Featuring 6 Papers as of October 9, 2015
Insider Threat Mitigation Guidance
by Balaji Balakrishnan - October 9, 2015
Insider threats are complex and require planning to create multi-year mitigation strategies. Each organization should tailor its approach to meet its unique needs. The goal of this paper is to provide relevant best practices, policies, frameworks and tools available for implementing a comprehensive insider threat mitigation program. Security practitioners can use this paper as a reference and customize their mitigation plans according to their organizations' goals. The first section provides reference frameworks for implementing an insider threat mitigation program with the Intelligence and National Security Alliance (INSA) Insider Threat roadmap, Carnegie Mellon University's Computer Emergency Response Team (CERT) insider threat best practices, CERT insider threat program components, National Institute of Standards and Technology (NIST) Cybersecurity Framework, and other relevant guidance. This section provides an implementation case study of an insider threat mitigation program for an hypothetical organization. The second section of this paper will present example use cases on implementing operational insider threat detection indicators by using a risk scoring methodology and Splunk. A single event might not be considered anomalous, whereas a combination of events assigned a high-risk score by the methodology might be considered anomalous and require further review. A risk scoring method can assign a risk score for each user/identity for each anomalous event. These risk scores are aggregated daily to identify username/identity pairs associated with a high risk score. Further investigation can determine if any insider threat activity was involved. This section explains how to implement a statistical model using standard deviation to find anomalous insider threat events. The goal is to provide implementation examples of different use cases using a risk scoring methodology to implement insider threat monitoring.
Next Generation Firewalls and Employee Privacy in the Global Enterprise
by Ryan Firth - September 30, 2014
An obligation to protect company resources is something nearly every organization tries to instill in their staff.
Securing the K-12 School Network through Effective Internet Access Control, Network Traffic Monitoring, and Data Analysis.
by Barry Young - September 17, 2008
Internet access control, network traffic monitoring, and related data analysis, are powerful tools available to the K-12 Network Security Analyst
Echelon: The Danger of Communication in the 21ST Century
by Chad Yancey - February 1, 2002
How governments are using Echelon to gain and collect information on not only political or military interests, but that they are suspected of using this system on common citizens
Information Assurance at the PC Level
by Carlton Bowen - December 10, 2001
This paper contemplates a bottom up approach to information security, where attention is given to information assurance at the PC level initially, rather than as an after thought.
First Step Data Capture - Key Stroke Loggers
by Nigel Lewis - August 15, 2001
An examination of software and hardware keystroke logging, with mention of malicious keystroke logging, and keylogger detection options.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.