Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

The problem is difficult, though, if the systems attempt to take in many variables, says Malek ben Salem, a graduate student and computer-science researcher at Columbia University. She has been trying to model search behavior in order to detect when an attacker is going beyond the normal scope of his job or impersonating someone with legitimate access. Because attackers might not know a file system or other aspects of corporate network as well as a legitimate employee does, they tend to search more extensively. In experiments, Ben Salem says her model has detected 100 percent of masqueraders with a rate of false positives of only 1 percent.

The CINDER project looks for activity in a system that suggests of an attack launched from the inside. For instance, a worm like Stuxnet, which is believed to have damaged Iran’s nuclear program, could be detected by looking for the changes it has made to system files and network disks.

“CINDER will attempt to address some of the flaws in current detection systems by modeling the adversary mission—not by attempting to monitor a person or their particular traits—and by beginning with the assumption that a given system has already been compromised,” Peiter “Mudge” Zatko, the manager in charge of the program at DARPA, said when the project was announced.

Increasingly, companies that sell security products are adding features that may help detect insider attacks. For example, firewalls and other security systems have been fortified with software that scans for encrypted e-mail. Some security companies advocate deploying decoy files that no employee should ever access, and alerting managers when they are accessed. Coupling decoy files with current research into modeling legitimate user behavior could detect a wide variety of attacks, says Columbia’s Ben Salem.

However, insider attacks cannot be thwarted by just creating a better network appliance, says SEI CERT’s Montelibano. Better policies and security measures are important as well, such as allowing only approved applications to be run inside a network and limiting e-mail attachments.

“The big finding of our research is that insider threats are not just a technical problem,” he says. “What we still see is organizations throwing technology at the problem. But our research reveals that by and large, insiders’ technical activity is preceded by observable behavioral activity.”

1 comment. Share your thoughts »

Credit: Technology Review

Tagged: Business, Business Impact, Securing Data

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me