Insider threat research aims to understand how different types of insider incidents evolve over time, what vulnerabilities exist within organizations that enable insiders to carry out their attacks, and how to most effectively prevent, detect, and respond to insider threats.
The SEI adopts a holistic approach to insider threat research to understand not only the “how” of insider incidents, but also the “why.” In most cases, employees don’t join their organizations with the intent to do harm. Rather, employees can become motivated to carry out attacks against their employers when they experience a series of stressors, when they exhibit concerning behaviors, and when employers address those behaviors in some maladaptive way. When that happens, employees can become easy and willing targets of pressure from criminals and foreign agents, or they might become disgruntled and careless on the job. A major goal of insider threat research, therefore, is to understand root causes of stressors and concerning behaviors to detect them early and offer employees better help before they commit a harmful act.
All insider incidents involve misuse of authorized access to an organization’s critical assets, which presents unique security challenges. Perimeter-based security strategies aren’t effective at identifying stressors and concerning behaviors from insiders. Moreover, insiders know which assets are most critical and how their organization protects them. Static and traditional security models focused on threats from external threat actors, therefore, are ineffective against insider threats.
The insider risk landscape is constantly evolving and expanding. Organizations increasingly rely on expanding their business through technology, which opens more opportunities for threat. To meet the challenges of managing insider risk, organizations need forward-facing techniques that can continuously evaluate those risks, and practical methods for measuring the effectiveness of their insider threat controls. Increasingly, we must find ways of expanding our current understanding of security controls to include a well-balanced approach between positive deterrence and traditional security.
Insider Threat [is] the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.
Daniel Costa SEI Technical Manager, Enterprese Threat and Vulnerability Management
Rethinking Security Strategies
At the SEI, we help organizations use their data and their resources to get a clearer picture of possible threats in their workforce and in the supply chains and contractors they work with. Our goal is to advance the state of insider threat research through the development of capabilities for preventing, detecting, and responding to evolving cyber and physical threats.
We focus on building repeatable, verified, and context-aware processes and preventative controls based on careful research and empirical evidence. We develop techniques that improve detection through tools that quickly detect patterns and anomalies; that automate prediction of risk and prevention controls; and that quickly and accurately identify indicators of various insider attack types.
The SEI is leading this effort thanks to our unique combination of experience and expertise. Since 2001, we have partnered with government agencies—such as the Department of Defense, the Department of Homeland Security, Secret Service, and many federal agencies—as well as with private industry, academia, and the vendor community. We are also leaders in modeling and simulation, software engineering, cybersecurity, and data science, and we engage in collaborative research relationships with a cadre of multidisciplinary experts in the social and behavioral sciences. As a result, we are the only source for a data-driven, risk-based, socio-technical approach to insider threats.
We have a database of over 3,000 insider incidents that we use to characterize the nature of the evolving insider threat problem, develop indicators of insider risk, and prototype and transition technical and administrative controls for insider threat mitigation. In our insider threat lab, we measure the effectiveness of new tools, indicators, and analytic techniques. We’ve developed assessments to help organizations identify their vulnerabilities to insider threats, and several training courses on establishing and operating an insider threat program.
Our solutions have been adopted as best practices by numerous government and industry organizations, many government agencies have adopted our state-of-the-art threat detection strategies. We help organizations protect themselves and we provide evidence that measures what really works.
We can help you benefit from our experience. Our assessments, evaluations, courses, workshops, and certificates help you learn about insider threats, how well your insider threat program is working, and how to establish an effective insider threat program.
What We Offer
The CERT Insider Threat Vulnerability Assessor ITVA Certificate program enables assessors to help organizations gain a better understanding of their insider threat risk and an enhanced ability to identify and manage associated risks.
Insider Threat Vulnerability Assessors help organizations gain a better understanding of their insider threat risk and an enhanced ability to identify and manage associated risks.
This course provides a understanding of the organizational models for an insider threat program, the necessary components to have an effective program, the key stakeholders who need to be involved in the process, and basic education on implementation.
The course presents a process roadmap that can be followed to build the various parts of a robust Insider Threat Program.
Join Us for
Insider Threat symposium 2020
The SEI hosts an annual Insider Threat symposium that aims to bring together practitioners on the front lines of insider threat mitigation to discuss the challenges and successes of maturing their insider threat (risk) programs. The symposium gives you the opportunity to learn from others about how to move beyond the initial operating capacity of your program.
This year we are hosting a virtual event in September in coordination with Insider Threat Awareness Month. More details will follow on scheduling and how to sign up.
The Latest from the SEI Blog
December 17, 2020 • Blog Post
Detecting anomalous network activity is a powerful way to discover insider threat activities. It is time consuming, however, to establish baseline traffic and process traffic data. This blog post explores how a mathematical law, already used in forensic accounting, may help detect insider activity...read
September 29, 2020 • Blog Post
As part of the CERT National Insider Threat Center's ongoing efforts to refine and improve our Incident Corpus, and to provide more data to the community, we have updated our taxonomy for targeted assets in insider threat incidents. In this blog post, I detail this taxonomy and highlight some of...read
Our Vision for the Future of Insider Threat
The future of the SEI’s insider threat research focuses on two key areas:
- Producing evidence that suggests the most effective combinations of data sources, analytic techniques, and response options for measuring different types of insider risk in various organizational contexts.
- Proving the efficacy of using positive incentives to reduce insider risk, and devising strategies and tools that enable organizations to deploy a balanced and dynamic set of controls that use both positive and negative incentives.
To learn more about the future of insider threat research, contact us.