Insider Threat

Insider threat detection is challenging.
Only a PRO can defeat malicious insiders.

Problem

Detecting Insider Threats Requires a New Strategy

As trusted members of the organization, employees are given access to information and assets. In many cases there is only a subtle difference between normal behavior and a threat, which makes malicious behavior very difficult to detect. In fact, a change in only one or two small circumstances can turn an employee into an internal threat to your enterprise. Detecting and responding to such a hard problem requires a different strategy.

Solution

The DarkLight PROs Strategy to Detect Insider Threats

By representing common sense knowledge from the cybersecurity community together with the knowledge of your enterprise's own cybersecurity analysts, tasks and data interpretation can be efficiently and intelligently automated. Because a DarkLight PRO (Programmable Reasoning Object) is created by the security analyst, it thinks and works like a human to find correlations and patterns between data sets. Analysts can customize or create new PROs to track whatever activity they deem necessary to keep your enterprise secure.

Examples of Insider Threat PRO Playbooks:

  • Track group membership over time
  • Detect off-hours system usage
  • Detect uploading to known file-storage locations
  • Detect unusual program execution
  • Detect unusual printing activity
  • Correlate when a member of a group decimated by layoffs uploads to a known location
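The playbooks above can be illustrated with a small detection routine. The following is an added example written for this page, not DarkLight's own PRO code: it runs three of the listed checks (group membership change over time, off-hours logon, upload to a known file-storage location) over constructed sample data and correlates them, flagging uploads by the remaining members of a group that lost most of its members between two snapshots. The snapshot dates, usernames, hostnames, the `cloud-storage.example` destination and the 08:00 to 18:00 business window are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, time

# Constructed sample data for the example (not real telemetry): group
# membership captured on two dates, plus a handful of logon/upload events.
GROUP_SNAPSHOTS = {
    "2018-06-01": {"finance": {"alice", "bob", "carol", "dave"},
                   "eng": {"erin", "frank"}},
    "2018-06-15": {"finance": {"alice"},
                   "eng": {"erin", "frank"}},
}

EVENTS = [
    "2018-06-16T02:14:00 user=alice action=logon host=fin-ws-07",
    "2018-06-16T02:20:00 user=alice action=upload dest=cloud-storage.example bytes=52428800",
    "2018-06-16T09:30:00 user=erin action=logon host=eng-ws-02",
    "2018-06-16T10:05:00 user=erin action=upload dest=cloud-storage.example bytes=1048576",
    "2018-06-16T23:45:00 user=frank action=logon host=eng-ws-03",
]

# Destinations an analyst has listed as known external file-storage sites (assumed).
KNOWN_STORAGE = {"cloud-storage.example"}

# Assumed business hours; anything outside [start, end) counts as off-hours.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def is_off_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def group_attrition(snapshots, before, after, threshold=0.5):
    """Groups that lost at least `threshold` of their members between snapshots."""
    shrunk = {}
    for group, members in snapshots[before].items():
        remaining = snapshots[after].get(group, set())
        lost = members - remaining
        if members and len(lost) / len(members) >= threshold:
            shrunk[group] = {"lost": lost, "remaining": remaining}
    return shrunk


def find_indicators(events, snapshots, before, after):
    """Return (indicator, user, detail) tuples for the playbook checks."""
    shrunk = group_attrition(snapshots, before, after)
    # Remaining members of a downsized group are the ones whose uploads we correlate.
    at_risk = {user: group for group, info in shrunk.items() for user in info["remaining"]}

    findings = []
    for event in (parse_event(line) for line in events):
        user = event["user"]
        if event["action"] == "logon" and is_off_hours(event["ts"]):
            findings.append(("off_hours_logon", user, event["ts"].isoformat()))
        if event["action"] == "upload" and event.get("dest") in KNOWN_STORAGE:
            findings.append(("upload_to_known_storage", user, event["dest"]))
            if user in at_risk:
                findings.append(("upload_from_downsized_group", user, at_risk[user]))
    return findings


def score_by_user(findings):
    """Count indicators per user so the analyst sees who accumulated several."""
    return dict(Counter(user for _, user, _ in findings))


if __name__ == "__main__":
    found = find_indicators(EVENTS, GROUP_SNAPSHOTS, "2018-06-01", "2018-06-15")
    for indicator, user, detail in found:
        print(f"{indicator:28} {user:6} {detail}")
    print(score_by_user(found))
```

The point of the correlation step is that neither an off-hours logon nor a single upload is conclusive on its own; it is the combination with a recent change in the user's group that raises one user above the others, which is what the last playbook entry describes.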

Ready to use the power of DarkLight's AI for Active Cyber Defense?

Contact an Expert

Thought Leadership

The Insider Threat Indicator Ontology

Thought leaders at the CERT Insider Threat Center at Carnegie Mellon's Software Engineering Institute (SEI) have released model concepts to help insider threat programs implement more effective controls. Based on cases from more than 1000 organizations, the research paper and models have been several years in the making and provide a standardized method of expression for indicators of potential malicious insider activity. They have identified an ontological approach to the problem and have provided the industry with an Insider Threat Indicator Ontology (ITIO). An ontological approach provides a standard common language with which to represent and share knowledge, something they have identified as currently lacking within the threat intelligence community.

Putting it to Work

Classifying Information Yields Knowledge

DarkLight has integrated over 100 modular cyber security ontologies developed by the community over the past couple of years, including standards-based knowledge representations of many government-sponsored cyber security measurement and management architecture standards such as STIX, CYBOX, MAEC, CAPEC, CWE, CVE, and SCAP, as well as newer ontologies like the ITIO. This enables DarkLight to understand the meaning and context of cyber security data and information expressed in those standardized common languages. DarkLight automatically organizes that data into a cyber security knowledge and activity graph, where it can then be taught to apply the knowledge as a virtual analyst, make evidence-driven decisions, and orchestrate courses of action.

Operationalizing the ITIO

Import the Insider Threat Indicator Ontology into DarkLight and the concepts of the ontology are mapped to your organization's real-time data. As an example, the ITIO's “Actors” are mapped to the company's “People & Organizations”, immediately putting the ITIO to use. Once this mapping is in place, the hard part of the insider threat problem, identifying the subtle changes in an employee's behavior, becomes much easier.

DarkLight helps you:

  • Find the indicators
  • Identify exfiltration
  • Identify I.D. theft and fraud
  • Collect the intelligence needed to allow efficient forensic investigations of affected assets

Download the DarkLight Business Data Sheet and learn how to improve your security operations.

This two-page document is ideal for Security Analysts, Security Operations Center (SOC) Managers and CISOs, and explains the

  • Top Benefits
  • Key Value
  • How DarkLight differs from other Security Analytics and Orchestration tools
