search menu icon-carat-right cmu-wordmark

Principles of Survivability and Information Assurance

April 2011 White Paper

In this paper, the authors describe a Security Information and Event Management signature for detecting possible malicious insider activity.

Abstract

This paper describes the development and proposed application of a Security Information and Event Management (SIEM) signature to detect possible malicious insider activity leading to IT sabotage. In the absence of a uniform, standardized event logging format, this paper presents the signature in two of the most visible public formats, Common Event Framework (CEF) and Common Event Expression (CEE). Because of the limitations of these formats, the SIEM described in this paper employs an operational version of the proposed signature in an ArcSight environment.