Sophisticated email monitoring can help companies detect insider threats
‘Psycholinguistics’ technology filters text language for abnormal patterns
By Byron Acohido, ThirdCertainty
Founded by cybersecurity experts from the FBI and CIA, Stroz Friedberg may be best known for its cyber sleuthing expertise.
In 15 years, the company has grown into an international concern with some 500 employees mainly by helping clients retrieve digital evidence and comply with litigation-related discovery and disclosure requirements.
Stroz investigators also can help companies defend against cyber attacks and get to the bottom of major network breaches.
One unusual technique they recently began using relies on “psycholinguistics” technology. With it, the company can help clients monitor fluctuations in employee behavior, or even in an employee's general mood, on any given day.
This is done by the use of language filters tuned to map the normal way employees communicate electronically during the course of a routine workday. It is then possible to spot any changes that could signal an employee who is preparing to spy, steal, sabotage or commit an act of violence.
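To make the baseline-and-deviation idea concrete, here is an added illustration that is not Stroz Friedberg's product or method: it learns one sender's normal word count, first-person pronoun use, negative-affect vocabulary and exclamation-mark use from a history of routine messages, then flags new messages whose features move far from that norm. The sample messages and the tiny word lists are constructed assumptions.

```python
import math
import re
import statistics

# Constructed sample messages from one sender (made-up text, not data from the
# article): BASELINE stands in for the routine-workday history, RECENT is new.
BASELINE = [
    "Hi team, attaching the quarterly numbers for review. Let me know if anything looks off.",
    "Thanks for the update. I will have the draft to you by Thursday.",
    "Quick note: the vendor call moved to three. Agenda unchanged.",
    "Reviewed the proposal, a couple of minor comments inline. Looks good overall.",
    "Can we sync tomorrow on the roadmap? I want to confirm the milestones.",
    "Meeting notes attached. Action items are at the bottom.",
]
RECENT = [
    "Fine. Whatever you decide.",
    "I'm done being ignored here. Nobody listens, this place is a joke!!!",
]
# Tiny illustrative lexicons; a real deployment would use validated word lists.
NEGATIVE = {"ignored", "joke", "nobody", "hate", "unfair", "useless"}
FIRST_PERSON = {"i", "i'm", "me", "my", "mine", "myself"}

def features(text):
    """Per-message features: word count, pronoun and negative-affect ratios, '!' count."""
    words = re.findall(r"[a-z']+", text.lower())
    n = max(len(words), 1)
    return {
        "length": len(words),
        "first_person": sum(w in FIRST_PERSON for w in words) / n,
        "negative": sum(w in NEGATIVE for w in words) / n,
        "exclaim": text.count("!"),
    }

def build_baseline(messages):
    """Mean and population std-dev of each feature over the sender's own history."""
    rows = [features(m) for m in messages]
    return {k: (statistics.mean([r[k] for r in rows]), statistics.pstdev([r[k] for r in rows]))
            for k in rows[0]}

def score(text, baseline, threshold=3.0):
    """Z-score each feature against the baseline; return (scores, flagged feature names)."""
    f = features(text)
    z = {}
    for k, (mu, sd) in baseline.items():
        # Zero variance in the history means any change at all is a deviation.
        z[k] = (f[k] - mu) / sd if sd > 0 else (0.0 if f[k] == mu else math.inf)
    flagged = [k for k, v in z.items() if abs(v) > threshold]
    return z, flagged
```

The first recent message is flagged only for its unusual brevity, the second for negative vocabulary and punctuation the sender never used before; a flag is a prompt for human review, not a verdict.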
ThirdCertainty sat down with Rocco Grillo, Stroz Friedberg’s executive managing director, to learn more. The text has been edited for clarity and length.
ThirdCertainty: Can you drill down on how you’re using psycholinguistics?
Grillo: This is technology geared toward modern text behavior, such as email. It involves looking at patterns of communications from an employee or potential groups, whether it’s an employee who has access to sensitive information or trade secrets. Or it could be an individual in research and development.
The technology monitors the text communications. It doesn’t necessarily identify anything right out of the gate. But it will zero in if there’s a suspicious activity or things that may warrant further attention.
3C: Can you give an example?
Grillo: It could be a situation where you’ve got an individual who may be going through financial constraints or maybe an individual who may be thinking of changing positions. The idea is to look at the level of stress that’s involved in a normal business day. And then identify when someone has been put into an uncomfortable situation related to work.
It could be through coercion or maybe something as simple as the individual looking for another job or to leave the firm. Suddenly that particular individual may be limiting certain types of communications or change the way they’ve been communicating.
3C: So this can help detect an insider threat in the making?
Grillo: It’s directly related to the insider threat. This type of technology, through psycholinguistics, can assist corporations, and identify potential issues before they happen. It’s a technology that can prevent employees from harming themselves. This technology helps the employer identify it prior to the situation occurring.
3C: How big an exposure do insider threats pose?
Grillo: With our reliance on interconnectivity, we’re opening up our network environments more and more. An insider threat doesn’t always have to be a malicious employee. It could be an employee that does something unknowingly, or even a third-party service provider.
That third party may not be within your four walls. But they’re an insider risk because, ultimately, they’re connected to your environment. Further, attackers can get within the environment by social engineering employees to commit an act that can result in risk to the organization.
3C: What best practices do you recommend?
Grillo: The Achilles heel to any security program is employee awareness and the culture of the organization. So one, make sure that the culture recognizes the potential risks. Two, ensure that the employees are aware of the risks. And three, think about the different avenues of outsourcing. Confidentiality, integrity and availability should form the foundation of any security program.
3C: Is there greater awareness of insider threats, post Edward Snowden?
Grillo: I’d say without question. Snowden raised everyone’s attention to it. Just because I’m an employee doesn’t mean I should have access to all the critical assets. As reliance on connectivity continues to expand, we’ve gotten to a state of excessive access. One employee should not have access to all assets of the organization. That should extend to the third-party contractors.
3C: At this point in time, where is the needle, as far as organizations getting more proactive, rather than being reactive?
Grillo: It’s on the rise, and it’s going to continue to be on the rise the more that you see these compromises. At the executive level and at the board level, we’re at the point of recognizing that breaches are going to continue to happen. Since you can’t prevent them 100 percent, companies are moving to become more proactive. If we can put the right controls in place, and enhance monitoring efforts to see more of what’s going on, we can do more mature detection.
Instead of taking weeks or months to identify a compromise, do it in days or even hours. And have an incident response plan in place and be able to execute on that plan in parallel. A lot of companies now want to enhance their incident response plans. We’ve helped them test it and, even further, make sure that all the appropriate stakeholders are not only involved, but know their roles.