I’ve been doing some research lately that has me reading old papers. It’s interesting to see how technology and solutions evolved over time.
I’ve been spending some time looking at Intrusion Detection Systems, in fact. I’m partly interested in how they evolved from a research concept into a practical one, and partly in their history.
The original Intrusion Detection Systems were mostly audit analysis, meaning they weren’t looking at network traffic at all. They were looking at the system itself, because back then (we’re talking the 80s), the idea of someone attacking your system over the network was, well, science fiction. As fun as it is to read science fiction, you don’t waste your time or money solving that problem until it exists.
The papers said they were looking for anomalous behavior from any login. Was it a case of someone having their password hacked (bad passwords are not a new problem) or someone acting as a threat to their organization?
The methods just found anomalous behavior. Unfortunately, we still haven’t figured out a way to determine intent from ones and zeros. Maybe next year.
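To make the audit-analysis idea concrete, here is an added example (not code from the original post, and not any particular 1980s system): a small host-based detector that builds a per-user login profile from past audit records and flags later logins that deviate from it. The audit records, usernames, terminals and timestamps are all constructed for the example; the record format, the hour-of-day z-score, the "new source" rule and the failed-attempt window are my assumptions about what such a profile might contain, not a reconstruction of any published design. As the post says, it reports deviation, not intent.

```python
"""Added example: per-user login-profile anomaly detection over audit records.
Everything here (record format, users, sources, thresholds) is constructed for
illustration and is not taken from the post or from any real IDS."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import statistics

# Constructed audit records: "<ISO timestamp> <user> <source> <OK|FAIL>".
BASELINE = """\
2024-03-04T08:02:00 alice tty1 OK
2024-03-04T09:15:00 alice tty2 OK
2024-03-05T10:30:00 alice tty1 OK
2024-03-05T14:05:00 alice tty1 OK
2024-03-06T16:40:00 alice tty2 OK
2024-03-06T17:20:00 alice tty1 OK
2024-03-04T09:00:00 bob tty3 OK
2024-03-05T12:10:00 bob tty3 OK
2024-03-06T18:00:00 bob tty3 OK
2024-03-04T09:05:00 carol tty5 OK
2024-03-05T10:00:00 carol tty5 OK
""".splitlines()

# Constructed records to score against the baseline, in time order.
NEW = """\
2024-03-07T03:12:00 alice tty7 OK
2024-03-07T10:00:00 bob tty3 OK
2024-03-07T22:00:00 carol tty9 FAIL
2024-03-07T22:01:00 carol tty9 FAIL
2024-03-07T22:02:00 carol tty9 FAIL
2024-03-07T22:03:00 carol tty9 OK
""".splitlines()


@dataclass
class Login:
    user: str
    ts: datetime
    src: str        # terminal or host the session came from
    success: bool


@dataclass
class Profile:
    hours: list = field(default_factory=list)   # hour-of-day of past successful logins
    sources: set = field(default_factory=set)   # terminals/hosts seen before


def parse_record(line: str) -> Login:
    ts, user, src, status = line.split()
    return Login(user, datetime.fromisoformat(ts), src, status == "OK")


def build_profiles(lines):
    """Learn each user's normal hours and sources from successful logins only."""
    profiles = defaultdict(Profile)
    for rec in map(parse_record, lines):
        if rec.success:
            profiles[rec.user].hours.append(rec.ts.hour)
            profiles[rec.user].sources.add(rec.src)
    return profiles


def score_login(profile, login, recent_failures, z_threshold=2.0, fail_threshold=3):
    """Return the list of reasons a successful login looks anomalous (empty if none)."""
    reasons = []
    if len(profile.hours) >= 2:
        # Simplification: hour-of-day treated as linear, so 23:00 and 01:00 look far apart.
        mean = statistics.mean(profile.hours)
        sd = statistics.pstdev(profile.hours) or 1.0   # avoid divide-by-zero on constant hours
        z = abs(login.ts.hour - mean) / sd
        if z > z_threshold:
            reasons.append(f"unusual hour {login.ts.hour:02d}:00 (z={z:.1f})")
    if login.src not in profile.sources:
        reasons.append(f"new source {login.src}")
    if len(recent_failures) >= fail_threshold:
        reasons.append(f"{len(recent_failures)} failed attempts in the preceding window")
    return reasons


def detect(baseline_lines, new_lines, window=timedelta(minutes=10)):
    """Score new audit records against profiles built from the baseline.
    Returns a list of (user, iso timestamp, reasons) for flagged successful logins."""
    profiles = build_profiles(baseline_lines)
    failures = defaultdict(deque)   # per-user timestamps of recent failed attempts
    alerts = []
    for login in map(parse_record, new_lines):
        q = failures[login.user]
        while q and login.ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if not login.success:
            q.append(login.ts)
            continue
        reasons = score_login(profiles[login.user], login, q)
        if reasons:
            alerts.append((login.user, login.ts.isoformat(), reasons))
        q.clear()   # a successful login ends the failure streak
        # Profiles are deliberately not updated from scored logins, so an
        # anomalous session cannot teach the detector that it is normal.
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(BASELINE, NEW):
        print(f"{ts} {user}: " + "; ".join(reasons))
```

Run as-is, it flags alice's 03:12 login from an unseen terminal and carol's login that follows three failed attempts at an hour she never logs in, and says nothing about bob. Note what it cannot say: whether alice is a night-shift admin, a colleague using her password, or an attacker, which is exactly the gap between deviation and intent.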
The point is that this is not a new problem. Insider Threat has been a known problem for a long time. DTRAP has a new special issue on Insider Threats; we welcome your submissions.
The practitioner view of this is very important to us; we’d like to hear from practitioners about how Insider Threat has affected you and your organizations.