Corporate Insider Threat Detection: Cyber Security Inside and Out
BACKGROUND
It is widely recognised that the threat to enterprises from insider activities is increasing, and that significant costs are being incurred. Since insider threats and compromising actions can take a multitude of forms, there is a diverse experience and understanding of what insider threats are and how to detect or prevent them. The purpose of this research is to investigate the potential for near real-time detection of insider threat activities within a large enterprise environment, using monitoring tools centred around the information infrastructure. As insider threat activities are not confined solely to cyber-based threats, the research will explore the potential for harnessing a variety of threat indicators buried in different enterprise operations connected to, or interfacing with, the information infrastructure, enabling human analysts to make informed decisions efficiently and effectively.
PROJECT OVERVIEW
Our research incorporates both theoretical and applied research projected to deliver a significantly enhanced capability in insider threat detection. We are also developing education and dissemination materials and strategies designed to maximise uptake of the insight generated by the research. Our approach is to combine cyber security, psychology, criminology, visual analytics, enterprise operations management and executive education expertise to:
- Develop a model for insider threat which is flexible enough to underpin detection systems based on both detecting deviations from normal behaviour and the identification of specific events of interest which might indicate the presence of an attack involving an insider. The model will support the distinguishing of attack events relating to activities in the physical space and cyber space, based on data sources accessible via the information infrastructure.
- Understand the potential for psychological indicators of an insider becoming a threat, including how we might detect such indicators based on cyber behaviours.
- Identify the most effective pattern extraction algorithms for facilitating correlation and detection across heterogeneous operational contexts.
- Understand the enterprise culture and common practices that such novel detection systems would need to work within, and design processes appropriate to enabling operation.
- Provide a visual analytical interface to assist human analysts in more complex reasoning and decision-making processes by enabling them to fuse their knowledge and experience with the information and threat indicators discovered by the system, hence empowering the analysts to play an active role within the detection system in addition to being consumers of its outputs.
- Develop an understanding of both the various organisational roles that will be impacted by such an insider threat detection system and have responsibilities towards successful outcomes, and the various awareness-raising and educational methods which are likely to have the greatest impact in enabling stakeholders to benefit from the research and to learn from the knowledge developed.
We are working closely with Financial Fraud Action UK, SOCA, CISCO, CIFAS - the UK's Fraud Prevention Service - and others. The project hosted a UK Workshop on Cyber-Insider Threat Risk Mitigation, in April 2014, bringing together over 80 attendees from industry, government and academia. Based on the success of this event, we intend to host a follow-up workshop at the end of the project, in 2015. Please contact our project manager if you would like to be on the mailing list.
Selected Publications
- Reflecting on the Ability of Enterprise Security Policy to Address Accidental Insider Threat
  Oliver Buckley, Jason R. C. Nurse, Philip A. Legg, Michael Goldsmith and Sadie Creese
  In Workshop on Socio-Technical Aspects in Security and Trust (STAST), associated with the 27th IEEE Computer Security Foundations Symposium (CSF). IEEE, 2014. DOI: 10.1109/STAST.2014.10
- Understanding Insider Threat: A Framework for Characterising Attacks
  Jason R. C. Nurse, Oliver Buckley, Philip A. Legg, Michael Goldsmith, Sadie Creese, Gordon R. T. Wright and Monica Whitty
  In Workshop on Research for Insider Threat (WRIT), held as part of the IEEE Computer Society Security and Privacy Workshops (SPW14) in conjunction with the IEEE Symposium on Security and Privacy (SP). IEEE, 2014. DOI: 10.1109/SPW.2014.38
- A critical reflection on the threat from human insiders - its nature, industry perceptions, and detection approaches
  Jason R. C. Nurse, Philip A. Legg, Oliver Buckley, Ioannis Agrafiotis, Gordon Wright, Monica Whitty, David Upton, Michael Goldsmith and Sadie Creese
  In International Conference on Human Aspects of Information Security, Privacy and Trust, at the 16th International Conference on Human-Computer Interaction (HCI). Springer, 2014. DOI: 10.1007/978-3-319-07620-1_24