ARTICLE
TITLE

Methodology of Problem-Oriented Big Data Analysis in Limited Time Mode

D. V. Smirnov

Abstract

This paper discusses a methodology for organizing the search for signs of malicious insider activity in Big Data under limited-time conditions. The methodology is tested in a large industrial organization whose operating infrastructure covers several thousand servers and hundreds of information resources. Several tens of thousands of employees constantly use these information resources as part of their operational functions. The critical constraints that must be taken into account when looking for characteristics of insider activity are the dynamically replenished operational data on business activity characteristics, monitoring data, information on the activities of operational personnel, etc. At the same time, the threat profile, which reflects the current state of knowledge about the "nature" of malicious insider activities, is itself a dynamically changing object. In the proposed methodology, data analysis is carried out in limited-time mode while meeting the changing needs of the current situation. The presented technique can be generalized to solve tasks of this type. The operability of the methodology and of the software developed to implement it is demonstrated using the example of organizing the counteraction of malicious insider activities in a large Russian commercial bank.