Developing Insider Risk Metrics from Host-Based Monitoring

White Paper
In this paper, the authors define standard host-based monitoring capabilities, identify related insider threat indicators, and discuss host-based monitoring for insider risk measurement and associated challenges.
Publisher

Software Engineering Institute

DOI (Digital Object Identifier)
10.1184/R1/13424687
Abstract

Host-based monitoring capabilities collect vast amounts of data on information system usage and end-user behavior. This data aids in all phases of incident handling, including detection, response, forensics, mitigation, and prevention. Host data also serves a critical role in establishing activity baselines to understand normal behavior and identify abnormal or unexpected events. Metrics derived from host-based monitoring can inform insider threat risk models and illuminate concerning precursors before an undesirable escalation of events occurs. In this paper, we (1) review and define standard host-based monitoring capabilities, (2) identify related insider threat indicators that can be measured using host-based data sources and describe a vendor-neutral implementation approach, and (3) discuss the state of the art of host-based monitoring for insider risk measurement and associated challenges.