Archiving and Compliance

Defend a New Front Line: Insider Threat Investigations

Share with your network!

Properly investigating insider threats can put a significant strain on a security team. It’s a resource-intensive process, from conducting manual research around each threat to building evidence. And the challenges that stem from an ad-hoc approach to insider threat investigations are due, perhaps ironically, to how an organization approaches cybersecurity. 

Traditionally, organizations have relied on perimeter-based security strategies as a starting point for most cybersecurity programs. But this approach is limiting. Using a patchwork of disparate tools and manual handiwork still leaves security teams with blind spots when investigating incidents caused by insider threats. 

For this reason, the investigation phase was the fastest-growing cost center within insider threat management (ITM) programs, rising 86% from 2018 to 2020, according to research from Ponemon Institute.

Let’s take a look at the difference between an ad-hoc, manual approach to insider threat investigations compared to a proactive approach that uses an ITM solution.

An ad-hoc insider threat investigation

An ad-hoc insider threat investigation kicks off with an alert that notifies the security team that an incident has happened. Security teams can receive hundreds of alerts every day, so even though the investigation process can help determine if the threat is authentic or a false alarm, it requires a manual determination. 

To investigate an incident, a security team must manually sift through logs to gather enough information to create context around the event. That includes answering questions like:

  • What systems were affected? 
  • When did the potential incident take place? 
  • What other suspicious user activity has occurred within the time frame of this incident?

Perhaps the most challenging aspect of an ad-hoc insider threat investigation is determining the “why” behind a users’ negligent or malicious actions. Without context, security teams can only use the history stored in user activity logs to build their evidence. And most security teams will agree that evidence can be hard to provide when you only have logs to work with. 

Ad-hoc investigations are clearly inefficient, high-risk and not suited for in-depth investigations. However, investing in tools that are purpose-built for ITM can make investigations more detailed, accurate and efficient. That’s the primary differentiator when comparing a proactive insider threat investigation to an ad-hoc insider threat investigation.

A proactive insider threat investigation 

A proactive insider threat investigation fueled by a modern ITM platform that uses a people-centric approach can take the guessing game out of investigations. 


Figure 1. Insider threat investigation

Integrating user behavior analytics and proactive evidence collection provides greater visibility and understanding into the context around an alert. This approach allows organizations to monitor the behavior of their riskiest users more efficiently. They can also more effectively gather intelligence to determine if certain user behavior is validated. 

If user behavior isn’t validated, the security team is equipped to swiftly compile evidence to create a report that provides irrefutable evidence and visual replay. They can then share the report easily with relevant stakeholders to help inform decision-making about the next steps.

Using an ITM platform removes the need for manual work to gather information around insider threat alerts. The result is a more efficient and accurate investigation process. 

Organizations that invest in this proactive approach give themselves a clear advantage to reduce the risk of insider threats by increasing the mean time to detect (MTTD) and the mean time to respond (MTTR) to insider threat incidents. 

The impact of people-centric security on insider threat investigations

people-centric security strategy improves an organization’s ability to gather crucial intelligence without the inefficient, manual reviews of data logs. With less time spent manually reviewing data logs and formalizing evidence, organizations can respond to incidents faster and mitigate the potential damage of an insider threat.

From the alert stage to the response, security teams backed by a proactive, people-centric security solution like Proofpoint ITM are well-equipped to defend against modern insider threats.

Learn more about inside threat investigations

Get a deeper understanding of insider threat investigations by downloading the Proofpoint e-book, The Anatomy of an Insider Threat Investigation. Or download our on-demand webinar, “Defend a New Front Line: Insider Threat Investigations.”