Insider Threat

Our Insider Threat team is staffed with subject matter experts, well versed in E.O. 13587 and National Insider Threat directives. We are experienced in building out insider threat analytic and response capabilities to manually and electronically gather, integrate, review, analyze and respond to information derived from User Activity Monitoring (UAM) tools, network scanning, network and host based audit logs and IDS, SIEM systems, Counter-Intelligence, Information Assurance, Human Resources, Personnel Security, Law Enforcement, Physical badge records and other sources as necessary and made available.

Team Planning
Policy / Governance:

Secured Cyber has certified experts with knowledge and experience in the US Federal Government Insider Threat regulations and compliance frameworks. This includes the development of Agency-specific policies in accordance with applicable Federal / Agency governance such as:

  • Executive Order 13587 -- Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information
  • The National Insider Threat Policy and The National Insider Threat Task Force (NITTF) published Minimum standards for Executive Branch Insider Threat Programs.
  • DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) conforming change 2, outlines the Insider Threat Program requirements for Industry.
  • Department of Defense Directive (DoDD) 5205.16, DoD Insider Threat Program
  • CNSSI 1015, Enterprise Audit Management Instruction for National Security Systems (NSS)
  • ICS 500-27, Enterprise Audit

Insider Threat

HUB Development & Operations:

Our personnel have hands-on experience with the selection of key information relevant to Insider Threat HUB Operations. This consists of databases and files to include, but not limited to, counterintelligence reports, personnel security information, financial disclosure records, host/network access and audit logs, and human resources records. We will communicate and report Insider Threat Indicators and case related information immediately with the appropriate stakeholders and work with data owners and administrators to normalize the disparate inbound data sources (Extracted Loaded & Transformed (ELT)) to ensure attribution to a personal and/or physical entity in order to efficiently fuse all data sets to include unclassified and classified systems.

User Activity Monitoring Deployment & Operations:

We have advanced training and experience in two of the most well-known User Activity Monitoring (UAM) tools: Raytheon's InnerView/SureView and Digital Guardian. We are well versed in the initial deployment, policy & rule development and advanced tuning. Existing tools will be used, to their furthest legal and technical extent, to support the identification of anomalous and/or inappropriate behavior, whether intentional or unintentional.