I recently had the chance to explain Tenable’s approach to tracking insiders through authentication logs to a new employee. The conversation went something like this:
Q: If I handed you a pile of logs and told you that “Bob” in accounting was an insider threat, what would you do?
A: I’d look through all the logs for accounts that Bob had access to and attempt to audit which systems he accessed and possibly what he did.