Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination
• Technical Note
Publisher
Software Engineering Institute
CMU/SEI Report Number
CMU/SEI-2011-TN-024DOI (Digital Object Identifier)
10.1184/R1/6574472.v1Topic or Tag
Abstract
Since 2001, the CERT Insider Threat Center has built an extensive library and comprehensive database containing more than 600 cases of crimes committed against organizations by insiders. A significant class of insider crimes, insider theft of intellectual property, involves highly damaging attacks against organizations that result in significant tangible losses in the form of stolen business plans, customer lists, and other proprietary information. The Insider Threat Center’s behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization’s intellectual property stole at least some of it within 30 days of their termination. This technical note presents an example of an insider threat pattern based on this insight. It then presents an example implementation of this pattern on an enterprise-class system using the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.
Cite This Technical Note
Hanley, M., & Montelibano, J. (2011, October 1). Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. (Technical Note CMU/SEI-2011-TN-024). Retrieved October 7, 2024, from https://doi.org/10.1184/R1/6574472.v1.
@techreport{hanley_2011,
author={Hanley, Michael and Montelibano, Joji},
title={Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination},
month={Oct},
year={2011},
number={CMU/SEI-2011-TN-024},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://doi.org/10.1184/R1/6574472.v1},
note={Accessed: 2024-Oct-7}
}
Hanley, Michael, and Joji Montelibano. "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination." (CMU/SEI-2011-TN-024). Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, October 1, 2011. https://doi.org/10.1184/R1/6574472.v1.
M. Hanley, and J. Montelibano, "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination," Carnegie Mellon University, Software Engineering Institute's Digital Library. Software Engineering Institute, Technical Note CMU/SEI-2011-TN-024, 1-Oct-2011 [Online]. Available: https://doi.org/10.1184/R1/6574472.v1. [Accessed: 7-Oct-2024].
Hanley, Michael, and Joji Montelibano. "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination." (Technical Note CMU/SEI-2011-TN-024). Carnegie Mellon University, Software Engineering Institute's Digital Library, Software Engineering Institute, 1 Oct. 2011. https://doi.org/10.1184/R1/6574472.v1. Accessed 7 Oct. 2024.
Hanley, Michael; & Montelibano, Joji. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. CMU/SEI-2011-TN-024. Software Engineering Institute. 2011. https://doi.org/10.1184/R1/6574472.v1