A Technical History of the SEI
study. In 2011, the DoD began funding development of a version of the database for use by government researchers and law enforcement.⁴⁰ The studies [CSO 2004]⁴¹ and database development work led to the development of best practices [Cappelli 2012]⁴² and models [Moore 2008],⁴³ both funded by CyLab at Carnegie Mellon University. The models, which include behavioral traits and technical actions, reveal indicators that might alert an organization to the potential for malicious acts by insiders [Greene 2010]. Model development is ongoing, with models now available for insider IT sabotage, insider theft of intellectual property, and national security espionage. In 2011-12, development began on a fraud model with the USSS, Department of Treasury, and the financial sector (sponsored by DHS). In 2012, the SEI expanded its research and case collection process to include insider incidents that occur outside the United States as well as those perpetrated by insiders without malicious intent. This expansion has enabled studies of international [Flynn 2013] and unintentional insider threats [CERT IT Team 2013], providing a more complete picture of the threat posed by insiders to organizations' critical assets.
The SEI conducts workshops on how to apply the practices and models. To extend its impact, the SEI published The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, which combines 10 years of research into one practical guide [Cappelli 2012]. SEI insider threat experts also worked with the Carnegie Mellon Entertainment Technology Center to create a prototype interactive virtual simulation tool (essentially a video game) teaching insider threat mitigation.
The View from Others

"New research from Carnegie Mellon University's Software Engineering Institute provides further evidence why information security isn't just the problem of an enterprise's IT and IT security organization but of its top non-IT leadership as well."
– Eric Chabrow, in The Public Eye, a government security blog [Chabrow 2011]

"The Insider Threat Study is an excellent example of collaboration between the federal government and private sector to safeguard the financial payment systems of the United States."
– Ryan Moore, Assistant to the Special Agent in Charge, USSS, in a press release on an award to SEI Insider Threat staff members [SEI 2013]
In response to community need, the insider threat team redirected its research toward solution-oriented activities. With seed funding from Carnegie Mellon's CyLab, the team developed insider threat assessments (ITAs), which are based on more than 4,000 indicators (organized into more than 130 categories) identified in the Insider Threat Database. DHS funded development of the ITA, Version 2,
⁴⁰ In this version of the database, identities were made anonymous.
⁴¹ The first study [CSO 2004] and subsequent studies and analyses are available on the CERT website (http://www.cert.org/insider_threat).
⁴² Practices can be found in a set of reports available at http://www.cert.org/insider-threat/publications/index.cfm. One of the best known is the "Common Sense Guide," now in its fourth edition [Silowash 2012].
⁴³ The report describes the first model developed [Moore 2008]. This model and others can be found at http://www.cert.org/insider-threat/research/Modeling-and-Simulation.cfm.
CMU/SEI-2016-SR-027 | SOFTWARE ENGINEERING INSTITUTE | CARNEGIE MELLON UNIVERSITY 185
Distribution Statement A: Approved for Public Release; Distribution is Unlimited.