As a country, we are relatively skilled at protecting, sending, receiving and storing classified information, which has caused adversaries to shift their focus from hardened classified networks to more commonly accessible controlled unclassified information (CUI). As such, the defense industrial base (DIB) needs to get equally good at handling such information, especially since one or more unclassified documents combined can be just as sensitive as classified material. This will require innovative technologies that monitor user behaviors and errors, both of which can result in the creation of unintentional threats that can spread across all organizations involved in defense programs.
Let’s take a closer look at CUI vulnerabilities and how to mitigate those risks.
This controlled unclassified information is much more vulnerable than classified information. CUI data is directly accessible through the Internet, and organizations within the government, industry and the supply chain are less likely to focus on ways to best protect this data. CUI data is frequently comingled with standard data, making it difficult to identify and lock down. Cyberthreats have also continued to become more sophisticated.
Today, users of CUI are not being monitored on a thorough and consistent basis. This is understandable, since there are approximately four million users in the DoD network, including employees, agents, and contractors, and millions more spread across thousands of companies in industry. It’s difficult to scale security processes to that level, despite the government’s best efforts to establish security task forces. Even though the government has increased the security requirements for protection in the Federal Acquisition Regulations for fiscal 2019, no department or individual currently has complete oversight on the security of CUI users.
To solve this challenge, CIOs and CISOs might be tempted to take a “one size fits all” approach to data protection. Unfortunately, that’s not as effective as data segregation, which is difficult, expensive, and inefficient.
We need a better way.
Human-centric security is the point of contact between humans and data. It uses a step-by-step process that includes individual behavior analysis and risk scoring to ensure the data that is available and valuable is also protected when it is most vulnerable. It is an ideal solution to protect the unclassified information.
Focusing on the individual and their relationship with agency and corporate data through a user’s unique behaviors and risk factors is a targeted security approach that delivers higher efficacy. It’s been effective at protecting data in the commercial sector and can be equally valuable protecting CUI. The DoD should consider expanding its use of user-centric security to non-classified information.
How human-centric monitoring works
The first step is the establishment of a baseline user behavior pattern where employees are individually monitored as they go about their daily work. This monitoring takes place anonymously and automatically assesses general behavior patterns, such as when and what data an employee typically accesses as part of her job, and the sites and applications she accesses for personal use.
The system then looks for anomalies at the individual level, such as being logged in on multiple networks simultaneously or atypical data access. The system can alert the security team to these unusual patterns and, when paired with risk scoring, discover what content to look out for and how and when data is viewed, downloaded, shared, or moved.
For example, consider a user of this unclassified data that has been with the company for three years. This employee is typically logged in between 8:00 am to 5:00 pm Monday through Friday Eastern time. Suddenly, activity is observed from that same user at 3:00 am on a Sunday—and the log in is from another country.
This anomalous behavior should set off an alarm indicating that something extraordinary—and possibly threatening—might be in play. In this case, an automated flag should be raised, and the user should be investigated or automatically locked out of the network, not for being intentionally malicious, but likely for a compromised user account.
This allows for a one-to-one approach to security vs. the traditional group based (many-to-one) view of operations, which could result in a complete shutdown of the network. It’s an unobtrusive way of protecting data without disrupting other employees’ workflow.
The closer to data, the higher the risk
What if an employee has direct access to this data? They could be targeted by hackers who offer money in exchange for network access. That employee should be categorized as a high-risk due to their access.
This can be done through a risk scoring system. Individuals who are “closer” to sensitive data carry higher risk scores.
Start with team members who have access to sensitive CUI data. Focus on the highest risk first then move to the second highest group, and so on. For example, a project manager of a critical system development will more quickly escalate their risk score than someone who does not normally interact with CUI or proprietary information. This scalable approach enables companies to address their most vulnerable employees first and is a great way to focus on risk.
CUI information can include, but is not limited to, employees’ personal information that can be used against them by enterprising hackers. Thus, it’s important to apply similar user behavior and risk scoring policies for Personal Identifiable Information (PII) and other sensitive data.
It is time to use the same behavioral security measures with CUI and other non-classified information. By taking a systematic, thoughtful approach, the DIB can have measures in place to protect all employees and data regardless of where it resides. Cyberspace is the battlefield of the future and by not recognizing the value of our data and its accessibility, we are losing the war.
Eric Trexler is vice president of global governments and critical infrastructure at Forcepoint.