Addressing the Insider Threat

In their guest editors' introduction to the special issue on Insider Threat, Shari Lawrence Pfleeger and Salvatore Stolfo describe a taxonomy of insiders and their unwelcome actions, as well as the need for credible data to document the size and nature of the insider threat. They suggest that the three articles in the special issue shed light not only on how to generate data for further study but also on how to use the data in models that can help evaluate the likely effects of various responses. The introduction ends with a matrix showing the variety of sensible and effective responses that must be sensitive to the organizations, systems, environments, and individuals involved with inappropriate insider behavior

Detecting insider threat within institutions using CERT dataset and different ML techniques

The reason of countries development in industrial and commercial enterprises fields in those countries. The security of a particular country depends on its security institutions, the confidentiality of its employees, their information, the target's information, and information about the forensic evidence for those targets. One of the most important and critical problems in such institutions is the problem of discovering an insider threat that causes loss, damage, or theft the information to hostile or competing parties. This threat is represented by a person who represents one of the employees of the institution, the goal of that person is to steal information or destroy it for the benefit of another institution's desires. The difficulty in detecting this type of threat is due to the difficulty of analyzing the behavior of people within the organization according to their physiological characteristics. In this research, CERT dataset that produced by the University of Carnegie Mellon University has been used in this investigation to detect insider threat. The dataset has been preprocessed. Five effective features were selected to apply three ML techniques Random Forest, Naïve Bayes, and 1 Nearest Neighbor. The results obtained and listed sequentially as 89.75917519%, 91.96650826%, and 94.68205476% with an error rate of 10.24082481%, 8.03349174%, and 5.317945236%

"Comply or die" is dead: Long live security-aware principal agents

Information security has adapted to the modern collaborative organisational nature, and abandoned "command-and-control" approaches of the past. But when it comes to managing employee's information security behaviour, many organisations still use policies proscribing behaviour and sanctioning non-compliance. Whilst many organisations are aware that this "comply or die" approach does not work for modern enterprises where employees collaborate, share, and show initiative, they do not have an alternative approach to fostering secure behaviour. We present an interview analysis of 126 employees' reasons for not complying with organisational policies, identifying the perceived conflict of security with productive activities as the key driver for non-compliance and confirm the results using a survey of 1256 employees. We conclude that effective problem detection and security measure adaptation needs to be de-centralised - employees are the principal agents who must decide how to implement security in specific contexts. But this requires a higher level of security awareness and skills than most employees currently have. Any campaign aimed at security behaviour needs to transform employee's perception of their role in security, transforming them to security-aware principal agents

Novel Alert Visualization: The Development of a Visual Analytics Prototype for Mitigation of Malicious Insider Cyber Threats

Cyber insider threat is one of the most difficult risks to mitigate in organizations. However, innovative validated visualizations for cyber analysts to better decipher and react to detected anomalies has not been reported in literature or in industry. Attacks caused by malicious insiders can cause millions of dollars in losses to an organization. Though there have been advances in Intrusion Detection Systems (IDSs) over the last three decades, traditional IDSs do not specialize in anomaly identification caused by insiders. There is also a profuse amount of data being presented to cyber analysts when deciphering big data and reacting to data breach incidents using complex information systems. Information visualization is pertinent to the identification and mitigation of malicious cyber insider threats. The main goal of this study was to develop and validate, using Subject Matter Experts (SME), an executive insider threat dashboard visualization prototype. Using the developed prototype, an experimental study was conducted, which aimed to assess the perceived effectiveness in enhancing the analysts’ interface when complex data correlations are presented to mitigate malicious insiders cyber threats. Dashboard-based visualization techniques could be used to give full visibility of network progress and problems in real-time, especially within complex and stressful environments. For instance, in an Emergency Room (ER), there are four main vital signs used for urgent patient triage. Cybersecurity vital signs can give cyber analysts clear focal points during high severity issues. Pilots must expeditiously reference the Heads Up Display (HUD), which presents only key indicators to make critical decisions during unwarranted deviations or an immediate threat. Current dashboard-based visualization techniques have yet to be fully validated within the field of cybersecurity. This study developed a visualization prototype based on SME input utilizing the Delphi method. SMEs validated the perceived effectiveness of several different types of the developed visualization dashboard. Quantitative analysis of SME’s perceived effectiveness via self-reported value and satisfaction data as well as qualitative analysis of feedback provided during the experiments using the prototype developed were performed. This study identified critical cyber visualization variables and identified visualization techniques. The identifications were then used to develop QUICK.v™ a prototype to be used when mitigating potentially malicious cyber insider threats. The perceived effectiveness of QUICK.v™ was then validated. Insights from this study can aid organizations in enhancing cybersecurity dashboard visualizations by depicting only critical cybersecurity vital signs

