The insider threat : data breach within an organisation

Abstract

The Insider Threat issue has been identified as a serious security problem, so much so that considerable research, primarily by the CERT Insider Threat Centre, has been carried out. Threats originating from within an organisation's security perimeter, are a substantial problem, mainly because distinguishing between a malicious activity from a benign activity is rather challenging. Whilst there is no perfect solution capable in detecting different types of attacks posed by an insider, this work explores the research carried out on this subject and analyses the various approaches taken by different authors in order to mitigate this problem. This study focuses on identifying internal activities that might indicate violation to the integrity and confidentiality of a company's information security. Research shows that through monitoring and logging of users' activities, early detection of possible threats is probable. A system has been designed to use the historical logs to actively assess potential threats caused by insider/s, by applying the concept of Fuzzy Logic to certain aspects of the system. A set of Fuzzy Rules were used to differentiate between normal and abnormal behaviour. Research shows that this is an effective method to drastically reduce the number of false positives generated by the classic Intrusion Detection Systems. Furthermore, Damerau-Levenshtein Distance algorithm was implemented in order to further improve the ability to detect the leakage of confidential information via email. Positive results were achieved on all tests carried out and anomalies detected were successfully escalated to the system administrator in a timely manner. A survey was conducted to further analyse and evaluate the Insider Threat issue amongst local organisations. Emerging results, showed an increase in the companies' awareness and their intent to re-evaluate their business strategy in order to adopt more proactive measures to counteract this problem.