
Tools for Mitigating False Positives: A Case Study From Ransack Detection
 
The base-rate problem is a well-understood challenge for information security analysis; its effects, however, are exacerbated when dealing with intelligent adversaries and advanced attacks. In these cases, security analysts need techniques to mitigate the impact of false positives and focus on the real risks.
 
In this talk, I will present examples of false positive mitigation by focusing on the problem of insider threat theft and exfiltration. The detection system itself is a simple threshold-based detector; however, we have applied a number of different techniques, including visualization, a publish-subscribe system, and aggressive analyst controls, to produce an effective defense. I will discuss how to generalize these approaches and incorporate them into other detection systems.
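To make the base-rate problem concrete for a threshold detector of the kind the abstract describes, here is a small added example (not code from the talk or from RedJack): it computes the positive predictive value of an alert from assumed detector rates and a low prevalence, and runs a constructed set of per-host outbound byte counts through a threshold detector with an analyst suppression list standing in for one of the "analyst controls". All rates, host names and byte counts are constructed for illustration.

```python
"""Base-rate arithmetic and a toy threshold detector (constructed numbers)."""


def positive_predictive_value(sensitivity, false_positive_rate, prevalence):
    """P(real incident | alert) via Bayes' rule.

    sensitivity:          P(alert | real incident)
    false_positive_rate:  P(alert | no incident)
    prevalence:           P(real incident) per host per day (the base rate)
    """
    true_alerts = sensitivity * prevalence
    false_alerts = false_positive_rate * (1.0 - prevalence)
    return true_alerts / (true_alerts + false_alerts)


def expected_alerts_per_day(hosts, sensitivity, false_positive_rate, prevalence):
    """Expected (true, false) alert counts for a population of hosts."""
    true_positives = hosts * prevalence * sensitivity
    false_positives = hosts * (1.0 - prevalence) * false_positive_rate
    return true_positives, false_positives


# Constructed daily outbound volume per host in bytes. "insider-ws" is the
# labelled exfiltration case; "backup-01" legitimately moves a lot of data.
CONSTRUCTED_DAILY_BYTES = {
    "desk-17": 120_000_000,
    "desk-42": 95_000_000,
    "backup-01": 4_200_000_000,
    "insider-ws": 2_750_000_000,
    "printer-3": 1_500_000,
}


def threshold_alerts(daily_bytes, threshold, suppressed=frozenset()):
    """Return hosts exceeding the byte threshold, minus analyst-suppressed ones.

    The suppression set is the analyst control: a reviewer who has explained
    a noisy host once should not see it alert again the next day.
    """
    return sorted(
        host for host, volume in daily_bytes.items()
        if volume > threshold and host not in suppressed
    )


if __name__ == "__main__":
    ppv = positive_predictive_value(0.99, 0.01, 0.001)
    print(f"PPV with 0.1% base rate: {ppv:.3f}")          # about 0.090
    print(expected_alerts_per_day(10_000, 0.99, 0.01, 0.001))
    print(threshold_alerts(CONSTRUCTED_DAILY_BYTES, 1_000_000_000))
    print(threshold_alerts(CONSTRUCTED_DAILY_BYTES, 1_000_000_000, {"backup-01"}))
```

Even with a detector that catches 99% of incidents and flags only 1% of benign hosts, roughly nine of every ten alerts are false when the base rate is one in a thousand; the suppression list shows how an analyst decision removes the known-benign high-volume host from the next day's queue.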
 
Speaker Bio:
Michael Collins is the chief scientist for RedJack, LLC, a network security and data analysis company located in the Washington, D.C., area. Prior to his work at RedJack, Dr. Collins was a member of the technical staff at the CERT/Network Situational Awareness group at Carnegie Mellon University. His primary focus is on network instrumentation and traffic analysis, in particular on the analysis of large traffic datasets. Dr. Collins graduated with a PhD in Electrical Engineering from Carnegie Mellon University in 2008. He holds Master’s and Bachelor’s degrees from the same institution.