA) Certificate: training for insider threat program managers and for those interested in licensing the CERT methodology and tools to perform insider threat vulnerability assessments

For more information on upcoming course dates, and to register for an upcoming course, please visit https://www.sei.cmu.edu/education-outreach/credentials/index.cfm.