Decision Support Procedure in the Insider Threat Domain

Effective mitigation of the Insider Threat in complex organizations is not simply a matter of 'fire-and-forget'. Thorough routines are required to minimize the chances of malicious insiders going undetected. While detecting policy violations and signatures of known-bad behavior are essential to a broader threat mitigation strategy, it is clear that behavior-based measurements, including anomaly detection and social network analysis, will be crucial to detecting technically savvy malicious users with legitimate network and data access. Due to the large number of potentially malicious behaviors users may display, the main thrust of detection falls in the hands of an analyst capable of correlating these behaviors. Based on our BANDIT system, we offer a 10-step analyst program, which offers a common-sense approach to limiting the damage a malicious trusted user can achieve.