Can organizations identify insider threats or high-risk individuals using network data alone?

Consider that many security software solutions today are optimized to perform network log monitoring and aggregation. They excel at identifying anomalies in a person’s typical routine, such as printing at a different printer, accessing unusual file systems or plugging in a USB drive.

This snapshot of the individual, however, is incomplete. Could this person have been helping out a colleague whose printer was broken, working on a special project for their manager, or planning to catch up on work at home because of a sick family member?

Network data highlights only the atypical behavior of a person. When the corresponding anomaly alert is viewed by a security analyst — who’s always on the lookout for bad actors — it is treated as a negative until proven otherwise. So is every other alert. Since the vast majority turn out to have more pedestrian explanations, organizations are wasting valuable human resources chasing what in effect are false positives. And these can number into many thousands per day at large enterprises.

There is of course a place for network data when identifying insider threats or risky individuals. Visiting a gambling website, conducting multiple logons from different devices or even using a USB drive for the first time can be actionable indicators in and of themselves. But for an enterprise risk management program to be truly effective, it should treat network data as only one piece of the puzzle. It must also look at human resource information, facility access data, ongoing employee investigations, travel and expense reports and information from public records.

By incorporating sources beyond network data an enterprise is able to gain a more comprehensive picture of an individual, and thus the full context of his or her behavior. Among these sources:

• HR data will provide metrics such as whether the employee has won any awards, been reprimanded or had a stellar or poor annual performance review. It will also indicate duration of employment and educational background.
• Investigation data can additionally provide insights into any failures to follow corporate policy, complaints from fellow employees or other misconduct.
• Public record data allows an enterprise to match information in an employee job application to information provided by third parties, arrest records and credit-check data.

At Haystax Technology, we are able to ingest and process data from a wide array of data sources in order to establish a holistic picture of the individual, and generate an accurate and analytically defensible threat score. Our flagship Haystax for Insider Threat product can accept data in CSV format or as a JSON stream. The data is extracted, transformed and loaded into Haystax and augmented as needed using advanced unsupervised machine learning and other artificial intelligence techniques, which can be performed on both categorical and temporal data. For example, the augmentation of network, badge and travel information can identify anomalies in an individual’s regular behavior. Anomalies are then applied to Haystax’s ‘whole person’ insider threat model, a Bayesian inference network with approximately 700 nodes depicting a wide array of human behaviors that collectively provide reliable indicators of trustworthiness.

This pioneering approach reflects our belief that organizations need more — not less — data in order to detect well-concealed insider threats. More data is only a problem when analysts have to investigate every piece, so critically the approach must include a mechanism for automating the process of risk analysis and threat scoring so that analysts can focus attention only on their highest-priority risks while never having to investigate individuals who are manifestly trustworthy.

When Haystax was tasked with finding risky individuals at a leading financial institution, Haystax for Insider Threat used six distinct data sources representing 35,000 separate data-loss prevention, access and other anomalous events. (This is where most conventional detection solutions stop.)

Of those events, approximately 1,000 were identified by Haystax analytics as being specifically related to insider threats. (This is where most user and entity behavior analytics solutions stop.)

Of those 1,000 events, data applied to the Bayesian inference network (the behavioral model) in the product was able to pinpoint nine specific low-trustworthiness individuals. Of those nine, the system recommended three individuals as a high priority for further action.

The key to filtering out the noise and false positives is that we start with an actual model of individual trustworthiness, rather than relying on network data to build its own ‘model.’ In this way Haystax is able to factor in all relevant events that impact an individual — not just his or her network activity —  and to do so on a continuous basis.

In essence we use a whole-person representation of an individual to provide the context necessary to find and score behaviors that are the true indicators of a potential insider threat, often weeks or months before an adverse event actually occurs.

Peter DiBenedetto is a Solutions Architect at Haystax Technology.

#  #  #

NOTE TO READERS: Are you attending next week’s Gartner Security & Risk Management Summit? The Haystax Technology team will be there, too. Please stop by Booth 542 for a chat about how Haystax for Insider Threat can help you solve your organization’s toughest security analytics challenges.