Do you have in place methodologies to determine if your personnel are sharing information with third parties?
The guilty pleas from Frese and the fact he conducted classified searches on behalf of two journalists is a prime example of an insider threat realized.
LINK: https://news.clearancejobs.com/2020/02/20/dia-analyst-pleads-guilty-to-sharing-classified-documents-with-cnbc-nbc-reporters/
Other examples:
Director of Security at the SSCI - Wolfe - LINK: https://news.clearancejobs.com/2018/10/15/former-ssci-security-director-james-wolfe-pleads-guilty-to-lying-to-fbi/
FBI S/O Albury and The Intercept - LINK: https://news.clearancejobs.com/2018/04/18/former-fbi-special-agent-albury-pleads-guilty-sharing-secrets-intercept/
I don’t think there are any real-time alert systems but clearly such activity can be tracked afterwards.
One of the things that helped the FBI catch Robert Hanssen was his unauthorized activity on some kind of FBI system; he was trying to see if they were running surveillance ops on him. But that’s a little different from doing ordinary searches on a government system.
Your reference to Hanssen overextending his brief - This analyst went out of his swim lane as well. It should have been caught by the system imo – tho it was caught when a sharp-eyed reader noted the presence of TS/SCI in a print article