Carahsoft, in conjunction with its vendor partners, sponsors hundreds of events each year, ranging from webcasts and tradeshows to executive roundtables and technology forums.
The phrase “insider threat” often evokes not only headaches, but the mental image of a disgruntled coworker scheming on how best to bring an organization to a grinding halt. While this is absolutely an example of an insider threat, there is way more to an insider threat program than looking for web searches on “how to steal money from my employer like they did in Office Space and/or Superman 3.”
In this session, engineers from Splunk reviewed the categories of insider threat, including negligent, accidental, and intentional insider threats, and more. Additionally, the session covered strategies for moving beyond monitoring for outright malicious “bad behavior” to finding malicious instances of “good behavior.” No conversation about an insider threat program would be complete without a discussion of anomaly detection, but part of that discussion needs to be about the fact that anomaly detection is not right for every organization. The Splunk team talked about when anomaly detection delivers and when there are other places to focus on first. The session contained both concepts and practical advice for all, whether Splunk users or not. However, attendees got to see examples illustrated in the Splunk product suite, from Splunk Enterprise and the freely available Security Essentials to Enterprise Security and User Behavior Analytics.
The benefits from early and timely detection of advanced and insider threats
Detecting malicious activity within and across the cyber kill chain
Detecting anomalous activity with advanced statistical analysis and machine learning
Gaining additional context to investigations by leveraging machine learning
Optimizing investigations, responding to threats, and increasing operational efficiency
Leveraging 3rd party tools for threat management