Information on Malicious Insiders
Difficult to detect and prevent, attacks by people with legitimate access to an organization’s computers and networks represent a growing problem in our digital world. These insider threats frustrate employers who lack the resources to identify them and monitor their behavior.
Insiders are not just employees: today they can include contractors, business partners, auditors... even an alumnus with a valid email address. And not all insider attacks are malicious; the perpetrators may be unknowing pawns of a malevolent colleague or a poorly tested system, or simply the careless initiators of unintended consequences. But one thing is clear: insider threats are a costly problem, bedeviling organizations that lack the resources to monitor actions, prevent bad outcomes, or avoid harm when data leakages occur.
The underlying complexities of insider threat, including the very definition of an insider, are poorly understood. At the same time, protective and mitigative strategies are difficult to implement without impairing normal business operations. The Institute for Information Infrastructure Protection (I3P) Insider Threat project brings a grounded, multidisciplinary and far-reaching approach to this critical cyber risk. The project will have a significant effect, not only on how employers view insider risk, but on how organizations can effectively respond to potential threats and actual behaviors. The technologies and policies developed by the project team will balance business needs with effective security solutions.
Supported by the I3P, the Insider Threat project brings together more than 20 experts from seven major institutions and numerous fields of study to unravel the myriad complexities posed by insider threat.
The project has two clear objectives:
Insider Threat researchers are actively working with industry and government stakeholders to elicit feedback, amass data and experiences, and test new technologies. This partnership will ensure that solutions are comprehensive and useful, aligning good security with real-world needs.
Focused on deliverables, the team is leveraging its relationships with industry, most notably in the financial sector, to test tool prototypes early in the development cycle. The team also seeks partnerships with vendors to facilitate the marketing and distribution of tested technologies.
Tools that alert companies to possible unwelcome insider actions already exist. They track and monitor patterns of network activity, looking for signs of unusual behavior, such as repeated attempts to access a generally restricted site. But such systems can be burdensome and sometimes produce false positives. They can also overwhelm a large network by slowing traffic and interfering with business operations. And since insiders have legitimate access, security controls can be circumvented by employees with the right constellation of privileges and technical skills.
The Insider Threat project acknowledges that security must complement, not hamper, business needs. To that end, team members are compiling a comprehensive overview of insider behavior, describing the roles of motive, intent and policy in enabling wrongful actions. In addition, researchers are identifying risk factors for each type of insider behavior, plus methods and incentives to discourage inappropriate activities. Moreover, unlike most other technology-based endeavors, the I3P’s Insider Threat project incorporates legal, economic, ethical and technical concerns in its suite of detection, mitigation and prevention solutions.
Specific goals of the Insider Threat project include:
Information about the project can be found at www.thei3p.org or by contacting:
Shari Lawrence Pfleeger, Team Leader, at pfleeger@rand.org
Scott Dynes, I3P Director for Research, at scott.dynes@dartmouth.edu