Insider Threat Analyst
This 3-day course presents strategies for collecting and analyzing data to prevent, detect, and respond to insider activity. It discusses techniques and methods for designing, implementing, and measuring the effectiveness of the components of an insider threat data collection and analysis capability.
This training is based upon the research of the CERT Insider Threat Center of the Software Engineering Institute. The CERT Insider Threat Center has been researching this problem since 2001 in partnership with the U.S. Department of Defense (DoD), the Department of Homeland Security, the U.S. Secret Service, other federal agencies, the intelligence community, private industry, academia, and the vendor community. This training course supports organizations implementing and managing insider threat detection and prevention programs based on various government mandates or guidance including: Presidential Executive Order 13587, the National Insider Threat Policy and Minimum Standards, and proposed changes set forth in the National Industrial Security Program Operating Manual (NISPOM).
- Insider Threat Program Team Members
- Insider Threat Program Managers
At the completion of the course, learners will be able to:
- Work with raw data to identify concerning behaviors and activity of potential insiders
- Identify the technical requirements for accessing data for insider threat analysis
- Develop insider threat indicators that fuse data from multiple sources
- Apply advanced analytics for identifying insider anomalies
- Measure the effectiveness of insider threat indicators and anomaly detection methods
- Navigate the insider threat tool landscape
- Describe the policies, practices, and procedures needed for an insider threat analysis process
- Outline the roles and responsibilities of insider threat analysts in an insider threat incident response process
The course covers topics such as:
- Strategies for identifying risks to assets from insiders
- Building a data collection and analysis function for both technical and behavioral data
- Identifying data sources for insider threat analysis
- Prioritizing data sources to include in an analysis function
- Developing insider threat indicators from raw data
- Advanced analytics for insider threat mitigation
- Correlating data from disparate sources
- Resolving multiple accounts to single entities
- Indicator patterns and sequences
- Insider threat anomaly detection methods
- Measuring the effectiveness of insider threat controls
- Features and functionality of tools used in insider threat mitigation
- CERT's methodology for insider threat tool testing
- Developing an insider threat data collection and analysis process
- Continuous improvement
- Developing an insider threat incident response process
Course methods include lecture, group exercises, and scenario completion. Participants will receive a course notebook, case studies, and electronic course materials downloadable from the SEI Learning Portal. Students attending in-person offerings in an SEI Training Facility are required to bring a laptop, to be used only during course exercises.
Before registering for this course, it is recommended that participants complete the Overview of Insider Threat Concepts and Activities eLearning course.
Training courses provided by the SEI are not academic courses for academic credit toward a degree. Any certificates provided are evidence of the completion of the courses and are not official academic credentials. For more information about SEI training courses, see Registration Terms and Conditions and Confidentiality of Course Records.