September 11, 2009 - Eric M. Fiterman

While there are many reasons a trusted insider may commit treason or fraud, financial duress has been cited as a root cause of many significant and noteworthy cases of espionage and insider fraud in recent memory. Considering the lackluster economic situation today, it's likely that the economy is creating incentives for employees to take significant risks.

Take, for instance, former FBI Agent Robert Hanssen and French futures trader Jerome Kerviel: two figures who are poster boys for insider threat in the intelligence and financial industries, respectively. In addition to their common financial objectives, these men shared another very important characteristic: they both had a tendency to go 'outside of the lines' in terms of normal computer use.

People are pretty good at noticing things that just don't seem right. ... Often the best detection sensors are your employees.

Often touting himself as a computer security expert, Hanssen's indictment tells the story of an individual who repeatedly crossed the boundaries of permitted and expected computer activity. In fact, his peculiar behavior is believed to have been an important component of the FBI's preliminary inquiry into Hanssen's activities, ultimately leading to his arrest for committing espionage against the United States.

Similarly, Kerviel initiated massive fraudulent and unauthorized transactions that caused billions of dollars in losses, resulting in the second largest banking fraud in history (second only to Bernard Madoff). Kerviel used his authority and knowledge of internal financial controls, reporting timeframes and control thresholds to avoid and evade detection. On several occasions, Kerviel's trading activity raised eyebrows, but he was able to recognize these warning signals and adapted by executing transactions using less visible means.

The insider threat problem is a difficult issue to address. How do you monitor and detect the misappropriation of information by vetted and trusted personnel who are trying to do their jobs? Here are four approaches:

1. Resist the impulse to collect everything in the hopes of finding the needle in the haystack. This approach only compounds the problem by creating an audit data stockpile that is difficult to search, manage and prioritize. Security staff wind up overwhelmed, chasing low priority leads while potentially more damaging activity goes undetected. Failure to properly mine the data also presents a tremendous liability - regulatory bodies, trustees and investors expect that authorities are good stewards of information and are vigilantly auditing data when collected. Failure to review and adjudicate this information in a timely manner will make the collecting organization appear negligent.


2. Avoid "one size fits all" technical implementations and approaches. Insider threat detection requires an intimate knowledge of internal processes and a deliberate and well-planned strategy for detecting anomalies. This is a highly tailored process that fits into your technical architecture and business processes. Consider configuration management, for example. Your solution will need to be tightly coupled to configuration management processes in order to reduce false positives - the types of which will be raised if the IT department changes the system baseline without notifying your team.


3. Integrate human capital into your strategy. People are pretty good at noticing things that just don't seem right. In Kerviel's and Hanssen's cases, their co-workers knew something was amiss. Good employees tend to trust the intentions and motivations of their co-workers, and without the proper training or a clear protocol on how to address their concerns, observations will be dismissed. Often the best detection sensors are your employees.


4. Protect your investment. The internal signatures, configuration and thresholds used to architect your implementation are high-value information to an insider. Kerviel and Hanssen were able to manipulate the internal workings of their organizations because they knew the boundaries, limitations and incident response protocol.

The lesson: formulas and methodologies must be closely guarded information. This is one area where the principle of security by obscurity holds true.

Eric M. Fiterman is a former FBI special agent and founder of Methodvue, a consultancy that provides cybersecurity and computer forensics services to the federal government and private businesses.