I've written many posts on insider threats, like How Many Spies and Of Course Insiders Cause Fewer Security Incidents. Recently a former Coca-Cola employee was found guilty of trying to steal Coke's trade secrets, with an intent to sell them to Pepsi. According to this story, detection of the plot was decidedly non-technical:
In May, a letter appeared at Pepsi's New York headquarters offering to sell the trade secret. But that's how the beverage superpowers learned of common corporate priorities: Pepsi officials immediately notified Coke of the breach; in turn, Coke executives contacted the FBI and a sting operation was put into play.
Today I read Insider Tries to Steal $400 Million at DuPont. The story claims a technical detection method:
Computer security played a key role in the case. The chemist, Gary Min, was spotted when he began accessing an unusually high volume of abstracts and full-text PDF documents from DuPont's Electronic Data Library (EDL), a Delaware-based database server which is one of DuPont's primary storage repositories for confidential information.
Between Aug. 2005 and Dec. 12, 2005, Min downloaded some 22,000 abstracts and about 16,700 documents -- 15 times the number of abstracts and reports accessed by the next-highest user of the EDL, according to documents unsealed yesterday by Colm Connolly, U.S. Attorney for the District of Delaware...
Min began downloading the documentation about two months before he received an official job offer from Victrex, a DuPont competitor, in October 2005. The new job was slated to begin in January of 2006, but Min did not tell DuPont he was leaving until December 2005, according to the documents. It was after he announced his departure that DuPont's IT staff detected the high volume of downloads from Min's computer.
That demonstrates DuPont was unaware of the activity (which started in August) until December. That means DuPont only started looking for odd activity once Min announced his departure, so again we have another non-technical detection method. Something similar to the Coke case occurred based on this line from the same story:
Victrex was not accused of conspiring with Min. In fact, the company assisted authorities in collecting evidence against him, according to the documents.
So, in both cases nontechnical means identified and caught insider threats.
This follow-up story, 10 Signs an Employee Is About to Go Bad, lists only two technical means to identify insider threats -- the remaining eight are all decidedly analog or physical. I recommend reading this list. It represents one of the better arguments I've seen for "convergence" between physical and digital security staffs.
Unfortunately, many companies are spending lots of money on products to supposedly combat insider threats, when the best approach is nontechnical. Meanwhile, these same companies are completely 0wn3d by outsiders in .ro, .ru, .cn, etc., but little attention is paid because external threats are not the "hot topic" right now. The only saving grace is that some of the technical methods that might be helpful against insiders may work against outsiders who control company assets.