The role endpoint monitoring plays in detecting and prosecuting insider threats

Image Credit: Shutterstock (Image credit: Shutterstock)

Two recent high-profile security incidents have made headlines across the United States and APAC regions. One was the arrest of United States Coast Guard Lt. Christopher Hasson. The other was the arrest of Yi Zheng, a Chinese national working as a contractor for Australian financial services firm AMP. Hasson was charged with several crimes and accused of being a white supremist in the middle of planning a terror plot. Zheng was arrested and pleaded guilty to attempting to steal and sell confidential AMP customer data on the dark web. 

Security and risk professionals should be extremely interested in these arrests. They show that when organizations have visibility over endpoint behavioral data and the ability to collect and analyze it, that malicious insider threats can be detected long before they have a chance to inflict significant damage.  

Evidence and behaviors

There was a litany of evidence gathered and behaviors observed on the two men’s endpoints that led prosecutors, AMP and the USCG to conclude that both suspects had drifted across legal boundaries.   

In the case of Hasson, prosecutors presented proof showing that he had extremist views, fantasized about mass murder, was possibly targeting prominent government and media personalities for a terror strike, and making illegal drug purchases. 

In the case of Zheng, AMP’s security team showed that he had stolen customer data, was surfing the dark web for illicit markets in an attempt to sell the information, and that he was planning an escape to China. 

Image Credit: Shutterstock

Image Credit: Shutterstock (Image credit: Shutterstock)

The endpoint

Without the ability to observe both men’s actions via their computers, it could be argued that it would have been much more difficult to understand what they were planning and engaged in, maybe even impossible to do so. 

With technologies deployed that gathered information on endpoints, AMP, the USCG and prosecutors were able to paint a clear picture of what was going on and to stop and prosecute both actors before any real trouble arose.  

Image Credit: Shutterstock

Image Credit: Shutterstock (Image credit: Pexels)

The alert

We don’t know specifically what technologies were responsible for tipping off the USCG that Hasson had become a threat. Nor do we know if human informants were a factor. Based on the court records, it is reasonable to conclude that some kind of technology used to monitor his endpoint contributed to the “alert” that prompted authorities to act.

In the case of Zheng, we are closer to the facts. With the Dtex platform and other security layers engaged, several of his activities were monitored and recorded. This included his use of a TOR browser and other data collected about his activities and intentions.

The analysis

In both cases. It is clear that humans played a distinct role in analyzing the data. We can also presume that the data parsed through was relatively simple to navigate and understand. How else would each organization have been able to detect and neutralize these insider threats before they were able to cause severe harm? 

Image Credit: Shutterstock

Image Credit: Shutterstock (Image credit: Image Credit: Alexskopje / Shutterstock)

More data?

Many organizations may already be convinced that endpoint behavioral monitoring is needed. They may also be hesitant to add it to their arsenals out of fear than an additional data stream will add to their workloads. 

Having to deconstruct additional logs can be burdensome but there are technologies available today that collect only minimal and specific types of data needed to understand when humans are behaving badly. Many of these solutions also scale rapidly and integrate easily into existing security infrastructures, as was the case at AMP.   

Don’t wait 

Regardless of whether or not you are a security and risk professional working in the public or private sector, both incidents are clear justification for the need to have technologies deployed which can detect when insider threat activities are taking place and provide viable legal evidence needed to prove when such actions have occurred. 

Organizations that have monitoring and analysis capabilities will succeed in defending against malicious human behaviors. Those that overlook this vital element of security will be hard pressed to identify and deter such situations. 

Imagine what might have happened had the USCG and AMP not had technologies deployed that detected what Hasson and Zheng were doing on their endpoints.

David Wilcox, VP of Federal at Dtex Systems

David Wilcox
David Wilcox is VP of Federal at Dtex Systems. He has more than 37 years of experience in security, the insider threat and federal markets.