Throughout history, it has been well known that even the strongest defenses may be rendered ineffective by the actions of a malicious insider. Because the malicious insider operates within the parameters of his or her normal duties, and with the freedom needed to perform those duties efficiently, the insider may easily bypass elaborate security measures that were designed to protect against outside threats. In the digital age, the threat posed by the malicious insider has greatly increased.
The total cost of cyber espionage worldwide is estimated to be between $150 billion and $300 billion. In addition to the loss of intellectual property, a data breach may incur further direct costs: reconfiguring security controls after the breach, investigating the breach, repairing damaged customer relationships, providing credit monitoring for affected parties, making legal reparations to clients whose information has been compromised, and complying with additional regulatory processes. Cyber espionage may also carry indirect costs, such as reputational damage and additional competition arising from compromised technology or business plans.
One current system that may be used to prevent or mitigate cyber espionage is Wave. Wave uses data encryption, automated remote backup, and document tagging so that a malicious insider cannot deface, delete, or exfiltrate sensitive organizational information. One drawback of Wave, however, is that the malicious insider is generally operating within the constraints of his or her normal organizational function, so access to sensitive information is not precluded. Another drawback is that document tagging may be simple to defeat: because a tag is bound to the exact content of a document, adding a single extra character to the document may be enough to defeat the tag.
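The following Python is an added example, not code from this page or from Wave, illustrating the tagging weakness just described. A tag computed as a hash over a document's exact bytes stops matching as soon as one character is appended; a shingle-based fingerprint compared with a Jaccard similarity threshold, shown here as one possible hardening and not as anything Wave does, still recognizes the edited copy. The sample document, the shingle length, the 0.8 threshold and all function names are constructed for illustration.

```python
import hashlib

# Constructed sample document (not taken from the original page).
DOC = "Quarterly roadmap: launch product X in Q3; acquire vendor Y; budget $4.2M."


def exact_tag(text: str) -> str:
    """Content-bound tag: SHA-256 over the exact bytes of the document."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def shingles(text: str, k: int = 5) -> set:
    """Set of k-character shingles over whitespace-normalized, lower-cased text."""
    norm = " ".join(text.lower().split())
    return {norm[i:i + k] for i in range(len(norm) - k + 1)}


def similarity(a: str, b: str, k: int = 5) -> float:
    """Jaccard similarity of the two documents' shingle sets (1.0 == identical)."""
    sa, sb = shingles(a, k), shingles(b, k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def exact_tag_matches(original: str, candidate: str) -> bool:
    """True only if the candidate is byte-for-byte the tagged document."""
    return exact_tag(original) == exact_tag(candidate)


def shingle_tag_matches(original: str, candidate: str, threshold: float = 0.8) -> bool:
    """True if the candidate is a near-copy of the tagged document.

    The threshold is an illustrative assumption; a deployment would tune it
    against its own false-positive and false-negative rates.
    """
    return similarity(original, candidate) >= threshold


def evaluate(candidate: str) -> dict:
    """Run both checks against DOC and report the outcome of each."""
    return {
        "exact": exact_tag_matches(DOC, candidate),
        "shingle": shingle_tag_matches(DOC, candidate),
        "similarity": round(similarity(DOC, candidate), 3),
    }


if __name__ == "__main__":
    # The insider's trick from the text: append a single character.
    print("unchanged:", evaluate(DOC))
    print("one char added:", evaluate(DOC + "."))
    # An unrelated document should fail both checks.
    print("unrelated:", evaluate("Lunch menu: pizza on Friday, tacos on Thursday."))
```

Running the script shows the exact-hash tag failing on the one-character edit while the shingle fingerprint still matches; the unrelated document fails both checks, which is what keeps the softer comparison from flagging everything.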
Another current system is Raytheon's SureView™. SureView™ enables security personnel to exhaustively review the actions taken by a limited number of users. However, those users must be selected before their activity can be monitored. Since a malicious incident is generally detected approximately 32 months after it occurs, selecting which users to monitor in advance may not be effective in preventing malicious incidents.
Yet another system is Lockheed Martin's Palisade™. Palisade™ identifies malicious behavior by analyzing network configurations and network logs. The analysis occurs only after the logs have been transmitted to a central repository. Thus, Palisade™ may provide evidence of how a malicious attack occurred, but it cannot stop a malicious attack while it is being carried out.
Accordingly, there is a need for a system that detects anomalous activity in real time and provides alerts for the anomalous activities it detects.