On the OTHER Application of Graph Analytics for Insider Threat Detection

Nahid Farhady Ghalaty, Ana Cruz

Insider threat detection is a growing challenge for organizations. Insider threat is defined as “the potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization.” In this presentation, we propose a method of detection using graph analytics. Graphs have been used for insider threat detection in terms of detecting and visualizing anomalies, i.e. finding whether an employee behaved in a way that is considered abnormal compared to his/her peers or group-mates. In this presentation, we leverage graphs to detect employee behaviors that lead to the act of data exfiltration. Based on our discussions with security analysts, data exfiltration is often not the result of a single action; rather, there is a chain of events that culminates in the final act of moving critical data outside of the firm. As a result, mechanisms that detect the chain of events will yield a lower false-positive rate than finding anomalies alone.

In this presentation, we create an insider threat graph for the detection of known malicious chains of behavioral events. In the insider threat graph database, we have several types of nodes that represent the behavior and actions of employees. The nodes in the graph database include the employees’ information as well as their digital footprint across all the organization’s assets they interact with. The edges of this graph are the actions taken between two nodes. For example, two employee nodes can send emails to each other, or an employee node can log out of a system node at a specific time. After building the graph, we identify the patterns that lead to data exfiltration. Using the analysts’ expert knowledge, we have built customized queries that detect such patterns and raise customized alerts.
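As an added illustration (not the authors' code, which uses Gremlin on AWS Neptune), the chain-detection idea in plain Python over an in-memory adjacency list: each employee node carries time-stamped action edges to asset nodes, and a query flags only employees whose edges contain the analyst-defined steps in order within a time window, while a partial or out-of-order sequence is not flagged. The event rows, the chain and the window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample edges (employee node -> action edge -> asset node).
# Hypothetical data, not the authors' dataset or schema.
EVENTS = [
    ("alice", "login",    "fileserver-01", "2024-03-01T09:00:00"),
    ("alice", "download", "fileserver-01", "2024-03-01T09:05:00"),
    ("alice", "email",    "ext-mailbox",   "2024-03-01T09:20:00"),
    ("bob",   "login",    "fileserver-01", "2024-03-01T10:00:00"),
    ("bob",   "email",    "ext-mailbox",   "2024-03-01T10:02:00"),
    ("carol", "download", "fileserver-01", "2024-03-02T08:00:00"),
    ("carol", "login",    "fileserver-01", "2024-03-02T08:30:00"),
    ("carol", "email",    "ext-mailbox",   "2024-03-02T08:40:00"),
]

# Hypothetical analyst-defined chain: the steps must occur in this order,
# for the same employee, and the whole chain must fit inside WINDOW.
CHAIN = [("login", "fileserver-01"), ("download", "fileserver-01"),
         ("email", "ext-mailbox")]
WINDOW = timedelta(hours=1)


def build_graph(events):
    """Group each employee node's outgoing action edges, sorted by time."""
    graph = {}
    for actor, action, target, ts in events:
        graph.setdefault(actor, []).append(
            (datetime.fromisoformat(ts), action, target))
    for edges in graph.values():
        edges.sort()
    return graph


def find_chains(graph, chain, window):
    """Return {employee: [timestamps]} for every employee whose edge list
    contains the chain steps in order, all within `window` of the first."""
    hits = {}
    for emp, edges in graph.items():
        for start, (t0, a0, x0) in enumerate(edges):
            if (a0, x0) != chain[0]:
                continue
            matched, step = [t0], 1
            for t, a, x in edges[start + 1:]:
                if step < len(chain) and (a, x) == chain[step] and t - t0 <= window:
                    matched.append(t)
                    step += 1
            if step == len(chain):
                hits[emp] = matched
                break
    return hits


if __name__ == "__main__":
    print(find_chains(build_graph(EVENTS), CHAIN, WINDOW))
```

Only alice is flagged: bob never performs the download step, and carol's download precedes her login, so neither matches the ordered chain.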

For this research work, we have created a framework using synthetic data and implemented the graph using AWS Neptune. The queries have been implemented in the Gremlin query language. We present the trade-offs of using traditional relational databases versus graph databases for insider threat detection. Based on our experiments, graph databases provide a single framework for both anomaly detection and behavioral chain detection. We also compare the setup complexity, data ingestion time, query and search capabilities, and the cost of both solutions.