Semantics of authorized access
Automated, dynamic revocation of privileges
Profiling patterns of user behavior
Response approaches (automated, recovery, reconstitution)
Application-based intrusion detection
Instrumentation of commercial off-the-shelf (COTS) applications
Software for monitoring the system administrator
Fingerprinting of documents
A Rand workshop in August 2000 on the insider threat generated the following as the top research areas to which attention should be devoted in the next two to five years:
Survivable architecture frameworks
Differential access controls
Mobile code (protect code from attack as well as systems from malicious code)
It was emphasized repeatedly that the insider threat and cyber-security problem is not merely a technological one. Good policies and policy enforcement are also necessary. Research is needed in how to define, describe, manage, and manipulate security policies. Systems can be abused through both bad policy and bad enforcement. Tools are needed to make setting and enforcing policy easier.
Another issue raised was how to begin focusing security techniques at the application level, both centralized and distributed. Application-level audits that examine usage patterns (presuming that normal use of a particular application is well-defined) could be integrated with other kinds of audits, such as host-level login records, to provide a more robust picture of system usage. In addition, a list of the applications most often exploited by insiders could be used to provide guidance as to where attention should be focused. On the other hand, this runs the risk of an escalating ‘arms race’: once attackers learn which applications are being watched, they will focus their attention elsewhere.
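The paragraph above proposes combining an application-level usage audit with other audit sources. The following is an added illustration of that idea, not code from the workshop proceedings or from any participant: it learns a per-user, per-application baseline of "normal use" from a window of audit records assumed benign, then flags later records whose action, volume, or hour of day falls outside that baseline, using host login hours as the second audit source. The users, applications, record formats, volumes and the mean-plus-three-standard-deviations rule are all constructed assumptions.

```python
"""Application-level audit correlated with a host login audit.

Added example, not from the workshop proceedings. The record format, the
users and applications, the sample volumes and the 3-sigma volume rule are
constructed assumptions used only to illustrate comparing application usage
against a per-user baseline of normal use.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class AppEvent:
    user: str
    app: str
    action: str
    volume: int   # number of records the action touched (constructed field)
    hour: int     # hour of day (0-23) taken from the audit timestamp


@dataclass
class Baseline:
    actions: dict       # (user, app) -> set of actions seen in normal use
    volumes: dict       # (user, app, action) -> list of volumes seen
    login_hours: dict   # user -> set of hours with host-level logins


def build_baseline(app_log, host_log):
    """Learn 'normal use' from audit data believed to be benign."""
    actions = defaultdict(set)
    volumes = defaultdict(list)
    hours = defaultdict(set)
    for ev in app_log:
        actions[(ev.user, ev.app)].add(ev.action)
        volumes[(ev.user, ev.app, ev.action)].append(ev.volume)
    for user, hour in host_log:
        hours[user].add(hour)
    return Baseline(dict(actions), dict(volumes), dict(hours))


def volume_threshold(samples):
    """Mean + 3 population standard deviations; with one sample, twice the mean."""
    mean = statistics.mean(samples)
    if len(samples) < 2:
        return 2 * mean
    return mean + 3 * statistics.pstdev(samples)


def audit_event(ev, base):
    """Return the reasons an event deviates from the baseline (empty list if none)."""
    reasons = []
    key = (ev.user, ev.app)
    if key not in base.actions:
        reasons.append("no baseline: user has never used this application")
    elif ev.action not in base.actions[key]:
        reasons.append(f"action '{ev.action}' never seen for this user/application")
    else:
        threshold = volume_threshold(base.volumes[(ev.user, ev.app, ev.action)])
        if ev.volume > threshold:
            reasons.append(f"volume {ev.volume} exceeds baseline threshold {threshold:.0f}")
    # Correlate with the host audit: application use at an hour when the user
    # has never been seen logged in is worth a second look even if the
    # application-level pattern itself looks normal.
    if ev.hour not in base.login_hours.get(ev.user, set()):
        reasons.append(f"hour {ev.hour:02d} outside user's observed login hours")
    return reasons


def audit_log(events, base):
    """Pair every event with its list of reasons; an empty list means 'normal'."""
    return [(ev, audit_event(ev, base)) for ev in events]


# Constructed baseline window: alice views and exports payroll data during the
# day; bob views a small number of HR records in the morning.
BASELINE_APP_LOG = [
    AppEvent("alice", "payroll", "view", 10, 8),
    AppEvent("alice", "payroll", "view", 12, 9),
    AppEvent("alice", "payroll", "view", 15, 10),
    AppEvent("alice", "payroll", "view", 20, 14),
    AppEvent("alice", "payroll", "view", 14, 9),
    AppEvent("alice", "payroll", "export", 100, 9),
    AppEvent("alice", "payroll", "export", 110, 10),
    AppEvent("alice", "payroll", "export", 95, 14),
    AppEvent("alice", "payroll", "export", 105, 8),
    AppEvent("bob", "hr_portal", "view", 5, 9),
    AppEvent("bob", "hr_portal", "view", 7, 10),
    AppEvent("bob", "hr_portal", "view", 8, 9),
    AppEvent("bob", "hr_portal", "view", 6, 10),
]
# Constructed host login audit: (user, hour of login).
BASELINE_HOST_LOG = [("alice", 8), ("alice", 9), ("alice", 10), ("alice", 14),
                     ("bob", 9), ("bob", 10)]

# Constructed later records to be audited against the baseline.
CANDIDATE_LOG = [
    AppEvent("alice", "payroll", "view", 15, 9),       # normal
    AppEvent("alice", "payroll", "export", 5000, 9),   # bulk export, abnormal volume
    AppEvent("alice", "payroll", "delete", 1, 9),      # action never seen before
    AppEvent("bob", "hr_portal", "view", 6, 2),        # normal use, but at 02:00
    AppEvent("bob", "payroll", "view", 6, 9),          # application bob never used
]

if __name__ == "__main__":
    for ev, reasons in audit_log(CANDIDATE_LOG, build_baseline(BASELINE_APP_LOG, BASELINE_HOST_LOG)):
        print(ev, "->", reasons or "normal")
```

The second source matters: bob's 02:00 query looks entirely ordinary to the application audit alone and is surfaced only because the host audit shows he has never logged in at that hour. Conversely, a baseline learned from a window that already contains abuse will treat the abuse as normal, so the window must be chosen with care.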
A particularly useful area of investigation would be to gain a more complete understanding of what sophisticated and successful system administrators do to protect their systems. Encapsulating that knowledge and codifying it somehow would provide insight into what the best kinds of defense are. Participants also noted that adding to system administrators’ security knowledge and overall resources would strengthen systems security.
Meeting participants emphasized that progress on this issue will be made only when researchers move beyond thinking about how to protect systems against relatively
The proceedings of this workshop are available at http://www.rand.org/publications/CF/CF163/.