Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/29/2011
05:02 PM
50%
50%

Analyzing Data To Pinpoint Rogue Insiders

Companies and universities look for specific algorithms that will help identify malicious insiders and compromised systems that are acting as insiders

The hunt for technology to identify malicious insiders took off in 2011 with the research arm of the Pentagon, the Defense Advanced Research Projects Agency (DARPA), offering up millions of dollars in grants to fund research.

Earlier this month, for example, the Georgia Institute of Technology announced that DARPA had funded a collective effort by the school and four other organizations to create a suite of algorithms that turn disparate data feeds into real-time alerts of anomalous activity. The project, funded to the tune of $9 million over two years, will detect multiple types of insider threats and is funded under DARPA's Anomaly Detection at Multiple Scales (ADAMS) project.

"We are going after the hardest insider threats -- an organization where everyone is trusted and perhaps cleared," says David Bader, a professor at Georgia Tech's College of Computing and co-principal investigator on the project. "We are looking at an area where people might, over years, head down the slippery slope."

The team is led by Science Applications International Corp. (SAIC) and -- in addition to Georgia Tech -- includes researchers from Oregon University, the University of Massachusetts, and Carnegie Mellon University.

DARPA has yet to announce grants for its second project, the Cyber Insider Threat (CINDER) program.

Analyzing big data for business intelligence has become a key tool for companies to compete. Now universities and security firms are modifying the techniques to analyze data from multiple sources and identify anomalous behavior of individuals. SAIC, Georgia Tech, and the rest of its team will use a variety of big-data techniques and machine learning to create a prototype system. The technology will go beyond typical network anomaly detection and include non-network data.

"We need specialized technology to do this, but whether or not we need government deployed software versus COTS is an open question," says Eddie Schwartz, chief security officer for security giant RSA. Among the other groups that won a grant for DARPA's ADAMS project is Raytheon, for a commercial system that is already used. The system, SureView, monitors and captures end-user activity that is anomalous and could be malicious.

Such specialized systems are necessary to detect insider threats, Schwartz says. In the past, counterintelligence techniques called for identifying anomalies in the behavior of individuals in sensitive positions.

"If you think classically, how would you find indicators in people's activities? Large deposits in their bank accounts, changes in the way they drive to work," he says. "Those types of human intelligence observations that we saw classically during the Cold War, we are just extending to the dark side of cyberspace."

A key benefit of anomaly detection is that previously unknown threats can be detected. But a drawback is that the systems typically create a large number of alerts, many of them false, says Malek Bin Salem, a cybersecurity research scientist at Accenture Technology Labs. Columbia University has created a system that seeds directories with decoy documents that appear interesting but will alert the owners if opened or copied. Salem, a former Columbia researcher that worked on the project, found that 20 decoy files can typically catch an intruder on a personal file system containing 100,000 documents.

"The advantage of any honeypot technology [like the Columbia system] is that the signal is going to be stronger -- if you see an alert, it is very likely going to be a real attack," she says.

A startup company, Allure Security Technology, has licensed the technology from Columbia and is also funded under the ADAMS program.

With such systems, however, comes the danger that an employee who changes his behavior for benign reasons or that inadvertently accesses a decoy file could find himself under suspicion. The Pentagon is most interested in detecting malicious insiders before they commit their ultimate rogue act, suggesting the precrime predictions of the movie Minority Report.

Yet Georgia Tech's Bader says the goal is not prediction, but accurate documenting an insider's behavior.

"We are not looking for pre-crime," he says. "We are looking for a chain of evidence. This is a new type of security that we will see in the future."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Florida Town Pays $600K to Ransomware Operators
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12346
PUBLISHED: 2019-06-24
In the miniOrange SAML SP Single Sign On plugin before 4.8.73 for WordPress, the SAML Login Endpoint is vulnerable to XSS via a specially crafted SAMLResponse XML post.
CVE-2014-9699
PUBLISHED: 2019-06-24
The MakerBot Replicator 5G printer runs an Apache HTTP Server with directory indexing enabled. Apache logs, system logs, design files (i.e., a history of print files), and more are exposed to unauthenticated attackers through this HTTP server.
CVE-2019-7231
PUBLISHED: 2019-06-24
The ABB IDAL FTP server is vulnerable to a buffer overflow when a long string is sent by an authenticated attacker. This overflow is handled, but terminates the process. An authenticated attacker can send a FTP command string of 472 bytes or more to overflow a buffer, causing an exception that termi...
CVE-2017-17945
PUBLISHED: 2019-06-24
The ASUS HiVivo aspplication before 5.6.27 for ASUS Watch has Missing SSL Certificate Validation.
CVE-2019-10271
PUBLISHED: 2019-06-24
An issue was discovered in the Ultimate Member plugin 2.39 for WordPress. It allows unauthorized profile and cover picture modification. It is possible to modify the profile and cover picture of any user once one is connected. One can also modify the profiles and cover pictures of privileged users. ...