What tools do you use for insider threat detection?

3.3k views, 17 Comments

Senior Director, Technology Solutions and Analytics in Telecommunication, 51 - 200 employees
There are a variety of tools available for insider threat detection. Some common tools include data leak prevention (DLP) tools, user activity monitoring (UAM) tools, and security information and event management (SIEM) tools. DLP tools help to prevent sensitive data from being leaked by identifying and blocking unauthorized attempts to copy or transfer data. UAM tools monitor user activity to identify anomalous behavior that could indicate an insider threat. SIEM tools provide a centralized platform for monitoring and managing security events. By using a combination of these tools, organizations can more effectively detect and respond to insider threats.
CISO in Software, 10,001+ employees
I agree with Nathan Hart's response on the different tools and techniques he described.

Director, Information Security Engineering and Operations in Manufacturing, 5,001 - 10,000 employees
A combination of tools from Microsoft, mostly.
Director of Information Security in Energy and Utilities, 1,001 - 5,000 employees
We currently use the Microsoft Insider Risk Management tool. Works well enough for us if you are a Microsoft shop. Otherwise I've heard good things about Code42.
Director of Tech and Cyber Strategy in Finance (non-banking), 1,001 - 5,000 employees
SIEM with UEBA as well as DLP as automated tools. We also perform manual audits using the logs from our PAM system.
CISO in Healthcare and Biotech, 2 - 10 employees
I find that there are three useful categories of tools around insider threat. First, UMBA, followed by CASB and then PAM. Some NBA tools like Darktrace will allow you to tag someone of interest, but be very clear to get management and HR support first.

Some tools have labeled themselves as insider threat detection; beware. Make sure to differentiate between malicious intent and honest mistakes. The first is a walk out the door while the second is a coaching exercise. Assume positive intent.
Senior Director of IT in Software, 10,001+ employees
MS DLP with custom home-made solutions.
CISO in Software, 201 - 500 employees
There are 3 aspects to insider threat mitigation: awareness, prevention and detection. Awareness tools include user education, training videos and rewards for reporting security incidents. Prevention mechanisms include DLP, Privileged Access Management (least privilege) and endpoint controls (endpoint management solutions). Detection mechanisms include SIEM log monitoring, Incident Response tools and processes (XDR), and endpoint protection tools.
Head, Information Security and Compliance in Finance (non-banking), 1,001 - 5,000 employees
We would prefer to use the tool or a service that includes alerts to draw the attention of technicians. The most effective counter to the Insider Threat is to monitor user behavior in real-time to predict and detect abnormal user behavior associated with potential sabotage, data theft or misuse. We use Splunk SOAR for threat detection.
CISO in Software, 201 - 500 employees
It's a combination of technical and administrative safeguards:
- DLP tools/program which can detect both a malicious insider and an externally caused breach; these include extensive logging of access to APIs and SQL queries in the databases, restrictions on data exports, complete logging & semi-automated alerts on suspicious activity during privileged access, etc.
- Background checks / screenings prior to employment and repeated checks (every 3 years) for the most critical roles
- Code reviews / peer reviews / sign-offs on various tasks and activities
- Whistleblower protection program built into the Code of Conduct and well communicated to all employees
- Last but not least: informal oversight on the team level (we have relatively small teams where the engineers are well aware of each other), regular 1:1s between the employee and their line manager, a culture of open and honest communication.
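As an added example (not code from any of the commenters or from the products they name), the behavioural-baseline idea behind the UEBA and "semi-automated alerts on privileged access" answers above, run over a few constructed audit lines: each user's export volume is compared with that user's own prior baseline, and privileged sessions outside office hours are flagged. The log format, thresholds and user names are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit lines (not real data): ISO timestamp, user, action, bytes.
SAMPLE_LOG = """\
2024-03-04T10:12:00 alice export 12000
2024-03-05T11:03:00 alice export 15000
2024-03-06T09:45:00 alice export 11000
2024-03-07T10:30:00 alice export 14000
2024-03-08T23:40:00 alice export 900000
2024-03-04T14:00:00 bob priv_session 0
2024-03-05T15:10:00 bob priv_session 0
2024-03-09T02:15:00 bob priv_session 0
"""


def parse_log(text):
    """Parse whitespace-separated audit lines into (datetime, user, action, bytes)."""
    events = []
    for line in text.splitlines():
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return sorted(events)  # chronological, as a real-time pipeline would see them


def detect_anomalies(events, z_threshold=3.0, office_hours=(7, 20), min_history=3):
    """Return (user, iso_timestamp, reason) tuples for events an analyst should review.
    Detections: export volume far above the user's own earlier exports (z-score,
    baseline built only from events already seen), and privileged sessions
    outside office hours."""
    history = defaultdict(list)  # per-user prior export sizes
    findings = []
    for ts, user, action, nbytes in events:
        if action == "priv_session":
            if not office_hours[0] <= ts.hour < office_hours[1]:
                findings.append((user, ts.isoformat(), "privileged session outside office hours"))
        elif action == "export":
            prior = history[user]
            if len(prior) >= min_history:  # need a baseline before scoring
                mu, sd = mean(prior), pstdev(prior)
                z = (nbytes - mu) / sd if sd else (float("inf") if nbytes > mu else 0.0)
                if z > z_threshold:
                    findings.append((user, ts.isoformat(), f"export volume z={z:.1f} vs own baseline"))
            prior.append(nbytes)
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

In practice the same scoring would run per user and per resource over a SIEM or PAM export, with the flagged events routed to a reviewer rather than acted on automatically, in line with the "coaching exercise vs walk out the door" distinction above.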
