Information Security News mailing list archives

Lab's behavioral system can catch insider threats


From: InfoSec News <alerts () infosecnews org>
Date: Fri, 18 Nov 2011 04:05:55 -0600 (CST)

http://gcn.com/articles/2011/11/17/oak-ridge-lab-stop-insider-exfiltration.aspx

By William Jackson
GCN.com
Nov 17, 2011

Researchers at the Energy Department’s Oak Ridge National Laboratory are developing a tool to identify malicious insiders and stop them from sending sensitive information outside the enterprise.

The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.

“It turns out there is a lot of data on each host you can leverage if you know what to look for,” Beaver said.

He said his team’s work has demonstrated that profiles of normal behavior can be built from low-level system data on a user’s computer over a relatively short time and that signatures for exfiltrating data can be recognized. The system responds to these events by seamlessly switching the malicious user to a honeypot environment where he is isolated from data but his actions can be studied.

[...]