Behavioural Monitoring via Network Communications

It is commonly acknowledged that using Internet applications is an integral part of an individual’s everyday life, with more than three billion users now using Internet services across the world; and this number is growing every year. Unfortunately, with this rise in Internet use comes an increasing rise in cyber-related crime. Whilst significant effort has been expended on protecting systems from outside attack, only more recently have researchers sought to develop countermeasures against insider attack. However, for an organisation, the detection of an attack is merely the start of a process that requires them to investigate and attribute the attack to an individual (or group of individuals). The investigation of an attack typically revolves around the analysis of network traffic, in order to better understand the nature of the traffic flows and importantly resolves this to an IP address of the insider. However, with mobile computing and Dynamic Host Control Protocol (DHCP), which results in Internet Protocol (IP) addresses changing frequently, it is particularly challenging to resolve the traffic back to a specific individual. The thesis explores the feasibility of profiling network traffic in a biometric-manner in order to be able to identify users independently of the IP address. In order to maintain privacy and the issue of encryption (which exists on an increasing volume of network traffic), the proposed approach utilises data derived only from the metadata of packets, not the payload. The research proposed a novel feature extraction approach focussed upon extracting user-oriented application-level features from the wider network traffic. An investigation across nine of the most common web applications (Facebook, Twitter, YouTube, Dropbox, Google, Outlook, Skype, BBC and Wikipedia) was undertaken to determine whether such high-level features could be derived from the low-level network signals. The results showed that whilst some user interactions were not possible to extract due to the complexities of the resulting web application, a majority of them were. Having developed a feature extraction process that focussed more upon the user, rather than machine-to-machine traffic, the research sought to use this information to determine whether a behavioural profile could be developed to enable identification of the users. Network traffic of 27 users over 2 months was collected and processed using the aforementioned feature extraction process. Over 140 million packets were collected and processed into 45 user-level interactions across the nine applications. The results from behavioural profiling showed that the system is capable of identifying users, with an average True Positive Identification Rate (TPIR) in the top three applications of 87.4%, 75% and 61.9% respectively. Whilst the initial study provided some encouraging results, the research continued to develop further refinements which could improve the performance. Two techniques were applied, fusion and timeline analysis techniques. The former approach sought to fuse the output of the classification stage to better incorporate and manage the variability of the classification and resulting decision phases of the biometric system. The latter approach sought to capitalise on the fact that whilst the IP address is not reliable over a period of time due to reallocation, over shorter timeframes (e.g. a few minutes) it is likely to reliable and map to the same user. The results for fusion across the top three applications were 93.3%, 82.5% and 68.9%. The overall performance adding in the timeline analysis (with a 240 second time window) on average across all applications was 72.1%. Whilst in terms of biometric identification in the normal sense, 72.1% is not outstanding, its use within this problem of attributing misuse to an individual provides the investigator with an enormous advantage over existing approaches. At best, it will provide him with a user’s specific traffic and at worst allow them to significantly reduce the volume of traffic to be analysed

Fouille multidimensionnelle sur les données textuelles visant à extraire les réseaux sociaux et sémantiques pour leur exploitation via la téléphonie mobile

