A Soft(ware) Approach to Threats from Within: Mitigating the Insider Threat with Threat-Detection Software

By: Sonny James Santistevan


Concern about the prevalence and increasing regularity of insider threat breaches in the United States Government and private businesses is mounting, and many security professionals now consider the insider threat one of the greatest dangers to US national security. An unfortunate reality of insider threat is that key legislation and responses to breaches typically arrive only after the fact. This delayed response, coupled with an expanding cyber domain, is creating an insider threat landscape that is outpacing our ability to defend against it. This reactive posture has sparked a much-needed movement in the cyber domain to develop a systematic and technical response to insider threat. However, some question how this response differs from traditional methodologies for insider threat mitigation (ITM), and how the United States Government will adapt to such approaches.

Several traditional best practices for ITM center on monitoring employees, training them on insider threat, and enforcing access control.[i] The problem with these traditional mitigation practices is that they rarely account for the unpredictable human element of insider threat and, in many cases, cannot provide real-time warning or analysis to a government agency or business while a breach from within is occurring. That is not to say that such efforts are futile. In fact, most insider incidents are not committed by malicious insiders who set out to compromise information, but by unwitting or negligent employees who are unfamiliar with cyber best practices or with their employer's security policies.[ii] In this regard, a firm's insider threat program can educate employees so that they do not become the unwitting insider. Such practices, however, are far from optimal in addressing the malicious insider.

To compensate for the shortcomings of traditional ITM, private sector companies are building more comprehensive technical approaches to this unique threat actor. More specifically, companies are turning to software to create insider threat detection (ITD) systems. Companies such as ObserveIT, CyberArk, and Securonix are taking ITD to the next level by developing software that rapidly flags probable insider threats. Such products monitor employees who, in many cases, already know how to bypass physical and IT controls if they want to. This approach lets organizations amplify and accelerate their visibility of potential insider threat behavior in real time by using software to detect unauthorized access attempts, suspicious internet activity, torrent downloads, unauthorized data exfiltration, and even abnormalities in user behavior.[iii] The practitioner's caveat is that behavioral detection is only as good as the baseline of "normal" it is measured against: an insider whose job already involves bulk access to sensitive data, or who exfiltrates slowly enough to stay inside that baseline, will not trip a volume- or time-based rule, so such tools supplement rather than replace least-privilege access control. But is the United States government required to implement such measures and, if so, is the adoption of software options commonplace?
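To make the detection categories above concrete, the following is an added example of a minimal behavioral detector, written for this page and not taken from any of the products named. It assumes a constructed audit feed of (timestamp, user, action, bytes, target) events, builds a per-user baseline from a training window, and then flags, per user and day, failed-access bursts (unauthorized attempts), activity outside the user's usual hours, abnormal transfer volume (a z-score against that user's own history), and accounts that have no baseline at all. The sample events, the field names and the thresholds are all assumptions made for the example.

```python
"""Behavioural insider-threat detection over audit events (added example, not vendor code).

Each event is (timestamp, user, action, bytes, target). A per-user baseline is
built from a training window; the detector then flags, per user and day,
failed-access bursts, off-hours activity, abnormal transfer volume, and users
with no baseline at all (a new account should be reviewed, not scored).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # flag a day whose byte total is more than 3 sigma above the user's mean
FAIL_BURST = 4      # flag 4 or more failed logins / access denials by one user in one day
FAILED_ACTIONS = {"login_fail", "access_denied"}

# Constructed sample events for this example; these are not real audit logs.
TRAINING = [
    ("2017-10-02T09:15", "alice", "copy", 2_000_000, "\\\\fs01\\proj"),
    ("2017-10-02T14:02", "alice", "copy", 1_500_000, "\\\\fs01\\proj"),
    ("2017-10-03T10:40", "alice", "copy", 2_200_000, "\\\\fs01\\proj"),
    ("2017-10-04T11:05", "alice", "copy", 1_800_000, "\\\\fs01\\proj"),
    ("2017-10-05T15:30", "alice", "copy", 2_100_000, "\\\\fs01\\proj"),
    ("2017-10-02T08:50", "bob", "login_ok", 0, "vpn"),
    ("2017-10-03T08:55", "bob", "login_ok", 0, "vpn"),
    ("2017-10-04T09:10", "bob", "login_ok", 0, "vpn"),
    ("2017-10-05T08:45", "bob", "login_ok", 0, "vpn"),
    ("2017-10-02T12:00", "bob", "copy", 300_000, "\\\\fs01\\hr"),
    ("2017-10-03T12:30", "bob", "copy", 250_000, "\\\\fs01\\hr"),
    ("2017-10-04T12:10", "bob", "copy", 350_000, "\\\\fs01\\hr"),
]
TEST = [
    ("2017-10-09T02:01", "bob", "login_fail", 0, "vpn"),
    ("2017-10-09T02:02", "bob", "login_fail", 0, "vpn"),
    ("2017-10-09T02:03", "bob", "login_fail", 0, "vpn"),
    ("2017-10-09T02:04", "bob", "login_fail", 0, "vpn"),
    ("2017-10-09T02:06", "bob", "login_ok", 0, "vpn"),
    ("2017-10-09T12:15", "bob", "copy", 320_000, "\\\\fs01\\hr"),
    ("2017-10-09T10:30", "alice", "copy", 2_000_000, "\\\\fs01\\proj"),
    ("2017-10-09T22:10", "alice", "copy", 120_000_000, "usb:E:"),
    ("2017-10-09T13:00", "mallory", "copy", 5_000_000, "\\\\fs01\\proj"),
]


def _day_and_hour(ts):
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M")
    return dt.date().isoformat(), dt.hour


def build_baseline(events):
    """Per-user mean/stdev of daily bytes moved, plus the hours the user normally works."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> day -> bytes
    hours = defaultdict(set)                        # user -> hours seen active
    for ts, user, _action, nbytes, _target in events:
        day, hour = _day_and_hour(ts)
        daily[user][day] += nbytes
        hours[user].add(hour)
    baseline = {}
    for user, per_day in daily.items():
        totals = list(per_day.values())
        mu = mean(totals)
        sigma = pstdev(totals) if len(totals) > 1 else 0.0
        # Floor the spread: a flat history must not cause a division by zero
        # or turn a trivial increase into an enormous z-score.
        sigma = max(sigma, 0.1 * mu, 1.0)
        allowed = set()
        for h in hours[user]:                       # tolerate one hour either side of observed hours
            allowed.update({(h - 1) % 24, h, (h + 1) % 24})
        baseline[user] = {"mean": mu, "std": sigma, "hours": allowed}
    return baseline


def detect(events, baseline):
    """Return (user, day, finding, detail) tuples for the events in a detection window."""
    findings = []
    day_bytes = defaultdict(int)
    day_fails = defaultdict(int)
    flagged_off_hours = set()
    unknown_users = set()
    for ts, user, action, nbytes, target in events:
        day, hour = _day_and_hour(ts)
        if user not in baseline:                    # edge case: no history to score against
            if user not in unknown_users:
                unknown_users.add(user)
                findings.append((user, day, "no_baseline", f"first seen: {ts} {action} {target}"))
            continue
        if hour not in baseline[user]["hours"] and (user, day) not in flagged_off_hours:
            flagged_off_hours.add((user, day))      # report off-hours once per user per day
            findings.append((user, day, "off_hours", f"{ts} {action} {target}"))
        if action in FAILED_ACTIONS:
            day_fails[(user, day)] += 1
        day_bytes[(user, day)] += nbytes
    for (user, day), total in day_bytes.items():
        b = baseline[user]
        z = (total - b["mean"]) / b["std"]
        if z > Z_THRESHOLD:
            findings.append((user, day, "volume_anomaly", f"{total} bytes moved, z={z:.1f}"))
    for (user, day), n in day_fails.items():
        if n >= FAIL_BURST:
            findings.append((user, day, "failed_access_burst", f"{n} failed attempts"))
    return findings


if __name__ == "__main__":
    for finding in detect(TEST, build_baseline(TRAINING)):
        print(*finding, sep=" | ")
```

Run as a script, the example reports bob's 02:00 login burst and off-hours activity, alice's after-hours 120 MB copy to removable media as a volume anomaly, and mallory as an account with no baseline, while bob's normal midday copy is left alone. Two design points matter in practice: the spread is floored so that a user with a very regular history does not generate alerts on noise, and an unknown account is surfaced for review rather than silently given a score of zero, which is exactly the gap a new or dormant insider account would otherwise slip through.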

In the wake of the Chelsea Manning leaks, President Barack Obama issued Executive Order 13587 in October 2011, which mandated the creation of the National Insider Threat Task Force (NITTF). The NITTF is responsible for developing an executive branch insider threat detection and prevention program to be implemented by all federal departments and agencies.[iv] Since then, federal agencies have considerably increased their focus on insider threat: from 2015 to 2017, the percentage of agencies with a formal prevention program rose from 55 to 86 percent.[v] However, there is little consistency among agencies in the type of insider threat prevention program employed, and the NITTF standards are minimum standards that have not kept pace with the rate at which insider threats are reported. Despite the lack of consistency, agencies are making a concerted effort by allocating funds to ITM contractors. Leading the way in unclassified ITM spending is the Department of Homeland Security, which spent approximately $234 million in FY 2016, followed by the Department of Defense at approximately $203 million in the same year.[vi]

Integrating the technical components of ITM into government agencies will hopefully lessen the drastic impact insider threats have on an organization and potentially reduce their likelihood. However, neither traditional approaches nor software implementation is a magic bullet for insider threat. Despite monumental software advancements and the executive directives created to improve federal agencies' infrastructure for dealing with such dangers, insider threat continues to be a growing concern and problem for federal agencies.

[i] "Insider Threat Workshop Proceedings." CSIAC, July 2013. https://www.csiac.org/wp-content/uploads/2016/03/CSIAC-Insider-Threat-Report-Proceedings.pdf.

[ii] Dodd, Kryasta. "Cybersecurity Employee Negligence Leading Cause of Insider Threats." Homeland Security Today, August 11, 2015. Accessed November 04, 2017. http://www.hstoday.us/focused-topics/cybersecurity/single-article-page/employee-negligence-leading-cause-of-insider-threats.html.

[iii] Dickson, Ben. "How data science fights modern insider threats." TechCrunch, August 25, 2016. Accessed November 06, 2017. https://techcrunch.com/2016/08/25/how-data-science-fights-modern-insider-threats/.

[iv] Office of the Director of National Intelligence. Executive Order 13587 and the National Insider Threat Task Force (NITTF). Accessed November 06, 2017. https://www.dni.gov/index.php/ic-legal-reference-book/executive-order-13587/248-about/organization/national-counterintelligence-and-security-center/nitff.

[v] "Federal Agencies Increasing Their Focus on Insider Threats." Security Magazine, July 1, 2017. Accessed November 06, 2017. https://www.securitymagazine.com/articles/88110-federal-agencies-increasing-their-focus-on-insider-threats.

[vi] Cristie, Laura. "Insider threats are billion-dollar opportunity." Bloomberg Government, March 08, 2017. Accessed November 06, 2017. https://about.bgov.com/blog/insider-threats-billion-dollar-opportunity/.
