
Insider Threat Detection: Stop Taking the Con Out of Context

You flick out your cigarette, and say: “Damn, I really need to quit soon.”

Then you remember that it’s ok: that was only a metaphorical cigarette. Because you’re a metaphorical detective for a hypothetical Insider Threat Detection force — and you’ve got some work to do.

You’ve just stopped a car that was traveling at four times the figurative speed limit, and the driver is buzzing her window down. Is that…? Yup, that’s metaphorical blood on her white overalls. You’re getting a serious serial killer vibe — and her grin isn’t helping.

“Evening, Ma’am. What have you been up to?”

“Oh, I’m just on my way home from work.”

“Right. And what’s that next to you?”

“That’s just my collection of massive knives.”

This is it – you’re going to be on the news, you’ll get a promotion, maybe even a medal…

“Yes, um, what is your occupation, miss?”

“I’m a butcher.”

…So close. So, so close.

“On your way, ma’am.”

It turns out investigating crime is a lot like investigating insider threats — in both fields, it all comes down to context. If a blood-stained yoga instructor had been carrying that set of knives, you’d have justified suspicion. You’d be able to retire in metaphorical glory, and maybe even upgrade to metaphorical cigars.

When it comes to Insider Threat Detection, you need in-depth context to sort the regular work from the behavior that matters — because only a fraction of daily activity represents risk, and even less is actually malicious. Many Insider Threat solutions can effectively stop data leakage in its tracks — but they lack the nuance and business context to do so without pulling over every single car.

That means your administrators are likely to receive lots of unnecessary notifications, which flag everyday people doing everyday things. At first, your end-users will be prevented from doing their jobs. But after a while, security staff will stop looking into every red flag, and start letting things go. That’s when data loss happens.

So instead, you need a solution like Incydr: a wise, experienced detective that knows when to take a step back, and take context into account. Incydr employs a series of risk indicators, including job roles and imminent departure dates, to identify data that’s at a higher risk of exposure or exfiltration.

And it’s not just user characteristics that raise red flags. Risk indicators can be based on the characteristics or behavior of a file too. Suspicious zip file movement, resume movement and source code exfiltration would all be noted — as would misleading file names. If you want more information on the file itself, authorized security team members can even view the file contents in an investigation, allowing you to verify the accuracy of anything Incydr flags as a risk.
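The two paragraphs above describe risk indicators drawn from both the user (job role, departure date) and the file (archives, resumes, source code, misleading names). As an added illustration, not Incydr's code or scoring model, here is a small Python scorer that combines both kinds of context so that only the high-context events reach an analyst; the weights, field names and sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed illustration of context-weighted insider-risk indicators.
# Weights, field names and sample events are assumptions, not Incydr's model.
UNTRUSTED = {"usb", "personal_cloud"}
EXPECTED_TYPE = {".zip": "zip", ".pdf": "pdf", ".jpg": "image", ".png": "image",
                 ".py": "source", ".go": "source", ".c": "source", ".java": "source"}

@dataclass
class FileEvent:
    user: str
    role: str                   # user context: job role
    departure: Optional[date]   # user context: known last day, if any
    filename: str               # file context: name as seen on disk
    sniffed_type: str           # file context: type determined from content
    destination: str            # where the file was moved

def file_indicators(ev: FileEvent) -> dict:  # indicators from the file itself
    ext = "." + ev.filename.rsplit(".", 1)[-1].lower() if "." in ev.filename else ""
    expected = EXPECTED_TYPE.get(ext)          # what the extension claims the content is
    return {
        "archive": 1 if ev.sniffed_type == "zip" else 0,
        "resume": 1 if "resume" in ev.filename.lower() else 0,
        "source_code": 1 if ev.sniffed_type == "source" else 0,
        # extension says one thing, the content says another: a misleading name
        "misleading_name": 2 if expected and expected != ev.sniffed_type else 0,
    }

def user_indicators(ev: FileEvent, today: date) -> dict:  # who moved it, and where
    leaving = ev.departure is not None and 0 <= (ev.departure - today).days <= 14
    return {
        "departing_soon": 3 if leaving else 0,
        "untrusted_destination": 2 if ev.destination in UNTRUSTED else 0,
        # source code handled by a role that does not normally touch it
        "role_mismatch": 2 if ev.sniffed_type == "source" and ev.role != "engineering" else 0,
    }

def risk_score(ev: FileEvent, today: date) -> int:
    return sum(file_indicators(ev).values()) + sum(user_indicators(ev, today).values())

def triage(events, today: date, threshold: int = 4):  # events worth an analyst's time
    scored = [(risk_score(e, today), e) for e in events]
    return [e for s, e in sorted(scored, key=lambda p: -p[0]) if s >= threshold]

TODAY = date(2024, 3, 1)  # constructed reference date
EVENTS = [  # constructed sample events: the "butcher", the "suspect", and a borderline case
    FileEvent("alice", "engineering", None, "service.py", "source", "corp_share"),
    FileEvent("bob", "sales", date(2024, 3, 8), "holiday.jpg", "zip", "personal_cloud"),
    FileEvent("carol", "marketing", None, "resume_2024.pdf", "pdf", "personal_cloud"),
]
```

With these weights only the departing sales user moving a zip disguised as a photo to personal cloud storage crosses the threshold; the engineer committing source code to the corporate share is the butcher who gets waved on.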

This ability to detect nuance makes Incydr an invaluable tool in the fight against insider threat. Security staff know they need to sit up and pay attention every time they receive a notification. And users aren’t constantly finding themselves blocked, questioned or accused every time they try to move a file. The murderers are stopped before they can do any damage — while the butchers are free to live their lives. As long as they really are butchers, of course. Come to think of it, you never checked her ID, did you?

For more information on how Code42 can help you manage insider risk, visit Incydr today.
