Traditional systems for monitoring insider threats frequently rely on predefined rules and statistical techniques that not only have to anticipate every possible kind of wrongdoing – an unattainable goal – but are also readily circumvented, because their fixed nature makes them predictable. In addition, these tools focus on a company’s transaction systems and are blind to the vast quantity of business communication that takes place over other channels. Cataphora’s insider threat monitoring solutions address both problems by analyzing the full breadth of electronic data within an organization and, rather than relying on preconceptions about what problems might arise, by using a data-driven approach that flags potential problems as departures from normal behavior patterns.
Presidential executive order
The October 2011 Presidential Executive Order 13587, titled “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information”, requires an interagency Insider Threat Task Force to develop a government-wide insider threat program by the end of 2013. This was further reinforced by a presidential memorandum in November 2012 directing federal agencies to deploy monitoring systems that meet prescribed standards.
“One way to increase the chance of catching a malicious employee is to examine relevant information regarding suspicious or anomalous behavior of those whose jobs cause them to access classified information,” a White House spokeswoman commented. Identifying anomalies is exactly what we do: Cataphora’s insider threat solutions make sense of vast quantities of data through analysis and visualization, allowing you to anticipate and expose previously unknown security threats. Learn more about Cataphora’s solutions for the government market.
In 2008, the French bank Société Générale revealed that one of its junior traders, Jérôme Kerviel, had racked up unauthorized positions that cost the bank $7 billion to unwind. He was able to circumvent the bank’s transaction monitoring systems, which relied on fixed, internally published rules. His behavior did not trigger any significant response from the bank’s compliance monitoring, even though he did many things that were well outside the norm for someone in his position. None of these were compliance violations in themselves, but Cataphora’s technology could have flagged them as a large cluster of anomalies surrounding a single individual, and hence as an indicator of potential risk.
Whether an employee’s bad actions are intentional, reckless, careless, or plain sociopathic, the consequences for the organization can be equally severe in all cases. These consequences can include direct financial losses through fraud, indirect costs of investigations, fines and restitution, and damage to reputation, to name but a few. In extreme cases they can lead to bankruptcy and long jail terms for culpable parties. And, of course, they cause harm to innocent employees and shareholders.
Traditional transaction monitoring systems deployed to counter such threats have failed repeatedly. The Kerviel case is perhaps the most high profile, but it is far from unique. Overwhelmingly, these systems are built on a set of rules about what is and is not permitted, or on a preconceived set of statistical “norms” that should not be breached. Both approaches require the organization to anticipate the forms that wrongdoing or accidental damage might take. Unfortunately, employees can be almost infinitely inventive in finding ways to exploit loopholes, and it is simply impossible to write rules that anticipate every action they might take. And, being insiders, these employees are exceptionally well placed to know the system and to evade the restrictions it attempts to impose.
Furthermore, transaction monitoring systems are just that – they focus on the organization’s core transaction systems. But today, business is commonly conducted across a wide variety of platforms: communications may span not just email, but also instant messaging, personal cell phones, and text messages, among others. Transaction monitoring systems are thus completely blind to a large part of the workings of a modern organization.
Modeling behavior patterns
By contrast, Cataphora’s patented technology starts by automatically building a model of the organization’s normal behavior. The model is derived from the myriad items of electronic information recorded in computer systems and networks, and it is what allows the system to detect when something abnormal – and possibly problematic – happens. This is the key to seeing the forest for the trees: out of all the data that has been recorded, the Cataphora system identifies and focuses on deviations from normality, which is where bad acts, when they occur, leave their traces.
More specifically, the model reveals the true communication and decision-making patterns and workflows – the social networks that make up the real organization; these patterns are often different in important respects from formal organizational charts and process descriptions. This model encompasses every aspect of the organization that is recorded in any electronic format. It comprises not just records of transactions, but also all other electronic records, including emails, documents, calendars, phone logs, and even keycard entry logs and so forth. The model captures the behavior and interactions of individuals and workgroups, including communications, document flows and meetings.
Additionally, otherwise hidden relationships among individuals may be revealed. It may turn out that several people who are widely dispersed across an organization, in fact, know each other very well, perhaps because they are alumni of the same school, for example. Knowledge of such “shadow networks” can be crucial in understanding the motives and loyalties of key individuals, which might override the interests of the organization.
Detecting and flagging anomalies
Once the appropriate norms have been established, the system is in a position to automatically detect and flag behavioral anomalies. Anomalies can be measured against a number of baselines: for example, a change in behavior compared with the past or behavior that markedly differs from that of peers with similar responsibilities. Such anomalies are all but unavoidable as side effects of doing something really bad, or as artifacts relating to a gross change in attitude or personality.
Internal and external events are examined. For example, the analytic shown to the right includes two sequences of events in the context of a price fixing investigation. The gaps between events are shown as circles in order to emphasize changes in frequency: larger circles indicate larger gaps. Although meetings with competitors are not necessarily illegal, since they can be related to mutual membership in professional organizations, for example, an interesting pattern emerges upon closer examination of this analytic. A large gap in discussions about price increases, shown as a large blue-green circle at point A, corresponds to a period in which the number of such meetings increases greatly, as shown by a series of references to them depicted by the small pink circles at point B. As the frequency of such meetings decreases, as evidenced by the series of larger pink circles at point C, discussions of price fixing increase steadily, as indicated by the series of smaller blue-green circles at point D. Do these meetings indicate collusion? Further investigation is certainly warranted. Without Cataphora’s technology, it is very likely that these subtle correlations would be difficult, if not impossible, to decode.
Jérôme Kerviel, who had previously worked in his bank’s compliance department, was able to circumvent its monitoring systems. At the same time his behavior, when compared with that of similar junior traders, contained numerous anomalies:
- Routinely overriding the chain of command, corresponding with his second-level manager to an unusual degree
- Working excessively with just one broker
- Extremely high cell phone use, even though he was in an office where land lines were, presumably, in adequate supply
- Overly consistent language for making confirmations
- Consistent approach to recording fake trades and canceling positions, with all of the fake transactions sharing specific characteristics:
  - a value date later than the date of the transaction
  - the use of internal counterparties within Société Générale or a small external counterparty
  - the cancellation of the trade before its valuation date
- Specific language in which Kerviel himself expressed concern about his own conduct, such as “You haven’t said anything about our trades? If you have, I’ll smash your face in.”
None of these behaviors is an evident compliance infraction, and it would be hard to foresee the need to write a compliance rule for each of them. Indeed, no one of these behaviors, taken in isolation, is necessarily a problem. What is significant is the totality of the picture that emerges when they are examined together.
This illustrates an important principle: more than one factor must be considered in order to see the bigger picture. There may always be a legitimate, or at least benign, reason for any single change of behavior, such as a shift in communication patterns, so the system must not generate a flood of false alarms. Once the number of alarms rises past what staff can review, it becomes difficult, if not impossible, to sort out which ones matter; and if most alarms turn out to be insignificant, people naturally start to ignore them, as happened with the legendary boy who cried “Wolf!” By aggregating anomalies to a specific actor and time period, the fire hose of alerts is greatly contained.
Another important category of abnormality is missing data – data that should be present, based on the system’s model of normal or expected behavior but which, for some reason, is not. With a pattern to guide expectations about what data an individual should possess, it becomes possible to detect when, for example, she may have deleted vital information to cover her tracks, or may have made sure not to commit it to electronic form in the first place. This can be detected in various ways. A regular report may mysteriously be unavailable for some key dates; or there may be a sudden absence of email messages in her archive, even though other evidence, such as a personal calendar, shows that she was otherwise conducting business as usual and was not on vacation, for example.
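The three ideas above (scoring behavior against both an actor’s own history and a peer group, reporting only actor-periods where several anomalies coincide, and treating expected-but-absent data as an anomaly in its own right) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Cataphora’s code and says nothing about how the patented system is implemented. The feature names (mail to a second-level manager, cell calls, cancelled trades, chosen to echo the Kerviel list), the actor names, the weekly counts, the calendar and mailbox tallies, and the thresholds are all constructed for the example.

```python
"""
Added example, not Cataphora's code: multi-baseline anomaly scoring with
per-actor aggregation and a missing-data check. Feature names, actor names
and every number below are constructed for illustration.
"""
from math import inf
from statistics import mean, pstdev

PERIODS = ("w1", "w2", "w3", "w4")          # constructed weekly periods
FEATURES = ("mail_to_skip_level", "cell_calls", "cancelled_trades")

# Constructed per-week counts for four junior traders. trader_b has a single
# spike in cell_calls in w3; trader_x shifts on every feature in w4.
_RAW = {
    "trader_a": [(2, 6, 3), (1, 7, 2), (2, 5, 4), (1, 6, 3)],
    "trader_b": [(1, 7, 2), (2, 6, 3), (1, 20, 2), (2, 7, 3)],
    "trader_c": [(2, 5, 4), (1, 6, 3), (2, 7, 3), (1, 6, 2)],
    "trader_x": [(1, 6, 3), (2, 7, 2), (1, 6, 3), (9, 40, 15)],
}
OBS = {actor: {p: dict(zip(FEATURES, row)) for p, row in zip(PERIODS, rows)}
       for actor, rows in _RAW.items()}

Z_THRESHOLD = 3.0   # three sigma; with small reference sets anything lower is noisy
MIN_REF = 3         # refuse to score against fewer than three reference values


def zscore(x, ref):
    """Standard score of x against reference values, or None when the baseline
    is too thin to say anything. Zero spread with a differing x is reported as
    +/-inf so that it still counts as a deviation."""
    if len(ref) < MIN_REF:
        return None
    m, s = mean(ref), pstdev(ref)
    if s == 0:
        return 0.0 if x == m else (inf if x > m else -inf)
    return (x - m) / s


def baselines(obs, actor, period, feature):
    """Two baselines for one observation: the actor's own earlier periods, and
    the pooled values of every other actor for periods up to and including
    this one (point-in-time, so later data never leaks into an earlier score)."""
    idx = PERIODS.index(period)
    history = [obs[actor][p][feature] for p in PERIODS[:idx]]
    peers = [obs[o][p][feature] for o in obs if o != actor for p in PERIODS[:idx + 1]]
    return history, peers


def feature_anomalies(obs, threshold=Z_THRESHOLD):
    """(actor, period) -> features deviating from either baseline by at least
    `threshold` standard deviations. Every single-feature hit lands here."""
    out = {}
    for actor in obs:
        for period in PERIODS:
            hits = []
            for feature in FEATURES:
                x = obs[actor][period][feature]
                history, peers = baselines(obs, actor, period, feature)
                zs = (zscore(x, history), zscore(x, peers))
                if any(z is not None and abs(z) >= threshold for z in zs):
                    hits.append(feature)
            if hits:
                out[(actor, period)] = hits
    return out


def aggregate_alerts(obs, min_anomalies=2, threshold=Z_THRESHOLD):
    """Collapse per-feature hits to one alert per (actor, period) and drop
    actor-periods with fewer than `min_anomalies` concurrent deviations. This
    is what stops one odd week on one feature from becoming an alert."""
    return {key: hits for key, hits in feature_anomalies(obs, threshold).items()
            if len(hits) >= min_anomalies}


# Constructed activity counts for the missing-data check: meetings on the
# actor's calendar and messages present in the actor's mail archive per period.
CALENDAR = {"trader_a": {"w1": 4, "w2": 0, "w3": 5, "w4": 4},
            "trader_x": {"w1": 5, "w2": 6, "w3": 5, "w4": 6}}
MAILBOX = {"trader_a": {"w1": 41, "w2": 0, "w3": 39, "w4": 44},
           "trader_x": {"w1": 40, "w2": 38, "w3": 45, "w4": 0}}


def missing_data(calendar, mailbox):
    """(actor, period) pairs where the calendar shows the actor at work but the
    mail archive for that period is empty, although the actor normally has
    mail. An empty week with an empty calendar (leave) is not flagged."""
    flagged = []
    for actor, meetings in calendar.items():
        mail = mailbox.get(actor, {})
        normally_has_mail = any(mail.get(p, 0) > 0 for p in PERIODS)
        for period in PERIODS:
            if meetings.get(period, 0) > 0 and mail.get(period, 0) == 0 and normally_has_mail:
                flagged.append((actor, period))
    return flagged


if __name__ == "__main__":
    print("per-feature hits:", feature_anomalies(OBS))
    print("aggregated alerts:", aggregate_alerts(OBS))
    print("missing data:", missing_data(CALENDAR, MAILBOX))
```

On the constructed data, trader_b’s isolated cell-phone spike in w3 appears among the per-feature hits but is dropped by the aggregation step, while trader_x’s w4 is reported on all three features against both baselines; the missing-data check flags only trader_x’s w4, not trader_a’s empty w2, because trader_a’s calendar is empty that week too. Two caveats a practitioner should keep in mind: the pooled peer baseline is contaminated by the outlier it is meant to catch (trader_x’s 40 calls inflate everyone else’s peer spread in w4), so a production system would use robust statistics or exclude the actor under review, and the refusal to score against fewer than MIN_REF values means the first periods of a new employee are never scored against their own history at all.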
World-class technology and years of experience
Whether your needs are for monitoring or investigation, Cataphora’s patented technologies – and years of experience in analyzing huge volumes of data for large organizations – provide a uniquely powerful and effective approach to ensuring the safety of your organization from insider threats.