A New Approach Dealing with Insider Threat

Insider Threat Detection On Computer Systems and Networks

Perimeter-based security has become less meaningful over time as remote work has become more common. Therefore, when we design a risk management plan, security for a “perimeter-less” workplace should be considered. In addition to securing devices and networks, managing insiders’ interaction with data and information has become a priority.

In this new approach, four objectives should be emphasized: Awareness, Understanding, Visibility, and Protection.


In terms of awareness, we should know the insider population and provide them with appropriate training on how to protect assets. Moreover, transparency and accountability are necessary, so that aberrant behaviors can be identified and mitigated according to established workflows.

Traditionally, the insider population means the people with physical access to corporate offices and workflows. In the perimeter-less workplace, the insider population has to be redefined from a virtual-access standpoint. Unlike in the traditional workplace, training should emphasize how to handle information properly outside of the office, how to access corporate information properly, and how to share files properly.


In terms of understanding, we should prioritize identified critical assets based on their impact, so that we can develop the processes and procedures of a risk management framework around the asset workflows.

In the traditional workplace, the corporation’s devices, networks, and physical locations are the “asset holders”; in the perimeter-less workplace, the insider is the “asset holder”, because assets are stored on personal devices, USB drives, file-sharing sites, and in home offices. Consequently, threats and vulnerabilities may exist outside of the corporate environment. Because of home offices, the possible “asset holders” now include personal computers, tablets, phones, removable media, and some IoT devices.


In terms of visibility, we should monitor insiders’ access to, and interactions with, corporate assets and other identified assets, and then analyze their behaviors and logs in order to identify the risks.

Beyond corporate-owned devices and networks and behavior inside the corporate facility, visibility should be extended to personal devices and to behavior outside the corporate facility, including open-source data sources, so that we can see where a data asset goes once it leaves the corporate network. In this case, it is necessary to restrict use to specific devices, or to use enterprise mobility management tools, so that the data is not exposed to monitoring by outsiders.
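The visibility objective above amounts to collecting access events from wherever the asset is handled and reviewing them against a few risk conditions. The following is an added example, not code from the original article or from LIFARS: it parses a constructed access log (the pipe-separated format, the field names, the classification labels, the 100 MiB bulk threshold and the 07:00–19:59 working-hours window are all assumptions made for the illustration), flags events that a reviewer would want to look at, and reports where each confidential asset has been seen, which is the “where does the data go” question the paragraph raises.

```python
"""Added example: review constructed insider access logs for risk conditions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real system). Field order:
# timestamp|user|device_managed(yes/no)|location|asset|classification|action|bytes
SAMPLE_LOG = """\
2024-03-04T09:12:00|alice|yes|office|q1-forecast.xlsx|confidential|read|20480
2024-03-04T10:40:00|alice|yes|home|q1-forecast.xlsx|confidential|read|20480
2024-03-05T22:15:00|alice|no|home|customer-list.csv|confidential|share|5242880
2024-03-05T11:05:00|bob|yes|office|handbook.pdf|public|read|1048576
2024-03-06T02:30:00|bob|yes|unknown|source-archive.zip|confidential|download|734003200
"""

WORK_HOURS = range(7, 20)          # assumed: 07:00-19:59 is normal working time
BULK_BYTES = 100 * 1024 * 1024     # assumed: 100 MiB counts as bulk data movement


def parse_log(text):
    """Turn the pipe-separated lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, managed, loc, asset, cls, action, nbytes = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "managed": managed == "yes",
            "location": loc,
            "asset": asset,
            "classification": cls,
            "action": action,
            "bytes": int(nbytes),
        })
    return events


def risk_findings(events):
    """Return (user, asset, reason) tuples for events that deserve review.
    The rules are illustrative; they are not a product's detection content."""
    findings = []
    for e in events:
        reasons = []
        confidential = e["classification"] == "confidential"
        if confidential and not e["managed"]:
            reasons.append("confidential asset accessed from unmanaged device")
        if (confidential and e["action"] in ("share", "download")
                and e["time"].hour not in WORK_HOURS):
            reasons.append("confidential asset moved outside working hours")
        if e["bytes"] >= BULK_BYTES:
            reasons.append("bulk data movement")
        if confidential and e["location"] == "unknown":
            reasons.append("confidential access from unknown location")
        for reason in reasons:
            findings.append((e["user"], e["asset"], reason))
    return findings


def asset_locations(events):
    """Map each confidential asset to the locations it was handled from,
    i.e. where the data asset went once it left the corporate network."""
    seen = defaultdict(set)
    for e in events:
        if e["classification"] == "confidential":
            seen[e["asset"]].add(e["location"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, asset, reason in risk_findings(evs):
        print(f"{user:6} {asset:22} {reason}")
    for asset, locs in asset_locations(evs).items():
        print(f"{asset:22} seen at: {', '.join(sorted(locs))}")
```

Running the script lists five findings: two for the unmanaged, after-hours share of the customer list and three for the large download from an unknown location at 02:30. Ordinary reads of the forecast from the office and from home raise nothing, which is the intended balance: the home office is a legitimate asset holder, and only the combination of classification, device state, time and volume marks an event for review.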


In terms of protection, we should apply security controls to both digital and physical assets, such as information and personnel, so that assets remain protected no matter where they are accessed, used, transmitted, stored, or located.

Where the traditional workplace relies on controls at the device and the human endpoint, the perimeter-less workplace requires persistent, data-centric encryption that goes beyond the endpoint. In other words, encryption of digital assets should not depend on the source application, the file format, or the device operating system. In such a perimeter-less workplace, three primary requirements are the keys to applying protection: persistence, top-down policy enforcement, and data-centric encryption.

According to Shawn M. Thompson from CSO,

“A perimeter-less workplace requires an adaptation and tailoring of traditional risk management methods.”
