The importance of pattern analysis in breach prevention

This is a guest blog post by Jenny Radcliffe.

If you spend any amount of time observing people you will notice that we are very patterned in our behaviour. Patterns are important, sending a multitude of signals to the outside world about who we are, what motivates us, and what we truly care about.

Psychologically, it is comforting to return to familiar places, to follow tried and trusted routines. Patterns show our normality, our state of mind, our intentions, fears, desires and motivations. Patterns reveal what makes us human and unique. They show what we are compelled to do now, what we intend to do in the future, and what rules we have chosen to obey or break. From our transport routes and shopping habits, from the people that we contact, and the way that we sleep, exercise and entertain ourselves. From how we sign our names and write our words, patterns both define and identify us.

 Many years ago I investigated a case of suspected Intellectual Property theft for an industrial client in Asia. The suspicion was that large amounts of proprietary research and development information were being leaked to a competitor.  The leak would have to have been through an individual within the client company with access to specific information on their new product offering.  A process of elimination had confirmed the source as likely to be an individual, or group of individuals, within the quality department of one of their manufacturing sites. 

After a long investigation one thing was clear, whoever the insider leaking the information turned out to be, they had been careful not to leave any obvious trace of their misdeeds.  Technology was less sophisticated then, and in the absence of any obvious digital footprint, the investigative team had resorted to old-fashioned surveillance to try and pinpoint the perpetrator. 

One morning, whilst sitting in the car park of the client site observing the movements of the staff, I noticed one of the engineers walking into the factory much earlier than for the start of his shift. There is a normal “pattern of life” for different job roles and for staff as individuals.  Collectively, these patterns, contribute to the baseline of behaviour for an organization as a whole. Deviations from the pattern can be a red flag, a data point to be investigated. Patterns are important.

At this particular site most of the staff were always, and exactly, on time for their working day.  They were never, ever late, but certainly not too early either. Yet, here was Mr. X coming into work a good 45 minutes before he needed to clock in.

Looking more closely, I noticed he was carrying a large fabric laptop case that, from the way it flapped around in the slipstream of the revolving door, appeared to be empty.  This was also unusual as, at that time, almost no one had anything other than a desktop computer.  Laptops were expensive and not common.  Staff at this site certainly couldn’t afford to buy such an expensive item themselves, and the client had never issued any as far as I was aware, due to security concerns. I decided to sit tight and wait to see if Mr. X reappeared later that day.

After a thirteen hour wait, Mr. X finally emerged from the depths of the building.  It was a full hour after his shift had ended, and long after his colleagues had departed for the day. 

I watched as he punched his card and clocked off, pulling on his jacket and leaving the building.  He battled the revolving door and began the walk across the car park towards the staff exit.   

The briefcase was no longer empty. I could see from my parking spot some distance away that the laptop case was now heavy and stuffed with what seemed to be a lot of paper, visible from the still open zip at the side of the bag.  He strained awkwardly at the weight of it through the doors, but was careful not to drop or loosen his grip on the handle as he exited.  I signaled to the client security team to look into the activities of Mr. X and an internal investigation began.

It emerged that Mr. X had been the lone source of huge amounts of leaked information to the competitor. The details he had passed on had enabled them not only to copy the client’s product, but to design and release a modified version several months in advance of the intended launch date. This action took away their market advantage and cost them millions in lost revenue and customer loyalty.

Mr X had been manually printing documents for months, passing them in paper form, to the competitor, who was paying him generously for his trouble. The printer logs for his department showed multiple documents being printed from his computer both before and after normal working hours.  The contents of that laptop case, coupled with the previous leaked information, would have likely destroyed the client firm entirely, along with almost 5000 jobs and global confidence in the organisation’s integrity and products.

Having a “man on the inside” had rendered the considerable external defenses of the company more or less redundant. Whether bribed, coerced or encouraged from a third party, or acting alone from a malicious perspective, an insider with mal-intent is able to cause untold financial, reputational, cultural and psychological damage to the target organization, and is difficult to detect and prevent by definition. Mr. X had been free to move about the client company as part of his legitimate role.  He had previously raised no suspicion and had been otherwise a “model employee.”

However, patterns are important, and at some point the malicious individual has to take action in order to execute their mission.  If the organisation is observant, this move will stand out from the routine and will likely indicate any malicious purpose behind their actions. When information is stolen or distributed, systems or secure locations are accessed, operational protocols are broken and laptop cases are filled, the signs will be there if we are only ready to observe, and ultimately act, upon them. 

Therefore, knowing what “normal” looks like from both the human and digital perspective is a valuable part of every organisation’s security system.  This knowledge means that when we observe the spike in the graph, the unusual action, the break from routine, we recognize an exception and use it to trigger further investigation, detection and prevention.

Patterns are important, and when they are broken, this is often the most important signal of all.



At One Identity we understand the value of behavioral pattern analysis in preventing privileged identity theft and breach prevention. Read our paper on Understanding Privileged Identity Theft.

About Jenny Radcliffe, the Author: 

A burglar for hire, a professional con-artist, and an expert in non-verbal communications, deception and persuasion techniques, she is an ethical social engineer, a ‘people hacker’ hired to smash security measures, using psychology, con-artistry, subliminal linguistics, cunning and guile.

She has led simulated criminal attacks on businesses of all types and sizes, running crews with varied expertise and experience, in order to help secure client sites and information from malicious attacks.

Related Content