Skip to Main Content
Early detection of employees' improper access to sensitive or valuable data is critical to limiting negative financial impacts to an organization, including regulatory penalties for misuse of customer data that results from these insider attacks. Implementing a system for detecting insider attacks is a technical challenge that also involves business-process changes and decision making that prioritizes the value of enterprise data. This paper focuses primarily on the techniques for detecting insider attacks, but also discusses the processes required to implement a solution. In particular, we describe a behavior-anomaly-based system for detecting insider attacks. The system uses peer-group profiling, composite feature modeling, and real-time statistical data mining. The analytical models are refined and used to update the real-time monitoring process. This continues in a cyclical manner as the system self-tunes. Finally, we describe an implementation of this detection approach in the form of the IBM Identity Risk and Investigation Solution (IRIS).
Note: The Institute of Electrical and Electronics Engineers, Incorporated is distributing this Article with permission of the International Business Machines Corporation (IBM) who is the exclusive owner. The recipient of this Article may not assign, sublicense, lease, rent or otherwise transfer, reproduce, prepare derivative works, publicly display or perform, or distribute the Article.