Security Information and Event Management Tools and Insider Threat Detection

Malicious insider activities on military networks can pose a threat to military operations. Early identification of malicious insiders assists in preventing significant damage and reduces the overall insider threat to military networks. Security Information and Event Management (SIEM) tools can be used to identify potential malicious insider activities. SIEM tools provide the ability to normalize and correlate log data from multiple sources on networks. Personnel background investigations and administrative action information can provide data sources for SIEM tools in order to assist in early identification of the insider threat by correlating this information with the individual s online activities. This thesis provides background information on the components and functionality of SIEM tools, summarizes historic insider threat cases to determine common motivations, provides an overview of military security investigations and administrative actions in order to determine candidate sources for SIEM correlation, and provides an overview of common methods of data exfiltration by malicious insiders. This information is then used to develop an example SIEM architecture that highlights how the military can use a SIEM to identify and prevent potential internal insider threats by correlating an individual s network activities with background investigation and administrative action information.