Saturday, March 1, 2008

An interesting McAfee article!

Thursday, February 28th, 2008 at 1:36pm by Charles Ross

Leave it to the Air Force Institute of Technology to develop technology that detects patterns in email/web usage that could offer leading indicators of insider security threats.

The technology is called Probabilistic Latent Semantic Indexing (try saying that a couple times fast). It sifts through email and web traffic logs to identify trends in human behaviors that could ultimately lead to malfeasance. For example, an employee who becomes distant with colleagues over email and increases communications with outsiders could be a sign of dissidence. If you’re keeping tabs on this topic, this is an extension of the research MIT is doing around “Reality Mining”.

Researchers will argue they are not concerned with the content of data, but rather data about data (i.e. deltas in creation time, volume, etc.) to draw conclusions. However, this seems a bit flawed with this security guy.
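To make the "data about data" idea concrete, here is an added example (not code from the article, McAfee, or the Air Force Institute of Technology, and not Probabilistic Latent Semantic Indexing itself): a small Python script that reads only email-log metadata (timestamp, sender, recipient, never the body), computes each sender's weekly share of recipients outside the company domain, and flags senders whose latest week departs sharply from their own earlier baseline. The internal domain `example.com`, the `SAMPLE_LOG` entries, and the `min_delta` threshold are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of email-log metadata (hypothetical, not a real log):
# (timestamp, sender, recipient). Only "data about data" is used: who mailed
# whom, and when; message bodies are never read.
SAMPLE_LOG = [
    # week of 2008-02-04: alice mails colleagues only
    ("2008-02-04T09:15:00", "alice@example.com", "bob@example.com"),
    ("2008-02-05T10:02:00", "alice@example.com", "carol@example.com"),
    ("2008-02-06T14:30:00", "alice@example.com", "dave@example.com"),
    ("2008-02-07T16:45:00", "alice@example.com", "bob@example.com"),
    # week of 2008-02-11: one outside recipient appears
    ("2008-02-11T09:00:00", "alice@example.com", "bob@example.com"),
    ("2008-02-12T11:20:00", "alice@example.com", "carol@example.com"),
    ("2008-02-13T13:05:00", "alice@example.com", "dave@example.com"),
    ("2008-02-14T17:40:00", "alice@example.com", "contact@outside.test"),
    # week of 2008-02-18: mostly outside recipients, few colleagues
    ("2008-02-18T08:55:00", "alice@example.com", "contact@outside.test"),
    ("2008-02-19T12:10:00", "alice@example.com", "recruiter@other.test"),
    ("2008-02-20T15:25:00", "alice@example.com", "bob@example.com"),
    ("2008-02-21T18:00:00", "alice@example.com", "contact@outside.test"),
    # bob: a steady mix of internal and external mail every week
    ("2008-02-04T10:00:00", "bob@example.com", "alice@example.com"),
    ("2008-02-05T10:00:00", "bob@example.com", "vendor@supplier.test"),
    ("2008-02-11T10:00:00", "bob@example.com", "alice@example.com"),
    ("2008-02-12T10:00:00", "bob@example.com", "vendor@supplier.test"),
    ("2008-02-18T10:00:00", "bob@example.com", "alice@example.com"),
    ("2008-02-19T10:00:00", "bob@example.com", "vendor@supplier.test"),
]

# Assumed company domain for the example.
INTERNAL_DOMAIN = "example.com"


def weekly_external_ratio(log, internal_domain=INTERNAL_DOMAIN):
    """Return {sender: {(iso_year, iso_week): external_share}}, where
    external_share is the fraction of that week's recipients outside the
    internal domain."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # sender -> week -> [external, total]
    for ts, sender, recipient in log:
        week = tuple(datetime.fromisoformat(ts).isocalendar()[:2])
        bucket = counts[sender][week]
        bucket[1] += 1
        if not recipient.lower().endswith("@" + internal_domain):
            bucket[0] += 1
    return {
        sender: {week: ext / total for week, (ext, total) in weeks.items()}
        for sender, weeks in counts.items()
    }


def flag_shifts(ratios, min_delta=0.4):
    """Compare each sender's latest week against the mean of their earlier
    weeks (their personal baseline). Return {sender: (baseline, latest, delta)}
    for senders whose external share rose by at least min_delta."""
    flagged = {}
    for sender, weeks in ratios.items():
        ordered = sorted(weeks)
        if len(ordered) < 2:
            continue  # no history to compare against
        baseline = sum(weeks[w] for w in ordered[:-1]) / (len(ordered) - 1)
        latest = weeks[ordered[-1]]
        delta = latest - baseline
        if delta >= min_delta:
            flagged[sender] = (baseline, latest, delta)
    return flagged


if __name__ == "__main__":
    hits = flag_shifts(weekly_external_ratio(SAMPLE_LOG))
    for sender, (baseline, latest, delta) in hits.items():
        print(f"{sender}: external share {baseline:.2f} -> {latest:.2f} (+{delta:.2f}); lead for review only")
```

On the constructed log, `alice@example.com` is flagged (external share rising from a 0.125 average to 0.75) while `bob@example.com`, whose mix never changes, is not. The output is a lead for a human reviewer, not a conclusion: a new outside project produces exactly the same metadata shift, which is the variability-of-behavior caveat the article goes on to raise.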

I’m all for finding new ways to find the bad guys, especially if good data exists to prove a wrongdoing. But, making security predictions based on historical trends of human behavior seems a bit like guesswork at best. In my opinion, there is too much inherent variability in human behavior for even the savviest computer and slick algorithms to predict what comes next. If people were truly rational, security would be a heck of a lot easier.

When it comes to preventing insider threats, I believe a basic understanding of human psychology is far more effective than directing machine learning at the problem. People with access to do bad things, combined with a motivating factor and the right opportunity pose a threat to organizations. No arguments there.

While it is difficult to control motives, we certainly can address the access and opportunity sides of the problem. Limiting access, managing data and monitoring usage are critical components to any successful security program, but sadly these are often areas of most neglect. We can’t solve humans, but we can institute pragmatic process and technology to limit them.
