Sophisticated email monitoring can help companies detect insider threats

‘Psycholinguistics’ technology filters text language for abnormal patterns


Founded by cybersecurity experts from the FBI and CIA, Stroz Friedberg may be best known for its cyber sleuthing expertise.

In 15 years, the company has grown into an international concern with some 500 employees mainly by helping clients retrieve digital evidence and comply with litigation-related discovery and disclosure requirements.

Stroz investigators also can help companies defend against cyber attacks and get to the bottom of major network breaches.


One unique technique they recently began using involves “psycholinguistics” technology. The company can help its clients monitor fluctuations in employee behaviors or even their general mood on any given day.

This is done with language filters tuned to map the normal way employees communicate electronically during the course of a routine workday. It is then possible to spot any changes that could signal an employee who is preparing to spy, steal, sabotage or commit an act of violence.

ThirdCertainty sat down with Rocco Grillo, Stroz Friedberg’s executive managing director, to learn more. The text has been edited for clarity and length.

ThirdCertainty: Can you drill down on how you’re using psycholinguistics?

Rocco Grillo, Stroz Friedberg executive managing director

Grillo: This is technology geared toward modern text behavior, such as email. It involves looking at patterns of communications from an employee or potential groups, whether it’s an employee who has access to sensitive information or trade secrets. Or it could be an individual in research and development.

The technology monitors the text communications. It doesn’t necessarily identify anything right out of the gate. But it will zero in if there’s a suspicious activity or things that may warrant further attention.

3C: Can you give an example?

Grillo: It could be a situation where you’ve got an individual who may be going through financial constraints or maybe an individual who may be thinking of changing positions. The idea is to look at the level of stress that’s involved in a normal business day. And then identify when someone has been put into an uncomfortable situation related to work.

It could be through coercion or maybe something as simple as the individual looking for another job or to leave the firm. Suddenly that particular individual may be limiting certain types of communications or changing the way they’ve been communicating.

3C: So this can help detect an insider threat in the making?

Grillo: It’s directly related to the insider threat. This type of technology, through psycholinguistics, can assist corporations, and identify potential issues before they happen. It’s a technology that can prevent employees from harming themselves. This technology helps the employer identify it prior to the situation occurring.

3C: How big an exposure do insider threats pose?

Grillo: With our reliance on interconnectivity, we’re opening up our network environments more and more. An insider threat doesn’t always have to be a malicious employee. It could be an employee that does something unknowingly, or even a third-party service provider.

That third party may not be within your four walls. But they’re an insider risk because, ultimately, they’re connected to your environment. Further, attackers can get within the environment by social engineering employees to commit an act that can result in risk to the organization.

3C: What best practices do you recommend?

Grillo: The Achilles heel to any security program is employee awareness and the culture of the organization. So one, make sure that the culture recognizes the potential risks. Two, ensure that the employees are aware of the risks. And three, think about the different avenues of outsourcing. Confidentiality, integrity and availability should form the foundation of any security program.

3C: Is there greater awareness of insider threats, post Edward Snowden?

Grillo: I’d say without question. Snowden raised everyone’s attention to it. Just because I’m an employee doesn’t mean I should have access to all the critical assets. As reliance on connectivity continues to expand, we’ve gotten to a state of excessive access. One employee should not have access to all assets of the organization. That should extend to the third-party contractors.

3C: At this point in time, where is the needle, as far as organizations getting more proactive, rather than being reactive?

Grillo: It’s on the rise, and it’s going to continue to be on the rise the more that you see these compromises. At the executive level and at the board level, we’re at the point of recognizing that breaches are going to continue to happen. Since you can’t prevent them 100 percent, companies are moving to become more proactive. If we can put the right controls in place, and enhance monitoring efforts to see more of what’s going on, we can do more mature detection.

Instead of taking weeks or months to identify a compromise, do it in days or even hours. And have an incident response plan in place and be able to execute on that plan in parallel. A lot of companies now want to enhance their incident response plans. We’ve helped them test it and, even further, make sure that all the appropriate stakeholders are not only involved, but know their roles.
