Insider Threat Protection done right

Insider threats are actually a much broader category than many people realize. And while it may sound obvious, the first step in effectively detecting and mitigating these types of threats is to fully understand them. How does your Organization protect itself against i) the naive employee downloading vast amounts of data to their personal computer, ii) the careless employee letting an outside infiltrator get access to your highly sensitive data, or iii) the malicious employee quietly downloading data over a personal mobile hotspot to take to a competitor? In this article we discuss the five keystones of effective Insider Threat Protection Software and how (previously Blockbird Data) addresses them:


In order to find and mitigate insider threats, security teams need the ability to quickly see potential red flags as they arise. Because all users are equally capable of putting a business at risk, the same level of visibility can and should be applied consistently – regardless of role, location, or designation of privilege. Furthermore, real-time visibility is no longer optional.

“We believe the best way to satisfy these visibility requirements is if your Insider Threat Protection Software integrates directly with your everyday business Applications instead of trying to monitor your entire network directly from the endpoint.” allows you to effectively address the following questions:

  • What type of data is each Application collecting? Is it personal or sensitive data?
  • Which individual users are accessing this data and how often?
  • Has any user accessed data in an abnormal way? Can I flag any pattern-breaking data access behavior?
  • How much data is downloaded or deleted daily? Can I notice a sudden peak in download or delete activity?
  • How is a certain user behaving compared to their peer group?
  • Is a user accessing types of data not appropriate to their role? For example, is a doctor accessing financial data? Or is an administrative employee accessing medical data?

Answering these questions is only possible if your Insider Threat Protection Software is monitoring data directly from your everyday Applications. To do this, our SDK is called from within your application’s code to send information about these accesses to our API, so you can view and analyze your own individual users’ behaviour.

(See our technical documentation here:

Additionally, this way we can provide visibility both on and off the corporate network. Nearly every modern workplace has some degree of remote workforce, which means that your visibility can’t just stop once a company laptop leaves your headquarters.
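As an added illustration of the analysis the questions above call for (example code written for this article, not the vendor’s SDK or API): the event shape, the field names and the role policy are assumptions, and the events are a constructed sample. It covers the role-mismatch question (a doctor touching financial data) and the peer-group comparison, using a median baseline so that a single heavy downloader cannot hide by inflating the group norm.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of access events in the shape an in-app SDK might report them
# (field names are assumptions, not the vendor's API): one record per data access.
EVENTS = [
    {"user": "u1", "role": "doctor", "table": "patients", "tag": "medical",   "action": "download", "rows": 40},
    {"user": "u2", "role": "doctor", "table": "patients", "tag": "medical",   "action": "download", "rows": 35},
    {"user": "u3", "role": "doctor", "table": "patients", "tag": "medical",   "action": "download", "rows": 50},
    {"user": "u4", "role": "doctor", "table": "patients", "tag": "medical",   "action": "download", "rows": 900},
    {"user": "u4", "role": "doctor", "table": "invoices", "tag": "financial", "action": "read",     "rows": 3},
    {"user": "u5", "role": "admin",  "table": "invoices", "tag": "financial", "action": "download", "rows": 20},
    {"user": "u6", "role": "admin",  "table": "patients", "tag": "medical",   "action": "read",     "rows": 1},
]

# Assumed policy: the sensitivity tags each role is expected to touch.
ROLE_SCOPE = {"doctor": {"medical"}, "admin": {"financial"}}

def role_mismatches(events):
    """(user, table) pairs where a role touched data outside its scope, e.g. a doctor reading invoices."""
    return sorted({(e["user"], e["table"]) for e in events
                   if e["tag"] not in ROLE_SCOPE.get(e["role"], set())})

def volume_by_user(events, action):
    """Total rows per user for one action type ('download' or 'delete')."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == action:
            totals[e["user"]] += e["rows"]
    return dict(totals)

def peer_group_outliers(events, action="download", factor=3.0, min_peers=2):
    """Users whose volume exceeds `factor` times the median of their role peers (self excluded).
    The median is the baseline so that one heavy downloader cannot inflate the group's own norm."""
    volume = volume_by_user(events, action)
    role_of = {e["user"]: e["role"] for e in events}
    members = defaultdict(list)
    for user, role in role_of.items():
        members[role].append(user)
    flagged = []
    for user, role in role_of.items():
        peers = [volume.get(p, 0) for p in members[role] if p != user]
        if len(peers) < min_peers:
            continue  # too few peers for a meaningful baseline
        baseline = median(peers)
        if baseline > 0 and volume.get(user, 0) > factor * baseline:
            flagged.append(user)
    return sorted(flagged)
```

Running both checks over the sample flags u4 on both counts (900 rows against a peer median of 40, plus a read of financial data), while u6’s single read of medical data surfaces only as a role mismatch, not as a volume anomaly.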


“Intelligence” can be a vague and overused term in the cybersecurity world, but it has a very specific and important meaning: the powerful combination of context, knowledge, and flexibility. Here are the key characteristics of

  • Analytics

is an analytics-based solution. Insider threats are, by definition, human – and human behavior is too intricate to be boiled down to a series of written rules or policies. Analytics are necessary to understand and detect anomalies in events and behaviors. We also focus only on sensitive data, which means that our analytics are not overwhelmed by background noise.

  • Machine Learning

In order to be most effective, an Insider Threat Protection Software needs to be smart enough to truly learn what’s normal or abnormal, and adapt as needed. While the first version of our product intelligence is built around statistical methods of identifying abnormalities, we’re already working on a machine learning model capable of detecting an insider threat better than our hard-coded rules.

  • Context

Context is critical, both when it comes to triaging alerts and when it comes to forensic investigations. offers human-readable, easily accessible context that answers the important questions: “who,” “what,” “where,” “when,” and “how.”

  • Alerts

Analysts aren’t able to fight threats if they’re buried beneath noise. Because integrates directly with your Business Applications we are able to narrow down the provided information to the very essential data access history. Our Alerts act as answers, not as a continuous loop of false positives, cutting down the noise and enabling swift action.


Organizations tend to think an effective Insider Threat Protection Software must be scalable enough to be deployed enterprise-wide and fully function across the company’s environment. However, if such a tool significantly impacts network performance, or hinders user productivity in such a way that it is constantly being disabled or worked around, then the tool isn’t really protecting the user or the organization anymore. direct integration with Business Applications guarantees that we strictly capture data relevant to a potential data breach. We connect to your primary database* to tag tables and columns which contain personal or sensitive data. From there, the user selects the tables that they would like to monitor for access, and we do not generate data related to any other user activity.

This ensures we have a low impact on network, system and user performance. Be wary of Insider Threat Protection Software that generates excessive amounts of data, as the heavy footprint associated with that kind of data collection is likely to hinder scalability and usability.

(*please note that we only access the database schema, not the underlying data).

Furthermore, we’ve built so that it doesn’t require excessive man-hours to manage alerts or tuning, and we have created a user experience tailored to the non-technical staff responsible for privacy matters at your Organization, meaning you won’t need to hire additional team members.


Modern threats move quickly, so organizations need to be able to pivot just as quickly if they hope to keep up. This also means that security measures – and Insider Threat Protection Software – need to be agile enough to adapt to changing priorities and conditions if they hope to be effective. was built so that tuning and customization are fast and smooth, instead of having you and your Organization stuck in an endless configuration loop that isn’t providing enough value or delivering return on investment.

Our direct integration with Business Applications means you only have to configure our integration if your Application starts collecting additional personal/sensitive data – and in case that happens, the configuration process is extremely fast and simple.

Additionally, transactions on data are sent in ‘near real-time’ and if a potential breach is detected we immediately send you a notification and upload the most recent data onto our Software.


Employee privacy has become a topic of increased interest and scrutiny for both governments and enterprises – and should be given strong consideration when building insider threat software. Furthermore, creating a culture of intense surveillance and treating every employee as a subject of distrust is likely to seriously hurt employee morale. And it can backfire in very tangible ways that go beyond moral responsibility. keeps a user’s identity hidden and behavioral data protected until suspicious activity is detected. These capabilities not only help alleviate employee privacy concerns, but also provide a layer of protection at a time when behavioral data is increasingly considered sensitive, personally identifiable information. is also deployable in a GDPR (or any other Privacy Regulation) compliant manner without entailing any special changes to its functionality or deployment. Our Software has been constructed with a core focus on the principles of ‘Privacy by Design’, meaning we never read or capture any customer or employee personal data. Our software simply accesses the database schema, not the database that stores the real data.
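One way to realize “identity hidden until suspicious activity is detected”, as an added example that is not the vendor’s implementation: the SDK side replaces the user identifier with a keyed one-way pseudonym before anything leaves the application, the key and the reverse map stay with the customer, and re-identification is only permitted for a pseudonym that carries an alert, with every reveal recorded. The key value, the vault design and all names are assumptions.

```python
import hashlib
import hmac

# Assumed design, not the vendor's: the key and the pseudonym->identity map stay with the
# customer; the analytics side only ever sees pseudonyms. Constructed demo key, not for real use.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

def pseudonymize(user_id, key=PSEUDONYM_KEY):
    """Keyed one-way pseudonym: stable for the same user, and without the key it cannot be
    reversed or brute-forced from a short list of known user IDs (unlike a plain hash)."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]

def strip_identity(events, key=PSEUDONYM_KEY):
    """What the in-app SDK would send: the same events with the user replaced by its pseudonym."""
    return [{**e, "user": pseudonymize(e["user"], key)} for e in events]

class IdentityVault:
    """Holds the only copy of pseudonym -> identity and reveals one only for a flagged pseudonym."""
    def __init__(self, user_ids, key=PSEUDONYM_KEY):
        self._map = {pseudonymize(u, key): u for u in user_ids}
        self.audit = []  # every reveal is recorded for later review

    def reveal(self, pseudonym, alerted):
        """`alerted` is the set of pseudonyms that currently carry an alert; anything else is refused."""
        if pseudonym not in alerted:
            raise PermissionError("identity reveal requires an alert on this pseudonym")
        self.audit.append(pseudonym)
        return self._map[pseudonym]
```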
