Insider Threat Final Breakout Report
Creation of an Insider Threat Research Community
• Initiate a community of insiders for the financial community to define the problem.
• Organize workshops to accomplish this integration and build the relationships.
• Leads to a more detailed RFP, internships, consortia, …
• Bring in people from the financial industry to expose them to research methodology (perhaps to become graduate students).
• Workshop needs to get buy-in from CxO-level officers in the financial industry.
RFP Ideas
• RFP parameters:
  • Overlap between insider detection and all other previous IDS work implies that we need a stronger relationship between the real data and systems and the PIs for this research. Sponsoring organizations need to actually promote real data sharing.
  • Livin’ d’ life == becoming an insider == access to the real places, not a copy of the data.
  • Graduate students to spend 6 months at a financial institution.
RFP Ideas (continued)
• Awards will encourage the integration of a researcher and a financial institution to provide access to the systems, business processes, and data used in the research.
• For a proposal on a specific research project focused on insider threat, the PI will identify how previous research results will be used to advance the capability of a financial institution to prevent, detect, or respond to insider threat. Each proposal will consist of the following 3 phases.
RFP Ideas (continued)
• Phase 0: a panel of experts that will work with financial institutions to further define the problem and potential solutions.
• Phase I will focus on problem definition and codification of current practice for finding and responding to insider threat.
  • Within the environment of the financial sector.
RFP Ideas (continued)
• Phase II: create a prototype or fundamental research result that addresses specific problems identified in Phase I.
• Phase III: publication and integration of these results into one or more financial institutions as a proof of concept.
Short-term Actions
• Workshop: financial services sector funding for a gathering of academics and industry experts to tightly define the insider threat problem and build relationships.
• Encourage the publication of white papers on best practice regarding insider threat.
• Socialize these papers with other institutions that will validate the practice throughout the sector.
Workshop Details
• 50-person workshop (bank and finance sector representatives, mid-sized regional banks).
• Researchers from leading institutions; NSF academic-oriented workshop.
• Hosted at the Department of the Treasury.
• IC community perhaps invited.
• Scope to the insider of an individual company.
• Tutorials on
  • insiders, from NSA and other groups;
  • banking and finance;
  • insider threat (case studies?): how insiders have operated in the past.
• Presentations on their information infrastructure.
Workshop Details (continued)
• Open workshop: attendees submit a position paper (or resume?) for a competitive slot (on the academic side). Financial sector attendees and tutorial presenters will be invited.
• Session 1: define the current threat. How do insiders operate in various parts of the sector? What are accepted practices versus unaccepted practices? (May or may not be criminal behavior.)
• Precursor to sponsoring an annual symposium on insider threat (developing a community of experts focused on the insider threat problem).
Pilot and Testbed Projects
• Focused studies on defining insider activities.
• New trust models (business trust models).
• Is the current information infrastructure trustworthy enough?
• Building a simulation environment (to study new technologies and approaches).
• Study: how do you discourage people from becoming insiders in the first place?
Pilot and Testbed Projects (continued)
• Usability
  • PSYOPS against your employee.
  • When has an employee been compromised? How can you tell?
  • Interfaces that encourage or discourage insider behavior (e.g., systems that provide feedback on how the systems are being monitored).
  • External information on usability:
    • IEEE Security & Privacy special issue on usability (HCISEC)
    • ACM CHI 2003
    • International Journal of HCI, Oct 05 special issue on usability and security
Pilot and Testbed Projects (continued)
• Transaction data from a day or two ago is unimportant (not confidential); gather this up for analysis.
• Feature extraction and anomaly detection techniques to discover patterns.
• Use injection to add insider activity to the data.
• Create a transaction data set that could be shared with the research community.
  • Conforms to standard practice in the industry.
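The pilot above (day-old transaction data, feature extraction, injected insider activity, anomaly detection) can be sketched end to end in a few dozen lines. The following is an added illustration, not code from the breakout report or from any financial institution: the transaction records, field names, the two operators "alice" and "bob", the account identifiers and the z-score and two-signal thresholds are all constructed assumptions. It builds per-user profiles from a five-day history, appends labelled synthetic misuse to a new day's batch, and flags transactions that deviate on at least two independent features, so that a single odd hour on its own does not raise an alert.

```python
"""Pilot sketch: take day-old transaction data, inject synthetic insider
activity, and run a simple per-user anomaly detector over it.  This is an
added illustration for the breakout report's pilot idea, not code from the
report or from any financial institution; every record, field name and
threshold below is a constructed assumption."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    txn_id: int
    user: str        # operator who initiated the transfer
    hour: int        # hour of day (0-23) the transfer was submitted
    amount: float    # transfer amount, arbitrary units
    dest: str        # destination account identifier
    injected: bool = False   # ground-truth label, used only to evaluate the detector


def history_transactions():
    """Constructed 'day-old' history: two operators with regular habits over five days."""
    txns, tid = [], 0
    for day in range(5):
        for hour, amount in [(9, 120.0), (11, 95.0), (14, 150.0), (16, 110.0)]:
            tid += 1
            txns.append(Txn(tid, "alice", hour, amount + 5 * day, "ACCT-1001"))
        for hour, amount in [(10, 2000.0), (15, 1800.0)]:
            tid += 1
            txns.append(Txn(tid, "bob", hour, amount + 50 * day, "ACCT-2002"))
    return txns


def todays_transactions():
    """Constructed new-day batch: ordinary activity plus one borderline case
    (alice at an unusual hour but otherwise normal)."""
    return [
        Txn(501, "alice", 9, 132.0, "ACCT-1001"),
        Txn(502, "bob", 10, 2100.0, "ACCT-2002"),
        Txn(503, "alice", 12, 140.0, "ACCT-1001"),
    ]


def inject_insider_activity(txns, user="alice", start_id=1000):
    """Append synthetic misuse so the data set carries labelled positives:
    off-hours transfers far above the user's norm to a never-seen account."""
    injected = [
        Txn(start_id + 1, user, 2, 5000.0, "ACCT-9999", injected=True),
        Txn(start_id + 2, user, 3, 4800.0, "ACCT-9999", injected=True),
    ]
    return list(txns) + injected


def build_profiles(history):
    """Feature extraction: per-user amount statistics, usual hours, known destinations."""
    by_user = defaultdict(list)
    for t in history:
        by_user[t.user].append(t)
    profiles = {}
    for user, ts in by_user.items():
        amounts = [t.amount for t in ts]
        profiles[user] = {
            "mean": mean(amounts),
            "std": pstdev(amounts) or 1.0,   # guard against a zero-variance user
            "hours": {t.hour for t in ts},
            "dests": {t.dest for t in ts},
        }
    return profiles


def score_transaction(t, profiles, z_limit=3.0):
    """Return the list of features on which this transaction deviates from its user's profile."""
    p = profiles.get(t.user)
    if p is None:
        return ["unknown_user"]          # no baseline at all: worth a look on its own
    reasons = []
    if (t.amount - p["mean"]) / p["std"] > z_limit:
        reasons.append("amount_z")
    if t.hour not in p["hours"]:
        reasons.append("off_hours")
    if t.dest not in p["dests"]:
        reasons.append("new_destination")
    return reasons


def detect_anomalies(history, batch, min_reasons=2):
    """Flag batch transactions that deviate on at least `min_reasons` features.
    Requiring two independent signals keeps a single odd hour from paging anyone."""
    profiles = build_profiles(history)
    flagged = {}
    for t in batch:
        reasons = score_transaction(t, profiles)
        if len(reasons) >= min_reasons:
            flagged[t.txn_id] = reasons
    return flagged


def evaluate(history, batch):
    """Compare detector output with the injection labels: (true positives, false positives, missed)."""
    flagged = detect_anomalies(history, batch)
    tp = sum(1 for t in batch if t.injected and t.txn_id in flagged)
    fp = sum(1 for t in batch if not t.injected and t.txn_id in flagged)
    fn = sum(1 for t in batch if t.injected and t.txn_id not in flagged)
    return tp, fp, fn


if __name__ == "__main__":
    batch = inject_insider_activity(todays_transactions())
    for tid, why in detect_anomalies(history_transactions(), batch).items():
        print(tid, why)
    print("tp/fp/fn:", evaluate(history_transactions(), batch))
```

Because the injected records carry a label, the same data set doubles as a benchmark: a shared version would let research groups report true and false positive rates on identical input, which is what the "shared with the research community" bullet is after. The profiles are deliberately built only from the history, never from the batch being scored, so injected activity cannot drag the baseline toward itself.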
Pilot and Testbed Projects (continued)
• Detecting exfiltration of data in preparation for some bad insider activity.
• Detecting changes under the user’s control in preparation for some bad insider activity.
• Study to discover the prevalence of masquerading across the sector.
• Experimental design workshop.
• Why didn’t past technologies work? (maintainability, expense)