
Approaches to Solving the Insider Threat University of Louisville October 5, 2006


Presentation Transcript


    1. Approaches to Solving the Insider Threat University of Louisville October 5, 2006 Dr. Bruce Gabrielson BAH Insider Threat TAG Chairman

    2. Objectives Provides visibility into how any broadly defined technology can be decomposed such that partial solutions are identifiable using a formal investigative process. Describes the approach taken in support of the DoD’s Enterprise-wide Solutions Steering Group’s (ESSG’s) Insider Threat Technology Advisory Group (TAG).

    3. Insider Threat TAG The DoD Insider Threat TAG has been charged with generating formal requirements and identifying solutions to create a baseline insider threat mitigation capability. The TAG consists of subject matter expert representatives from at least twenty-two services and agencies. This TAG represents the first DoD-wide effort to identify and deploy an enterprise level insider threat solution.

    4. What is an Insider As a general definition, the “insider” is anyone who has, or has had, authorized access to an information system. Some definitions address the broader scope of insiders that carry out malicious acts, or of outsiders that compromise systems and then act as insiders. The definition depends on the perspective of the individual defining the problem.

    5. Historical Issues It has taken a long time to find an insider threat solution because the problem was broadly scoped and no one organizational perspective could influence a baseline solution. Many point solutions have evolved to address individual needs such as law enforcement legal issues, counterintelligence, system administrators, and network incident responders. Law enforcement and network analysts see the world differently than system administrators do.

    6. Notional Perspectives

    7. Solution Process Technology Decomposition: Decompose the needed technology into basic definitions and functional capability components. Create “testable” requirements that validate identified capabilities. Solution Mapping: Map the various point solutions against this decomposition. Solution Evaluation: Evaluate potential solutions and overlapping capabilities. Recommend those that offer the “greatest bang for the buck.” Focus Research: Focus research thrusts on selected gap areas. (Speaker notes: Functional components are functional capability testable requirements. Research would also address the need for technology transition.)

    8. Decomposing the Problem There are two insider threat actors. The “true insider” has authorization from command and control elements to access the network, system, or data. The “pseudo-insider” is someone who gains access and acts as an insider but is not currently authorized.

    9. General Insider Activity Categories The activities of an insider fall into five general categories: Conducts malicious activity against or across the network, system or data. Exceeds given permissions. Provides unapproved access to the network, system or data. Circumvents security controls or exploits security weaknesses. Non-maliciously or unintentionally damages resources.

    10. Users in Terms of Mission Needs

    11. Protection Coverage Levels Light-weight detect capabilities provide the indication and warning of potential misuse that includes all insider activities. They consist of network and host-based sensors, as well as anomalous behavior profiling solutions. In-depth react capabilities enable the reduction of false alarms by distinguishing between misuse and malicious insider behavior. (Speaker notes: A light-weight trigger event indicating a possible threat enables the use of less computationally intensive monitoring than would be the case with a continuous user profile tool.)

    12. Anomaly Detection The word "anomaly" is used to refer to anything out of the ordinary, normal, or expected in the configuration and operation of a network and the components within or attached to it. The IA community generally uses the word "anomaly" in a restricted technical sense to mean statistical deviation detection in reference to deviant user behavior at the host or network level.

    13. Requirements Development and Coverage A full range of functional requirements with prioritizations have been developed for scoping the insider threat problem. Malicious code insertion. System modification. Hacking/network vulnerability exploitation. Content access and/or manipulation. Transitive trust exploitation. Spoofing. Exfiltration. (Speaker notes: These are a few of the many requirements.)

    14. Level of Deployed Protection Enclave level tools (host and boundary) are considered most effective for insider threat detection. Some questionable actions could be part of regular user activities. Bad behavior and accidental misuse fall in this category. Detection might only indicate a violation of policy, not an insider threat. Major issue with false alerts.

    15. Parts of the Solution Part 1 - Host-based anomaly detection targets activities of trusted, authorized users performing unauthorized actions. Part 2 – Network-based insider anomaly detectors focus on behavior profiling and malicious activities characteristic of an insider. Part 3 – A correlator takes data from the previous two pieces as well as log files and other feeds for indications of misuse. Part 4 - The false positive reduction piece gathers additional activity data about the specific user to determine the type of misuse. (Speaker notes: Each part of the solution has a specific focus area. Parts 1-3 address the protect and detect requirements of insider threat, while Part 4 addresses the react needs. The expected sequence of events is that through authorized network monitoring and detection, it is determined that a particular user’s behavior meets criteria for further targeted collection and analysis. Basically, the light-weight sensor and correlator will find a suspicious activity and alert the “more robust” correlator to install a more robust sensor and begin following user activities closely.)
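The tiered approach of slides 11, 12 and 15 (light-weight statistical triggers from host and network sensors, a correlator, and escalation to targeted collection only when the evidence warrants it) is easier to reason about in code. The following is an added illustration, not one of the TAG's tools or any HBSS component: the per-user activity records, the three-sigma threshold, the attribute names and the escalation rules are all assumptions chosen for the example. Anomaly is used in the restricted sense of slide 12, as a statistical deviation from the user's own baseline.

```python
"""Tiered insider-threat detection (illustrative example, not the TAG's code):
light-weight per-user anomaly triggers feed a correlator that decides whether
to escalate to in-depth, targeted collection. All records are constructed."""
import statistics
from collections import defaultdict

# Constructed daily activity records: user,day,bytes_out,offhours_logins,policy_events
# bytes_out / offhours_logins come from network and host sensors (Parts 2 and 1);
# policy_events counts host-level policy violations (e.g. denied privilege use).
SAMPLE_LOG = """\
alice,1,120000,0,0
alice,2,130000,0,0
alice,3,110000,1,0
alice,4,125000,0,0
alice,5,900000,3,2
bob,1,500000,0,0
bob,2,520000,1,0
bob,3,480000,0,0
bob,4,510000,0,0
bob,5,530000,0,1
"""


def parse_log(text):
    """Group records by user, preserving day order."""
    per_user = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        user, day, nbytes, offhrs, pol = line.split(",")
        per_user[user].append({
            "day": int(day), "bytes_out": int(nbytes),
            "offhours_logins": int(offhrs), "policy_events": int(pol)})
    return per_user


def zscore(history, current):
    """Statistical deviation of 'current' from the user's own baseline.
    A baseline with fewer than two points or zero variance cannot yield a
    meaningful deviation, so it is handled explicitly."""
    if len(history) < 2:
        return 0.0
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    if sd == 0:
        return 0.0 if current == mean else float("inf")
    return (current - mean) / sd


def lightweight_triggers(records, threshold=3.0):
    """Parts 1 and 2: flag attributes whose latest value lies more than
    'threshold' standard deviations above the user's earlier days."""
    history, latest = records[:-1], records[-1]
    triggers = {}
    for attr, source in (("bytes_out", "net"), ("offhours_logins", "host")):
        z = zscore([r[attr] for r in history], latest[attr])
        if z >= threshold:
            triggers[attr] = {"source": source, "z": round(z, 2)}
    # A policy violation is a deterministic host trigger, not a statistical one.
    if latest["policy_events"] > 0:
        triggers["policy_events"] = {"source": "host",
                                     "count": latest["policy_events"]}
    return triggers


def correlate(triggers):
    """Part 3 correlator. A lone trigger gives indication and warning only
    (slide 14: it may be a policy violation, not an insider threat).
    Independent host AND net evidence, or a statistical anomaly together with
    a policy violation, escalates to Part 4 targeted collection."""
    if not triggers:
        return "none"
    sources = {t["source"] for t in triggers.values()}
    statistical = [k for k, t in triggers.items() if "z" in t]
    if {"host", "net"} <= sources:
        return "targeted_collection"
    if statistical and "policy_events" in triggers:
        return "targeted_collection"
    return "indication_warning"


def assess(text):
    """Run the full pipeline over a log and return the decision per user."""
    return {user: correlate(lightweight_triggers(recs))
            for user, recs in parse_log(text).items()}


if __name__ == "__main__":
    for user, decision in assess(SAMPLE_LOG).items():
        print(user, decision)
```

In the constructed data, alice's last day trips both a network trigger (an order-of-magnitude jump in bytes out) and host triggers (off-hours logins and policy events), so she is escalated; bob has a single policy event with no statistical anomaly and stays at indication and warning, which is the false-alert case slide 14 warns about. The continuous, expensive per-user profiling only starts after the light-weight stage asks for it, which is the point of the two coverage levels on slide 11.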

    16. Protection Solution Architecture

    17. (Speaker notes: There are also Part 1-3 collection issues related to where the data is stored. Concept of Dr. Gabrielson’s InT tools data flow as they apply to a global network.)

    18. Available Solution Sets & Gaps Highlighted

    19. Existing Solution Approaches Two available approaches emerged from solution set mappings. Host-based and network-based activity alarms generated by individual user misuse. Network user profiling that specifically addresses insider behavior. Activities based on network or host-based intrusion detection alarms alone are insufficient to detect a true insider. Agent-based host monitors help reduce false alarms. The existing solution set can support a baseline capability. Includes the Host Based Security System (HBSS). (Speaker notes: HBSS is a host agent based system that enables remote deployment of a number of host agents for various control functions.)

    20. HBSS (Speaker notes: HBSS is a technology enabler.)

    21. Research & Tech Transition

    22. Gaps - Exfiltration The term is often used in the context of the unauthorized or inappropriate removal of information/data over network connections or through policy violations. True insider activities fall under both host policy violations and network exfiltration. Pseudo-insider activities involve network exfiltration to an outside attacker who has compromised a host on the inside. Data tags may solve this problem.

    23. Gaps - Alarm Generation Lack of real-time network awareness hampers the effectiveness of IDS. The integration of all related sensing and warning generation capabilities from many sensors to feed a single insider threat focused command and control workstation does not currently exist. There is a serious need for alert/alarm capabilities to differentiate between accidental misuse and actual insider activity.

    24. Gaps – Data Reduction Data reduction and investigative tools: The ability to quickly identify the potential insider with malicious intent, without the insider knowing they are being observed, has not been refined to include all behavior profiling attributes. Audit logs: Lack of standards that would allow vendors and developers to support a flexible, structured audit mechanism.

    25. Gaps – Behavior Profilers User activity monitoring gaps are present in some available products and not in others. Must find a balance between attributes collected and the information needed for identification. Monitoring and analysis of system administrators. Application-based monitoring and analysis. Correlation across multiple monitoring mechanisms. Differential and adaptive monitoring.

    26. Gaps - Forensics The cyber-observable preservation needs include: Tools for analyzing and correlating monitoring data and audit records. Forensic tools on machines and storage devices. Evidence collection and preservation. Dynamic determination of the need for, and implementation of, restricting access, initiating additional data collection, or monitoring.

    27. Other Countermeasure Gaps Multiple and coordinated forms of authentication across security domains or organizations. Watermarking, fingerprinting, and other forms of marking data for detection of unauthorized actions (disclosure, modification). Differential access controls depending on roles, rights, privileges, access context, and history.

    28. Technology Update Formal functional requirements for all components of insider threat were completed this year. Recent RFI submission reviews indicate many COTS partial solutions are available. Planning for the first enterprise-wide acquisition and deployment of a baseline insider threat capability is currently underway.

    29. Questions?
