Investigating insider threats to any great degree results in one rapid conclusion - detecting them is hard. Companies such as Palantir have multi-billion dollar valuations as they develop novel algorithms for detecting suspicious or malicious behaviour.
In reality, complex threat detection software solutions have a chequered history in identifying such behaviour, let alone preventing it. Instead, this app focuses on the long-tail problem: organisations that have neither the funds nor the skills to deploy and maintain such a complex solution, but still need something that gives them insight.
How it works
Prevention is better than cure, and ensuring people know they are being monitored is an effective deterrent to casual insider threats such as data harvesting after resignation or emailing confidential data to friends. This submission demonstrates social enforcement of acceptable behaviour (e.g. as defined by a corporate acceptable usage policy) by showing:
- User level information
- Team information
- Corporate information
These three views are hugely powerful as part of an organisational security framework.
Users can see at a glance where they have browsed, what emails they have sent and what files they have copied. Reviewing this on a regular basis shows them exactly the information they know their managers can also see - a powerful disincentive to:
- Exfiltrate data to themselves or competitors
- Browse for new jobs or spend time on social media
As well as the social disincentive this information provides against casual insider threats, it also lets users positively confirm that their accounts have not been compromised:
- If they do not recognise login times or activities, a malicious user may have compromised their credentials or used an unlocked PC
- If other users have accessed their assigned PCs, a malicious user may have used their own account to access confidential files
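The two self-review checks above, as an added example that is not part of the submission: it flags logons outside a working-hours window or at weekends, and logons to the user's assigned PC made with a different account. The logon rows are constructed and only mimic the shape of the CERT sample data; the field names (date, user, pc, activity), the assigned-PC mapping and the 07:00-19:00 window are assumptions.

```python
"""Self-review checks over logon records, as a user would see them.

Added example, not code from the submission. The records below are
constructed and mimic the shape of the CERT insider-threat logon data
(fields assumed: date, user, pc, activity); the assigned-PC mapping and
the working-hours window are assumptions too.
"""
import csv
import io
from datetime import datetime

# Constructed sample: Alice has a 02:14 weekday logon and a Saturday logon,
# and Bob's account is used once on Alice's PC.
LOGON_CSV = """date,user,pc,activity
01/04/2010 08:02:00,ALICE,PC-0101,Logon
01/04/2010 17:31:00,ALICE,PC-0101,Logoff
01/05/2010 02:14:00,ALICE,PC-0101,Logon
01/05/2010 02:40:00,ALICE,PC-0101,Logoff
01/06/2010 09:00:00,BOB,PC-0202,Logon
01/06/2010 12:05:00,BOB,PC-0101,Logon
01/06/2010 12:20:00,BOB,PC-0101,Logoff
01/09/2010 10:00:00,ALICE,PC-0101,Logon
"""

ASSIGNED_PC = {"ALICE": "PC-0101", "BOB": "PC-0202"}  # assumed mapping
WORK_START, WORK_END = 7, 19  # inclusive start hour, exclusive end hour


def parse_logons(text):
    """Parse the CSV and attach a datetime to each row."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["date"], "%m/%d/%Y %H:%M:%S")
        rows.append(r)
    return rows


def out_of_hours_logons(rows, user):
    """Logons by `user` outside the working window or on a weekend."""
    hits = []
    for r in rows:
        if r["user"] != user or r["activity"] != "Logon":
            continue
        ts = r["ts"]
        if ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END):
            hits.append(ts)
    return hits


def foreign_logons_on_my_pc(rows, user):
    """Logons to `user`'s assigned PC made with a different account."""
    pc = ASSIGNED_PC[user]
    return [(r["ts"], r["user"]) for r in rows
            if r["pc"] == pc and r["activity"] == "Logon" and r["user"] != user]


def self_review(text, user):
    """Both checks for one user, in the form a user-level view would list them."""
    rows = parse_logons(text)
    return {
        "out_of_hours": out_of_hours_logons(rows, user),
        "other_accounts_on_my_pc": foreign_logons_on_my_pc(rows, user),
    }


if __name__ == "__main__":
    report = self_review(LOGON_CSV, "ALICE")
    for ts in report["out_of_hours"]:
        print(f"out-of-hours logon: {ts}")
    for ts, who in report["other_accounts_on_my_pc"]:
        print(f"{who} logged on to my PC at {ts}")
```

Either list is something only the account owner can judge: a 02:14 logon may be a scheduled maintenance window they remember, and a colleague on their PC may have been authorised, which is exactly why the view is shown to the user rather than used as an automated alert.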
My team view
All organisations are different, and all job roles are different. Someone in HR may spend every day posting job opportunities to monster.com, while a web security engineer may spend a lot of time researching code vulnerabilities from potentially dubious sources. All of these activities may be fine - but without contextual information, algorithms have a hard time filtering them.
In contrast, line managers and colleagues are implicitly aware of the context and content of an employee's day-to-day role. They know, for example, that Alice is scheduled to work on Saturday (explaining an out-of-hours login), or that Bob is working on a pan-industry regulatory response (requiring many draft revisions of a document to be sent to competitors). Without this knowledge it is easy to fall into the classic insider threat detection trap - too many false positives. This app demonstrates a rapid review of team members by the people who know exactly what those team members should be doing.
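A team view needs the organisational hierarchy as a lookup, and the following added example (not code from the submission) builds one from an employee-to-line-manager CSV of the kind the submission simulates, then rolls each report's external email count up to their manager. The hierarchy and the email rows are constructed; the email field names (date, user, to) and the internal domain are assumptions. Bob's three emails to a competitor and a regulator are the kind of count a context-free rule would flag, while his manager Carol can read the same row and recognise the regulatory response; a senior manager's view walks the subtree so Dave sees Carol's team as well as his direct reports.

```python
"""Team view built from an employee-to-line-manager lookup.

Added example, not code from the submission. The hierarchy CSV and the
email records are constructed; the email field names (date, user, to) and
the internal domain are assumptions and only loosely follow the CERT data.
"""
import csv
import io
from collections import defaultdict

# Constructed hierarchy: Carol manages Alice and Bob; Dave manages Carol and Erin.
HIERARCHY_CSV = """employee,manager
ALICE,CAROL
BOB,CAROL
CAROL,DAVE
ERIN,DAVE
"""

# Constructed email records; recipients outside INTERNAL_DOMAIN count as external.
EMAIL_CSV = """date,user,to
01/04/2010 09:10:00,ALICE,fred@internal.example
01/04/2010 09:45:00,BOB,legal@competitor.example
01/05/2010 14:02:00,BOB,legal@competitor.example
01/05/2010 16:30:00,BOB,policy@regulator.example
01/07/2010 11:00:00,ERIN,erin.home@webmail.example
01/07/2010 11:20:00,CAROL,bob@internal.example
"""

INTERNAL_DOMAIN = "internal.example"  # assumed


def load_hierarchy(text):
    """Return {employee: manager} from the two-column lookup file."""
    return {r["employee"]: r["manager"] for r in csv.DictReader(io.StringIO(text))}


def reports_of(hierarchy, manager, transitive=False):
    """Direct reports of `manager`, or the whole subtree when transitive."""
    direct = sorted(e for e, m in hierarchy.items() if m == manager)
    if not transitive:
        return direct
    everyone = list(direct)
    for e in direct:
        everyone.extend(reports_of(hierarchy, e, transitive=True))
    return everyone


def external_email_counts(text):
    """Count emails per sender whose recipient domain is not INTERNAL_DOMAIN."""
    counts = defaultdict(int)
    for r in csv.DictReader(io.StringIO(text)):
        domain = r["to"].rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN:
            counts[r["user"]] += 1
    return counts


def team_view(hierarchy_text, email_text, manager, transitive=False):
    """Rows a line manager reviews: each report with their external email count."""
    hierarchy = load_hierarchy(hierarchy_text)
    counts = external_email_counts(email_text)
    return [(emp, counts.get(emp, 0))
            for emp in reports_of(hierarchy, manager, transitive)]


if __name__ == "__main__":
    print("Carol's team:")
    for emp, n in team_view(HIERARCHY_CSV, EMAIL_CSV, "CAROL"):
        print(f"  {emp}: {n} external emails this period")
    print("Dave's organisation (transitive):")
    for emp, n in team_view(HIERARCHY_CSV, EMAIL_CSV, "DAVE", transitive=True):
        print(f"  {emp}: {n} external emails this period")
```

The same join is what a Splunk lookup against the generated employee-to-manager CSV performs; the point of the example is that the manager column is what turns raw per-user counts into rows that the right reviewer sees.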
Showing facts about the data we hold and are scanning is a powerful way to influence user behaviour. Showing that each source of data is retained for X years, and that we know where data is going and from whom, demonstrates both capability and transparency.
Challenges I ran into
All of the CERT sample data ends in 2011.
Limited data sets do not cover all exfiltration angles. This has been accepted as a limitation common to all organisations and one that each would have to address using risk-based prioritisation.
Enabling a team view requires an organisational hierarchy in Splunk. This has been simulated by generating an employee-to-line-manager CSV file.