Litcius/Paper detail

Insider-threat detection: Lessons from deploying the CITD tool in three multinational organisations

Arnau Erola, Ioannis Agrafiotis, Michael Goldsmith, Sadie Creese

2022Journal of Information Security and Applications17 citationsDOIOpen Access PDF

Abstract

Insider threat is a persistent concern for organisations and business alike that has attracted the interest of the research community, resulting in numerous behavioural models and tools to tackle it. However, the effectiveness of detection of these tools has scarcely been demonstrated in real environments. In order to fill this gap, we collaborated with three multinational commercial organisations who trialled our anomaly detection system, and worked with us to understand performance constraints for insider threat detection deployment and innate weaknesses in their operational contexts. During a period longer than a year, we were provided access to real data in their premises and interacted with their cybersecurity analysts to understand their systems, validate the results and identify best practices for mitigating insider threat. In this paper, we provide details on the architecture used in our tool, the methodology followed to validate its performance and we elaborate on our experiences in implementing the tool in the three corporate environments. We present the results obtained from deploying the detection system in real network infrastructure over a period of six months, the lessons learned, issues experienced, and potential limitations.

Topics & Concepts

Insider threatSoftware deploymentMultinational corporationInsiderAnomaly detectionComputer securityOrder (exchange)Computer scienceBusinessPolitical scienceFinanceOperating systemLawData miningNetwork Security and Intrusion DetectionInformation and Cyber SecuritySmart Grid Security and Resilience