icon-carat-right menu search cmu-wordmark
Carnegie Mellon University

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

Technical Note
By
In this report, the authors present an insider threat pattern on how organizations can combat insider theft of intellectual property.
Publisher

Software Engineering Institute

CMU/SEI Report Number
CMU/SEI-2011-TN-024
DOI (Digital Object Identifier)
10.1184/R1/6574472.v1
Topic or Tag

Abstract

Since 2001, the CERT Insider Threat Center has built an extensive library and comprehensive database containing more than 600 cases of crimes committed against organizations by insiders. A significant class of insider crimes, insider theft of intellectual property, involves highly damaging attacks against organizations that result in significant tangible losses in the form of stolen business plans, customer lists, and other proprietary information. The Insider Threat Center’s behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization’s intellectual property stole at least some of it within 30 days of their termination. This technical note presents an example of an insider threat pattern based on this insight. It then presents an example implementation of this pattern on an enterprise-class system using the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.

SHARE
Download PDF
Cite This Technical Note

Hanley, M., & Montelibano, J. (2011, October 1). Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. (Technical Note CMU/SEI-2011-TN-024). Retrieved December 3, 2024, from https://doi.org/10.1184/R1/6574472.v1.

@techreport{hanley_2011,
author={Hanley, Michael and Montelibano, Joji},
title={Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination},
month={{Oct},
year={{2011},
number={{CMU/SEI-2011-TN-024},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6574472.v1},
note={Accessed: 2024-Dec-3}
}

Hanley, Michael, and Joji Montelibano. "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination." (CMU/SEI-2011-TN-024). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, October 1, 2011. https://doi.org/10.1184/R1/6574472.v1.

M. Hanley, and J. Montelibano, "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2011-TN-024, 1-Oct-2011 [Online]. Available: https://doi.org/10.1184/R1/6574472.v1. [Accessed: 3-Dec-2024].

Hanley, Michael, and Joji Montelibano. "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination." (Technical Note CMU/SEI-2011-TN-024). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Oct. 2011. https://doi.org/10.1184/R1/6574472.v1. Accessed 3 Dec. 2024.

Hanley, Michael; & Montelibano, Joji. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. CMU/SEI-2011-TN-024. Software Engineering Institute. 2011. https://doi.org/10.1184/R1/6574472.v1

Ask a question about this Technical Note