Insider threats are a major concern for organisations today. With a robust IT infrastructure, organisations do fairly well at defending against external intrusions. However, employees who have legitimate access to data from within the organisation remain a threat to confidential and business-critical data. With advanced analytics and monitoring, it is possible to detect anomalous behaviour and take appropriate measures in time. orgSecure is a Splunk-based analytics solution for detecting insider threats and monitoring user activity.
How it works
The key to insider threat detection is active monitoring combined with machine intelligence to detect anomalous user behaviour. This is achieved by creating a baseline envelope that defines the expected band of 'normal behaviour' for each user. The baseline can be built either from the user's own historical data or from the data of colleagues in the same department. A deviation that persists over consecutive periods needs to be investigated; a one-off excursion does not. For example, an HR employee may make heavy use of job portals, but if the envelope is configured correctly this will not be flagged as abnormal, since it is 'normal' for that user, whereas the same activity from a user whose baseline is near zero would fall outside their envelope.
To achieve this, orgSecure uses statistical techniques to create a baseline envelope for each user that captures their normal usage pattern. Any deviation from the envelope that lasts for consecutive periods is reported and should be investigated by system administrators. Comprehensive dashboards and visualisations are also provided to actively monitor user and asset activity.
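The envelope-and-consecutive-deviation logic described above, as an added example (not orgSecure's code, which runs inside Splunk). It assumes each user has a series of daily activity counts (here, constructed job-portal visit counts), takes the first BASELINE_DAYS values as the baseline window, builds the envelope as mean ± k standard deviations (floored at zero), and reports a user only when the series stays outside the envelope for min_consecutive days in a row. The user IDs, counts, k and thresholds are all assumptions for illustration; a peer-group envelope is shown as a pooled variant.

```python
"""Baseline envelope with a consecutive-deviation rule (added example, not orgSecure's code)."""
from statistics import mean, pstdev
from typing import Dict, List, Sequence, Tuple


def build_envelope(history: Sequence[float], k: float = 2.0) -> Tuple[float, float]:
    """Expected band of 'normal' activity: mean +/- k standard deviations of the history.
    The lower bound is floored at zero because activity counts cannot be negative."""
    mu, sigma = mean(history), pstdev(history)
    return (max(0.0, mu - k * sigma), mu + k * sigma)


def peer_envelope(histories: Sequence[Sequence[float]], k: float = 2.0) -> Tuple[float, float]:
    """Envelope built from the pooled history of a user's department, for users
    with too little history of their own (the 'colleagues of his department' case)."""
    return build_envelope([x for h in histories for x in h], k)


def find_deviation_runs(series: Sequence[float], envelope: Tuple[float, float],
                        min_consecutive: int = 3) -> List[Tuple[int, int]]:
    """(start, end) index ranges where the series stays outside the envelope for at
    least min_consecutive periods in a row. Shorter excursions are deliberately ignored."""
    low, high = envelope
    runs, start = [], None
    for i, x in enumerate(series):
        outside = x < low or x > high
        if outside and start is None:
            start = i
        elif not outside and start is not None:
            if i - start >= min_consecutive:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(series) - start >= min_consecutive:
        runs.append((start, len(series) - 1))
    return runs


# Constructed data (assumed, not from the CERT dataset): daily job-portal visit
# counts per user. The first BASELINE_DAYS values stand in for the baseline window
# and the remaining values for the analysis period.
BASELINE_DAYS = 10
DAILY_JOB_PORTAL_VISITS: Dict[str, List[int]] = {
    # HR recruiter: heavy job-portal use every day is normal for this user.
    "HRR0001": [18, 22, 20, 19, 21, 20, 23, 17, 20, 21, 19, 24, 21, 20, 22, 18],
    # Engineer: near-zero use, one isolated spike, then a sustained rise.
    "ENG0042": [0, 1, 0, 0, 2, 0, 1, 0, 0, 1, 0, 3, 0, 1, 5, 6, 8, 7, 0],
}


def report(visits: Dict[str, List[int]] = DAILY_JOB_PORTAL_VISITS,
           baseline_days: int = BASELINE_DAYS, k: float = 2.0,
           min_consecutive: int = 3) -> Dict[str, List[Tuple[int, int]]]:
    """Map each user to their sustained deviation runs, as absolute day-index ranges."""
    findings = {}
    for user, series in visits.items():
        envelope = build_envelope(series[:baseline_days], k)
        runs = find_deviation_runs(series[baseline_days:], envelope, min_consecutive)
        findings[user] = [(baseline_days + s, baseline_days + e) for s, e in runs]
    return findings


if __name__ == "__main__":
    for user, runs in report().items():
        print(user, "sustained deviation on days" if runs else "within envelope", runs)
```

With these numbers the recruiter's single 24-visit day falls just above the envelope but is not reported because it does not persist, while the engineer's four-day run of 5 to 8 visits is reported; the isolated spike of 3 on day 11 is not. In practice the analysis period should be scored in the same units and at the same granularity as the baseline.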
- Detect deviations in user behaviour based on a configurable baseline envelope built from historic data
- Detect anomalies in user logon/logoff patterns, including out-of-office-hours and weekend usage
- Detect data breaches through data transfer outside the organisation via external destinations such as Wikileaks, file-sharing sites and emails to public email domains
- Detect disgruntled employees who search for jobs on job portals
- Detect abnormal asset usage by employees, such as irregular or suspicious PC access, malicious software and abnormal removable-media usage
- Monitor user profiles through hierarchy analysis and psychometric test results
- Monitor user usage through a unified view of different sources in a single window, to extract patterns from the chronological sequence of events
- Monitor the user activities of your team by setting up appropriate access and defining the team hierarchy
- Monitor critical assets: PCs - through powerful visualisations, understand who uses a PC as well as the activities performed on it
- Monitor critical assets: files - through powerful visualisations, understand who accesses critical and confidential files, copies them or emails them
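Three of the rule-based checks in the list above (out-of-hours and weekend logons, logons from a PC the user does not normally use, and visits to external sharing sites) run over constructed log lines, as an added example that is not orgSecure's code. The rows follow the column layout of the CERT dataset's logon and http files as I understand it (id,date,user,pc,activity and id,date,user,pc,url, with MM/DD/YYYY HH:MM:SS timestamps); that layout, the office hours, the watchlist domains, the user IDs and the 25% off-hours threshold are all assumptions.

```python
"""Rule-based insider-threat checks over constructed logon and web records (added example)."""
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List, Tuple
from urllib.parse import urlparse

OFFICE_HOURS = (8, 18)                                # assumed: 08:00-18:00, Monday to Friday
WATCHLIST_DOMAINS = {"wikileaks.org", "dropbox.com"}  # assumed watchlist of external sharing sites
DATE_FMT = "%m/%d/%Y %H:%M:%S"                        # assumed CERT-style timestamp format

# Constructed logon rows: id,date,user,pc,activity. 09/01/2010 is a Saturday.
LOGON_CSV = """\
L1,01/04/2010 08:10:00,ACM2278,PC-1234,Logon
L2,01/04/2010 17:30:00,ACM2278,PC-1234,Logoff
L3,01/05/2010 08:05:00,ACM2278,PC-1234,Logon
L4,01/05/2010 17:40:00,ACM2278,PC-1234,Logoff
L5,01/09/2010 23:15:00,ACM2278,PC-5555,Logon
L6,01/10/2010 02:40:00,ACM2278,PC-5555,Logoff
L7,01/04/2010 08:30:00,CDE1846,PC-2222,Logon
L8,01/04/2010 17:00:00,CDE1846,PC-2222,Logoff
L9,01/05/2010 08:20:00,CDE1846,PC-2222,Logon
L10,01/05/2010 17:10:00,CDE1846,PC-2222,Logoff
"""

# Constructed web rows: id,date,user,pc,url.
HTTP_CSV = """\
H1,01/09/2010 23:20:10,ACM2278,PC-5555,http://wikileaks.org/
H2,01/09/2010 23:41:55,ACM2278,PC-5555,https://www.dropbox.com/upload
H3,01/05/2010 10:12:00,CDE1846,PC-2222,http://www.cnn.com/
H4,01/05/2010 11:02:00,ACM2278,PC-1234,http://www.google.com/
"""


def parse(text: str, fields: List[str]) -> List[dict]:
    """Read CSV rows without a header line and attach a parsed timestamp as 'ts'."""
    rows = list(csv.DictReader(StringIO(text), fieldnames=fields))
    for r in rows:
        r["ts"] = datetime.strptime(r["date"], DATE_FMT)
    return rows


def is_off_hours(ts: datetime) -> bool:
    """Weekend, or a weekday time outside the configured office hours."""
    start, end = OFFICE_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def off_hours_logons(logon_rows: List[dict]) -> Dict[str, Tuple[int, int]]:
    """Per user: (total logons, logons outside office hours or on a weekend)."""
    total, off = Counter(), Counter()
    for r in logon_rows:
        if r["activity"] != "Logon":
            continue
        total[r["user"]] += 1
        if is_off_hours(r["ts"]):
            off[r["user"]] += 1
    return {u: (total[u], off[u]) for u in total}


def unusual_pc_logons(logon_rows: List[dict]) -> Dict[str, List[str]]:
    """Per user: PCs logged onto other than the one they log onto most often."""
    per_user_pcs = defaultdict(Counter)
    for r in logon_rows:
        if r["activity"] == "Logon":
            per_user_pcs[r["user"]][r["pc"]] += 1
    out = {}
    for user, pcs in per_user_pcs.items():
        usual = pcs.most_common(1)[0][0]
        out[user] = sorted(pc for pc in pcs if pc != usual)
    return out


def watchlist_visits(http_rows: List[dict]) -> Dict[str, List[str]]:
    """Per user: watchlist domains visited; the URL host matches a domain exactly or as a subdomain."""
    hits = defaultdict(set)
    for r in http_rows:
        host = (urlparse(r["url"]).hostname or "").lower()
        for d in WATCHLIST_DOMAINS:
            if host == d or host.endswith("." + d):
                hits[r["user"]].add(d)
    return {u: sorted(v) for u, v in hits.items()}


LOGON_ROWS = parse(LOGON_CSV, ["id", "date", "user", "pc", "activity"])
HTTP_ROWS = parse(HTTP_CSV, ["id", "date", "user", "pc", "url"])


def flagged_users(logon_rows=LOGON_ROWS, http_rows=HTTP_ROWS,
                  off_hours_ratio: float = 0.25) -> Dict[str, List[str]]:
    """Users that trip at least one rule, each with the reasons an analyst would read."""
    reasons = defaultdict(list)
    for u, (total, off) in off_hours_logons(logon_rows).items():
        if total and off / total > off_hours_ratio:
            reasons[u].append(f"{off}/{total} logons outside office hours")
    for u, pcs in unusual_pc_logons(logon_rows).items():
        if pcs:
            reasons[u].append("logon from unusual PC " + ", ".join(pcs))
    for u, domains in watchlist_visits(http_rows).items():
        reasons[u].append("visited " + ", ".join(domains))
    return dict(reasons)


if __name__ == "__main__":
    for user, why in flagged_users().items():
        print(user, "->", "; ".join(why))
```

In this data ACM2278 trips all three rules on the same Saturday night (late logon, a PC they normally do not use, then Wikileaks and Dropbox), which is exactly the kind of chronological correlation the unified single-window view is meant to surface; CDE1846 trips none. Each rule on its own would produce false positives (a night-shift worker, a loaner laptop), so the analyst should read the reasons together rather than alert on any one of them.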
Challenges I ran into
Getting the correct data set to analyse. The CERT DARPA dataset was huge compared to the 10 GB limit of the challenge. Hence a subset of the data, covering the activities of 200 users, was analysed.
Data sets used: a subset of the CERT DARPA data (200 users), consisting of user information, psychometric test results, logon, logoff, email, web activity, file and removable-media activity.
Version: r5.2 (since it had the maximum number of insider threat events that could be identified)
Size: 3.59 GB
Baseline envelope was created using data from 1-Jan-2010 to 30-Jun-2010, and analysis was done for the subsequent months.
orgSecure was able to identify most of the threats within the data set.
What's next for orgSecure
Build an alerts module that can send alerts to administrators. Also, build a predictive analytical model to detect insider threats somewhat in advance.