Posted on by Insider Threatin
Insider threat programs can better implement controls and detect malicious insiders when they communicate indicators of insider threat consistently and in a commonly accepted language. The Insider Threat Indicator Ontology is intended to serve as a standardized expression of potential indicators of malicious insider activity.
This ontology is also a formalization of much of our team's research on insider threat detection, prevention, and mitigation. It bridges the gap between natural language descriptions of malicious insiders, malicious insider activity, and machine-generated data that analysts and investigators use to detect behavioral and technical observables of insider activity. The ontology is a mechanism that multiple participants can use to share and test indicators of insider threat without compromising organization-sensitive data, thereby enhancing the data fusion and information sharing capabilities of the insider threat detection domain.
As researchers and practitioners implement the ontology, we received feedback that they found it difficult to differentiate between the asset and information concepts. In particular, consistency problems arose when models were implemented when actions were performed on information rather than assets. For example, when an action is performed directly on an information object, it is reasoned to be an asset. However, asset and information are disjoint classes. This post describes our design decisions and clarifies the distinction between these concepts.
An important design consideration for the Insider Threat Indicator Ontology was to model information and the documents, files, or databases that contain it. Given its intended applications, cyber observables to detect potential risk indicators (PRIs) to information assets were a major focus throughout the design of the ontology. From a cyber observable perspective, the PRIs on a database are different from PRIs on a file that is emailed over a network, even if it contains the same information.
This difference led to our team's decision to treat technology assets and information as separate things, allowing technology assets to be containers that hold information through the 'hasInformation' object property. So, actions related to information are always be performed on assets, not directly on the information they contain. The following statement and figure depict an example of a file asset that serves as a container for a specific piece of trade secret information.
"The insider emailed a file containing trade secret information."
There are multiple ways to use the ontology components, and this is an example of a design pattern that leverages the distinction between information and assets. For more examples, please see the Insider Threat Indicator Ontology.
We encourage those using the insider threat indicator ontology to provide feedback to us. Your ideas may identify potential design patterns as well as areas that may require clarification on our intended applications.
Please send questions, comments, or feedback to firstname.lastname@example.org.
Visit the SEI Digital Library for other publications by Michael.