Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Abstract

Since 2001, the CERT(registered trademark) Insider Threat Center has built an extensive library and comprehensive database containing more than 600 cases of crimes committed against organizations by insiders. A significant class of insider crimes, insider theft of intellectual property, involves highly damaging attacks against organizations that result in significant tangible losses in the form of stolen business plans, customer lists, and other proprietary information. The Insider Threat Center's behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization's intellectual property stole at least some of it within 30 days of their termination. This technical note presents an example of an insider threat pattern based on this insight. It then presents an example implementation of this pattern on an enterprise-class system using the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Oct 01, 2011
Accession Number
ADA610463

Entities

People

  • Joji Montelibano
  • Michael Hanley

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Computer Network Security
  • Crime
  • Data Exfiltration
  • Engineering
  • Enterprise-Class
  • Homeland Security
  • Human Resources
  • Information Systems
  • Insider Threats
  • Intellectual Property
  • Law
  • National Security
  • Security
  • Software Development
  • Theft
  • Threats
  • United States

Readers

  • Cybersecurity.
  • Organizational Process Management (OPM).