Joshua Beaman

Control Architecture

Entra ID Roles For Insider Threat Investigators

This article aims to educate insider threat investigation teams on Entra ID Privileged Identity Management (PIM), just-in-time privileged access, and Entra ID roles that enable access to key resources or actions required for common insider threat/event investigations. The information in this article is subject to change by Microsoft at any time. Efforts will be made to maintain the accuracy. Just-in-time (JIT) privileged access is a Privileged Identity Management (PIM) concept that minimizes the risk of unauthorized access and reduces the attack surface by granting elevated access only when needed and for the duration required. PIM is highly relevant for insider threat programs,...

James Weston

Policy & Governance

The Role of Acceptable Use Policies in Insider Risk Management

Insider threats rarely emerge spontaneously or reveal themselves through immediate acts of serious harm. More often, they unfold gradually through subtle shifts in behavior, intent, or adherence to expected norms. As explored in our Behavioral Drift paper, this quiet erosion of boundaries can precede significant security incidents, often without triggering traditional alerts. This raises a critical question: what defines “expected” behavior in the first place? For most organizations, that expectation is captured, imperfectly or otherwise, in the Acceptable Use Policy (AUP). Too often relegated to onboarding paperwork or compliance checklists, the AUP should instead be recognized as a foundational operational control....

James Weston

Detection & Forensics

Identifying Torrented Media via File Metadata and Naming Patterns

The presence of pirated or torrented media on organization-owned endpoints poses more than a compliance issue; it may signal broader behavioral drift, technical misuse, or active infringement. This article outlines how insider threat teams can detect potentially unlawfully obtained media through common naming patterns, file extensions, and forensic markers observed in endpoint telemetry and file activity logs. While possession alone may not prove intent to distribute or exfiltrate data, recurring indicators of pirated content can contribute to subject profiling, support investigations, and inform the Monthly Volume Infringement Review (MVIR). Downloaded media files originating from public torrent sources (especially when unapproved tools or...

James Weston

Insider Risk Theory

Perimeter to Population: A New Vocabulary for Insider Threat

In 1969, the United States Department of Defense launched ARPANET, one of the earliest packet-switched networks, linking research institutions and government agencies to share scarce computing resources. ARPANET became the proving ground for many of the technical principles that underpin today’s Internet. The intellectual foundations of this network trace back to Paul Baran’s work at RAND in 1962, where he proposed distributed, packet-based communications as a means of ensuring nuclear command-and-control could survive a Soviet attack. While ARPANET itself was not designed for nuclear operations, its architecture reflected Baran’s principles of resilience, redundancy, and survivability under attack – concepts rooted in...

James Weston

Insider Risk Theory

Behavioral Drift as a Predictive Signal for Insider Threat Escalation

In the practice of insider risk management, there is often a tendency to focus exclusively on acute acts of harm: data exfiltration, sabotage, and unauthorized disclosure. But these outcomes are seldom sudden. More often, they represent the final step in a longer behavioral trajectory that begins with relatively minor, individually tolerable infringements. At Forscie, we refer to this phenomenon as Behavioral Drift: the progressive departure from expected conduct within a trusted environment. It typically begins not with malicious intent, but with subtle, low-level violations of an organization's Acceptable Use Policy (AUP): an unapproved tool installed, a file moved to personal storage,...

Joshua Beaman

Detection & Forensics

Snipping Tool Artifacts of Visual Data Exfiltration

In insider threat cases involving data loss, a common assumption is that exfiltration occurs through conventional means: email, cloud uploads, removable media. However, some subjects bypass technical controls altogether by capturing data visually. The native Windows utility Snipping Tool provides one such method: enabling users to screenshot sensitive content directly from screen to file, often without triggering conventional DLP controls. Whether detected proactively or uncovered during post-incident triage, artifacts from Snipping Tool can serve as evidence of preparation or the act of exfiltration itself, particularly in cases where intellectual property, personal data, or restricted documents are exposed visually. Despite its minimal interface,...