Stealthbits

INSIDER THREAT SECURITY BLOG

And other things that keep you up at night


Browsed By
Category: Uncategorized

The Security Marathon

I never considered myself a runner. I am your typical IT guy. I like hot wings, beer, and video games. Information security was something that I had an interest in at a young age, but running? No. That could possibly involve sweating. So why am I writing a blog about security and how it relates to running? Because both of them are something I NEED to do. I want to protect myself from the crippling effects of my often sedentary lifestyle. I work for a company that does a masterful job of prote…

Local Outlier Factor – Part 3

Part 3 – Local Outlier Factor Scores & Conclusion

In Part 2, I demonstrated how to compute the local reachability density for each data point. The local reachability density grants us insight as to how “isolated” a data point is. In this third and final blog post, I will compare each point’s local reachability density to its neighbors to compute the local outlier factor score for each point. Based on the computed local outlier factor score, we can make judgements about whether …

Local Outlier Factor – Part 2

Part 2 – Reachability-Distance & Local Reachability Density

In Part 1, I motivated the need for a density-based approach to outlier detection, and then I talked you through the first step of using the K-Distance as a framework for quantifying how “distant” a data point is from its neighbors. Today, I will walk you through the next two steps that will allow us to compute the local density of each data point.

Reachability-Distance

Now that we have the K-Distance for each point, we …

Local Outlier Factor – Part 1

User Behavior Analytics: Finding Anomalous Users through the Local Outlier Factor Algorithm

Part 1 – Motivation and K-Distance

How do you identify users who are behaving anomalously? One way to tackle this problem is to define a set of rules that all user activity should conform to. If a user’s behavior breaks one or several of these rules, then we flag that user as behaving anomalously. There are several problems with this approach:

1. You need a good, formal definition of anomal…

RSA 2016 – Stealthbits Recap

RSA gets bigger every year. More vendors, sessions, and people flooded the halls of Moscone Center. The conference has grown from humble beginnings into what is now the largest security conference in the world. What was RSA 2016 like, you are wondering? It was special. We celebrated the twenty-fifth anniversary of the conference and you could feel that emphasis in all aspects of the show. For those of you who haven’t attended an RSA conference before, it can be divided up into three areas. The first area is …

Locking the Vault with IAM Visibility

Jeff Hill
Imagine a large bank. Security cameras continuously and meticulously record every movement in the bank lobby, employees’ offices, entrances and exits, and even in the custodial supplies storage area. Access to these areas is carefully monitored and controlled via restricted badges and other means. But there’s not a single camera in the vault where the safe deposit boxes and cash reserves are housed, and access to the vault is not monitored or restricted in any meaningful way. This scena…

Need Access to Sensitive Information? Just Ask!

Jeff Hill
My mom always said it never hurts to ask, and it looks like the Magnolia Healthcare hacker’s mom did so as well. I gotta admit, as a hacker, you work hard for your ill-gotten booty. You meticulously design phishing emails so realistic that victims can’t help but be enticed to click on the poisonous links. You then install credential-stealing software on the unsuspecting victims’ laptops, and establish surreptitious command and control channels through which you can execute your sophisticated…

Advanced Persistent Threats vs. Targeted Attacks

I read an article the other day about Advanced Persistent Threats vs. Targeted Attacks. It had some insightful information that got me thinking about hackers of today. I think we all can agree that the word hack or hacker has changed since its inception. One of my favorite movies back in the 90’s was called “Hackers”. I wanted to be those guys. Not just because I could possibly date Angelina Jolie, but I wanted to be able to become a lord among nerds. The hacking that the movie highlighted wa…

The Easiest Blog I’ve Ever Written

Jeff Hill
British Prime Minister Benjamin Disraeli famously said, “There are three kinds of lies: lies, damned lies, and statistics.” In the enterprise software security world, one of those regularly-quoted statistics is that authentication-based attacks factored into about four of every five breaches involving hacking (2012 Verizon Data Breach Report). Indeed, here at STEALTHbits, we use it all the time. The question, of course, is whether the statistic reflects reality, or it’s manufactured for the b…

Sex and Spear Phishing

Jeff Hill
On the heels of NFL divisional playoff weekend, a football analogy may be in order. We football fans love the 50-yard pass. It’s exciting. It showcases the extraordinary athleticism of both the receivers and the cornerbacks tasked with defending the nearly indefensible. It’s sexy. But the consensus among football coaches is that games are won and lost on the defensive and offensive lines, where, let’s just say, flashy and sexy are not the first adjectives that come to mind. Tying this d…


© 2022 Stealthbits Technologies, Inc.