The Office of the Director of National Intelligence's National Insider Threat Task Force is working closely with the Department of Defense to figure out how 43 of its components can build solid insider threat programs.

NITTF is tasked with helping federal agencies set up programs to prevent, deter and detect compromises of classified information by insiders.

An insider is any person with authorized access to any U.S. government resource, including personnel, facilities, information networks, or systems. An insider can pose a threat if he or she uses authorized access, wittingly or unwittingly, to harm the security of the U.S. through intellectual property theft, network sabotage, security incidents, intent to harm themselves or others, data exfiltration, espionage or reputational harm.

Not all agencies have the same level of risks, but all must meet a minimum set of standards because so much information is now shared across federal agencies.

"We are working with the [Defense] Department to determine which of the minimum standards can be applied and in what way to each individual component," said NITTF Co-director Patricia Larsen during a C4ISR & Networks webcast.

NITTF is working with the DoD to draw on capabilities that can be applied across the DoD enterprise. For instance, there is a lot of DoD personnel data at the Defense Manpower Data Center. "How can you make use of that [information] rather than have each individual component trying to draw together their own information about their people?"

Or how can DoD organizations use the Identity Matching Engine for Security and Analysis (IMESA) to flag potential insiders who could pose threats to a facility? IMESA — fast-tracked by the Pentagon after a gunman fatally shot 12 people and injured three others at the Navy Yard in Washington, D.C., in September 2013 — runs the name of anyone visiting a DoD facility through a comprehensive check of data sources that would indicate past criminal behavior, outstanding warrants and other similar information.

Larsen noted that successful insider threat programs have senior leadership buy-in and trained insider threat professionals. These professionals need access to data that provides a holistic view of what's going on within the organization. User activity must be monitored to keep track of what personnel are doing online or if someone is doing massive downloads of documents. Then all of this information needs to be brought together for centralized analysis with other data sources so information can be put into context. "No one flag is going to help identify if you have an issue, it has to be a holistic perspective," Larsen said.

Security tools alone are not going to offer silver bullets. Employee awareness is key, Larsen noted. "They know what is normal. They are going to be your eyes and ears. So if you see something, say something," she said.

Three content security tools

Steve Gottwals, technical director of security solutions with Adobe Systems Federal, described three content security solutions that agencies could deploy to prevent, detect and respond to malicious insider threats.

  • Attribute-based access control (ABAC) matches people with content in the early stages of a document lifecycle. It allows users to tag information assets that come into a content management system with security attributes and enforce granular access and workflow rules.
  • Digital rights management is all about encryption, allowing a person "to encrypt an actual file itself no matter where it goes, no matter how it is stored or transferred," he said. A manager can then dynamically control access, printing, copying, and modification of content as well as automatically audit interaction with documents, both valid and invalid access.
  • Continuous monitoring lets managers combine the events audited inside the ABAC system with audit events on documents after they leave the repository, and then run analytics on them to look for anomalies. Managers can add a response mechanism. For instance, if the document is encrypted, they can basically throw away the key, Gottwals said.
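
How the three controls in the list above fit together, as an added sketch that is not Adobe's product code or anything shown in the webcast. The `ContentStore` class, the attribute names, the sample users and documents and the open-count threshold are all assumptions made for illustration, and the key strings stand in for real per-document encryption keys.

```python
from collections import Counter

LEVELS = {"unclassified": 0, "secret": 1}
# Constructed sample data: all names, tags and thresholds are illustrative.
DOCS = {f"doc-{i}": {"classification": "secret", "program": "alpha"} for i in range(5)}
DOCS["memo"] = {"classification": "unclassified", "program": None}
USERS = {"avery": {"clearance": "secret", "programs": {"alpha"}},
         "blake": {"clearance": "unclassified", "programs": set()}}

class ContentStore:  # hypothetical class, not a real product API
    def __init__(self, docs, users, open_limit=3):
        self.docs, self.users, self.open_limit = docs, users, open_limit
        # Stand-in for per-document DRM keys held by a rights server.
        self.keys = {doc_id: f"key-for-{doc_id}" for doc_id in docs}
        self.audit = []  # (user, doc_id, outcome) for every attempt

    def permitted(self, user, doc_id):
        """ABAC: match the user's attributes against the document's tags."""
        u, d = self.users[user], self.docs[doc_id]
        cleared = LEVELS[u["clearance"]] >= LEVELS[d["classification"]]
        need_to_know = d["program"] is None or d["program"] in u["programs"]
        return cleared and need_to_know

    def open_document(self, user, doc_id):
        """DRM: an open succeeds only while the key exists; every attempt is audited."""
        ok = self.permitted(user, doc_id) and doc_id in self.keys
        self.audit.append((user, doc_id, "granted" if ok else "denied"))
        return ok

    def flagged_users(self):
        """Monitoring: users whose granted opens exceed the limit (bulk access)."""
        opens = Counter(u for u, _, outcome in self.audit if outcome == "granted")
        return sorted(u for u, n in opens.items() if n > self.open_limit)

    def respond(self):
        """Response: discard the keys of documents a flagged user opened."""
        flagged = set(self.flagged_users())
        hit = {d for u, d, outcome in self.audit if u in flagged and outcome == "granted"}
        for doc_id in hit:
            self.keys.pop(doc_id, None)
        return sorted(hit)

def run_demo():
    store = ContentStore(DOCS, USERS)
    store.open_document("blake", "doc-0")          # denied by ABAC, still audited
    for i in range(5):
        store.open_document("avery", f"doc-{i}")   # bulk access by a cleared user
    revoked = store.respond()
    return store.flagged_users(), revoked, store.open_document("avery", "doc-0")
```

Discarding a key makes the document unreadable for every holder, including legitimate ones, so a real deployment would route a flag through analyst review alongside other data sources before triggering that response.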
