In today's modern world, you can hardly go anywhere without being under video surveillance,
whether riding public transit, pumping gas into your car or paying a cashier.
And all of these cameras are recording all activity within their scope:
normal activity, no activity, malicious activity and even accidental activity.
You can't capture the footage of the bad actor if you're not collecting footage all the time.
It's the same with capturing data exfiltration activities.
Your insider threat program must start long before the trigger occurs, with proactive data collection.
Too many insider threat monitoring solutions are limited to a post-trigger scope, and far too often the actual exfiltration occurs much earlier.
True monitoring technology must be continually running to provide any historical context needed in the detection and investigation phases.
So let's hear what Peter How did Georgia has to say about detection.
Your detection methods must weed out false positives from the data collected.
Your monitoring and detection tools will record many mundane activities in a sea of normal user activity, and should be able to trigger credible alerts for possible insider threat activity.
The security team may already have tools that perform penetration testing, network packet sniffing and password audits.
You may already be scanning for Web attacks and monitoring your network traffic from the outside.
Maybe you already deploy SIEM or SOAR tools for detection or threat response.
When creating your program, you need to identify if any tools that are currently used can be utilized for your insider threat program.
In an ideal world, cost wouldn't be a consideration, but you will need to budget for the tools required for a successful insider threat program.
Some kind of return-on-risk assessment needs to be done to fully evaluate the tools used for the activity monitoring.
So let's hear from Peter again and what he has to say about response.
Your response to the detection depends on your organization and culture during the investigation.
A good program preserves as much data as possible for potential legal action, a performance note in a personnel file, or educating your employees on proper processes.
While your organization may choose to have a different response for the previous scenario,
your insider threat program should have these types of details in place for the response phase.
Who is involved and how the interview is handled can be put into a process that is well documented and followed to keep litigation to a minimum.
Just as video surveillance is the same for everyone in the camera's field of vision, your monitoring needs to be constant and consistent for all users.
Your detection methods must weed out the false positives, so as not to overburden the security teams with so much data that they don't have time to react.
This is one reason to plan your insider threat program to be flexible and focus on the likely scenarios you may have to start.
Perhaps most important of all, your insider threat program must start long before a trigger.
In other words, you can't afford to only monitor an employee's activity after they've given notice or after rumors of organisational change have begun rippling through the office.
Too many insider threat monitoring solutions are limited to this post-trigger scope,
and far too often, the actual exfiltration occurs much earlier.
True monitoring, detection and response technology must be continuously running, providing historical context and complete visibility into all data activity.
This enables your insider threat team to quickly and effectively see the full picture and protect all data at all times.
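The two points the speakers keep returning to, that detection has to score each user against their own normal activity to keep false positives down, and that a monitor which only starts at the trigger (notice given, reorganisation rumors) cannot see an exfiltration that happened days earlier, can be shown with a small simulation. The following is an added example written for this page, not code from the talk or from any product it mentions. The users, byte counts and the "day 40" trigger are all constructed, and the per-user median/MAD baseline is an assumed detection rule chosen for illustration.

```python
"""
Constructed example: continuous data-activity logging versus a monitor whose
data collection only begins at the trigger. All events below are made up.
"""
from collections import defaultdict
from statistics import median

# One record per (user, day): bytes moved to removable media or a personal
# cloud account. Constructed sample: 'alice' has a quiet baseline, moves 6 GB
# on day 35, and gives notice (the "trigger") on day 40. 'bob' is a noisy but
# normal heavy user who must not raise false positives.
EVENTS = []
for day in range(1, 46):
    EVENTS.append(("alice", day, 40_000_000 + (day % 3) * 5_000_000))
    EVENTS.append(("bob", day, 300_000_000 + (day % 7) * 50_000_000))
EVENTS[(35 - 1) * 2] = ("alice", 35, 6_000_000_000)  # the pre-trigger burst
TRIGGER_DAY = {"alice": 40}  # constructed: day alice hands in her notice


def daily_volumes(events):
    """Map user -> {day: total bytes moved that day}."""
    by_user = defaultdict(dict)
    for user, day, nbytes in events:
        by_user[user][day] = by_user[user].get(day, 0) + nbytes
    return by_user


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of a user's daily volumes.

    Median/MAD is used instead of mean/stdev so that one earlier burst does
    not inflate the baseline and hide later ones.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, max(mad, 1.0)  # floor so a perfectly flat baseline never divides by zero


def detect(events, history_days=30, min_history=7, threshold=10.0):
    """Score every (user, day) against that user's own preceding history.

    Returns a list of (user, day, score) for days whose volume is at least
    `threshold` MADs above the user's median over the prior `history_days`.
    Days with fewer than `min_history` prior data points are not scored.
    """
    flagged = []
    for user, days in daily_volumes(events).items():
        for day in sorted(days):
            hist = [days[d] for d in range(day - history_days, day) if d in days]
            if len(hist) < min_history:
                continue
            med, mad = robust_baseline(hist)
            score = (days[day] - med) / mad
            if score >= threshold:
                flagged.append((user, day, round(score, 1)))
    return flagged


def post_trigger_only(events, trigger_days, **kwargs):
    """Simulate a tool that only begins collecting a user's data on their trigger day."""
    scoped = [(u, d, b) for u, d, b in events
              if u in trigger_days and d >= trigger_days[u]]
    return detect(scoped, **kwargs)


if __name__ == "__main__":
    print("continuous monitoring :", detect(EVENTS))
    print("post-trigger scope    :", post_trigger_only(EVENTS, TRIGGER_DAY))
```

Run as written, continuous monitoring flags only alice on day 35 (the 6 GB day scores about 1191 MADs above her median), while bob's large but steady transfers stay well under the threshold. The post-trigger monitor returns nothing: it has no record of day 35 at all, and by the time it has accumulated enough history to score anything the burst is long past. The historical context the talk asks for is exactly the `hist` window; the false-positive control is scoring each user against their own baseline rather than a global byte limit.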