How Dominion Energy Built a Successful Insider Threat Program

Gurucul recently hosted a webinar featuring a case study from Dominion Energy on how the company built a program to protect itself from insider threats. R. Allen Davidson, the Insider Threat Manager for Dominion Energy, shared his company’s process for developing and implementing the enterprise-wide program. There’s so much good information in his presentation that we’d like to summarize it here. If you’d like to watch the full webinar, we are replaying it on December 8. You can register to attend here.

The executive leadership at Dominion Energy had the foresight to acknowledge what security experts have been saying for years: that every organization, regardless of size or industry, is vulnerable to insider threats. And so, a few years ago, the company got serious about building a robust Insider Threat Program designed to fully protect the company while also serving as a model program for the industry. The company’s Chief Security Officer, Adam Lee, pitched a vision for the program to the company’s executive leadership and got their complete support.

“The vision of our security organization at Dominion Energy is to mitigate today’s threats, manage our company’s vulnerabilities, and close intelligence gaps – while also meeting tomorrow’s challenges. We work to ensure our cyber systems are resilient and properly defended and we remain trusted stewards of stakeholder data. A critical piece of our overall converged security framework is effective mitigation of the insider threat. I believe that in order to build America and secure American critical infrastructure, you have to buy American; our partnership with Gurucul has enabled us to do both while building a best-in-class program.”
– Adam Lee, VP & Chief Security Officer, Dominion Energy

Lee hired Davidson to develop and manage the program. Prior to joining Dominion three years ago, Davidson had a 30-year career in law enforcement. For five of those years, he had experience in developing public/private partnerships and using data sharing models through a group called the Global Shield Network to deter crime. This experience served him well as he took the reins of Dominion’s program. It turns out that partnerships and data sharing are keys to the program’s success.

Starting From Zero

Davidson says he started with “zero technology, zero relationships” when he came in the door. His 4-member team started by developing policies clearly stating where and how the Insider Threat Program would work within the enterprise. The policies were created from best practices from expert sources. They wanted to establish a neutral organization that held no biases toward any particular group and which would work across the enterprise.

They also determined this would be a holistic program that covers the total risk landscape, from the physical world to the cyber world. Many companies today tend to focus on cyber threats, but non-cyber threats can be just as damaging. “We wanted to follow the traditional ‘deter, detect, and mitigate’ Insider Threat Programs, identifying potential indicators of insider activities through not only the traditional physical security attributes as well as the cybersecurity attributes, but also bringing in the non-security indicators that can add context to what we’re looking at as a potential threat,” says Davidson.

Laying The Foundation

In the early days of forming the program, Davidson and his colleagues took the opportunity to start conditioning, training, and educating the workforce about what was coming with the Insider Threat Program. “We’ve seen programs that came in too hot and they basically ended up turning off all their key stakeholders,” says Davidson. “They were not getting the cooperation they needed to make the program successful.” They knew that it would be critical to have supporting Education and Awareness programs to get people engaged, and to let employees know that the purpose of the program was not to watch what everyone is doing, but rather to protect the company and the workforce from becoming victims of an insider attack. Also, workers were asked to sign non-disclosure agreements to acknowledge their responsibility in protecting the organization.

Privacy is typically a big concern in an Insider Threat Program. Davidson’s team does not share information outside of the group. “We only share with those key ‘need to know’ people and our attorneys respect this approach,” says Davidson. “We know that datasets within our human resources group are protected and they are critical because, oftentimes, they are the secrets of our workforce. They need to be held very close.”

The team reached out to the business units’ leadership to make sure they understood what the program is trying to achieve, especially around alerts about risky situations. Davidson’s group identified critical positions across the enterprise, as people in these positions are often the targets of spear phishing campaigns. They identified critical assets – the crown jewels – that need to be protected. Of course, these assets can be in digital format, i.e., critical data, or physical materials or equipment.

They also identified who the potential perpetrators could be, which helps to think in terms of their motivation and how they gain access. Obviously, anyone who works directly for the company as an employee or a contractor is an insider. Some workers, like system administrators and executives, have heightened access to systems and important information. Third-party workers and supply chain partners may also have access to facilities and systems. These are the classes of people with legitimate authorized access that could easily be abused.

Then there are the true outsiders who somehow gain access to internal assets. These are likely to be hackers who purchased or stole a legitimate user’s credentials to gain access to computer systems and applications.

Establishing Strong Relationships

Davidson’s team built relationships with important groups both inside and outside the company. These partners can help to contextually identify risk that may be targeting the company. Key groups inside the organization include the business units, information security, human resources, employee development, corporate risk and compliance, legal, physical security, corporate investigation services, and the privacy program.

External relationships are important too as they bring a different perspective and experiences. Prior to joining Dominion Energy, Davidson was affiliated with a group called the Global Shield Network, which integrates open source data sharing models that would have public partnerships with private entities. He believes this is an excellent organization to begin with. Other key groups include law enforcement, federal agencies like the Cyber Security and Infrastructure Agency, providers of threat intelligence, vendors of both physical and cybersecurity technologies, and industry peer groups.

As you can see, it takes a village to bring Dominion Energy’s Insider Threat Program to life. Whether internal or external, all these relationships bring essential contributions to the program, including legal advice, employee training, policy guidelines, indicators of compromise, systems and user activity data, contextual information, threat and risk analysis, investigative services, and more.

Implementing the Right Technology

A key piece of the Insider Threat Program is identifying those technologies that can help surface threat indicators and integrating those technologies into the enterprise security platform. Davidson recommends learning what systems you already have in place and what you can use for the Insider Threat Program without investing a single dollar. Then identify those datasets that can be ingested into some sort of risk analytics platform. The more data, and more varied the sources, the better.

“It’s very important to know where your assets are, where you direct your attention and understand what you need to be watching for the company,” says Davidson. Dominion Energy uses the Gurucul Risk Analytics Platform to correlate and analyze data and to evaluate potential threats for the risk they pose to the company. “Gurucul Risk Analytics is a wonderful tool to direct you towards risky behaviors, but it is one piece of the puzzle. As you’re putting together your cyber security attributes, your physical security attributes, and your non-security attributes, you have to run those in a manner that they’re running over your machine learning models. You have to understand that this is a holistic picture that is not just aligned with a UEBA hit. Gurucul, I tell you, has done a great job with this.”

Davidson recommends that once the risk analysts have used the tools at their disposal to collect data and do the analytics and risk scoring, they turn the actual threat investigation over to a professional investigative body. This could be HR, the Ethics and Compliance group, a Corporate Investigation Services team, or the like.

Creating A Favorable Benchmark

Having had the program in place for some time, Davidson did some benchmarking against peer organizations worldwide. He learned that Dominion Energy aligned with others as far as the data sources ingested into their Gurucul User and Entity Behavior Analytics (UEBA) tool and that the program itself was structured similarly to other companies in private industry. However, he believes their program is a bit more mature than others. He invites others who are running their own Insider Threat Program to reach out to him to share best practices and to benchmark their programs. After all, it helps to know how Dominion Energy built a successful Insider Threat Program from the ground up!
