Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Hanley, Michael R.; Montelibano, Joji

doi:10.21236/ada610463

Cited by 20 publications

(15 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More specifically, these are approaches can be categorised as rulebased, graph-based, statistical and machine/deep learningbased [2]. As Table 1 shows, previous approaches tended to be rule-based, such as [5], [11], and [12]. These approaches all focused on detecting insiders who undertake data exfiltration activities, leveraging a series of rules to expose unusual access to files and directories [11], access to data without a 'need-to-know' requirement [5], or transfers of large amounts of data to recipients who do not exist in the organisational white-listed name-space [12].…”

Section: Related Workmentioning

confidence: 99%

Insider Threat Identification Using the Simultaneous Neural Learning of Multi-Source Logs

et al. 2019

View full text Add to dashboard Cite

Insider threat detection has drawn increasing attention in recent years. In order to capture a malicious insider's digital footprints that occur scatteredly across a wide range of audit data sources over a long period of time, existing approaches often leverage a scoring mechanism to orchestrate alerts generated from multiple sub-detectors, or require domain knowledge-based feature engineering to conduct a one-off analysis across multiple types of data. These approaches result in a high deployment complexity and incur additional costs for engaging security experts. In this paper, we present a novel approach that works with a variety of security logs. The security logs are transformed into texts in the same format and then arranged as a corpus. Using the model trained by Word2vec with the corpus, we are enabled to approximate the posterior probabilities for insider behaviours. Accordingly, we label the transformed events as suspicious if their behavioural probabilities are smaller than a given threshold, and a user is labelled as malicious if he/she is associated with multiple suspicious events. The experiments are undertaken with the Carnegie Mellon University (CMU) CERT Programs insider threat database v6.2, which not only demonstrate that the proposed approach is effective and scalable in practical applications but also provide a guidance for tuning the parameters and thresholds. INDEX TERMS Cybersecurity, data analytics, insider threats, word embedding.

show abstract

Section: Related Workmentioning

confidence: 99%

Insider Threat Identification Using the Simultaneous Neural Learning of Multi-Source Logs

et al. 2019

View full text Add to dashboard Cite

show abstract

“…The other model, the Ambitious Leader, characterized insiders who recruit others to steal information, either to develop or benefit a competing organization. More recently, the CERT Insider Threat center has focused on detecting intellectual property theft around the time of employee termination, with Hanley and Montelibano publishing a control and Moore et al publishing a pattern on the subject (Hanley and Montelibano 2011;Moore et al 2012). Additionally, Shaw and Stock published a white paper on the psychology of insiders who commit intellectual property theft, noting examples of 'observable workplace risk indicators' and discussing various mitigating strategies, including employee screening and employee reporting programs (2011).…”

Section: Insider Threats and Data Leakagementioning

confidence: 99%

Guest editorial: A brief overview of data leakage and insider threats

et al. 2013

View full text Add to dashboard Cite

“…Additionally, a 2011 SEI report titled Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination presents an example of an insider threat pattern based on the insight that "many insiders who stole their organization's intellectual property stole at least some of it within 30 days of their termination" [1].…”

Section: Mitigating Insider Threat: Tools and Techniquesmentioning

confidence: 99%

Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources

Silowash¹,

King²

2013

View full text Add to dashboard Cite

ix Tables Table 1: Instructions for Creating a New Auditing Policy 6 AbstractRemovable media, such as universal serial bus (USB) flash drives, present unique problems to the enterprise since insiders can use such media to remove proprietary information from company systems. Insiders may do this for legitimate reasons, such as to work on material at home, or they may do so for malicious reasons, such as to steal intellectual property.Organizations must establish and implement effective methods and processes to prevent unauthorized use of removable media while still allowing users with a genuine business need to access and remove such media. In addition, organizations should establish sound methods to track critical electronic assets so that they may better protect them.This report focuses on the theft of intellectual property using removable media, in particular, USB devices. We present methods to control removable media devices in a Microsoft Windows environment using Group Policy within an Active Directory environment. We also explore OpenDLP, an open source tool for identifying where sensitive data resides on organizational systems.

show abstract

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Abstract: This material has been approved for public release and unlimited distribution except as restricted below.

Cited by 20 publications

References 0 publications

Insider Threat Identification Using the Simultaneous Neural Learning of Multi-Source Logs

Insider Threat Identification Using the Simultaneous Neural Learning of Multi-Source Logs

Guest editorial: A brief overview of data leakage and insider threats

Insider Threat Control: Understanding Data Loss Prevention (DLP) and Detection by Correlating Events from Multiple Sources

Contact Info

Product

Resources

About