As trusted members of the organization, employees are given access to information and assets. In many cases the difference between normal behavior and a threat is subtle, which makes detecting malicious behavior very difficult. It can take only one or two small changes in circumstances for an employee to become an insider threat to your enterprise. Detecting and responding to such a hard problem requires a different strategy.
By representing common-sense knowledge from the cybersecurity community together with the knowledge of your enterprise's own cybersecurity analysts, tasks and data interpretation can be efficiently and intelligently automated. Because a DarkLight PRO (Programmable Reasoning Object) is created by the security analysts themselves, it thinks and works like a human analyst to find correlations and patterns between data sets. Analysts can customize existing PROs or create new ones to track whatever activity they deem necessary to keep your enterprise secure.
Examples of Insider Threat PRO Playbooks:
Thought leaders at the CERT Insider Threat Center at Carnegie Mellon's Software Engineering Institute (SEI) have released model concepts to help insider threat programs implement more effective controls. Based on cases from more than 1000 organizations, the research paper and models have been several years in the making and provide a standardized method of expression for indicators of potential malicious insider activity. They have taken an ontological approach to the problem and have provided the industry with an Insider Threat Indicator Ontology (ITIO). An ontological approach provides a standard common language with which to represent and share knowledge, a capability they have identified as currently lacking within the threat intelligence community.
DarkLight has integrated over 100 modular cybersecurity ontologies developed by the community over the past couple of years, including standards-based knowledge representations of many of the government-sponsored cybersecurity measurement and management architecture standards such as STIX, CYBOX, MAEC, CAPEC, CWE, CVE, and SCAP, as well as newer ontologies like the ITIO. This enables DarkLight to understand the meaning and context of the cybersecurity data and information expressed in those standardized common languages. DarkLight automatically organizes that data into a cybersecurity knowledge and activity graph, where it can then be taught to apply the knowledge as a virtual analyst, make evidence-driven decisions, and orchestrate courses of action.
Import the Insider Threat Indicator Ontology into DarkLight and the concepts of the ontology are mapped onto real-time data from your organization. For example, the ontology's "Actors" are mapped to the "People & Organizations" of the company, immediately putting the ITIO to use. Once this mapping is in place, the subtle changes in an employee's behavior that make insider threat such a hard problem can be identified much more easily.
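The following Python is an added illustration of the mapping just described; it is not DarkLight's code, and the concept names (itio:Actor, itio:Organization, itio:Asset, itio:AccessEvent, the ex: properties) are hypothetical simplifications rather than the real ITIO classes. It builds a small triple-store knowledge graph, maps constructed HR-directory and file-access records onto those concepts, and runs one rule-style reasoning object that flags a behavioral shift: a jump in an actor's share of after-hours access relative to that actor's own baseline window. All sample records and the 20:00 to 06:00 after-hours definition are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


class KnowledgeGraph:
    """Minimal triple store: (subject, predicate, object) with a (subject, predicate) index."""

    def __init__(self):
        self.triples = set()
        self._index = defaultdict(set)

    def add(self, s, p, o):
        self.triples.add((s, p, o))
        self._index[(s, p)].add(o)

    def objects(self, s, p):
        return self._index.get((s, p), set())

    def subjects_of_type(self, concept):
        return {s for (s, p, o) in self.triples if p == "rdf:type" and o == concept}


# Constructed enterprise data: a hypothetical HR directory and file-access log.
PEOPLE = [
    {"id": "u1001", "name": "Alice Example", "org": "Finance"},
    {"id": "u1002", "name": "Bob Example", "org": "Engineering"},
]
ACCESS_EVENTS = [
    # (user id, asset, ISO timestamp); constructed sample rows
    ("u1001", "asset:ledger", "2024-03-04T10:12:00"),
    ("u1001", "asset:ledger", "2024-03-05T11:40:00"),
    ("u1001", "asset:ledger", "2024-03-06T09:30:00"),
    ("u1001", "asset:ledger", "2024-03-18T23:10:00"),
    ("u1001", "asset:payroll", "2024-03-19T22:45:00"),
    ("u1001", "asset:payroll", "2024-03-20T01:05:00"),
    ("u1002", "asset:repo", "2024-03-04T14:00:00"),
    ("u1002", "asset:repo", "2024-03-19T15:30:00"),
]


def map_people(graph, people):
    """Map HR rows onto the hypothetical Actor and Organization concepts."""
    for row in people:
        actor = f"person:{row['id']}"
        org = f"org:{row['org']}"
        graph.add(actor, "rdf:type", "itio:Actor")
        graph.add(actor, "ex:name", row["name"])
        graph.add(org, "rdf:type", "itio:Organization")
        graph.add(actor, "ex:memberOf", org)


def map_access_events(graph, events):
    """Map raw access-log rows onto Asset and AccessEvent nodes linked back to the Actor."""
    for i, (uid, asset, ts) in enumerate(events):
        ev = f"event:{i}"
        graph.add(asset, "rdf:type", "itio:Asset")
        graph.add(ev, "rdf:type", "itio:AccessEvent")
        graph.add(ev, "ex:actor", f"person:{uid}")
        graph.add(ev, "ex:asset", asset)
        graph.add(ev, "ex:time", ts)
        graph.add(f"person:{uid}", "ex:performed", ev)


def after_hours(ts):
    """Constructed definition: 20:00 to 06:00 counts as after hours."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= 20 or hour < 6


def after_hours_shift_pro(graph, now, baseline_days=14, recent_days=7, threshold=0.5):
    """Hypothetical reasoning object: for each Actor, compare the share of after-hours
    access in the recent window with the share in the preceding baseline window, and
    emit an indicator when the share rises by at least `threshold`."""
    now = datetime.fromisoformat(now)
    recent_start = now - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    findings = []
    for actor in sorted(graph.subjects_of_type("itio:Actor")):
        baseline, recent = [], []
        for ev in graph.objects(actor, "ex:performed"):
            (ts,) = graph.objects(ev, "ex:time")
            t = datetime.fromisoformat(ts)
            if baseline_start <= t < recent_start:
                baseline.append(after_hours(ts))
            elif recent_start <= t <= now:
                recent.append(after_hours(ts))
        if not baseline or not recent:
            continue  # no baseline to compare against: the rule stays silent
        b_rate = sum(baseline) / len(baseline)
        r_rate = sum(recent) / len(recent)
        if r_rate - b_rate >= threshold:
            findings.append({"actor": actor, "baseline_rate": b_rate,
                             "recent_rate": r_rate, "indicator": "ex:AfterHoursAccessShift"})
    return findings


def build_and_run(now="2024-03-21T00:00:00"):
    """Build the graph from the constructed records and run the reasoning object."""
    g = KnowledgeGraph()
    map_people(g, PEOPLE)
    map_access_events(g, ACCESS_EVENTS)
    return g, after_hours_shift_pro(g, now)


if __name__ == "__main__":
    _, results = build_and_run()
    for f in results:
        print(f)
```

With the constructed data, only person:u1001 is flagged: all three of that actor's baseline accesses were during working hours and all three recent accesses were after hours, while person:u1002's pattern is unchanged. The point of keeping the mapping step separate from the rule is the one the text makes about ontologies: the rule is written against the concepts (Actor, AccessEvent), so it keeps working when the underlying HR or log source changes, as long as the mapping is updated.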
DarkLight helps you:
This two-page document is ideal for Security Analysts, Security Operations Center (SOC) Managers and CISOs, and will explain the