Raffael Marty (Manager, Strategic Application Solutions, ArcSight Inc.)
Presentation Title: Insider Threat Visualization
Presentation Details:
Insider threat has become an increasingly discussed topic in the past months. Information leaks, sabotage, and fraud have been reported across large organizations. One way to address the insider problem is to analyze log files and find suspicious behavior before it results in direct or indirect financial loss for a company.
Signs of suspicious behavior or users lend themselves very well to visualization techniques. Visualization of data has proven to be the approach generating the best return on investment when it comes to complex data analysis problems. This talk takes a step-by-step approach to analyzing signs of insider threat. I will use open source tools to process the information and generate visual representations. Among them is a tool called AfterGlow (afterglow.sourceforge.net), which was written by the submitter. It is a very simple tool to visualize preprocessed information. The analysis I will go through will show how early warning signs of insider activity manifest in log files, making it possible to prevent further damage and assess the impact of the activities. Information leaks and sabotage activity can be visualized in the same ways, using mainly line graphs and treemaps.
The goal of the talk is to leave the audience with the knowledge and tools to do visual log analysis on their own data. The main tool used for the talk is AfterGlow, which in its current version supports a diverse set of operations to ease the analysis of log data.
About Raffael
Raffael Marty, GCIA, CISSP, manages the solutions team at ArcSight, the global leader in Enterprise Security Management. Raffy’s information security expertise includes log management, intrusion detection, insider threat, regulatory compliance and security data visualization. He is involved in security industry initiatives and standards efforts, such as the Open Vulnerability and Assessment Language (OVAL). Raffy has written a number of automation and visualization tools, such as Thor (http://thor.cryptojail.net) and AfterGlow (http://afterglow.sourceforge.net), and is the founder of the security visualization portal http://secviz.org. Raffy has served as a contributing author to several security books, including the Snort book, and also presents on the topic of visualization at various occasions around the world. Before joining ArcSight, Raffy worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research, where he participated in various intrusion detection related research projects.