The SEI helps advance software engineering principles and practices and serves as a national resource in software engineering, computer security, and process improvement. The SEI works closely with defense and government organizations, industry, and academia to continually improve software-intensive systems. Its core purpose is to help organizations improve their software engineering capabilities and develop or acquire the right software, defect free, within budget and on time, every time.
This paper describes the development and proposed application of a Security Information and Event Management (SIEM) signature to detect possible malicious insider activity leading to IT sabotage. In the absence of a uniform, standardized event logging format, this paper presents the signature in two of the most visible public formats, Common Event Framework (CEF) and Common Event Expression (CEE). Because of the limitations of these formats, the SIEM described in this paper employs an operational version of the proposed signature in an ArcSight environment.