Objective: Detect attempts at intellectual property theft as they occur, or soon afterwards, by behavioral analysis of user activity in Windchill and in connected software via workgroup managers. Internal and external sources should be considered.
Excerpt: "There are increasing amounts of technology that can detect a pattern of behaviour symptomatic of an inside threat. Intrusion detection systems, coupled with intrusion prevention systems working as a form of smart firewall, can be extremely useful tools."
Enable auditing of events that show information access and download, including through CAD workgroup managers.
Maintain a live, user-by-user database of activity, which must have a configurable rolling data deletion period, e.g. delete records older than 12 months.
Establish baseline normals of document or CAD workgroup manager downloads to workspace per time period (a day, an hour, or perhaps even a set number of minutes).
Baseline data would likely involve collecting the following assumed positive normal behavior (behaviour [for keyword search results of this item by British spelling]):
statistics of average quantities of documents accessed.
time and day windows of normal activity.
Options for considering the source context of data if context-limiting ACLs could not be implemented for other business reasons.
Look for abnormalities:
Is the rate of documents being accessed greater by some configurable factor than normal baseline?
Is the time and day of document activity outside normal business hours? (Note that this system should be aware of statutory holidays for the user's home office country location, since if just-above-normal data access is done on a holiday, is that a good or bad thing?)
Is the user suddenly accessing data from a different project to which they are not assigned? (Keeping in mind many customers may be in the situation whereby they cannot limit access to contexts for many other business reasons.)
If abnormalities are identified, a range of responses should be possible based on a configurable set of criteria:
If enough things look out of place, then the user could be locked out of the system and, if possible, the system could communicate with a Windows service to have the workstation locked down to prevent moving downloaded files to a USB memory device, etc.
If the severity is less but still out of ordinary, an email could be sent to a configurable email address for human follow up.
I hope this is a good starting point. It seems like a good idea for the current nature of things, and may prevent internal and external intellectual property theft attempts.
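
The baseline, abnormality checks and tiered responses listed above can be sketched as follows. This is an added example, not Windchill code or part of the original idea: the event fields, thresholds, holiday table and response names are all assumptions, and "different project" is approximated as a context absent from the user's own history.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean

# Every name, threshold and event here is an assumption for illustration.
RETENTION = timedelta(days=365)          # rolling deletion period
RATE_FACTOR = 3.0                        # configurable multiple of the baseline
BUSINESS_HOURS = range(7, 19)            # 07:00-18:59, user's local time
HOLIDAYS = {"CA": {date(2024, 7, 1)}}    # constructed per-country holiday table
LOCK_AT, EMAIL_AT = 2, 1                 # signal counts that trigger each response

def make_events(user, day, hour, count, context):  # constructed audit records
    ts = datetime(day.year, day.month, day.day, hour)
    return [{"user": user, "ts": ts, "context": context} for _ in range(count)]

def prune(events, now):
    """Drop audit records older than the retention period."""
    return [e for e in events if now - e["ts"] <= RETENTION]

def baseline(history, user):
    """Mean downloads per active day, plus the contexts the user normally touches."""
    per_day, contexts = defaultdict(int), set()
    for e in history:
        if e["user"] == user:
            per_day[e["ts"].date()] += 1
            contexts.add(e["context"])
    return (mean(per_day.values()) if per_day else 0.0), contexts

def signals_for(history, today, user, country):
    """Return the abnormality signals raised by one user's activity for one day."""
    avg, known = baseline(history, user)
    mine = [e for e in today if e["user"] == user]
    found = []
    if avg and len(mine) > RATE_FACTOR * avg:
        found.append("rate")
    if any(e["ts"].hour not in BUSINESS_HOURS or e["ts"].weekday() >= 5
           or e["ts"].date() in HOLIDAYS.get(country, set()) for e in mine):
        found.append("off_hours")
    if any(e["context"] not in known for e in mine):
        found.append("new_context")
    return found

def respond(found):  # map the number of signals to a tiered response
    if len(found) >= LOCK_AT:
        return "lock_account"
    return "email_reviewer" if len(found) >= EMAIL_AT else "none"

# Constructed history: 5 downloads at 10:00 on ten June 2024 weekdays, one project.
HISTORY = [e for d in (3, 4, 5, 6, 7, 10, 11, 12, 13, 14)
           for e in make_events("alice", date(2024, 6, d), 10, 5, "ProjA")]
```

A single signal, such as ordinary volume on a holiday, only reaches the email tier here, which leaves the "good or bad thing" judgement to a human reviewer.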