Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity Philip A. Legg University of the West of England, UK [email protected]

Upload: phil-legg

Post on 16-Apr-2017

Category: Data & Analytics

TRANSCRIPT

Page 1: Visualizing the Insider Threat: Challenges and tools for identifying malicious user activity

Philip A. Legg
University of the West of England, UK
[email protected]

Page 2: Introduction

• What is Insider Threat?
• Identifying Insider Threats
• Visual Analytics for Insider Threat
• Challenges and Limitations
• Conclusion

Page 3: Insider Threat

• Someone with privileged access to, and knowledge of, an organisation, who uses this in a way that is detrimental to the operation of the organisation.
• E.g., employees, management, stakeholders, contractors.
• Example threats include intellectual property theft, data fraud, system sabotage, and reputational damage.
• Typically, a threat is initiated by a trigger and a motive (e.g., personal financial difficulties result in theft).

Page 4: Insider Threat

• According to the 2015 Insider Threat Report by Vormetric:
  “93% of U.S. organisations polled responded as being vulnerable to insider threats”.
  “59% of U.S. respondents stated that privileged users pose the biggest threat to their organisation”.
• How can we mitigate threats without impacting productivity?
• Have advances in technology created more opportunity for attack?
• Does more activity data equal more success for mitigating threats?

Page 5: Identifying Insider Threat

• Given observations of user activity, how can we identify insider threats?
• Generate user and role profiles for comparative analysis.
• For each user/role:
  • What devices do they use?
  • What activities do they perform?
  • What are the attributes of the activity?
  • What is the time-profile of each instance?

Page 6: Identifying Insider Threat

[Figure: feature naming scheme. Each feature is named {activity type}_{feature}_{group}, with activity type ∈ {logon, usb_insert, email, http, file}, feature ∈ {hourly_usage, new_activity_for_device, new_attribute_for_device}, and group ∈ {for_role, for_user}.]

• Given a profile of user activity, how can we identify insider threats?
• Obtain ‘features’ that characterize potential threats:
  • New activities, or attributes
  • Time of the activity/attribute
  • Frequency of the activity/attribute

Examples:

logon_new_activity_for_device_for_role: a count of how many times that day the user has logged on to a device that has not been accessed before by members of that particular job role.

http_hourly_usage_for_user: a 24-element count, one element per hour of the day, of activity that involves http usage for this particular user.
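The following is an added example, not code from the slides or from the author's tool: it builds the per-user, per-day profile in the naming scheme above from a small constructed activity log, and then applies the "late night usage + new observation for this role" rule that the detail view later flags as a threat. The log format, the choice to judge "new" against all history before the current day (so a device first used today stays new for every access that day), keeping hourly usage per user only, and the 22:00 to 06:00 late-night window are all assumptions made for the example.

```python
"""
Added example (not from the slides): per-user, per-day feature profile in the
{activity}_{feature}_{group} naming scheme, plus the detail-view rule
"late night usage + new observation for this role".
Assumptions: log format below, newness judged against history before the
current day, hourly usage per user only, late night = 22:00-06:00.
"""
from collections import defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user role device activity attribute")

# Constructed sample log: timestamp,user,role,device,activity,attribute
SAMPLE_LOG = """\
2017-03-06T08:02:11,alice,finance,PC-0417,logon,
2017-03-06T08:05:30,alice,finance,PC-0417,http,intranet.example.org
2017-03-06T08:10:44,bob,finance,PC-0418,logon,
2017-03-06T09:14:02,alice,finance,PC-0417,email,supplier@example.org
2017-03-06T11:30:00,bob,finance,PC-0418,http,intranet.example.org
2017-03-07T08:01:09,alice,finance,PC-0417,logon,
2017-03-07T10:00:12,alice,finance,PC-0417,http,intranet.example.org
2017-03-07T23:40:51,alice,finance,PC-0901,logon,
2017-03-07T23:45:03,alice,finance,PC-0901,usb_insert,SN-77A1
2017-03-07T23:50:27,alice,finance,PC-0901,file,Q1-forecast.xlsx
"""

LATE_HOURS = set(range(22, 24)) | set(range(0, 6))  # assumed "late night" window


def parse_log(text):
    """Parse the constructed CSV format into chronologically sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, device, activity, attribute = line.split(",", 5)
        events.append(Event(datetime.fromisoformat(ts), user, role, device, activity, attribute))
    return sorted(events, key=lambda e: e.ts)


def extract_features(log_text):
    """Return {(user, 'YYYY-MM-DD'): {feature_name: value}} for every user-day."""
    by_day = defaultdict(list)
    for ev in parse_log(log_text):
        by_day[ev.ts.date().isoformat()].append(ev)

    seen_device = defaultdict(set)     # (scope, key) -> {(activity, device)}
    seen_attribute = defaultdict(set)  # (scope, key, activity, device) -> {attribute}
    profiles = {}
    for day in sorted(by_day):
        for ev in by_day[day]:
            feats = profiles.setdefault((ev.user, day), {})
            hourly = feats.setdefault(f"{ev.activity}_hourly_usage_for_user", [0] * 24)
            hourly[ev.ts.hour] += 1
            for scope, key in (("for_user", ev.user), ("for_role", ev.role)):
                if (ev.activity, ev.device) not in seen_device[(scope, key)]:
                    name = f"{ev.activity}_new_activity_for_device_{scope}"
                    feats[name] = feats.get(name, 0) + 1
                attrs = seen_attribute[(scope, key, ev.activity, ev.device)]
                if ev.attribute and ev.attribute not in attrs:
                    name = f"{ev.activity}_new_attribute_for_device_{scope}"
                    feats[name] = feats.get(name, 0) + 1
        # Only after the whole day is scored does it become "history", so a
        # device first used today counts as new for every access that day.
        for ev in by_day[day]:
            for scope, key in (("for_user", ev.user), ("for_role", ev.role)):
                seen_device[(scope, key)].add((ev.activity, ev.device))
                if ev.attribute:
                    seen_attribute[(scope, key, ev.activity, ev.device)].add(ev.attribute)
    return profiles


def flag_late_new_role_activity(feats):
    """Detail-view rule: any late-night usage AND something never seen for the role."""
    late = any(h in LATE_HOURS and n > 0
               for name, hours in feats.items() if name.endswith("_hourly_usage_for_user")
               for h, n in enumerate(hours))
    new_for_role = any(v > 0 for name, v in feats.items()
                       if name.endswith("_for_device_for_role"))
    return late and new_for_role


if __name__ == "__main__":
    for (user, day), feats in sorted(extract_features(SAMPLE_LOG).items()):
        counts = {k: v for k, v in feats.items() if not k.endswith("_hourly_usage_for_user")}
        print(user, day, "flagged =", flag_late_new_role_activity(feats), counts)
```

On the constructed log, alice's second day is the only user-day the rule flags: the 23:40 logon lands in the late window, and PC-0901 has never been used by anyone in the finance role, so logon, usb_insert and file all produce `*_new_activity_for_device_for_role` counts. Her 08:01 logon and intranet browsing on PC-0417 produce no "new" features because both were seen the day before.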

Page 7: Identifying Insider Threat

• Given daily ‘features’ for each user, how can we assess and score user deviation?
• One approach: PCA feature decomposition.
• Suppose then that a security analyst just receives a threat score for each user for each day…
  • How do they know how the threat score is computed?
  • How can they trust that this threat score is valid?
  • What if they want to understand how the threat score may vary, based on different activity?
• There is a need for Visual Analytics to examine the detection process!

Page 8: [Screenshot of the tool, annotated: Overview; Zoom and Filter]

Page 9: [Screenshot of the tool, annotated: Overview; Zoom and Filter; Details on Demand]

Page 10: Overview

• Charts provide an interactive overview of selected summary statistics (e.g., amount of activity, deviation of activity).
• Support filtering (date range, selection).
• Zoomed view of activity by date.
• Contextual view of activity by date.
• Activity bar chart by job role.
• Activity bar chart by individual.

[Screenshot annotations: Change stat; Select users; Filter by Role]

Page 11: Filter and Zoom

• Interactive PCA [Jeong et al.]
• Scatter plot view of user daily activity based on PCA.
• Parallel coordinates show a linked view between the plot and the profile features.
• Can identify groups of outliers, and which features contribute towards the groupings.

Page 12: Filter and Zoom

• Dragging points on the scatter plot performs inverse PCA.
• The analyst can examine the relationship between the projection space and the original feature space.
• Can be used to identify the contribution or ‘usefulness’ of each feature for refinement of the detection model (e.g., apply a weighting function to the PCA).
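The following is an added example, not the author's code or the tool shown in the slides. It serves both the "PCA feature decomposition" scoring on Page 7 and the inverse PCA on Page 12: daily feature vectors are standardised, a PCA subspace is fit, each day is scored, and `inverse()` maps scatter-plot coordinates back into feature space, which is what dragging a point gives the analyst. Assumptions not stated on the slides: the subspace is fit on a baseline window of earlier days only, the deviation score is the reconstruction error (the part of the day's vector the subspace cannot explain) with its per-feature breakdown, the feature names and daily rows are constructed, and the components are found by power iteration so the block runs in pure Python without numpy.

```python
"""
Added example (not from the slides): PCA deviation scoring for daily user
feature vectors, with the inverse projection used by the interactive view.
Assumptions: baseline-only fit, score = reconstruction error after
standardisation, constructed feature names and rows, no numpy.
"""
import math

FEATURES = ["http_count", "email_count", "late_night_logons",
            "usb_insert_new_for_role", "logon_new_device_for_role"]

# Constructed baseline: ten ordinary days for one user.
BASELINE = [
    [30, 10, 0, 0, 0], [25, 12, 0, 0, 0], [35, 8, 0, 0, 0], [28, 11, 0, 0, 0],
    [32, 9, 0, 0, 0], [27, 13, 0, 0, 0], [31, 10, 0, 0, 0], [29, 12, 0, 0, 0],
    [33, 9, 0, 0, 0], [26, 11, 0, 0, 0],
]
# Constructed day to score: normal web/email volume, but late-night logons,
# a device new for the role and a USB insert on it.
SUSPECT_DAY = [31, 10, 3, 2, 1]


def mean_std(rows):
    n, d = len(rows), len(rows[0])
    mu = [sum(r[j] for r in rows) / n for j in range(d)]
    sd = [math.sqrt(sum((r[j] - mu[j]) ** 2 for r in rows) / n) for j in range(d)]
    # A feature that never varied in the baseline keeps raw units, so a later
    # non-zero value shows up as deviation instead of dividing by zero.
    return mu, [s if s > 1e-12 else 1.0 for s in sd]


def standardize(row, mu, sd):
    return [(x - m) / s for x, m, s in zip(row, mu, sd)]


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def covariance(z_rows):
    n, d = len(z_rows), len(z_rows[0])
    return [[sum(r[i] * r[j] for r in z_rows) / n for j in range(d)] for i in range(d)]


def principal_components(cov, k, iters=500):
    """Top-k orthonormal components by power iteration with Gram-Schmidt deflation."""
    d, comps = len(cov), []
    for c in range(k):
        v = [float((i + 1) ** (c + 1)) for i in range(d)]  # independent start vectors
        for _ in range(iters):
            w = [dot(row, v) for row in cov]
            for u in comps:                          # remove directions already found
                p = dot(w, u)
                w = [wi - p * ui for wi, ui in zip(w, u)]
            nw = math.sqrt(dot(w, w))
            if nw < 1e-12:                           # no variance left here
                break
            v = [wi / nw for wi in w]
        for u in comps:                              # re-orthogonalise the final vector
            p = dot(v, u)
            v = [vi - p * ui for vi, ui in zip(v, u)]
        nv = math.sqrt(dot(v, v))
        comps.append([vi / nv for vi in v])
    return comps


class PcaModel:
    def __init__(self, baseline_rows, k):
        self.mu, self.sd = mean_std(baseline_rows)
        z = [standardize(r, self.mu, self.sd) for r in baseline_rows]
        self.comps = principal_components(covariance(z), k)

    def project(self, row):
        """Feature space -> scatter-plot coordinates (one per component)."""
        z = standardize(row, self.mu, self.sd)
        return [dot(z, c) for c in self.comps]

    def inverse(self, coords):
        """Scatter-plot coordinates -> feature space: what dragging a point shows."""
        z = [sum(t * c[j] for t, c in zip(coords, self.comps)) for j in range(len(self.mu))]
        return [zj * s + m for zj, s, m in zip(z, self.sd, self.mu)]

    def score(self, row):
        """Deviation score = size of what the subspace cannot explain, per feature."""
        z = standardize(row, self.mu, self.sd)
        back = standardize(self.inverse(self.project(row)), self.mu, self.sd)
        resid = [a - b for a, b in zip(z, back)]
        contrib = dict(zip(FEATURES, (r * r for r in resid)))
        return math.sqrt(dot(resid, resid)), contrib


if __name__ == "__main__":
    model = PcaModel(BASELINE, k=2)
    for row in BASELINE + [SUSPECT_DAY]:
        score, contrib = model.score(row)
        top = max(contrib, key=contrib.get)
        print(f"{row} coords={[round(t, 2) for t in model.project(row)]} "
              f"score={score:.3f} top_feature={top}")
```

With k=2 the baseline days score essentially zero, because all their variation lies in the http/email plane the two components span; the suspect day scores sqrt(9 + 4 + 1) with `late_night_logons` as the largest contributor, which is the per-feature breakdown an analyst needs to trust the number. Fitting with k equal to the number of features makes `inverse(project(row))` return the row exactly, so the same model answers the "what does this point mean in feature space?" question from the interactive view.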

Page 13: Detail View

• Activity plot that maps user and role activity to time (supports either a polar or a Cartesian grid layout).
• Comparison of user activity on a daily basis, and against others in the same job role.
• Could potentially be used in conjunction with other data if available (e.g., HR records, performance reviews).

[Screenshot annotations: Blue activity shows USB drive insert and removal. Late night usage + new observation for this role = threat!]

Page 14: Challenges and Limitations

• Gathering activity log data for Insider Threat research
  • Synthetic data versus real-world data?
  • How well can synthetic data represent normal and malicious activity?
  • How can real organisations actually share knowledge of insider cases?
• Anomalous activity != Malicious activity
  • Should we be considering hybrid anomaly-signature techniques?
  • Make use of both the computational power and the human analyst.
• Insider Threat Prevention
  • Ideally, organisations would like to prevent attacks rather than detect them.
  • Requires understanding the behavioral precursors of the attack.
  • How can we collect and analyze data that may inform this approach?

Page 15: Conclusion

• We demonstrate the use of a Visual Analytics tool for the purpose of Insider Threat detection and model exploration.
• We couple this with a detection routine based on activity profiling and feature decomposition.
• Future work is to validate approaches for Insider Threat detection based on real-world deployment.
• Just how normally are normal users really behaving, and likewise, how malicious are the malicious users?

Page 16: Thank you for your attention

Philip A. Legg
University of the West of England, UK
[email protected]

Source to be available from:
http://www.plegg.me.uk
http://www.github.com/phillegg