Mitigating Insider Security Threats

By | January 19, 2018
Insider Security Threats Mitigation

Threats from within an organization.

Insider security threats are the most significant threat to today’s information systems. Insiders often have elevated access within an organizations information systems which often gives them a level of authorized access that can cause a lot of damage if misused intentionally, or unintentionally.

In the SANS Reading Room article; Insider Threat Mitigation Guidance, Balakrishnan & Northcutt explain that mitigating insider threats is often a complex procedure that requires meticulous planning.  Organizations should tailor their approach to ensure that mitigation techniques meet the organizations unique needs.

Balakrishnan & Northcutt lay out a 13 step Insider Threat Mitigation Program (ITMP) road map developed by the Intelligence and National Security Alliance (INSA) as a framework for identifying and mitigating insider threats. This framework maps insider threats to mitigation controls published by the Community Emergency Response Team (CERT), and the National Institute of Standards and Technology (NIST) threat programs and best practices. The ITMP framework steps are as follows

Step 1: Initial Planning. CERT Program components include; establish insider threat program and framework, implement planning, and formalize the program. CERT best practices used are a formalized insider threat program, and asset identification and control. NIST best practices are asset management.

Step 2:  Identify stakeholders. CERT practice is to identify all areas of the business affected.

Step 3:  Leadership buy-in.

Step 4:  Risk Management. CERT program components are enterprise risk management integration. Best practices include considering all insider threats enterprise-wide, and identifying a risk management program.

Step 5:  Detailed project planning.

Step 6:  Develop Governance Structure, Policy, and Procedures. Program CERT components are Policies, Procedures, and Practices, and protection of employee civil liberties and rights. Best practices include:

  • Document and consistently enforce policies
  • A hiring process that screens employees for disruptive behavior
  • Anticipate and manage negative issues in the work environment
  • Implement and enforce strict password and management policies
  • Enforce principles of separation of duties and least privilege
  • Explicit Service Level Agreements (SLA)’s for all vendors and cloud services
  • Stringent access controls
  • Institutionalize system changes
  • Comprehensive employee termination procedures
  • Stringently monitoring social media content

Step 7:  Communication training and awareness. Components are training and awareness, and communicating insider threats. Best practices include insider threat and awareness training, and communication response.

Step 8:  Develop detection methods. Components are prevention, detection, and response. Best practices include establish baselines, monitor and close data exfiltration holes, monitor and detect anomaly events.

Step 9:  Data and tool requirements. Components are data collection and analysis. Best practices include Security Information Event Management (SIEM) that encompasses logging and auditing of systems, and protecting access controls and auditing technology.

Step 10:  Data fusion. Component is data collection and analysis.

Step 11:  Analysis and incident management. Components are incident response and reporting. Best practices include response and mitigation analysis.

Step 12:  Management reporting. Components are program compliance and effectiveness oversight.

Step 13:  Feedback and lessons learned. Best practices include recovery planning, improvements, and communications.


Overall it is widely recognized that insider threats are the most prevalent and damaging which is line with what both Johnson (2015), and Balakrishnan &Northcutt (2015), have examined and supported. Organizations spend great amounts of money on technical controls such as firewalls, Intrusion Detection (IDS) systems, and anti-malware, but these controls lose much of there benefit when uneducated or careless users click on a phishing email links or exhibit other risky behaviours. Other technical controls can limit the damage, but an organization can still find itself spending a lot of time repairing damage caused by insider threats.



Balakrishnan, B., & Northcutt, S. (2015, October 06). Insider Threat Mitigation Guidance, GIAC  GLEG Gold Paper. Retrieved August 25, 2017, from

Johnson, R. (2015). Security Policies and Implementation Issues (2nd ed.). Burlington, MA: Jones & Bartlett Learning.

Leave a Reply

Your email address will not be published. Required fields are marked *