Since 2001, researchers at the CERT Insider Threat Center have documented malicious insider activity by examining media reports and court transcripts and conducting interviews with the United States Secret Service, victims' organizations, and convicted felons. Among the more than 700 insider threat cases that we've documented, our analysis has identified more than 100 categories of weaknesses in systems, processes, people or technologies that allowed insider threats to occur. One aspect of our research has focused on identifying enterprise architecture patterns that protect organization systems from malicious insider threat.

Enterprise architecture patterns are organization patterns that involve the full scope of enterprise architecture concerns, including people, processes, technology, and facilities. Our goal with this pattern work is to equip organizations with the tools necessary to institute controls that will reduce the incidence of insider compromise. This blog post is the second in a series that describes our research to create and validate an insider threat mitigation pattern languagethat focuses on helping organizations balance the cost of security controls with the risk of insider compromise.

Our Approach

The aim of our pattern work is to develop insider threat mitigation strategies that are scientifically and operationally valid. To create those strategies, we employ mixed-methods research, which combines both qualitative and quantitative approaches. Among the various types of insider crimes--IT sabotage, theft of intellectual property (IP), national security/espionage, and fraud--our work has initially focused on IP theft, which includes theft of an organization's proprietary information.

We have already established a mitigation pattern of IP theft that is based on the types of crime we've observed in our case database. This pattern is oriented around the observation that many IP thieves steal information close to announcing their resignation. This behavior gives organizations a window of opportunity for identifying and responding to insider IP theft activity.

Since it's costly and time-consuming for organizations to monitor departing employees 100 percent of the time, we directed our resources at the timeframe when it is the highest likelihood that IP theft will occur. Our pattern focused on this question:

I am establishing a program that looks for evidence of insider theft of my organization's IP. Review and analysis of employee activities is costly. How can I improve the efficiency of resources I direct at IP theft detection?

To help answer this question, our research team decided to focus on the distribution of durations between the following two dates across our sample of insider threat cases:

• the date of the last confirmed theft of IP event prior to an insider's termination and
• the date of the insider's termination

Past qualitative analyses of our insider threat data have suggested that the approach of a termination day accelerates the insider's decision-making process in a nonlinear manner. Our primary hypothesis is therefore the following:

Primary Hypothesis: The distribution of the times between an insider IP thief's last confirmed theft of IP before termination and the date of the insider's termination follows a nonlinear distribution.

Preliminary Analysis

To determine whether our data on insider theft of IP crimes supports this hypothesis, we collaborated with Dave Zubrow, acting chief scientist with the SEI's Software Engineering Process Management Program and lead of the Software Engineering Measurement & Analysis Initiative. To test the hypothesis, we used Crystal Ball software to evaluate the best fit distribution for our data on 30 IP theft cases from the CERT database. The geometric distribution (with p=0.02) was the best fit to our data when compared with other candidate distributions.

We also ran a Monte Carlo simulation that generated 1,000 resampled data sets from the best fit distribution. From that data set, we graphed the cumulative probability function. We found that about 70 percent of insider IP theft cases can be caught by reviewing for significant theft events by the insider during the last 60 days of employment. Perhaps more importantly, the graphed function provides a tool to help organizations adjust their review window in an informed way, based on their particular risk aversion for IP theft and the cost of insider activity review within the organization.

It is important to emphasize the limitations of our data analysis to date. Our data analysis and results are preliminary in part because of the small number of cases in our data set. While the best-fit distribution was the geometric distribution (as compared to a wide variety of other distributions), the fit was statistically different from the theoretical distribution. While future research will continue to add additional cases to better identify the underlying distribution and refine our analysis, the resampling approach described above allowed us to use the data that we had to greatest effect. Given that the bestfit for the data is the geometric distribution, we contend that this result provides at least prima facie evidence that the subject mitigation pattern will be effective in fighting insider theft of IP. Continuing research will strive to bolster this evidence.

We expect that the patterns and pattern language developed through this research will enable coherent reasoning about how to design enterprise systems to protect against malicious insider activity. Instead of working with vague security requirements and inadequate security technologies, system designers will have a coherent set of patterns that enable them to develop and implement effective strategies against the malicious insider activity more quickly and with greater confidence.

Looking Ahead

In addition to collecting and analyzing new cases of insider theft of IP, our future work in this area will explore another critical question with regard to patterns of IP theft:

How can organizations distinguish between insider theft activity and legitimate employee activity?

An answer to this question will help an organization use the mitigation pattern cost effectively by reducing the chance of false positives during the review process.

Evaluating the effectiveness of individual mitigation patterns is just one aspect of our work to help organizations bolster their defenses against malicious activity by insiders. We view our pattern work as a way of helping organizations integrate what we've learned into their existing enterprise architecture and practices. The first post in this series described our work to protect next-generation DoD enterprise systems against insider threats by capturing, validating, and applying enterprise architectural patterns.

In our upcoming post in this series, fellow researcher David Mundie will describe a pattern language that we've developed to help software architects better understand how to apply patterns in sequence to design a system that provides balanced protection against malicious activity by insiders.

Additional Resources:

To read the SEI technical report, A Pattern for Increased Monitoring for Intellectual Property Theft by Departing Insiders, please visit
www.sei.cmu.edu/reports/12tr008.pdf

To read the SEI technical note, Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination, please visit www.cert.org/archive/pdf/11tn024.pdf.

To read the CERT Insider Threat blog, please visit
https://www.sei.cmu.edu/about/divisions/cert/index.cfm.