Insider Threat: 2016 Gartner Security & Risk Management Summit



The Gartner Security and Risk Management Summit 2016 in National Harbor, Maryland addressed the latest in cybersecurity threats, flexible new security architectures, governance strategies, the CISO role, and more. One of the most popular sessions was entitled, “To the Point: Detecting Insider Threats and Abuse” by Avivah Litan, with guest speaker Rich Malewicz. This session included strategies to mitigate insider threats (unintentional and intentional), particularly as they relate to gaining access an employee doesn’t have, or abusing access they already have, in order to cause damage, defraud, or steal from an enterprise. View the session on Gartner’s Website.

Insider threats were categorized in 3 ways:

  • Pawns – people who accidentally become victims of spear phishing, ransomware, and malware.
  • Collaborators – those who are actively collaborating to defraud or steal data for financial or personal gain.
  • Lone Wolf – someone who is working on their own to defraud or steal data for financial or personal gain.


One of the challenges considered in this session was the arduous process of finding and identifying insider attacks. With the dark web being used as a recruitment tool, businesses have to use detection and analysis tools to track these threats, including monitoring structured and unstructured data, email, and chats on the dark web. The presentation even included screenshots of communications between hackers bragging on the dark web about recruiting a banking insider.

On the flip side, we learned that about 80% of insider threats can be caught by creating simple rules and story-lines that make sure employees are not bypassing security policies. This can be done with insider threat management tools such as ObserveIT. The other 20% can be uncovered using anomaly detection.

Beyond the data, there’s a human element to insider threat, so continual insider screening, especially for trusted insiders with high privileges, is strongly encouraged to add to your Insider Threat Program.

An Insider Threat Case Study:

During the conference, a case study was presented by Rich Malewicz regarding insider threats he found in Livingston County, MI. He used ObserveIT to monitor the employees involved, and ultimately used the video playback from his investigation as evidence to terminate 4 employees.

Malewicz, CIO and CISO of Livingston County, detected some unusual indicators of insider threat in July 2014. Indicators included suspicious PC access, unexplained absence of employees during work hours, and poor feedback from customers. Rich had two people saying, “It seems someone used my PC last night,” and the logging system confirmed those activities by unknown and unauthorized personnel. Those two PCs were the Payroll PC and the Treasury PC.
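The two detection layers the session describes (simple rules and story-lines for the bulk of cases, anomaly detection for the rest) can be illustrated against the indicators in this case: an account logging on to the Payroll or Treasury PC after hours that is not on that machine's authorized list. The following is an added example, not code from the session, Livingston County, or ObserveIT; the log records, the authorized-user list, and the baseline are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample logon records (host, account, local timestamp); not real data.
LOGONS = [
    {"host": "PAYROLL-PC", "user": "payroll.clerk", "ts": "2014-07-14 09:02"},
    {"host": "PAYROLL-PC", "user": "it.admin", "ts": "2014-07-14 22:41"},
    {"host": "TREASURY-PC", "user": "treasury.clerk", "ts": "2014-07-15 08:55"},
    {"host": "TREASURY-PC", "user": "it.admin", "ts": "2014-07-15 23:10"},
    {"host": "HELPDESK-PC", "user": "it.admin", "ts": "2014-07-15 10:30"},
]

# Hypothetical policy: which accounts may use each sensitive PC, and the working day.
AUTHORIZED = {"PAYROLL-PC": {"payroll.clerk"}, "TREASURY-PC": {"treasury.clerk"}}
WORK_HOURS = (8, 18)  # 08:00 inclusive to 18:00 exclusive

# Constructed baseline of (user, host) pairs seen during a prior "normal" window.
BASELINE_PAIRS = {
    ("payroll.clerk", "PAYROLL-PC"),
    ("treasury.clerk", "TREASURY-PC"),
    ("it.admin", "HELPDESK-PC"),
}


def rule_alerts(logons, authorized=AUTHORIZED, work_hours=WORK_HOURS):
    """Story-line rules: flag logons that break an explicit policy.

    Returns a list of (host, user, timestamp, reasons) for each offending record.
    """
    alerts = []
    for e in logons:
        hour = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M").hour
        reasons = []
        if e["host"] in authorized and e["user"] not in authorized[e["host"]]:
            reasons.append("unauthorized account on sensitive host")
        if not (work_hours[0] <= hour < work_hours[1]):
            reasons.append("after-hours logon")
        if reasons:
            alerts.append((e["host"], e["user"], e["ts"], reasons))
    return alerts


def novel_pairs(logons, baseline=BASELINE_PAIRS):
    """Anomaly view: (user, host) combinations never seen in the baseline window.

    This needs no policy list, so it can surface access the rules did not anticipate.
    """
    return {(e["user"], e["host"]) for e in logons} - set(baseline)
```

In this sample both layers point at the same two records; in practice the anomaly set is the one to review when a rule has not been written for the host in question.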

Rich got his security team to investigate those suspicious activities. The team included himself, the IT manager, and the IT security admin; however, beyond the “human sensor,” Rich did not have the tools to figure out exactly what was going on.

The Lone Wolf:
Rich installed and launched ObserveIT Insider Threat Management software on August 4th, 2014. ObserveIT is specifically designed to analyze employees’ behavioral patterns. The software watches for any kind of unusual or suspicious activity and then records high-risk activity.

On the same day ObserveIT was installed, alerts were triggered along with video forensic recordings of a specific worker performing out-of-policy activities on his computer during working hours. On day one, the investigation team started getting alerts and realized they had a lone wolf on their hands. “I should’ve installed ObserveIT earlier,” said Rich. An IT employee was performing “password harvesting”. He was invading the privacy of a co-worker by remotely connecting to his PC and searching for password files. He was clearly abusing his privileges to get access to passwords as well as other private data.


It Wasn’t Only Me!

On August 11th, just one week after installing ObserveIT, the investigation team found another indicator of insider threat: copyright infringement. Initially, they thought it was a lone wolf, but in time they discovered a team of collaborators:

An employee was using government property and the government network to illegally download music files and movies. He wasn’t only downloading music and movies; he was also unintentionally downloading malicious code and malware, which infected the environment.

The investigation team went through the email logging system and found other employees who were involved in using government property for these illegal activities.


Rich was amazed that his own investigation team, including the IT manager and IT security admin, were involved in these activities. He immediately removed both of them from the investigation team.

After removing the IT security admin from the investigation team, that person attempted to cover his tracks by deleting logs from the servers. However, his attempts were not successful as ObserveIT recorded the entire act and provided irrefutable evidence.

In the end, he did not admit his involvement until he was confronted with the video evidence from ObserveIT (a program he had helped install). Not only did he have no choice but to admit his involvement, he brought down the rest of his collaborators with him.


We learned from the session that whether an insider is being recruited from the dark web or pirating movies, or an employee is unintentionally responsible for a malware or ransomware download, nearly all security incidents stem from people. Tools that prevent unauthorized activity and enforce security policy can eliminate risk at its source, but also, don’t forget to apply insider intelligence that evaluates both internal and external information.
