Insider Threat Detection
Behavioral analytics, UEBA, monitoring strategies, and insider threat programs.
Overview
Insider threats come from people who already hold authorized access (employees, contractors, partners) and whose actions, whether malicious, negligent, or driven by a compromised account, put the organization at risk.
Threat Types
| Type | Description |
|---|---|
| Malicious | Intentional harm |
| Negligent | Unintentional mistakes |
| Compromised | Account takeover |
User Entity Behavior Analytics (UEBA)
```python
# Behavioral baseline: build a per-user profile from historical telemetry.
# The get_* helpers are data-source lookups (IAM, SIEM, proxy logs) left abstract here.
def calculate_baseline(user_id):
    behavior = {
        "login_times": get_login_patterns(user_id),
        "access_patterns": get_access_patterns(user_id),
        "data_volume": get_data_usage(user_id),
        "network_activity": get_network_patterns(user_id),
    }
    return behavior


# Anomaly detection: compare current activity against the stored baseline.
# Each check receives the relevant baseline slice so it is measured against
# this user's own normal, not a global threshold.
def detect_anomaly(user_id, current_behavior):
    baseline = get_baseline(user_id)
    anomalies = []
    if outside_normal_hours(current_behavior["login_time"], baseline["login_times"]):
        anomalies.append("unusual_login_time")
    if excessive_data_download(current_behavior["data_volume"], baseline["data_volume"]):
        anomalies.append("excessive_data_access")
    return anomalies
```
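The sketch above leaves the baseline and the checks abstract. The following is an added, self-contained example (not code from the original page) that builds a per-user baseline from a few constructed log events and then scores new events against it: login hour outside the user's observed window, download volume more than a z-score threshold above the user's mean, and a destination host the user has never contacted. The event fields, thresholds and sample data are assumptions made for the example.

```python
"""Added example: a minimal UEBA baseline + anomaly check over constructed events."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample telemetry: (user, ISO timestamp, bytes downloaded, destination host)
HISTORY = [
    ("alice", "2024-03-04T09:12:00", 12_000_000, "fileshare.corp"),
    ("alice", "2024-03-05T10:03:00", 15_000_000, "fileshare.corp"),
    ("alice", "2024-03-06T09:45:00", 9_000_000, "wiki.corp"),
    ("alice", "2024-03-07T11:20:00", 14_000_000, "fileshare.corp"),
    ("alice", "2024-03-08T08:58:00", 11_000_000, "fileshare.corp"),
]


def build_baseline(events):
    """Per-user profile: observed login-hour window, mean/stdev of bytes, known hosts."""
    per_user = defaultdict(lambda: {"hours": [], "bytes": [], "hosts": set()})
    for user, ts, nbytes, host in events:
        profile = per_user[user]
        profile["hours"].append(datetime.fromisoformat(ts).hour)
        profile["bytes"].append(nbytes)
        profile["hosts"].add(host)
    baseline = {}
    for user, profile in per_user.items():
        baseline[user] = {
            "hour_min": min(profile["hours"]),
            "hour_max": max(profile["hours"]),
            "bytes_mean": mean(profile["bytes"]),
            "bytes_std": pstdev(profile["bytes"]),
            "hosts": set(profile["hosts"]),
        }
    return baseline


def detect_anomalies(baseline, event, z_threshold=3.0, hour_slack=1):
    """Return anomaly labels for one new event, measured against that user's baseline.
    Thresholds are assumed values; tune them against real false-positive rates."""
    user, ts, nbytes, host = event
    profile = baseline.get(user)
    if profile is None:
        # A user with no history cannot be scored; surface that rather than guessing.
        return ["no_baseline"]
    anomalies = []
    hour = datetime.fromisoformat(ts).hour
    if hour < profile["hour_min"] - hour_slack or hour > profile["hour_max"] + hour_slack:
        anomalies.append("unusual_login_time")
    # A flat history gives stdev 0; fall back to 1 byte to avoid division by zero.
    std = profile["bytes_std"] or 1.0
    if (nbytes - profile["bytes_mean"]) / std > z_threshold:
        anomalies.append("excessive_data_access")
    if host not in profile["hosts"]:
        anomalies.append("unusual_destination")
    return anomalies


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    suspicious = ("alice", "2024-03-09T02:30:00", 800_000_000, "cloud-upload.example")
    print(detect_anomalies(base, suspicious))
```

The baseline is per user, so the same 800 MB download is anomalous for alice but might be routine for a backup operator; that per-entity comparison is the point of UEBA as opposed to a fixed global threshold.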
Monitoring Strategies
| Area | Indicators |
|---|---|
| Access | Unusual resources, times |
| Data | Large downloads, transfers |
| Network | Unusual destinations, sensitive data sent externally |
| Physical | After-hours access |
Risk Indicators
```python
risk_indicators = {
    "technical": [
        "unusual_login_times",
        "excessive_data_access",
        "usb_usage",
        "cloud_upload",
    ],
    "behavioral": [
        "policy_violations",
        "access_denials",
        "multiple_failed_logins",
    ],
    "contextual": [
        "resignation_notice",
        "performance_issues",
        "financial_problems",
    ],
}
```
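The indicator list says what to look for but not how to turn observations into a priority. The following added example (not from the original page) assigns a weight to each indicator above and scores users so an analyst queue can be ordered. Contextual indicators are treated as amplifiers: on their own they are dampened, since a resignation notice by itself is not an incident, but combined with technical or behavioral signals they raise the score. The weights, the dampening factor and the tier cut-offs are assumptions.

```python
"""Added example: weighted risk scoring over the page's indicator categories."""

# Assumed weights; the indicator names match the risk_indicators structure above.
INDICATOR_WEIGHTS = {
    "technical": {
        "unusual_login_times": 10,
        "excessive_data_access": 25,
        "usb_usage": 15,
        "cloud_upload": 20,
    },
    "behavioral": {
        "policy_violations": 15,
        "access_denials": 10,
        "multiple_failed_logins": 10,
    },
    "contextual": {
        "resignation_notice": 20,
        "performance_issues": 10,
        "financial_problems": 10,
    },
}

# Assumed: contextual signals alone count at half weight.
CONTEXT_ONLY_FACTOR = 0.5


def score_user(observed):
    """observed: set of indicator names seen for one user in the scoring window.
    Returns (score, sorted list of indicators that contributed). Unknown names are ignored."""
    activity = 0  # technical + behavioral
    context = 0
    contributing = []
    for category, weights in INDICATOR_WEIGHTS.items():
        for name, weight in weights.items():
            if name not in observed:
                continue
            contributing.append(name)
            if category == "contextual":
                context += weight
            else:
                activity += weight
    if activity > 0:
        score = activity + context
    else:
        score = context * CONTEXT_ONLY_FACTOR
    return score, sorted(contributing)


def tier(score):
    """Assumed cut-offs for analyst triage."""
    if score >= 60:
        return "high"
    if score >= 30:
        return "medium"
    return "low"


def prioritize(users):
    """users: dict of user -> set of observed indicators.
    Returns (user, score, tier, contributing) tuples, highest score first."""
    ranked = [(u, *score_user(obs)[:1], tier(score_user(obs)[0]), score_user(obs)[1])
              for u, obs in users.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Constructed observations for four users.
    sample = {
        "alice": {"excessive_data_access", "cloud_upload", "resignation_notice"},
        "bob": {"multiple_failed_logins"},
        "carol": {"resignation_notice", "financial_problems"},
        "dave": {"usb_usage", "policy_violations"},
    }
    for row in prioritize(sample):
        print(row)
```

The point of separating activity from context is that HR-sourced signals never generate an alert by themselves; they only change how urgently a technical finding is reviewed, which keeps the program from monitoring people for who they are rather than what they do.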
Insider Threat Program
Architecture Diagram
1. Establish → Program charter
2. Assess → Risk evaluation
3. Monitor → Detection controls
4. Investigate → Response procedures
5. Respond → Mitigation actions
Best Practices
- Behavioral baselines — Know normal activity
- Risk scoring — Prioritize monitoring
- Cross-functional team — HR, Legal, Security
- Employee awareness — Clear policies
- Investigation procedures — Legal compliance
Practice
Implement UEBA monitoring for detecting insider threats.