Insider Threat Solution Requirements Checklist

The technical evaluation process for new security technology can be time-consuming but it’s critically important. All stakeholders must be aligned on what success looks like. This includes the business problems that are to be solved, the technical capabilities needed to solve them, as well as the time, money and effort required to administer a solution.

We’ve helped you get started. Review this checklist to speed up your evaluation process and build stakeholder consensus on the requirements for purchasing an insider threat solution. Add any custom requirements to the empty lines.

Use Case Requirements

The high-level specifications that will enable you to manage insider threats. Use case requirements should be agreed upon by all project stakeholders.

Delivers company-wide visibility into data risk caused by end-users
Delivers visibility into the insider threat activity of individual users
Detects file exfiltration
Detects file infiltration
Detects file deletion and sabotage
Supports insider threat investigation and incident response
Monitors user activity with respect for employee privacy
[Your additional requirement here]

Technical Requirements

The technical specifications required to successfully meet your use cases. Technical requirements should be set and evaluated by security analysts and architects.

Offers an interface that is easy to use and navigate
Works without inhibiting employee productivity
Monitors file activity that takes place on employee computers, regardless of network
Monitors the creation, deletion, modification and movement of files
Detects removable media, cloud/web app, web upload and printing activity
Detects file sharing from a corporate cloud service to untrusted domains
Detects file attachments from a corporate email service to untrusted domains
Detects file deletions and provides recovery of those deleted files
Offers customized monitoring for specific groups of users
Monitors employees during departures and layoffs
Monitors high-risk employees (contractors, privileged access, flight risks, etc)
Prioritizes the file activity that requires investigation
Identifies activity that takes place outside of a user’s typical hours
Provides a historical view of user file activity
Monitors files without requiring them to be tagged or classified
Provides access to file contents for investigation
Enables alerts to be customized and sent to other systems
Logs file metadata, including file name, path, size and MD5/SHA256 hash
Logs event information, including date, time, activity type and description of threat vectors
Logs user information, including username, title, department, manager, and location
Supports organization-wide search by criteria, such as file name or hash
Supports insider threat and intellectual property lawsuits via legal hold and eDiscovery features or integrations
[Your additional requirement here]

Architectural Requirements

The specifications that will support a smooth deployment and integration with your existing IT and security investments. These should be established by security and IT stakeholders.

Solution is cloud-based
Cloud deployment can support federal and compliance requirements, if needed
Open API is available for scripting and custom integrations
Agent works well on all Mac, Windows and Linux operating systems
Agent can be mass deployed and silently installed
Agent testing reveals minimal endpoint impact
Agent does not require VPN
New agent releases can be tested prior to company-wide rollout
Pre-built integrations are available for technologies, including SSO, SIEM and SOAR
[Your additional requirement here]

Vendor Requirements

Your expectations for how a vendor will support you as a customer. These requirements are particularly important to security, procurement and legal stakeholders.