Litan says insiders who compromise security fall into three categories: pawns, collaborators and lone wolves. Pawns are often unaware they are involved, having fallen prey to spear phishing that compromised their machines. Collaborators work knowingly with outside parties to compromise networks and data. Lone wolves act independently, sometimes with only low-level privileges but sometimes with broad ones, as NSA leaker Edward Snowden had.
To spot low-level insiders who have gone bad, security pros should look for the keywords they search for and the IP addresses and URLs they seek out on the Dark Web. For more advanced rogue insiders, using HR resources and outside information such as bankruptcy filings, and monitoring underground chats, may be called for.
Catching the most serious threat actors may require machine learning applied to this data in order to make connections between individuals and recruitment attempts, for example, that might not be apparent to less sophisticated tools.
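The first tier of detection described above, matching what users look up and where they go against a watchlist, can be shown with a small screening script. This is an added example, not code from the article or from Gartner; the proxy log lines, the watchlisted hostnames (placeholder `.onion` names) and the keyword `project bluefin` are all constructed. Hits are aggregated per user so that an analyst reviews people, not individual log lines, and a threshold keeps one-off lookups out of the review queue.

```python
"""Watchlist screening of web-proxy logs for insider-threat indicators.

Added example (not from the article): a destination-host and search-keyword
watchlist applied to constructed proxy log lines, aggregated per user.
"""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample proxy log: "<timestamp> <user> <destination URL>".
SAMPLE_LOG = """\
2024-03-01T09:12:03Z alice https://intranet.example.com/wiki/onboarding
2024-03-01T09:15:44Z bob https://search.example.net/?q=project+bluefin+buyers
2024-03-01T09:18:10Z bob http://placeholder-market.onion/listing/42
2024-03-01T10:02:51Z carol https://news.example.org/article/123
2024-03-01T10:05:09Z dave http://another-placeholder.onion/
this line is malformed and should be skipped
"""

# Constructed watchlist. In practice the host list comes from threat
# intelligence on Dark Web marketplaces and forums, and the keyword list from
# the organisation's own sensitive project names and data classifications.
WATCHLIST_HOSTS = {"placeholder-market.onion"}
WATCHLIST_KEYWORDS = {"project bluefin"}   # hypothetical internal codename


def parse_line(line):
    """Split one log line into (timestamp, user, url); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    timestamp, user, url = parts
    if "://" not in url:
        return None
    return timestamp, user, url


def indicators_for_url(url, hosts, keywords):
    """Return the list of watchlist reasons that a single URL triggers."""
    reasons = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in hosts:
        reasons.append(f"watchlist-host:{host}")
    elif host.endswith(".onion"):
        # Any Tor hidden-service domain is worth a look even if not yet listed.
        reasons.append(f"tor-hidden-service:{host}")
    # Search terms usually arrive as query-string values; check every value.
    query_text = " ".join(
        v.lower() for values in parse_qs(parsed.query).values() for v in values
    )
    for kw in sorted(keywords):
        if kw.lower() in query_text:
            reasons.append(f"keyword:{kw}")
    return reasons


def scan_log(log_text, hosts=WATCHLIST_HOSTS, keywords=WATCHLIST_KEYWORDS):
    """Aggregate hits per user: {user: [(timestamp, reason), ...]}."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue  # skip malformed lines rather than crash the whole scan
        timestamp, user, url = parsed
        for reason in indicators_for_url(url, hosts, keywords):
            hits[user].append((timestamp, reason))
    return dict(hits)


def flag_users(hits, min_hits=2):
    """Users whose hit count reaches the review threshold, most hits first."""
    ranked = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [user for user, events in ranked if len(events) >= min_hits]


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for user in flag_users(hits):
        print(user, hits[user])
```

On the constructed log, `bob` collects two hits (a watchlisted keyword in a search query and a visit to a watchlisted host) and is flagged, while `dave`, with a single unlisted `.onion` visit, stays below the default threshold but is still visible in the raw hit list for an analyst who lowers it. Keeping the reason strings attached to each hit is what makes the output useful for the human follow-up Litan describes.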
Even as these analysis technologies improve, though, there are some cases in which human monitoring and investigation of individuals is the only way to catch them, she says. “Technology will never detect a trusted insider doing normal things,” Litan says. “You need people involved.”