OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Detecting insider activity using enhanced directory virtualization.

Resource Type: Conference

Abstract: Insider threats often target authentication and access control systems, which are frequently based on directory services. Detecting these threats is challenging, because malicious users with the technical ability to modify these structures often have sufficient knowledge and expertise to conceal unauthorized activity. The use of directory virtualization to monitor various systems across an enterprise can be a valuable tool for detecting insider activity. The addition of a policy engine to directory virtualization services enhances monitoring capabilities by allowing greater flexibility in analyzing changes for malicious intent. The resulting architecture is a system-based approach, where the relationships and dependencies between data sources and directory services are used to detect an insider threat, rather than simply relying on point solutions. This paper presents such an architecture in detail, including a description of implementation results.

Research Organization: Sandia National Laboratories (SNL), Albuquerque, NM, and Livermore, CA (United States)
Sponsoring Organization: USDOE
DOE Contract Number: AC04-94AL85000
OSTI ID: 1021678
Report Number(s): SAND2010-4655C; TRN: US201117%%272
Resource Relation: Conference: Proposed for presentation at the 2010 ACM CCS Workshop on Insider Threats, held October 8, 2010, in Chicago, IL.
Country of Publication: United States
Language: English