SenSage Insider Threat

Discover the Threat from Within

Insider threats are on the rise and are among the most difficult to detect. A person you know and presumably trust – an employee, a former employee, a contractor or business associate – through accidental or malicious actions can put your organization and digital assets at risk. Most organizations focus their threat detection on perimeter defenses such as firewalls, antivirus and IDS/IPS. Insider threats are immune to these defenses since the threat is already inside the network. To detect these kinds of threats you need to look at historical activity in your environment and identify new, unknown behaviors.

SenSage AP, the platform which SenSage Insider Threat is built on, is uniquely suited to help organizations deal with the growing problem of insider threats. For careful detection, you need to look at patterns of behavior over periods of time. The vast majority of breaches are discoverable in the log data that machines generate. SenSage AP uses advanced analytics modeling of this data and other information to simplify the process of detecting insider threats.

Detecting insider threats is a three-step process.

  • First, it pulls data from four different sources 1) email behavior, 2) internet upload behavior, 3) login behavior and 4) HR information. Each data source comes pre-configured with a best-practice weight based on published research. Tuning of the weights is also possible, for example, your organization may have a very email-centric culture so in your organization email could be weighted higher than outbound Internet traffic.
  • The Insider Threat data model then executes several statistical algorithms incorporating the weighted importance and calculates a risk number for every individual in the organization. Each day’s summary information is stored in a rolling table of metrics for comparison over time.
  • Reports can be run daily or at any frequency you need. The results of the calculations are displayed in an Executive Insider Threat Dashboard. Each individual is listed based on their risk indicator score and how that score deviates from the average. You can quickly see the historical trend of the three highest risk individuals. If your organization discovers an individual who may be a threat you need access to the original log data for investigation and possible legal proceedings.

Although this solution can normalize the data across various sources when querying in order to conduct complex analytics, it also retains all information in its original format so you have proof in a court of law.