IT Monitoring

Monitoring, Detecting, and Preventing Insider Fraud and Abuse

by Dan Sullivan


Some of the most significant risks to a business come from within. Insiders can commit fraud, intellectual property theft, sabotage, and privacy breaches using their legitimate access privileges and knowledge of business functions. When insiders collude with others or use their technical knowledge to tamper with security controls, it can be even more difficult to detect and prevent abuse. However, advances in data analysis are providing tools for collecting application activity from mainframes, Web applications, and other platforms; correlating events across multiple systems; and detecting patterns of suspicious activity. In Realtime Publishers' new book Monitoring, Detecting, and Preventing Insider Fraud and Abuse, author and security expert Dan Sullivan discusses catastrophic effects that can occur from insider abuse, and reveals effective techniques for countering them. The book concludes with a must-have overview for evaluating and selecting the correct tools to help you monitor, detect, and prevent insider abuse.


Chapter 1: The Cost of Insider Fraud and Abuse

Advances in information technology have led to streamlined business operations and innovative products and services. They have also created new methods for defrauding businesses, leaking private and sensitive information, and stealing intellectual property. There is a growing awareness of the need for information security. We only have to glance at a few titles streaming over technology and business news feeds to find stories of massive privacy breaches, Denial of Service (DoS) attacks, and concerted hacking attacks on specific government and business targets. The wide array of threats that businesses face does not, however, always originate from the outside.

Insider threats can be some of the most difficult to prevent and the most costly to recover from. Insiders, such as employees, contractors, consultants, and even trusted business partners, can exploit the privileges and knowledge they have acquired about business operations and practices to commit fraud, violate privacy protections, and steal valuable confidential information. Fortunately, detection and prevention practices and applications are adapting to the threats posed by malicious insiders.

Chapter 2: Technical Barriers to Monitoring, Detecting, and Investigating Insider Fraud

Businesses and other organizations have long used security controls to protect both physical and information assets. Buildings are protected with locked doors, surveillance monitors, and guards. Access to information assets is controlled with authentication and authorization systems, log monitoring, and vulnerability management. These are all well-developed methods for keeping out those who should not be in. They are not as useful when threats originate with those who have been granted access to the physical and information assets of an organization.

Insiders, such as employees, contractors, consultants, and business partners, are typically granted access to the applications and data they need to do a particular job. They walk through the front door in the morning without much notice from guards, they move about the building with the wave of a badge before a magnetic card reader, and they work with enterprise applications throughout the day. A combination of trust in employees and other insiders, coupled with verification through monitoring and auditing, can mitigate some of the risk of insider abuse, but not all of it.

This chapter examines the limitations of common security controls when it comes to controlling insider abuse, with special attention to the types of abuse that can occur when insiders have legitimate access to enterprise information systems. We examine the problem of insider abuse by discussing:

  • Special challenges with insider abuse
  • Examples of insider abuse
  • Five key challenges to detecting insider abuse

As we will see, there is a persistent challenge to preventing insider abuse because of insiders' access to applications coupled with detailed knowledge of internal operations.

Chapter 3: Effective Techniques for Preventing Fraud and Proving Compliance

Virtually every business must confront the risk of fraud and abuse. Insiders with detailed knowledge of business processes are in positions to exploit that knowledge to commit fraud. Chapter 1 detailed types of abuse and their costs to the business, including financial fraud, sabotage, and loss of privacy. Chapter 2 examined the technical barriers to monitoring, detecting, and investigating insider abuse. In this chapter, we turn our attention to techniques that can counter the advantages business insiders possess.

The techniques described in this chapter will work even if insiders are able to circumvent the access or logging controls of any single system. That's because their activities will eventually leave traces that can be collected and analyzed. For example, an insider committing financial fraud can avoid triggering database alerts designed to detect and log high‐value transactions by using a program to issue multiple low‐value transactions that together equal the value of a single high‐value transaction. Each of those database transactions by itself is not suspicious, but the entire set of multiple transactions becomes increasingly noticeable as the number of such transactions grows over time. Although existing database monitoring methods may not detect this pattern, application‐level monitoring can.
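The split-transaction pattern described above, as an added illustration of application-level aggregation (this is not code from the book): it assumes a per-transaction alert threshold, a 24-hour window, a minimum transfer count, and a constructed set of transfer records, all of which are placeholder values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: a database-level rule alerts on any single transfer at or
# above SINGLE_TXN_ALERT; the application-level rule looks at the running total.
SINGLE_TXN_ALERT = 10_000.00
AGGREGATE_ALERT = 10_000.00
WINDOW = timedelta(hours=24)
MIN_COUNT = 3

# Constructed sample of application activity: (user, timestamp, destination, amount).
SAMPLE_ACTIVITY = [
    ("alice", "2024-03-01T09:05:00", "ACCT-7781", 2_400.00),
    ("alice", "2024-03-01T11:40:00", "ACCT-7781", 2_400.00),
    ("alice", "2024-03-01T15:12:00", "ACCT-7781", 2_400.00),
    ("alice", "2024-03-02T08:03:00", "ACCT-7781", 2_400.00),
    ("alice", "2024-03-02T08:50:00", "ACCT-7781", 2_400.00),
    ("bob",   "2024-03-01T10:00:00", "ACCT-1020", 9_500.00),
    ("bob",   "2024-03-04T10:00:00", "ACCT-1020", 9_500.00),
    ("carol", "2024-03-01T12:00:00", "ACCT-3300", 12_500.00),
]

def parse(records):
    return [(u, datetime.fromisoformat(ts), acct, amt) for u, ts, acct, amt in records]

def single_transaction_alerts(records):
    """What a database-level high-value rule sees: one transfer at or above the threshold."""
    return [(u, acct, amt) for u, _, acct, amt in parse(records) if amt >= SINGLE_TXN_ALERT]

def structuring_alerts(records):
    """Application-level rule: several sub-threshold transfers by one user to one
    destination whose total inside a sliding WINDOW reaches AGGREGATE_ALERT."""
    by_key = defaultdict(list)
    for u, ts, acct, amt in parse(records):
        if amt < SINGLE_TXN_ALERT:  # only transfers that slip past the single-transaction rule
            by_key[(u, acct)].append((ts, amt))
    alerts = []
    for (u, acct), txns in by_key.items():
        txns.sort()
        start = 0
        for end in range(len(txns)):
            while txns[end][0] - txns[start][0] > WINDOW:
                start += 1  # slide the window forward past transfers older than WINDOW
            window = txns[start:end + 1]
            total = sum(a for _, a in window)
            if len(window) >= MIN_COUNT and total >= AGGREGATE_ALERT:
                alerts.append((u, acct, len(window), total))
                break  # one alert per user/destination pair is enough for triage
    return alerts
```

In the sample, only carol trips the single-transaction rule, while alice's five transfers of 2,400 inside 24 hours are invisible to it and surface only through the aggregate check; bob's two transfers fall outside the window and raise nothing.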

Chapter 4: Selecting the Right Tools: Evaluating Applications for Monitoring, Preventing, and Investigating Insider Abuse

The threat of insider abuse and the potential costs of that threat are more than enough to motivate businesses to implement fraud controls. We saw in Chapter 2 that technical barriers have historically hindered efforts to block insider fraud. Factors such as the legitimate access to applications and data, insider knowledge, and the ability to tamper with access controls limit the effectiveness of security controls that were designed to protect against outsiders. Although we are not helpless when it comes to insider abuse, we need a different set of controls than those used to protect from outside attack. As discussed in Chapter 3, techniques such as multi‐channel monitoring and application activity analysis provide the foundation for detecting, blocking, and investigating insider abuse. Here in Chapter 4, the final chapter of this book, we will examine how to evaluate and select tools for controlling insider abuse.

This chapter structures the evaluation process around three areas:

  • Functional requirements
  • Non‐functional requirements
  • Support for compliance practices

Functional requirements are made up of key business and technical requirements for support of particular features. Consider the fact that insider fraud can take on different forms in different industries. Fraud in an insurance company will look different from fraud in a commercial bank or manufacturing plant. Clearly, we will need the ability to define industry‐specific rules about legitimate and illegitimate application activity. A common technical requirement is the need to support multiple platforms. Heterogeneous IT environments are the norm, and insider fraud systems will have to operate across these various platforms.

Non‐functional requirements address qualities of a system that are not tied to any particular operation a user or application administrator carries out within it. For example, insider fraud prevention tools should be scalable. As the number of inter‐operating applications and the number of users grow, the insider fraud system should be able to keep pace with the growing volume of activity data that must be monitored.