La concurrence est un concept fondamental de la tradition libérale et des sciences économiques qui oblige les entreprises à pratiquer l'Intelligence Economique (IE) pour bien se positionner sur le marché ou tout simplement pour survivre. Mais souvent, ce n'est pas le plus fort qui survit, ni le plus intelligent, mais celui qui est le plus sensible au changement, facteur dominant dans la société actuelle. Les changements proviennent de l'extérieur ou naissent au sein même de l'entreprise et peuvent l'affecter plus ou moins durablement. Dès lors, les entreprises sont appelées à rester constamment en veille pour guetter le moindre changement en vue d'y apporter la solution adéquate en temps réel. Cependant, pour une veille réussie, on ne doit pas se contenter uniquement de surveiller les opportunités, mais avant tout, d'anticiper les menaces. Malheureusement, cette veille se déroule en oubliant l'indispensable volet sécurité de l'IE à savoir la sécurité des données manipulées et celle des procédés suivis pour atteindre les objectifs de l'IE. Nos travaux de recherche consistent à proposer un Système d'Intelligence Economique (SIE) Généraliste et Mobile. Ce SIE intègre une approche de modélisation du contrôle d'accès aux données et aux traitements pour sécuriser toutes les informations et les flux d'interaction durant son cycle de vie. Le besoin en matière de sécurité dans un SIE provient du fait que les informations manipulées sont d'ordre stratégique ayant une valeur assez importante. Une telle sécurité ne doit pas être considérée comme une option supplémentaire qu'offre un SIE pour se distinguer d'un autre. D'autant plus que la fuite de ces informations n'est pas le fait de faiblesses inhérentes aux systèmes informatiques des entreprises, mais c'est avant tout une question organisationnelle. La mobilité présente un choix stratégique pour notre SIE ''XPlor EveryWhere'', dont le but est de permettre aux utilisateurs de nos solutions de veille de continuer à rechercher, surveiller, valider et rediffuser des informations stratégiques au cours de leurs déplacements. Ils n'ont ainsi plus besoin d'être assis face à leur ordinateur pour accéder à des données utiles dans l'instant (préparation d'une réunion, nouvel ordre du jour, information sur un interlocuteur, une technologie, un marché, demande urgente d'une analyse ou d'un focus spécifique). Il leur suffit simplement d'utiliser discrètement, et en tout sécurité, leur appareil mobile. Grâce à XPlor EveryWhere, ils sont en permanence au cœur de l'information pertinente.Competition is a fundamental concept of the liberal economy tradition that requires companies to resort to Competitive Intelligence (CI) in order to be advantageously positioned on the market, or simply to survive. Nevertheless, it is well known that it is not the strongest of the organizations that survives, nor the most intelligent, but rather, the one most adaptable to change, the dominant factor in society today. Therefore, companies are required to remain constantly on a wakeful state to watch for any change in order to make appropriate solutions in real time. However, for a successful vigil, we should not be satisfied merely to monitor the opportunities, but before all, to anticipate risks. The external risk factors have never been so many: extremely dynamic and unpredictable markets, new entrants, mergers and acquisitions, sharp price reduction, rapid changes in consumption patterns and values, fragility of brands and their reputation. To face all these challenges, our research consists in proposing a Competitive Intelligence System (CIS) designed to provide online services. Through descriptive and statistics exploratory methods of data, Xplor EveryWhere display, in a very short time, new strategic knowledge such as: the profile of the actors, their reputation, their relationships, their sites of action, their mobility, emerging issues and concepts, terminology, promising fields etc. The need for security in XPlor EveryWhere arises out of the strategic nature of information conveyed with quite a substantial value. Such security should not be considered as an additional option that a CIS can provide just in order to be distinguished from one another. Especially as the leak of this information is not the result of inherent weaknesses in corporate computer systems, but above all it is an organizational issue. With Xplor EveryWhere we completed the reporting service, especially the aspect of mobility. Lastly with this system, it's possible to: View updated information as we have access to our strategic database server in real-time, itself fed daily by watchmen. They can enter information at trade shows, customer visits or after meetings

Learning from "shadow security": understanding non-compliant behaviours to improve information security management

This thesis examines employee interaction with information security in large organisations. It starts by revisiting past research in user-centred security and security management, identifying three research questions that examine (1) employee understanding of the need for security, (2) the challenges security introduces to their work, together with their responses to those challenges, and (3) how to use the emerging knowledge to improve existing organisational security implementations. Preliminary examination of an available interview data set, led to the emergence of three additional research questions, aiming to identify (4) employee actions after bypassing organisational security policy, (5) their response to perceived lack of security support from the organisation, and (6) the impact of trust relationships in the organisation on their security behaviours. The research questions were investigated in two case studies inside two large organisations. Different data collection (200 interviews and 2129 surveys) and analysis techniques (thematic analysis and grounded theory) were combined to improve outcome validity and allow for generalisability of the findings. The primary contribution of this thesis is the identification of a new paradigm for understanding employee responses to high-friction security, the shadow security: employees adapt existing mechanisms or processes, or deploy other self-devised solutions, when they consider the productivity impact of centrally-procured security as unacceptable. An additional contribution is the identification of two trust relationships in organisational environments that influence employee security behaviours: organisationemployee trust (willingness of the organisation to remain exposed to the actions of its employees, expecting them to behave securely), and inter-employee trust (willingness of employees to act in a way that renders themselves or the organisation vulnerable to the actions of another member of the organisation). The above contributions led to the creation of a structured process to better align security with organisational productive activity, together with a set of relevant metrics to assess the effectiveness of attempted improvements. The thesis concludes by presenting a case study attempting to apply the above process in an organisation, also presenting the emerging lessons for both academia and industry