Our inspiration comes from our day-to-day work. We are actively helping to solve the Insider Threat challenges in large government and commercial organizations and are passionate about changing the approach to solving this problem.
How it works
Challenges I ran into
Avoiding the common trap of trying to point to a single user as THE Insider and instead focusing on providing holistic views of users and their suspicious behaviors. It was also difficult to generate appropriate data sets that exercise the full functionality of the Application.
Accomplishments that I'm proud of
The fact that we are arming analysts and investigators with information on particularly high-risk behaviors across several key areas (web traffic, printing, USB, and email activity) while providing relevant user details for context, so they can focus their limited Insider Threat Program resources on the highest-risk individuals. We feel that the App supports real-world use cases to make analysts more efficient in identifying high-risk behaviors and investigators more efficient in adjudicating high volumes of leads/tips.
What I learned
Splunk is a valuable tool in solving the Insider Threat problem, although we kinda knew that already. We also learned that judges are the coolest people ever.
What's next for Q-TRIP (Qmulos-Threat Reveal and Investigate Platform)
We plan to incorporate a lot of the data from the User Page (for Investigators) into additional correlations on the Detection Pages (for Analysts). For example, using anticipated departure date to identify users to monitor more closely. We also plan to take code we have for detecting suspicious behaviors from Admins and modify it for inclusion in the App. Other future enhancements include adding other data sources, looking at off-hours activity, inclusion of financial disclosure, and integration with a case tool.
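As an added example (not code from the Q-TRIP app itself), this sketches the holistic per-user view described under Accomplishments together with the anticipated-departure correlation planned above: behaviors from the four areas are aggregated per user, enriched with HR context for the investigator, and weighted up when a departure is near. The event fields, behavior weights, 30-day window and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample events across the four areas on the page (web, print, USB, email).
EVENTS = [
    {"user": "alice", "source": "web", "behavior": "upload_to_personal_cloud", "count": 12},
    {"user": "alice", "source": "usb", "behavior": "mass_storage_write", "count": 3},
    {"user": "alice", "source": "email", "behavior": "attachment_to_personal_domain", "count": 5},
    {"user": "bob", "source": "print", "behavior": "high_volume_print", "count": 1},
    {"user": "carol", "source": "usb", "behavior": "mass_storage_write", "count": 1},
]

# Constructed HR context for the investigator's user view (field names assumed).
TODAY = date(2024, 6, 1)
USERS = {
    "alice": {"dept": "finance", "anticipated_departure": date(2024, 6, 30)},
    "bob": {"dept": "engineering", "anticipated_departure": None},
    "carol": {"dept": "hr", "anticipated_departure": date(2024, 5, 15)},
}

# Assumed per-behavior weights; a real deployment would tune these per program.
WEIGHTS = {"upload_to_personal_cloud": 3, "mass_storage_write": 2,
           "attachment_to_personal_domain": 2, "high_volume_print": 1}

def departure_multiplier(departure, today, window_days=30):
    """Double the score when an anticipated departure is within the window."""
    if departure is None or (departure - today).days < 0:
        return 1.0  # no date on file, or the date has already passed
    return 2.0 if (departure - today).days <= window_days else 1.0

def build_user_views(events, users, today):
    """Aggregate every user's behaviors across sources, then attach HR context."""
    views = defaultdict(lambda: {"score": 0.0, "sources": set()})
    for ev in events:
        v = views[ev["user"]]
        v["sources"].add(ev["source"])
        v["score"] += WEIGHTS.get(ev["behavior"], 1) * ev["count"]
    for user, v in views.items():
        ctx = users.get(user, {})
        v["dept"] = ctx.get("dept")
        v["departure"] = ctx.get("anticipated_departure")
        v["score"] *= departure_multiplier(v["departure"], today)
        v["sources"] = sorted(v["sources"])  # which of the four areas fired
    return dict(views)

def rank_users(views):
    """Highest combined score first; ties broken by name for stable output."""
    return sorted(views, key=lambda u: (-views[u]["score"], u))
```

The ranked output is a lead list for analysts, while each entry's sources, department and departure date give investigators the context the User Page is meant to supply.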