The Insider Threat to Your Computing Infrastructure
Joe Calandrino, Ph.D.
Security & Privacy
June 30, 2015
Last week, FBI Special Agent Carmine Nigro gave a fascinating talk at Elysium on economic espionage and intellectual property theft. Although the presentation covered a broad range of threats and mitigation strategies, one theme was the danger posed by an organization’s own employees. Employers inherently place some degree of trust in their employees, and abuse of that trust may be challenging to recognize and devastating to the organization. This is a topic of particular interest to me: while a graduate student, I conducted research at Oak Ridge National Laboratory on automated identification of insider threats in information systems. I will talk a bit about that work here.
Ideally, an employee would have access to sensitive organizational information only when needed for a particular task, and that access would end once the task was completed. Unfortunately, finely tailored constraints can be cumbersome in practice. A company may block access to sensitive financial documents by non-finance employees without much trouble, but the access needs of finance employees themselves might be complex and unpredictable, so a permissive rule ends up covering them. In the absence of perfect access control rules, my research considered means of automatically highlighting unusual behavior for analysis. Think of this highlighting as analogous to fraud detection on your credit card: something that looks odd given past actions can trigger a fraud alert.
Such a system could infer typical behavior from past activity by an employee or other employees in similar roles, with activity including details like type, timing, and frequency of access to various systems and documents. For example, how many documents would be typical for the employee to open on a workday, and would it be unusual for the employee to access documents over the weekend? Given that knowledge, the system could flag the most anomalous employee behavior, providing details regarding aspects of the behavior that raised concerns (e.g., the employee logged into a rarely accessed system and downloaded an extraordinary number of files). This approach would permit a manager to focus on the most suspicious recent behavior for review, looking for red flags and dismissing well-justified behavior.
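As an added example (this is not code from the original post, nor from the Oak Ridge work it describes), the following Python sketches the approach just outlined over a constructed access log: it builds a per-employee baseline of workday document counts, weekend activity, and systems touched, scores each recent employee-day against that baseline, and attaches a plain-language reason to every feature that raised the score. The employee names, systems, dates, z-score and rarity thresholds, and the log records themselves are all constructed for illustration.

```python
"""Per-employee behavioral baselines with explained anomaly scores over access logs.

Added example, not from the original post. All records and thresholds are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    employee: str
    role: str
    ts: datetime   # when the action occurred
    system: str    # system the action happened on
    action: str    # e.g. "login", "open", "download"


def ev(employee, role, ts, system, action):
    return Event(employee, role, datetime.fromisoformat(ts), system, action)


def workday_events(employee, role, day, system, n_docs):
    """Constructed data: n_docs document opens spread over business hours of `day`."""
    return [ev(employee, role, f"{day}T{9 + i % 8:02d}:{(i * 7) % 60:02d}", system, "open")
            for i in range(n_docs)]


# Two weeks of weekday history for two finance employees (constructed sample).
WORKDAYS = [f"2015-06-{d:02d}" for d in (1, 2, 3, 4, 5, 8, 9, 10, 11, 12)]
ALICE_COUNTS = [9, 11, 10, 12, 8, 10, 9, 11, 10, 10]
BOB_COUNTS = [7, 9, 8, 8, 10, 8, 7, 9, 8, 6]
HISTORY = []
for _day, _a, _b in zip(WORKDAYS, ALICE_COUNTS, BOB_COUNTS):
    HISTORY += workday_events("alice", "finance", _day, "finance-share", _a)
    HISTORY += workday_events("bob", "finance", _day, "finance-share", _b)
HISTORY.append(ev("bob", "finance", "2015-06-04T14:00", "payroll", "login"))

# Recent activity to score (constructed): bob on an ordinary Monday; alice on a
# Saturday night, logging into a system she has never used and bulk-downloading.
RECENT = workday_events("bob", "finance", "2015-06-15", "finance-share", 9)
RECENT += [ev("alice", "finance", "2015-06-13T02:05", "hr-archive", "login")]
RECENT += [ev("alice", "finance", f"2015-06-13T02:{m:02d}", "hr-archive", "download")
           for m in range(10, 50)]

DOC_ACTIONS = {"open", "download"}
Z_THRESHOLD = 3.0      # assumed: flag counts more than 3 sigma above the employee's mean
RARE_FRACTION = 0.10   # assumed: a system is "rare" if <10% of the role's employee-days touch it


def day_features(events):
    """Summarize events into one feature record per (employee, calendar day)."""
    days = defaultdict(lambda: {"docs": 0, "systems": set(), "weekend": False, "role": None})
    for e in events:
        f = days[(e.employee, e.ts.date())]
        f["role"] = e.role
        f["weekend"] = e.ts.weekday() >= 5
        f["systems"].add(e.system)
        if e.action in DOC_ACTIONS:
            f["docs"] += 1
    return days


def build_baseline(history):
    """Per-employee norms plus role-level system popularity from historical events."""
    per_emp = defaultdict(lambda: {"workday_docs": [], "weekend_days": 0, "systems": set()})
    role_days = Counter()          # employee-days observed per role
    role_system_days = Counter()   # (role, system) -> employee-days that touched it
    for (emp, _), f in day_features(history).items():
        p = per_emp[emp]
        if f["weekend"]:
            p["weekend_days"] += 1
        else:
            p["workday_docs"].append(f["docs"])
        p["systems"] |= f["systems"]
        role_days[f["role"]] += 1
        for s in f["systems"]:
            role_system_days[(f["role"], s)] += 1
    return {"employees": per_emp, "role_days": role_days, "role_system_days": role_system_days}


def score_day(baseline, emp, f):
    """Return (score, reasons) for one employee-day; higher means more anomalous."""
    p = baseline["employees"].get(emp)
    if p is None:
        return 1.0, ["no history for this employee"]
    score, reasons = 0.0, []
    counts = p["workday_docs"]
    if counts:
        mu, sigma = mean(counts), max(pstdev(counts), 1.0)   # floor sigma to avoid div-by-zero
        z = (f["docs"] - mu) / sigma
        if z > Z_THRESHOLD:
            score += z
            reasons.append(f"{f['docs']} document accesses vs typical {mu:.1f} (z={z:.1f})")
    if f["weekend"] and p["weekend_days"] == 0:
        score += 1.0
        reasons.append("weekend activity; none in history")
    role_total = baseline["role_days"][f["role"]]
    for s in sorted(f["systems"] - p["systems"]):          # systems new to this employee
        frac = baseline["role_system_days"][(f["role"], s)] / role_total if role_total else 0.0
        if frac < RARE_FRACTION:
            score += 1.0
            reasons.append(f"first access to {s}, used on {frac:.0%} of {f['role']} employee-days")
    return score, reasons


def rank_anomalies(history, recent):
    """Score each employee-day in `recent` against `history`; most suspicious first."""
    baseline = build_baseline(history)
    results = []
    for (emp, day), f in day_features(recent).items():
        score, reasons = score_day(baseline, emp, f)
        results.append((score, emp, day.isoformat(), reasons))
    return sorted(results, key=lambda r: r[0], reverse=True)


if __name__ == "__main__":
    for score, emp, day, reasons in rank_anomalies(HISTORY, RECENT):
        print(f"{score:5.1f}  {emp:6s} {day}  {'; '.join(reasons) or 'nothing unusual'}")
```

Running the script ranks alice's Saturday at the top with three reasons (the bulk download, the weekend timing, and the never-before-seen system) and bob's Monday at the bottom with none, which is the kind of output a manager could triage. The per-employee statistics here are deliberately simple; the same structure accommodates peer-group baselines (compare against everyone in the role rather than the employee's own history), which helps when an individual's history is short or has itself been shaped by the behavior you are trying to catch.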
Though such a system would not be foolproof (an insider who ramps up slowly can shift their own baseline, and legitimate bursts of activity will sometimes be flagged), it would provide another measure of protection for organizations facing insider threats. In security, we often build layers of protection into a system so that a threat that pierces one layer does not fully compromise the system. For certain organizations, automated insider threat detection tools may complement other safeguards like intrusion detection systems.
If your organization is looking to strengthen its computing systems, analyze suspicious activity by an employee (or former employee), or discuss the theft of technical trade secrets, please do not hesitate to contact Elysium.
Thanks again to Special Agent Nigro for the interesting presentation!