performing-insider-threat-investigation

# Performing Insider Threat Investigation ## When to Use - DLP (Data Loss Prevention) alerts on large data transfers to personal cloud storage or USB devices - User behavior analytics (UBA) detects anomalous access patterns for a user account - HR reports a departing employee suspected of taking proprietary information - A privileged user is observed accessing systems outside their job function - Whistleblower or coworker report alleges policy violations or data theft **Do not use** for external attacker investigations where compromised credentials are used without insider collusion; use standard incident response procedures instead. ## Prerequisites - Legal counsel approval before initiating any monitoring or investigation of an employee - HR partnership with defined investigation procedures and employee privacy guidelines - DLP platform with content inspection and policy enforcement (Symantec DLP, Microsoft Purview, Digital Guardian) - User behavior analytics platform (Microsoft Sentinel UEBA, Exabeam, Securonix) - Forensic imaging capability for endpoint examination - Chain of custody procedures for evidence that may be used in legal proceedings - Clear authority and scope documentation approved by legal and HR ## Workflow ### Step 1: Receive and Validate the Allegation Document the initial report and validate before proceeding: - Record the source of the allegation (DLP alert, UBA detection, HR referral, manager report) - Confirm with legal counsel that the inves...