How to Identify and Respond to Insider Threats

by Micro Focus Employee in CyberRes

On 6 January the U.S. Department of Justice announced that Xiang Haitao, a Chinese national formerly residing in Chesterfield, Missouri, pleaded guilty to conspiracy to commit economic espionage. According to court documents, Xiang conspired to steal a trade secret from Monsanto, an international company based in St. Louis, for the purpose of benefitting a foreign government, namely the People’s Republic of China. 

Insider threats are real and are occurring all around us. 

What Exactly is an Insider Threat?

The Cybersecurity & Infrastructure Security Agency (CISA) defines an insider threat as “…the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.” This threat can manifest through the following insider behaviors: 

  • Espionage
  • Terrorism
  • Unauthorized disclosure of information
  • Corruption, including participation in transnational organized crime
  • Sabotage
  • Workplace violence
  • Intentional or unintentional loss or degradation of departmental resources or capabilities 

How Urgent is the Insider Threat Problem?

Insider threats are not new. They are a constant that has been with us for a long time, and one that organizations ignore at their peril. 

In recent years the issue of insider threats has been a hot topic in the U.S. Federal government, after WikiLeaks released thousands of classified documents through the global media and the Internet. In response, Executive Order 13587 (October 2011) established the National Insider Threat Task Force (NITTF) to deter, detect, and mitigate actions by employees who may represent a threat to national security, by developing a national insider threat program with supporting policy, standards, guidance, and training.

But what is the current perception of insider threats and their impact? At the end of last year, an Insider Threat Report was released, based on a survey of the 300K+ member LinkedIn Information Security community. Its key findings included: 

  • 74% of organizations feel vulnerable to insider threats — a 7% increase over last year’s survey. However, less than half of all organizations (42%) have the appropriate controls in place to prevent an insider attack.
  • Inadvertent data breaches (71%) top the list of insider threats companies care most about. Negligent data (68%) and malicious data (61%) breaches come in a close second and third.
  • Privileged users, such as managers with access to sensitive information, pose the biggest insider threat to organizations (60%). This is followed by contractors and consultants (57%), and regular employees (51%).
  • 56% of security professionals say insider threats have become more frequent in the last 12 months. 42% of organizations expect a budget increase over the next year, a strong gain of 8 percentage points from the previous year.
  • Over 75% of organizations estimate insider breach remediation costs of up to $500K. 25% believe the cost exceeds $500K and can reach into the millions. 

Given the above findings, I think it’s fair to say that insider threats will continue to be a priority. 

How CyberRes Helps

CyberRes can help organizations quickly detect and respond to insider threats. The NITTF fact sheet describes how an insider threat is detected: 

“Detection of potentially malicious behavior involves authorized insider threat personnel gathering information from many sources and analyzing that information for clues or behavior of concern. A single indicator may say little; however, if taken together with other indicators, a pattern of concerning behavior may arise that can add up to someone who could pose a threat. It is important to consider relevant information from multiple sources to determine if an employee’s behavior deserves closer scrutiny…” 

This NITTF description aligns closely with the detection capabilities of ArcSight Intelligence. ArcSight Intelligence uses hundreds of built-in machine learning models to extract the entities present in log data (users, machines, IP addresses, servers, printers, and so on) and observes their events to learn what their normal behavior looks like. Each new event is then evaluated against that entity's own previously observed behavior and against the behavior of its peers to assess risk. This lets security teams surface the high-risk anomalous behavior of users rather than sifting through individual alerts. 

Threat hunting is the practice of proactively searching a network for threats that are lurking undetected because other security controls have missed them. Threat hunters assume that adversaries are already in the environment, and in the case of insiders, they are! ArcSight Intelligence can greatly assist threat hunting teams. But skilled threat hunters are hard to find, and expertise from the ArcSight Threat Hunting services team can boost a SOC's ability to identify insider threats. 

With the NetIQ Risk Service, a user's entitlements can be adapted dynamically in response to risky behavior, limiting how severe a security incident can become. Finally, ArcSight SOAR lets you predefine playbooks that respond automatically, shortening response times to insider threats.  
