Updated: Feb 9
Globally, over one-third of businesses are impacted by insider threats every year, with organizations experiencing a 47% increase in insider incidents since 2018.
Regardless of whether these incidents are malicious or accidental, the ease of access to critical information possessed by insiders and difficulty identifying, tracking, and quantifying their damage makes this a critical risk that organizations must address.
Pathfynder is at the forefront of establishing and maturing insider threat programs for global organizations. The following case study covers an insider threat engagement with a Fortune 50 company.
A Fortune 50 company with sensitive intellectual property needed to mature its highly manual insider threat program to effectively mitigate the risk posed by its employees, contractors, and other third-party resources.
Pathfynder’s insider threat solution distills highly manual processes into automated playbooks designed, tested, and implemented by experts with over 20 years of experience. At the start of this engagement, we provided a foundational batch of playbooks which were tailored to operate within this Fortune 50’s environment.
These playbooks combined two critical components to automate threat identification, which empowered this Fortune 50’s analysts to operate more effectively:
Insider threat analytics: algorithms that combine traditional threat hunting techniques (file hash detection, known malicious IP addresses, and known malicious domains) with file accesses, email communications, and logon activity
Threat personas: algorithms that identify potential insiders based on employee characteristics (e.g., employee or contractor departing the organization within a specific time frame)
We eventually focused our playbooks on two primary threat personas: flight risks (employees on the verge of resigning) and terminated employees. Flight risks were identified by monitoring activities associated with job sites or communications with competitors. For terminated employees, Human Resources alerted the insider threat team of an upcoming action, which enabled a review of the subjects’ activity over the past 30 days up until the date of separation.
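To make the two personas above concrete, here is an added illustration (not Pathfynder’s code or the playbooks from this engagement) of how a flight-risk check and a 30-day pre-separation review can be run over constructed log events; the domain watchlists, event format and HR feed are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample data (assumptions for illustration, not from the engagement).
# HR feed: user -> planned separation date, as notified by Human Resources
HR_SEPARATIONS = {"jdoe": date(2024, 3, 15)}

# Hypothetical watchlists: job-site domains and competitor domains
JOB_SITE_DOMAINS = {"jobs.example", "careers.example"}
COMPETITOR_DOMAINS = {"rival.example"}

# Constructed events: (user, day, kind, detail) where kind is web / email / file
EVENTS = [
    ("jdoe", date(2024, 2, 20), "web", "careers.example"),
    ("jdoe", date(2024, 3, 1), "email", "rival.example"),
    ("jdoe", date(2024, 3, 10), "file", "/share/ip/roadmap.pdf"),
    ("jdoe", date(2024, 1, 5), "file", "/share/ip/old.pdf"),  # outside the 30-day window
    ("asmith", date(2024, 3, 2), "web", "jobs.example"),
]


def flight_risk_persona(events):
    """Flag users whose web activity hits job sites or whose email touches competitors.

    Returns {user: [(day, kind, detail), ...]} for every user with at least one hit.
    """
    flagged = {}
    for user, day, kind, detail in events:
        job_site_hit = kind == "web" and detail in JOB_SITE_DOMAINS
        competitor_hit = kind == "email" and detail in COMPETITOR_DOMAINS
        if job_site_hit or competitor_hit:
            flagged.setdefault(user, []).append((day, kind, detail))
    return flagged


def terminated_employee_review(events, separations, window_days=30):
    """For each HR-notified separation, collect the subject's activity in the
    window_days leading up to and including the separation date, oldest first."""
    review = {}
    for user, sep_date in separations.items():
        start = sep_date - timedelta(days=window_days)
        review[user] = sorted(
            (day, kind, detail)
            for u, day, kind, detail in events
            if u == user and start <= day <= sep_date
        )
    return review


if __name__ == "__main__":
    print("flight risks:", flight_risk_persona(EVENTS))
    print("pre-separation review:", terminated_employee_review(EVENTS, HR_SEPARATIONS))
```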
Converting what once were highly manual processes into automated playbooks tailored to this organization was an iterative and deliberate process between Pathfynder and the security team. This investment had an immediate positive impact on this Fortune 50, significantly maturing their insider threat program and establishing it as a critical component of their defensive strategy.
Increased insider threat investigation cycle output by 400% through automation of manual processes — reducing to minutes what used to take analysts hours or days to complete.
Established an insider threat knowledge base that institutionalizes expertise from countless security team members that can be expanded and refined over time.
PATHFYNDER’S ANSWER TO THE INSIDER THREAT
Our tech-enabled insider threat solution aims to mature this critical program to maximize your investment in it. We work with company leaders to identify the personas most likely to be insider threats (e.g. privileged IT user, contractor, regular employee). Armed with that information, we configure analytics tools with our proprietary algorithms to detect anomalous behavior.
These algorithms alert insider threat investigators to potential malicious activities they can track and mitigate. Program managers and company leadership receive reports with detailed findings, arming executives with critical information to make informed decisions on how best to proceed.
HOW WE GOT THERE: THE POWER OF PLAYBOOKS
Playbooks are designed to identify potential insider threats and support investigations through the collection and analysis of the insider’s behaviors. Playbooks greatly enhanced this Fortune 50’s security analyst capabilities and made their process more efficient as foundational playbooks were refined and additional playbooks added.
Below is a summary of how we advanced this Fortune 50’s insider threat program from a largely manual process to a primarily automated one: