End User Monitoring Key To Neutralizing An Insider Threat



Governance, Risk Management, and Compliance (GRC) organizations are always concerned with violations of Acceptable Use Policies, in which members of the workforce use a network, website, or system to perform inappropriate actions. But insider threats can also result from legitimate work activities that are being done for illegitimate purposes.


For example, a customer service rep uses a CRM application to view or upload customer account details dozens of times per day, if not more. How does the GRC team know that information isn’t being stolen? Enterprises need to protect against both external and internal threats to maintain compliance with data privacy regulations.

Monitoring the App or Database Doesn’t Tell You about Individual User Behavior

Many organizations run monthly reports against an application’s master database to confirm its integrity and to track the volume and trends of queries. While this monitoring is useful, it doesn’t provide direct insight into what a single user may be doing. And because it lacks the ability to track an individual’s activities, it doesn’t enable GRC teams to proactively identify and investigate suspicious behavior.

Such was the case for one of my customers, a medium-sized insurance claims company with multiple departments using an internally developed CRM application for customer service. Not only is this application tied directly to revenue generation, but its database also holds all client account information.

The security team was confident that the app was extremely secure, well protected from both external and internal malicious code, but the GRC team suspected that employees might be harvesting sensitive customer information from the app just before they resigned from the company. Having this information would give them a competitive edge at their new company.

Identifying Anomalies in User Behavior

Aternity had been used by the insurance company’s IT Operations team as a key part of their monitoring strategy. The IT Ops team leveraged Aternity business activity analytics to monitor several time-sensitive business activities for conformance to expected SLA targets and to proactively identify and resolve problems with application performance before they impacted end users.

The IT Ops team recognized that they could identify anomalies in user behavior, because Aternity monitors both the response time and the volume of business activities performed by customer service agents, and stores the information historically.

To investigate the GRC team’s suspicion, IT used Aternity to monitor the volumes of key business activities performed by every user within the CRM application, such as Save Account, Create Account, Open Opportunity, and Search Account.

As the Activity report below shows, the Search Account activity was performed about 60% more frequently than any other activity.

The Search Account business activity is performed 60% more often than other activities

Validating an Insider Threat

Although the volume of Search Account activities was unusual, further investigation was needed to identify whether or not individual users were responsible, or if it was a general trend throughout the organization.

A drill-down report was generated for all of the Search Account queries performed by every user over an entire month. The report below shows the volumes by user, and clearly identifies five users whose search volume was five times the average of the next fifteen most active users.

Five users generated a volume of searches five times greater than their colleagues
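
The same drill-down can be run against any per-user activity log. The following is an added example, not Aternity's code or report logic; the (user, activity) record format, the constructed sample data, and the choice of a peer-median baseline with a 5x threshold are assumptions made for illustration.

```python
from collections import Counter
from statistics import median


def activity_totals(events):
    """Total count of each business activity across all users."""
    return Counter(activity for _user, activity in events)


def per_user_counts(events, activity):
    """Count how many times each user performed one activity."""
    return Counter(user for user, act in events if act == activity)


def flag_high_volume(counts, ratio=5.0):
    """Return users whose count is at least `ratio` times the peer median.

    The median is the baseline (an assumption of this example) because a
    handful of heavy users would inflate a mean and mask themselves.
    """
    if not counts:
        return []
    baseline = median(counts.values())
    if baseline <= 0:
        return []
    return sorted(u for u, n in counts.items() if n >= ratio * baseline)


def build_sample():
    """Constructed data: 20 users, one month of CRM activity records."""
    events = []
    for i in range(1, 21):
        user = f"user{i:02d}"
        searches = 600 if i <= 5 else 90 + i  # user01-05 search heavily
        events += [(user, "Search Account")] * searches
        events += [(user, "Save Account")] * 142
        events += [(user, "Open Opportunity")] * 60
        events += [(user, "Create Account")] * 40
    return events


if __name__ == "__main__":
    events = build_sample()
    # Step 1: which activity stands out organization-wide?
    print(activity_totals(events).most_common())
    # Step 2: is the volume spread evenly, or driven by a few users?
    counts = per_user_counts(events, "Search Account")
    for user in flag_high_volume(counts):
        print(user, counts[user])
```

Users returned by `flag_high_volume` are leads for review, not findings: in the case described here, three of the five high-volume users had a manager-assigned project that explained their searches.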

With this information in hand, the GRC team questioned the individuals and learned that three of the high-volume users had been assigned a project by their manager to validate account records. However, the GRC team learned that the two other users were not part of the project, and therefore had no legitimate need to run these excessive searches.

Further questioning exposed that both individuals had been offered a position in another firm, and as preparation for their departure they were collecting and storing private client information.

Monitoring Usage Trends Can Detect Risk and Compliance Threats

Monitoring what users are doing with an application is as important to GRC teams as monitoring the performance of an application is to IT Ops teams. Since Aternity captures both the volumes and the performance of all configured activities as part of User Experience monitoring, the data is already there. Looking for it makes all the difference.
