Get started Bring yourself up to speed with our introductory content.

Analytics and the insider threat: Privileged users and patterns of deception

Security professionals should analyze metrics to learn baseline behavioral patterns of their employees and identify anomalous behaviors.

Timothy Rogers

Marketing folks have long identified the promise of big data and analytics, looking for competitive advantages and insights into customer behaviors. Internet users help build these metrics by "liking" this or that, or unknowingly indicating preferences through their daily Web activities. Similar metrics surround those of us in the information technology profession: This data can be mined to help protect our companies.

The methodology of using the metaphorical electronic battering ram to break through a company's hard exterior is gone, but not forgotten. Most security teams now understand how to protect against these attacks. Security professionals are even getting more talented in spotting those pesky advanced persistent threats (APTs) that parachute into our companies and open up the unwanted outbound conduit. When APTs execute and communicate back to the command center, those actions take on the same characteristics as insider threats.

Today's security organizations collect logs, use security information and event management (SIEM) correlation engines, participate in crowdsourcing, and purchase security intelligence services. All these sources are effective and even beneficial independently, but they struggle to help identify insiders who have appropriate access and are abusing it.

Timothy Rogers, Group Manager, IT Security, United Technologies Corporation (UTC)

  • Has worked at UTC since 2005, developing task forces to target IT security threats for the company and its customers in the global aerospace and building systems industries.
  • Increased focus on insider threats at UTC and discovered that employees begin to ex-filtrate data that they believe is their property as much as 60 days in advance prior to giving their notice.
  • Credentials and affiliations: EC-Council's Certified Chief Information Officer, ISACA Certified Information Security Manager, High Tech Crime Investigation Association, member of CT Infraguard, Information Systems Security Association

Among the questions we should consider are how and why these individuals became threats. The ‘why' may be as simple as monetary gain, a disgruntled employee or someone who mistakenly feels that the data is his/her property; whereas others encompass complicated scenarios such as social engineering attacks or an infected computer in which the user is unaware they are a threat.

To combat insidious insider threats, security professionals should begin to examine user metrics to learn more about the baseline behavioral patterns of their employees and, more importantly, identify anomalous behaviors. These metrics may not be the ones that traditional SIEM systems gather or even consider.

Organizations often wonder how to collect user metrics and what to do with that information once they have it. Consider the value of certain metrics, such as daily system logon/logoff, average size of email transmissions, number of emails sent (and received), with whom users communicate, the frequency and tone of those communications, Internet usage and data transfers. Network and endpoint data loss prevention systems provide a number of metrics that should not be overlooked. Identity management systems add to the mix and help us compare a person's historical usage patterns and that of his/her peers. Consider adding user financial data (travel expense reports, credit cards, purchase cards and the like) and travel itineraries to help build a profile of each employee.

Outside of work

Apple or Android? Apple. Android scared me.

Plan B:  Great burger bar (I like peanut butter on my hamburger).

Security hero? Wow, tough call. Many historical people for their contributions, but I really like talking now to the fresher minds -- of our time -- that are putting new methods in place. Greg Hoglund is one of them.

Two things people don't know about you:  I enjoy teaching/mentoring. And my passion for the Red Sox is second only to the love I have for my family.

How you unwind: I love to go to the gym, lift weights and prep for Spartan Races or any obstacle course-type race.

What keeps you up at night?  Not knowing. With so many threats and attack vectors, we don't know what we don't know.

Many organizations gather this type of data, but I question if we apply the right type of analysis to it. Using analytics, we can start to compare individual's historical patterns, peer groups, departments and organizations. Such comparisons show usage patterns that will normalize over time and make it much easier to see the needle in a stack of anomalies that squeak by our faithful SIEMs.

Insider threats normally have all the permissions needed to copy, print, move, email and use company data to perform their everyday work. So how do we notice when threats are valid and not just false positives? Humans tend to be creatures of habit. Therefore, when we apply thoughtful analytics to our user metrics, we can see that Bob is printing a lot of documents that he normally doesn't access or Alice just copied the whole network share to a removable drive. These actions alone do not necessarily mean there is a threat to the company, but they certainly provide insights that require follow up.

We all have times when we are not at our best and perform actions that certainly could be a false positive in the analytical world. How many of us today see this with our fellow coworkers or employees? Putting some analysis behind our metrics, comparing users' actions to their norm or the norms of their work environment provide substantial insight into threats below the radar. Data analytics provide security organizations with an intelligent tool that provides deeper and clearer insight to help search out and destroy dangerous insider threats.

This was last published in December 2013

Dig Deeper on Data security technology and strategy