search menu icon-carat-right cmu-wordmark

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

October 2011 Technical Note
Michael Hanley, Joji Montelibano

In this report, the authors present an insider threat pattern on how organizations can combat insider theft of intellectual property.


Software Engineering Institute

CMU/SEI Report Number


DOI (Digital Object Identifier):


Since 2001, the CERT Insider Threat Center has built an extensive library and comprehensive database containing more than 600 cases of crimes committed against organizations by insiders. A significant class of insider crimes, insider theft of intellectual property, involves highly damaging attacks against organizations that result in significant tangible losses in the form of stolen business plans, customer lists, and other proprietary information. The Insider Threat Center’s behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization’s intellectual property stole at least some of it within 30 days of their termination. This technical note presents an example of an insider threat pattern based on this insight. It then presents an example implementation of this pattern on an enterprise-class system using the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.