20 years ago, I was working the graveyard shift as a policeman on the south side of Chicago. Part of the area I patrolled included one of the largest railroad freight yards in the U.S.  Occasionally, we would get calls to assist the railroad police.  On this particular day we received a call to assist with a “theft in progress”. Upon arrival at the railyard, we found a freight train with 50+ rail cars stopped waiting to be unloaded.  After inspection, we found a single car with the locks broken, doors open, and a single crate pried open. There were a couple of boxes missing from the crate.

No big deal?  Unfortunately, it was a big deal — the boxes contained hand guns, and hundreds had been stolen.  During our investigation, we learned that it was common for street gangs to have an “insider” on their payroll.  The insider would be paid to steal and provide shipment information on the guns, including departure and arrival time of the train, rail car number, and track information.  What seemed to be a random burglary of a train car, turned into a case of a “rogue insider”.

I did not think much more about the burglary until a couple of months later, when another officer and I responded to a disturbance call at a house in our patrol area.  Upon entering the house, my partner and I realized we had interrupted a large party. We arrested over 60 people for disorderly conduct and recovered multiple hand guns. Each handgun had serial numbers filed off, and were the same make and model of the guns stolen from the train yard.  Since the serial numbers were filed off, there was no way to confirm they were part of the burglary of the train car. In hindsight, it’s easy to connect the dots: the railroad insider enabled a seemingly small theft that turned out to have a much larger impact. Stopping a small theft further upstream would have prevented larger harm later.

I have spent the last 12 years selling cyber security solutions to help organizations stop and contain malicious threats from outsiders.  Many of the largest breaches we’ve read about were caused by these outsiders.

However, the rogue insider poses a different, but equally large problem. The insider’s theft may seem small and it might be harder to catch, but the impacts can be huge. A USB thumbdrive might seem insignificant, but if it has the designs for a firm’s future product, the impact to that firm can be massive later on.

Every day I speak with prospects and customers who are well-versed in security controls, anomalies, algorithms, and data science. Despite their investment and efforts, these firms find that they can’t execute the fundamental principles of an investigation:

  • Determine if a breach has been committed
  • Take appropriate steps to stop the breach if in progress
  • Identify the offender
  • Protect and preserve the breach scene evidence
  • Locate/identify any witnesses

I joined Exabeam because our product was purpose-built to help detect these types of incidents early, and to help investigator’s do their jobs more effectively.

More like this

If you’d like to see more content like this, subscribe to the Exabeam Blog


Exabeam provides security intelligence and management solutions to help organizations of any size protect their most valuable information.