The role endpoint monitoring plays in detecting and prosecuting insider threats


Two recent high-profile security incidents have made headlines across the United States and APAC regions. One was the arrest of United States Coast Guard Lt. Christopher Hasson. The other was the arrest of Yi Zheng, a Chinese national working as a contractor for Australian financial services firm AMP. Hasson was charged with several crimes and accused of being a white supremacist in the middle of planning a terror plot. Zheng was arrested and pleaded guilty to attempting to steal and sell confidential AMP customer data on the dark web.

Security and risk professionals should be extremely interested in these arrests. They show that when organizations have visibility over endpoint behavioral data and the ability to collect and analyze it, malicious insider threats can be detected long before they have a chance to inflict significant damage.

Evidence and behaviors

There was a litany of evidence gathered and behaviors observed on the two men’s endpoints that led prosecutors, AMP and the USCG to conclude that both suspects had drifted across legal boundaries.   

In the case of Hasson, prosecutors presented proof showing that he held extremist views, fantasized about mass murder, was possibly targeting prominent government and media personalities for a terror strike, and was making illegal drug purchases.

In the case of Zheng, AMP’s security team showed that he had stolen customer data, was surfing the dark web for illicit markets in an attempt to sell the information, and that he was planning an escape to China. 


The endpoint

Without the ability to observe both men’s actions via their computers, it could be argued that it would have been much more difficult to understand what they were planning and engaged in, maybe even impossible to do so. 

With technologies deployed that gathered information on endpoints, AMP, the USCG and prosecutors were able to paint a clear picture of what was going on and to stop and prosecute both actors before any real trouble arose.  


The alert

We don’t know specifically what technologies were responsible for tipping off the USCG that Hasson had become a threat. Nor do we know if human informants were a factor. Based on the court records, it is reasonable to conclude that some kind of technology used to monitor his endpoint contributed to the “alert” that prompted authorities to act.

In the case of Zheng, we are closer to the facts. With the Dtex platform and other security layers engaged, several of his activities were monitored and recorded. This included his use of the Tor browser and other data collected about his activities and intentions.

The analysis

In both cases, it is clear that humans played a distinct role in analyzing the data. We can also presume that the data they parsed was relatively simple to navigate and understand. How else would each organization have been able to detect and neutralize these insider threats before they were able to cause severe harm?


More data?

Many organizations may already be convinced that endpoint behavioral monitoring is needed. They may also be hesitant to add it to their arsenals out of fear that an additional data stream will add to their workloads.

Having to deconstruct additional logs can be burdensome, but there are technologies available today that collect only the minimal and specific types of data needed to understand when humans are behaving badly. Many of these solutions also scale rapidly and integrate easily into existing security infrastructures, as was the case at AMP.

Don’t wait 

Whether you are a security and risk professional working in the public or private sector, both incidents are clear justification for deploying technologies that can detect when insider threat activities are taking place and that provide the viable legal evidence needed to prove such actions have occurred.

Organizations that have monitoring and analysis capabilities will succeed in defending against malicious human behaviors. Those that overlook this vital element of security will be hard pressed to identify and deter such situations. 

Imagine what might have happened had the USCG and AMP not had technologies deployed that detected what Hasson and Zheng were doing on their endpoints.

David Wilcox, VP of Federal at Dtex Systems

David Wilcox is VP of Federal at Dtex Systems. He has more than 37 years of experience in security, the insider threat and federal markets.