Software Engineering Institute | Carnegie Mellon University

Technical Note

Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination

  • October 2011
  • By Michael Hanley, Joji Montelibano
  • In this report, the authors present an insider threat pattern that shows how organizations can combat insider theft of intellectual property.
  • Insider Threat
  • Publisher: Software Engineering Institute
    CMU/SEI Report Number: CMU/SEI-2011-TN-024
  • Abstract

    Since 2001, the CERT Insider Threat Center has built an extensive library and comprehensive database containing more than 600 cases of crimes committed against organizations by insiders. A significant class of insider crimes, insider theft of intellectual property, involves highly damaging attacks against organizations that result in significant tangible losses in the form of stolen business plans, customer lists, and other proprietary information. The Insider Threat Center’s behavioral modeling of insiders who steal intellectual property shows that many insiders who stole their organization’s intellectual property stole at least some of it within 30 days of their termination. This technical note presents an example of an insider threat pattern based on this insight. It then presents an example implementation of this pattern on an enterprise-class system using the centralized log storage and indexing engine Splunk to detect malicious insider behavior on a network.

Cite This Report

SEI

Hanley, Michael; & Montelibano, Joji. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination. CMU/SEI-2011-TN-024. Software Engineering Institute, Carnegie Mellon University. 2011. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9875

IEEE

Hanley, Michael, and Montelibano, Joji, "Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Note CMU/SEI-2011-TN-024, 2011. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9875

APA

Hanley, Michael., & Montelibano, Joji. (2011). Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination (CMU/SEI-2011-TN-024). Retrieved June 27, 2017, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9875

CHI

Michael Hanley, & Joji Montelibano. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination (CMU/SEI-2011-TN-024). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2011. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9875

MLA

Hanley, Michael., & Montelibano, Joji. 2011. Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination (Technical Report CMU/SEI-2011-TN-024). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9875

BibTeX

@techreport{HanleyInsiderThreat2011,
title={Insider Threat Control: Using Centralized Logging to Detect Data Exfiltration Near Insider Termination},
author={Michael Hanley and Joji Montelibano},
year={2011},
number={CMU/SEI-2011-TN-024},
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9875} }