Detecting insider threats
TRENDS & TECHNOLOGIES that affect the way government does IT
- By Brad Grimes
- Jul 27, 2006
Austin Wells, vice president of marketing at Reston, Va.-based Digital Harbor Inc., was walking GCN through a hypothetical insider threat scenario. While on assignment, two separate, cleared government employees meet the same foreign national in a bar overseas. One employee reports the three having a drink in a standard post-travel debriefing; the other does not. That's not necessarily cause for concern, Wells said, but what if the nonreporter was also going through bankruptcy? Could there be a threat there? It's this needle-in-a-haystack-type stuff that Digital Harbor wants to help sort out with its new Integrated Trust Assurance Management System (ITAMS).
'There are different pieces of information that by themselves wouldn't tell you anything unusual is happening,' Wells said, 'but composed together paint the picture of a threat.'
Data-mining tools are good for analyzing large amounts of information to identify potential threats, he said, but 'most of them are false positives. Data-mining tools compress data and come up with a small subset. For that small subset, you need to expand the information.'
Designed with help from the Defense Department, Digital Harbor's ITAMS is based on the company's composite application technology, which pulls together information from disparate sources without disturbing them. It is not a substitute for things like data mining, business intelligence and enterprise search, Wells was quick to point out. For instance, ITAMS wouldn't crawl electronic debriefing reports and flag the missing contact reference. But it would take that data from another extraction tool, combine it with data from an HR system, for example, and build a bigger picture. It can also draw from the various indexes that search tools and document management programs create.
In ITAMS, a back-end J2EE server application links various data sources together. The system builds what Wells called a 'business ontology' based on correlation and inference that makes it easy to link apps, workflows, etc. without writing code. In the end, though, ITAMS is not meant to be an automated insider threat detector. It's meant to illustrate the links government investigators might not otherwise pursue in rooting out threats. Considering Digital Harbor got its start doing this type of thing for the intelligence community, security departments may want to take a look.
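The composition idea in Wells's scenario, where an unreported foreign contact and a bankruptcy filing each mean little on their own but together produce a lead worth an investigator's time, can be shown in a few lines of correlation logic. The following is an added example written for this article; it is not Digital Harbor's code and does not reproduce ITAMS. The three data sources (debriefing reports, the output of a hypothetical contact-extraction tool, and HR records), the record layouts, the indicator weights and the review threshold are all constructed assumptions.

```python
"""Compose weak insider-threat signals from separate sources into investigator leads.

Added example, not ITAMS code. All data below is constructed.
"""
from dataclasses import dataclass, field

# Source 1: post-travel debriefing reports (what each employee self-reported).
DEBRIEFS = [
    {"employee": "E-1001", "trip": "T-77", "reported_contacts": ["Foreign National X"]},
    {"employee": "E-1002", "trip": "T-77", "reported_contacts": []},
]

# Source 2: output of a hypothetical extraction tool that pulled contact mentions
# from other documents (e.g. a colleague's report naming both employees).
EXTRACTED_CONTACTS = [
    {"employee": "E-1001", "trip": "T-77", "contact": "Foreign National X"},
    {"employee": "E-1002", "trip": "T-77", "contact": "Foreign National X"},
]

# Source 3: HR / financial-disclosure records.
HR_RECORDS = {
    "E-1001": {"bankruptcy_filing": False},
    "E-1002": {"bankruptcy_filing": True},
}

# Assumed weights: neither indicator alone reaches the review threshold,
# so a lead is surfaced only when signals from different sources compose.
INDICATOR_WEIGHTS = {"unreported_foreign_contact": 2, "financial_stress": 1}
REVIEW_THRESHOLD = 3


@dataclass
class Lead:
    """A lead for a human investigator, with the evidence that produced it."""
    employee: str
    indicators: list = field(default_factory=list)
    evidence: list = field(default_factory=list)
    score: int = 0


def unreported_contacts(debriefs, extracted):
    """Signal 1: contacts the extraction tool saw but the debriefing omitted.

    Returns {employee: [extracted records not covered by a debrief]}.
    """
    reported = {(d["employee"], d["trip"]): set(d["reported_contacts"]) for d in debriefs}
    missing = {}
    for rec in extracted:
        key = (rec["employee"], rec["trip"])
        if rec["contact"] not in reported.get(key, set()):
            missing.setdefault(rec["employee"], []).append(rec)
    return missing


def financial_stress(hr_records):
    """Signal 2: employees with a bankruptcy filing on record."""
    return {emp for emp, rec in hr_records.items() if rec.get("bankruptcy_filing")}


def build_leads(debriefs, extracted, hr_records, threshold=REVIEW_THRESHOLD):
    """Link signals per employee and return leads at or above the threshold.

    The output is a ranked list of composite leads with linked evidence; it is
    meant to direct an investigator, not to decide anything on its own.
    """
    leads = {}

    def lead_for(emp):
        return leads.setdefault(emp, Lead(employee=emp))

    for emp, recs in unreported_contacts(debriefs, extracted).items():
        lead = lead_for(emp)
        lead.indicators.append("unreported_foreign_contact")
        lead.evidence.extend({"source": "extraction", **r} for r in recs)
        lead.score += INDICATOR_WEIGHTS["unreported_foreign_contact"]

    for emp in financial_stress(hr_records):
        lead = lead_for(emp)
        lead.indicators.append("financial_stress")
        lead.evidence.append({"source": "hr", "employee": emp, "bankruptcy_filing": True})
        lead.score += INDICATOR_WEIGHTS["financial_stress"]

    return sorted(
        (lead for lead in leads.values() if lead.score >= threshold),
        key=lambda lead: lead.score,
        reverse=True,
    )


if __name__ == "__main__":
    for lead in build_leads(DEBRIEFS, EXTRACTED_CONTACTS, HR_RECORDS):
        print(lead.employee, lead.score, lead.indicators)
        for item in lead.evidence:
            print("   ", item)
```

Run as written, the only lead is E-1002: the unreported contact scores 2 and the bankruptcy filing 1, and only their sum crosses the threshold. E-1001 reported the same contact and has no financial flag, so no lead is produced. Dropping either source for E-1002 (for instance an HR record with no filing) leaves a single indicator below the threshold, which is the "by themselves wouldn't tell you anything" behaviour the article describes. The evidence list attached to each lead is the part an investigator actually needs, since it points back to the records in each source that the correlation linked.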