WRIT 2013 - 2nd Workshop on Research for Insider Threat
Topics/Call for Papers
The threat of malicious insiders to organizational security has historically been one of the most difficult challenges to address. Insiders often attack using authorized access and with behavior very difficult to distinguish from normal activities. Modern insiders are further enabled by immense data storage capabilities, advanced searching algorithms, and the difficulty of comprehensive monitoring of networked systems. Furthermore, several recent high-profile attacks have been enabled by non-malicious, or unintentional, insiders fooled by exploits from external attackers. Technical solutions to this problem are emerging, but studies show little significant progress has been made in reducing the numbers or impacts of insider attacks.
There are two main reasons for the relative lack of success in identifying insider threats:
1) The problem is not well understood. In addition to the complex challenges surrounding collection, correlation, and detection of technical indicators, researchers must also understand underlying human motivations and behaviors. This is not a traditional area of study for IT security researchers; configuring technical solutions to monitor for human deception is challenging.
2) Data on insider attacks is difficult to obtain.
Ground truth data: Organizations suffering insider attacks are often reluctant to share data about those attacks publicly. Studies show over 70% of attacks are not reported externally, including many of the most common, low-level attacks. This leads to uncertainty that available data accurately represents the true nature of the problem.
Baseline data: The rate of insider attacks is relatively unknown; furthermore, the behaviors of non-malicious users are also not available in large data sets.
The insider threat problem has been receiving increased attention.
Recently, three workshops were held, sponsored by the Institute for Information Infrastructure Protection (I3P), the National Security Agency's Centers of Academic Excellence (CAE) program, and the CERT Insider Threat Center. However, these were not widely accessible by the general community. Additionally, DARPA has two programs (CINDER and ADAMS) aimed at Insider Threat challenges, so there is an active and growing research community in this area. Finally, Executive Order 13587 requires all US Government agencies handling classified information to implement insider threat programs to protect sensitive information, leading to a greatly increased interest among US Government agencies in advances in detection of insider threats.
The proposed workshop will highlight challenges specific to the insider threat problem from multiple viewpoints, such as information technology, behavioral sciences, or criminology, and will review existing promising approaches and experimentation possibilities for evaluation of solution approaches. The workshop will therefore be accessible to both non-experts interested in learning about this area and experts interested in hearing about approaches being taken by others. A moderated panel discussion will review and comment on the workshop presentations to provide a capstone activity.
Last modified: 2012-11-11 22:29:05