Research and Development Initiatives Focused on Preventing, Detecting, and Responding to Insider Mis

1

• Research and Development InitiativesFocused
  onPreventing, Detecting, and Responding to
  Insider Misuse ofCritical Defense Information
  Systems
• Results of a Three-Day WorkshopAugust 16-19, 1999

2
Background

• Three-day workshop held at RAND Santa Monica,
  August 16-18, 1999 35 invited participants
• Sponsored by Army Research Lab, DARPA, NSA
• Purpose to recommend technical RD initiatives
  addressing the insider threat to DoD info systems
• ASD/C3I report DoD Insider Threat Mitigation Plan
  (June 1999) concentrated on near-term steps to be
  taken -
• This workshop focused on longer-term technical
  RD required
• Workshop is expected to be first in a series

3
Policy and Precursors to RD

• Technical initiatives must have a supportive
  environment. Required are
• Guidance from legal and law enforcement
  communities re. attribution,collection,
  maintenance, processing and storage of data
• Clear definitions re. what are critical assets
  on a system
• Clarity regarding who is an insider
• Cost/benefit analysis of recommended measures
• Plans for technology transfer
• Support for multiple, diverse, concurrent
  approaches

4
Characterizing an Info System Security
Incident(modified from JTF-CND document)
5
Workshop Developed Recommendationsin 4 Categories

• 20 specific recommendations
• Threat (4)
• Prevention (5)
• Detection (6)
• Response (5)

6
RD Recommendations Focused on Insider Threat -
Overview

• T1 Develop reactive configuration controls, in
  which an unauthorized result is mapped back to a
  specific type of threat
• T2 Develop an insider trust model
• T3 Develop means to map users to unauthorized
  results
• T4 Identify signatures of unauthorized results

7
RD Recommendations Focused on Insider Prevention
- Overview

• P1 Develop authentication components
• P2 Develop access control components
• P3 Develop system integrity components
• P4 Develop a bidirectional trusted path to the
  security system
• P5 Develop attribution components

8
RD Recommendations Focused on Insider Detection
- Overview

• D1 Develop profiling as a technique
• D2 Detect misuse of applications
• D3 Provide traceability for system-object usage
• D4 Identify critical information automatically
• D5 Design systems for detectability
• D6 Determine unauthorized changes due to
  physical access

9
RD Recommendations Focused on Insider Response -
Overview

• R1 Develop a capability for monitoring
  privacy-enhanced systems, such as those using
  encryption
• R2 Incorporate practical autonomic system
  response into production systems
• R3 Develop data correlation tools, including
  data reduction for forensics, and visualization
  tools focused on internal misuse
• R4 Develop a capability for surveillance of
  non-networked components
• R5 Consider deception technologies specifically
  applicable to the insider threat

10
Source U.S. Department of Defense
11
Workshop Attendees
Adams, RobertAir Force Information Warfare
Center250 Hall Rd 139San Antonio, TX
78243 Alvarez, JorgeSpace and Naval Warfare
Systems Center53560 Hull StreetSan Diego, CA
92152 Anderson, RobertRAND CorporationP.O. Box
2138Santa Monica, CA 90407 Anderson, KarlNSA
R29800 Savage RoadFt. Meade, MD 20755 Arnold,
RichardGTE GSC1000 Wilson Blvd. Ste
810Arlington, VA 22209 Barnes, AnthonyArmy
Research LabC41 Systems Branch, AMSRL-SL-EIFt.
Monmouth, NJ 07703-5602 Bencivenga, AngeloArmy
Research Lab2800 Powder Mill RoadAdelphi, MD
20783 Bozek, ThomasOffice of the Secretary of
Defense / C3I6000 Defense, Rm 3E194Pentagon Brac
kney, RichardNSA R2, RE Bldg9800 Savage
RoadFt. Meade, MD 20755
Christy, JamesASDC3I/DIAPSte. 1101, 1215
Jefferson Davis Highway,Arlington, Va
22202 Cowan, CrispinOregon Graduate
InstituteP.O. Box 91000Portland, OR 97291 Dunn,
TimothyArmy Research Lab2800 Powder Mill
RoadAdelphi, MD 20783 Dunphy, BrianDefense
Information Systems Agency701 S.Courthouse Rd
D333Arlington VA Ghosh, Anup K.Reliable
Software Technologies21351 Ridgetop Circle, Ste
400Dulles, VA 20166 Gligor, VirgilUniversity of
MarylandElectrical/Computer Engineering, AVW
1333,College Park, MD 20742 Gilliom,
LauraSandia National LabsP. O. Box
5800-0455Albuquerque NM Goldring, TomNSA
R239800 Savage RoadFt. Meade, MD 20755 Hotes,
ScottNSA R225 RE Bldg9800 Savage RoadFt.
Meade, MD 20755
Hunker, JeffreyNational Security CouncilWhite
House 303Washington DC 20504 Jaeger, JimLucent
TechnologiesBox 186, Columbia, MD
21045 Longstaff, ThomasCERT/CC4500 Fifth
AvenuePittsburgh, PA 15213 Lunt, TeresaXerox
PARC3333 Coyote Hill RoadPalo Alto, CA
94304 Matzner, SaraU. Texas at Austin Applied
Research LabsInformation Systems Laboratory,
P.O. Box 8029,Austin Texas 78713 Maxion,
RoyCarnegie Mellon University5000 Forbes
AvenuePittsburgh, PA 15213 McGovern,
OwenDISALetterkenny Army DepotChambersburg, PA
17201-4122 Merritt, Larry D.NSA9800 Savage
RoadFt. George G. Meade, MD 20755 Neumann, Peter
GSRI International333 Ravenswood Ave.Menlo
Park, CA 94025
Skolochenko, StevenOffice of Information Systems
Security1500 Penn. Ave. NW, Annex, Rm.
3090,Washington, DC 20220 Skroch,
MichaelDARPA/ISO3701 N. Fairfax Dr.Arlington,
VA 22203 Solo, DavidCitibank666 Fifth Ave., 3rd
Floor/Zone 6New York, NY 10103 Teslich,
RobyneLawrence Livermore National LaboratoryPO
Box 808, Room L-52Livermore CA 94550 Tung,
BrianUSC Information Sciences Institute4676
Admiralty Way Ste. 1001,Marina del Rey, CA
90292 van Wyk, KennethPara-Protect5600 General
Washington Drive ste. B-212Alexandria, VA
22312 Walczak, PaulArmy Research Laboratory2800
Powder Mill RoadAdelphi, MD 20783 Zissman,
MarcMit Lincoln Laboratory244 Wood
StreetLexington, MA 20420