Best Practices for Mitigating and Investigating Insider Threats


Eliminating the possibility of an insider threat is nearly impossible. However, some strategies, widely considered insider threat best practices by the cybersecurity community, help minimize the chances of insider threats materializing through mitigation and investigation. Mitigating insider threats focuses on putting systems into place that thwart malicious and unintentional insider threats to data. Insider threat investigations, by contrast, deal with identifying possible risks, digging into the user behaviors behind those risks, and assessing whether or not a given finding is a vulnerability indicative of potential data loss. The goal of this two-pronged approach is to prevent insider threats altogether and to create processes that close the security loopholes that allow insider threats to materialize.

Sometimes, ironically, an identified and controlled threat is the catalyst for better cybersecurity!

Best Practices for Mitigating Insider Threats

These types of proactive practices can help companies to get the ball rolling when they’re encountering an emerging threat inside of their network.

Use the CISA Framework

CISA uses a framework involving these elements: detect – identify – assess – manage.

The full phase set is also referred to as “Identify – Protect – Detect – Respond – Recover” but regardless of the semantics, the same core concepts apply.

The agency itself contends that this framework helps to provide “a common language” for cybersecurity risk, and a way for companies to circle the wagons against black hat attackers.

Using goals like assessing programs and “communicating cybersecurity posture,” companies can take advantage of the CISA framework, which works off of NIST guidelines and established standards, to help keep things secure and under lock and key.

Coordinate Cybersecurity and HR Departments

The idea of coordinating cybersecurity with HR goes along with the grim realization that in IT systems, people are often the weakest link.

Some of this work involves identifying skills gaps and addressing them. Comprehensive training will often be more effective if cybersecurity teams and HR people work together.

Isolate Threats with Segmentation

As cybersecurity experts saw hackers break into wide-open networks protected only by perimeter tools like firewalls, they came up with the notion of network segmentation, which puts up more gates for network traffic of various kinds.

Think of the segmented network area as a vestibule with better isolation and gatekeeping. Browser isolation is one component of this – not having the core of the network systems hooked up directly to the Internet with nothing in between. Other segmentation makes sense when confronting the difference between various workflows and data assets.

Put Together a Task Force

Another common idea that serves companies well is to create a department or team that focuses solely on cybersecurity and insider threat prevention.

These key job roles will be the stewards of cybersecurity practice information and planning systems. They will be the go-to provider for C-level inquiries or any other questions about what the company is doing, and why.

Institute Risk-Reducing Controls

Risk-reducing controls can be instituted in many ways. In practice it means looking more critically at how traffic and data move through the network and managing those paths, or micromanaging them, in a more hands-on way.

“Leaders must identify and focus on the elements of cyberrisk (sic) to target,” writes a security team at McKinsey and Company. “More specifically, the many components of cyberrisk must be understood and prioritized for enterprise cybersecurity efforts. While this approach to cybersecurity is complex, best practices for achieving it are emerging.”

Plan For the Frequency of Reviews or Controls

Cybersecurity teams can take both the control process and the review process and make them structured periodic practices that will help show more about company progress over a given timeline. This might involve taking a look at patches and version upgrades and everything else that enhances network security and keeps things closer to a desired state.

Communicate Policy Well

One of the best people-centered objectives is to make sure the policies are communicated all of the way through a company or institution. This is one area where human resources comes in handy – training should be universal, and onboarding should be consistent. People at all levels should be tested and asked about their cybersecurity awareness in order to create a culture of success.

Respond Quickly

Quick responses to insider threats and cyberattacks reduce the dwell time of a harmful element in a system.

As the insider threat dwells inside the system undetected and uncontrolled, it does its damage. So by that token, being able to quickly shut down the threat will decrease its impact on company systems.

Understand Users

This is a two-part cybersecurity practice. The first component deals with identity and access management (IAM) systems. That means giving people only the access they need, setting up tiers of user status, micromanaging each identity account, and decommissioning accounts when people leave. The second involves specific types of analytics, described below.

Entity Behavior Analytics

This type of analysis is critically important in observing and stopping insider threats.

The idea behind UEBA is that through establishing a baseline and checking against that normal baseline, cybersecurity experts can spot suspicious behaviors that could constitute emerging insider threats. Having the deep-level behavioral analytics in hand provides those insights that professionals need to stay on top of cybersecurity risk.
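The baseline-and-deviation idea described above can be made concrete with a small script. The following is an added example, not code from the original post or from Teramind's products: it parses constructed activity log lines (the timestamp/user/action/resource format is an assumption), summarises each user's normal daily volume and after-hours activity into a baseline, and then scores a later window against that baseline. A day is flagged when its volume is more than three standard deviations above the user's mean, when after-hours activity exceeds anything seen in the baseline, or when the user has no baseline at all.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Hypothetical log format: "<date>T<HH>:<MM>:<SS> <user> <action> <resource>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T(?P<hour>\d{2}):\d{2}:\d{2} "
    r"(?P<user>\S+) (?P<action>\S+) (?P<resource>\S+)$"
)


def make_lines(day, user, hours, action="file_read", resource="share/report.xlsx"):
    """Build constructed log lines for one user on one day (sample data only)."""
    return [f"{day}T{h:02d}:00:00 {user} {action} {resource}" for h in hours]


# Constructed baseline window: one working week of ordinary activity.
BASELINE_LINES = (
    make_lines("2024-03-04", "alice", [9, 11, 14])
    + make_lines("2024-03-05", "alice", [9, 10, 13, 16])
    + make_lines("2024-03-06", "alice", [8, 9, 11, 14, 16])
    + make_lines("2024-03-07", "alice", [9, 12, 15, 17])
    + make_lines("2024-03-08", "alice", [10, 11, 14, 16])
    + make_lines("2024-03-04", "bob", [9, 15])
    + make_lines("2024-03-05", "bob", [10, 16])
    + make_lines("2024-03-06", "bob", [9, 11, 15])
    + make_lines("2024-03-07", "bob", [13, 17])
    + make_lines("2024-03-08", "bob", [9, 14])
)

# Constructed observation window: alice bursts late at night, carol is unknown.
OBSERVED_LINES = (
    make_lines("2024-03-11", "alice", [9, 11, 14, 20, 21, 21, 22, 22, 22, 23, 23, 23])
    + make_lines("2024-03-11", "bob", [9, 12, 15])
    + make_lines("2024-03-11", "carol", [10])
)


def parse(lines):
    """Yield (user, day, hour) for each well-formed line; malformed lines are skipped."""
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["user"], m["day"], int(m["hour"])


def daily_features(events):
    """Per (user, day): [total events, after-hours events]; after-hours is before 07:00 or from 19:00."""
    feats = defaultdict(lambda: [0, 0])
    for user, day, hour in events:
        feats[(user, day)][0] += 1
        if hour < 7 or hour >= 19:
            feats[(user, day)][1] += 1
    return feats


def build_baseline(lines):
    """Summarise each user's normal day: mean/stdev of daily volume and the max after-hours count."""
    per_user = defaultdict(lambda: {"totals": [], "after_hours": []})
    for (user, _day), (total, after) in daily_features(parse(lines)).items():
        per_user[user]["totals"].append(total)
        per_user[user]["after_hours"].append(after)
    baseline = {}
    for user, d in per_user.items():
        baseline[user] = {
            "mean": mean(d["totals"]),
            # Floor the spread at 1 event so a very flat history does not turn a +1 day into an alert.
            "stdev": max(pstdev(d["totals"]), 1.0),
            "max_after_hours": max(d["after_hours"]),
        }
    return baseline


def score(lines, baseline, z_threshold=3.0):
    """Return (user, day, reason) alerts for days that deviate from the user's baseline."""
    alerts = []
    for (user, day), (total, after) in sorted(daily_features(parse(lines)).items()):
        b = baseline.get(user)
        if b is None:
            alerts.append((user, day, "no baseline for user"))
            continue
        z = (total - b["mean"]) / b["stdev"]
        if z > z_threshold:
            alerts.append((user, day, f"volume z={z:.1f}"))
        if after > b["max_after_hours"]:
            alerts.append((user, day, f"after-hours events {after} > baseline max {b['max_after_hours']}"))
    return alerts


if __name__ == "__main__":
    for alert in score(OBSERVED_LINES, build_baseline(BASELINE_LINES)):
        print(alert)
```

On the constructed data this flags alice's night-time burst twice (volume and after-hours) and reports carol as having no baseline, while bob's ordinary day passes. Two design points carry over to real deployments: the standard-deviation floor keeps users with very regular histories from generating noise, and "no baseline" is surfaced as its own finding rather than silently scored as zero, because a brand-new or dormant account is exactly the kind of identity an investigator wants to look at.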

Best Practices For Investigating Insider Threats

Investigation is important, too. By looking into threats, companies get smarter on how to guard systems. Here are some of the ways that companies can learn more about what’s threatening their networks.

Use Web Browser Forensics and Other Data Forensics Methods

One of the best ways to understand emerging insider threats (and those that have already happened) is to refine how security pros collect data about network activity.

For example, new types of video screen recordings of user sessions are bringing powerful analysis capabilities to cybersecurity and insider threat detection and control.

The web browser is a good example, because it’s part of the average user’s desktop experience. Someone’s sitting using a computer for company purposes, and security pros want to know what they’re doing, and what’s happening on their desktop.

But real-time user session recording goes far beyond the browser into anything else that’s part of the visual operating system on a computer device.

As an excellent companion to robust mobile device management, the video screen recordings show observers exactly what’s happening in real time. So when, for example, someone has their desktop hijacked remotely, it will be easy to see exactly how this happened, to aid with data forensics as people do investigation and mitigation.

Identify the Attackers

This strategy essentially ‘unmasks’ the perpetrators by pinpointing which users and related parties were behind the network activity that caused or assisted the insider threat.

If cybersecurity pros at the company or on consulting teams can see that a certain user’s desktop was used to generate the attack, and how that person communicated with outside agents, that can be part of solutions for either a malicious insider attack, or a recruitment or negligence attack.

Was it vendors, employees, or someone else? Knowing who the culprit is helps to put the whole narrative together, and reveals a lot about how the whole thing happened in the first place.

Conduct Autopsies of Systems

With the above approaches to data forensics and user identification, companies can do a post-mortem on an insider threat that gives them absolute transparency and visibility.

In fact, a complementary technology called optical character recognition (OCR) goes a step further than even the robust video screen recordings mentioned above.

Imagine security teams looking through these video user sessions and being able to search for text on the desktop as it appears. This is several steps ahead in the security game! OCR means that human investigators can search for insider threat clues by keyword, giving them unprecedented insight into digital activity that would otherwise happen ‘in the dark.’

Assess Groups of Users

Another way to fine-tune cybersecurity is to always be assessing different groups of users, and looking for ways to harden systems against attack by limiting permissions and user capabilities.

Vendors like Google and Amazon have these types of systems in place. They allow clients to work with elements like ‘access groups’ and ‘roles’ to determine whether a particular set of users is problematic or may cause a problem.
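The IAM practice above (least privilege, tiered roles, decommissioning leavers) and this section's group-by-group assessment both come down to the same review: compare what each group and account is granted with what is actually exercised. The following is an added example, not code from the original post, from Teramind, or from any vendor's access-management product: it takes constructed role definitions, group membership, direct grants, an HR roster and a window of observed permission use (all hypothetical), and reports accounts that should have been decommissioned, role permissions no active member used, and direct grants left unused.

```python
from collections import defaultdict

# Constructed role definitions: role -> permissions it confers.
ROLES = {
    "analyst": {"reports:read", "dashboards:read"},
    "finance": {"reports:read", "ledger:read", "ledger:write", "payroll:export"},
    "admin": {"users:manage", "reports:read", "ledger:read"},
}

# Constructed group membership: user -> roles held.
MEMBERSHIP = {
    "alice": {"finance"},
    "bob": {"finance"},
    "carol": {"analyst"},
    "dave": {"admin", "finance"},
    "erin": {"analyst"},
}

# Constructed one-off grants made outside any role.
DIRECT_GRANTS = {"carol": {"payroll:export"}}

# Constructed HR roster: bob has left but still holds a role.
HR_STATUS = {"alice": "active", "bob": "terminated", "carol": "active",
             "dave": "active", "erin": "active"}

# Constructed usage window: (user, permission) pairs actually exercised.
USAGE = [
    ("alice", "ledger:read"), ("alice", "ledger:write"), ("alice", "reports:read"),
    ("dave", "users:manage"), ("dave", "ledger:read"),
    ("carol", "reports:read"), ("carol", "dashboards:read"),
    ("erin", "reports:read"),
]


def effective_permissions(user, roles=ROLES, membership=MEMBERSHIP, grants=DIRECT_GRANTS):
    """Union of everything a user's roles confer plus any direct grants."""
    perms = set(grants.get(user, set()))
    for role in membership.get(user, set()):
        perms |= roles.get(role, set())
    return perms


def review(roles=ROLES, membership=MEMBERSHIP, grants=DIRECT_GRANTS,
           hr=HR_STATUS, usage=USAGE):
    """Least-privilege review over one usage window.

    Returns three findings: accounts still holding access after leaving,
    role permissions that no active member exercised (candidates for
    removal from the role), and direct grants the holder never used.
    """
    used = defaultdict(set)
    for user, perm in usage:
        used[user].add(perm)

    active = {u for u, status in hr.items() if status == "active"}
    holders = set(membership) | set(grants)
    orphaned = sorted(holders - active)  # decommissioning gaps

    unused_role_perms = {}
    for role, perms in roles.items():
        # Only active members count; a leaver's silence says nothing about the role.
        members = {u for u, rs in membership.items() if role in rs and u in active}
        exercised = set().union(*(used[u] for u in members))
        unused = sorted(perms - exercised)
        if unused:
            unused_role_perms[role] = unused

    unused_direct = {}
    for user, perms in grants.items():
        if user in active:
            unused = sorted(perms - used[user])
            if unused:
                unused_direct[user] = unused

    return {
        "orphaned_accounts": orphaned,
        "unused_role_permissions": unused_role_perms,
        "unused_direct_grants": unused_direct,
    }


if __name__ == "__main__":
    for finding, detail in review().items():
        print(f"{finding}: {detail}")
```

On the constructed data the review surfaces bob's lingering finance role, shows that nobody in finance exported payroll and no admin read reports during the window, and flags carol's out-of-role payroll:export grant as unused. Each finding maps to a concrete tightening action (disable the account, trim the role, revoke the grant), which is the practical output a group-level assessment should produce.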

Don’t Neglect Proper Reporting

There are also reporting standards for insider threats. Federal agencies have their own insider threat programs to report to. Experts suggest that people not connected to government systems should notify their local law enforcement, or the FBI.

The reporting does more than just put others on notice – it provides more visibility into what’s happening and may end up helping security leadership chase down new leads and techniques.

Rely on Pre-Existing Cybersecurity Structure for Investigations

This best practice has to do with what companies should have in place before an insider threat emerges.

In the mitigation section, we talked about setting up a task force – key people who are knowledgeable and hold the responsibility for securing data assets. When these teams are in place, another way to investigate insider threats efficiently is to lean on these people and these teams for support. When the task force is already using NIST standards and CISA recommendations – the firm is another step ahead.

Count and Identify Data Assets

You have a better idea of how things went wrong when you know what’s being protected. Sometimes a chief data officer will be responsible for this type of security. There may be a data catalog that includes metadata about each kind of business data set, and helps to assess its vulnerabilities. In general, these people who are involved in enumerating the data sets could be called ‘stewards’ or data governance professionals.

Beyond their mitigation role, some of the analytics and behavior monitoring tools above also have value for investigators. When you can mine information through videos of user sessions and pinpoint terminology and topic content through OCR keywords, doing the detective work becomes a lot simpler in many cases.

Using UEBA: Insider Threats

The initial user behavior analytics have their own value, but companies offering comprehensive security services take it a step further to cover both users and endpoints. Teramind’s site resources show how this type of refined data, captured by proprietary tools, drives deep insight.

Get Buy-In for Advanced Analysis and Investigation Resources

One of the biggest challenges for robust investigation of insider threats and cyberattacks is the process of getting buy-in from top stakeholders, in order to put all of this neat new security technology in place.

This article from Proofpoint shows how security is often seen as a “cost center” for business, and encourages responsible people to be able to demonstrate why leadership should adopt different kinds of cyberthreat investigation methods that come with a cost.


Preventing insider threats is no easy task. These methods, however, provide a strong foundation for organizations to create a strategy that focuses on preventing insider threats. Organizations can save themselves enormous sums of money that would have been lost to repeated vulnerabilities associated with IT challenges.
