Insider-threat detection: Lessons from deploying the CITD tool in three multinational organisations

Insider threat is a persistent concern for organisations and business alike that has attracted the interest of the research community, resulting in numerous behavioural models and tools to tackle it. However, the effectiveness of detection of these tools has scarcely been demonstrated in real environments. In order to fill this gap, we collaborated with three multinational commercial organisations who trialled our anomaly detection system, and worked with us to understand performance constraints for insider threat detection deployment and innate weaknesses in their operational contexts. During a period longer than a year, we were provided access to real data in their premises and interacted with their cybersecurity analysts to understand their systems, validate the results and identify best practices for mitigating insider threat. In this paper, we provide details on the architecture used in our tool, the methodology followed to validate its performance and we elaborate on our experiences in implementing the tool in the three corporate environments. We present the results obtained from deploying the detection system in real network infrastructure over a period of six months, the lessons learned, issues experienced, and potential limitations.

Detailed description

Bibliographic details

Main authors: Erola, A, Agrafiotis, I, Goldsmith, M, Creese, S
Format: Journal article
Language: English
Published: Elsevier 2022
Identifier: oxford-uuid:b5910f40-d623-4a41-b514-00044e64e767
Institution: University of Oxford