Performing Insider Threat Investigation

When to Use

• DLP (Data Loss Prevention) alerts on large data transfers to personal cloud storage or USB devices
• User behavior analytics (UBA) detects anomalous access patterns for a user account
• HR reports a departing employee suspected of taking proprietary information
• A privileged user is observed accessing systems outside their job function
• Whistleblower or coworker report alleges policy violations or data theft

Do not use for external attacker investigations where compromised credentials are used without insider collusion; use standard incident response procedures instead.

Prerequisites

• Legal counsel approval before initiating any monitoring or investigation of an employee
• HR partnership with defined investigation procedures and employee privacy guidelines
• DLP platform with content inspection and policy enforcement (Symantec DLP, Microsoft Purview, Digital Guardian)
• User behavior analytics platform (Microsoft Sentinel UEBA, Exabeam, Securonix)
• Forensic imaging capability for endpoint examination