I recently had the opportunity to present a webinar together with Adam Harting from Raytheon, a forward-thinking Perspective client and member of our Perspective Advisory Board. The topic was big data and how it can be used to combat insider threats in an organization. Here’s a summary of what we covered. (A link to the actual recording appears at the end.)
It all starts with our current digital information explosion and the Internet of Things, something I’ve written about a lot lately. The numbers are staggering! From the beginning of time to the year 2003, the world generated two exabytes of data. We’re NOW generating roughly five exabytes of data every single day. Every day, we’re generating two and a half times as much data as we produced for the entire history of the human race up to 2003! This truly is an explosion, and it’s only going to continue as more devices like cars, watches, and security systems become connected to the Internet of Things and begin pumping additional data into the stream.
With more and more talk about big data in all industries and across our culture, a term has been coined to help us get our heads around what it really means. It’s called HV3, and it stands for high volume, high velocity, and high variety data. In other words, there’s a lot of data being generated, a lot of data movement at all times, and a lot of different types of data from different source points. The movement of data looks more like a complex molecule—a web structure like the Internet—than a simple exchange between two points. This is noticeably different from even as recently as five years ago.
For those of us in the security industry, this avalanche of information represents billions of data points that can provide intelligence to help us analyze, recognize, and ultimately, prevent crimes and incidents from occurring. It means that for any given incident or situation, there will be some kind of data that has been generated and that lives somewhere, on some server. And, beyond the data points relating to that specific moment in time—which can help us solve crimes and identify the important points about a specific incident—there will be a great deal of supporting data. And that data can be captured, analyzed, and visualized to help identify patterns, clues that can serve up red flags to future behaviors if we can just recognize and understand them.
When an incident happens, you can also apply associative rule making to find meaningful patterns. Say there is a sudden rash of laptop thefts at your facility. Instead of simply citing that the majority of laptop thefts are happening between 8 p.m. and 8 a.m., your associative rules can tell you that a specific employee was on duty 80% of that time.
Establishing data trends can also provide useful information about things you hadn’t even thought to look for. For example, you might search a database for specific types of incidents that occurred during a certain period and related to theft. Along with that information, your incident management software gives you back an additional piece of intelligence: there has also been a rash of broken windows just outside of that time frame on one particular day of the week. This type of added insight is called ‘slot filling,’ and it’s an incredibly valuable feature to have for forecasting and preventing incidents.
This is particularly true for insider threats. Within an organization, you will have a discrete community of individuals who function within defined parameters. For example, one person’s job will be in a particular area of the campus, with no job-related reason to be in other areas. Another person will have specific times of the day or days of the week when they typically access segments of the server. These normative patterns are the baseline to determine when actions occur outside the norm, providing useful information that can be used to solve—and to predict—criminal acts. This is called ‘outlier detection,’ or looking for a pattern that is an anomaly.
With this kind of analysis, you can use big data to help combat and defeat insider threats. Specifically, you can use behavioral indicators to raise a red flag through associative rule making, outlier detection, slot filling, and other techniques.
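As an added illustration of two of the techniques above (not code from the webinar, PPM, or Perspective), the following script builds a per-employee baseline from a constructed badge-access log and flags swipes outside that baseline (outlier detection), then computes the confidence of the rule "theft night implies employee X on duty" over a constructed roster, which is the kind of 80% figure the laptop-theft example describes. All names, areas, dates, and thresholds are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample data (not from the post): badge swipes and a night-shift roster.
BADGE_LOG = """alice,lab-a,2024-03-04 09:12
alice,lab-a,2024-03-05 08:55
alice,lab-a,2024-03-06 09:03
alice,lab-a,2024-03-07 09:20
alice,server-room,2024-03-07 23:41
bob,server-room,2024-03-04 22:10
bob,server-room,2024-03-05 22:30
bob,server-room,2024-03-06 21:55
bob,server-room,2024-03-07 22:05
bob,lab-a,2024-03-08 03:10"""
NIGHT_GUARD = {"2024-03-04": "carol", "2024-03-05": "carol", "2024-03-06": "dave",
               "2024-03-07": "carol", "2024-03-08": "carol"}
THEFT_NIGHTS = ["2024-03-04", "2024-03-05", "2024-03-06", "2024-03-07", "2024-03-08"]

def parse_log(text):
    """Turn 'employee,area,YYYY-MM-DD HH:MM' lines into (employee, area, datetime)."""
    out = []
    for line in text.splitlines():
        who, area, ts = line.split(",")
        out.append((who, area, datetime.strptime(ts, "%Y-%m-%d %H:%M")))
    return out

def band(dt):
    """Six-hour time-of-day bucket: 0=00-06, 1=06-12, 2=12-18, 3=18-24."""
    return dt.hour // 6

def outliers(events, min_share=0.2):
    """Flag swipes whose area or time band is rare for that employee.
    The baseline is built leave-one-out so an event cannot normalise itself."""
    by_emp = {}
    for who, area, dt in events:
        by_emp.setdefault(who, []).append((area, band(dt)))
    flagged = []
    for who, area, dt in events:
        others = list(by_emp[who])
        others.remove((area, band(dt)))  # exclude this event from its own baseline
        areas = Counter(a for a, _ in others)
        bands = Counter(b for _, b in others)
        n = len(others)
        if n and (areas[area] / n < min_share or bands[band(dt)] / n < min_share):
            flagged.append((who, area, dt.isoformat(" ")))
    return flagged

def on_duty_confidence(theft_nights, roster):
    """Association rule {theft night} -> {X on duty}: share of theft nights each
    employee covered (the rule's confidence), highest first."""
    counts = Counter(roster[d] for d in theft_nights)
    return {who: c / len(theft_nights) for who, c in counts.most_common()}

if __name__ == "__main__":
    print(outliers(parse_log(BADGE_LOG)))
    print(on_duty_confidence(THEFT_NIGHTS, NIGHT_GUARD))
```

The leave-one-out baseline matters with small per-employee histories: with only five swipes, counting the suspicious event in its own baseline would push it over the threshold and hide it.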
The big data being generated by organizations has a tremendous value on the open market. Whether it’s intellectual property relating to new technologies, personal identity information, government intelligence, codes, or other protected information, the temptation to sell that data to the highest bidder can become irresistible. But there tend to be signs that suspicious activity is occurring—personnel come and go at different hours, or begin dressing or acting differently. They may suddenly begin traveling more frequently or change their social activities.
Incident management—defined as the activity or steps an organization follows to identify, analyze, or collect information on vulnerabilities, threats, and hazards—can aggregate and analyze these signs, habits, and trends. The software can use all this data—from HR, security, ethics, legal, the operations supply chain, and elsewhere—to identify patterns and relationships among employees, including some that would be virtually impossible to spot otherwise.
Insider threats will always be a hazard to organizations. But with the right analytical and intelligence tools in place, big data can be used to benefit an organization, helping to identify threats and mitigate risks before they threaten businesses.
Request Recording

The post Data Analysis to Combat the Insider Threat appeared first on PPM.