Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Government Targets Insider Threat

Defense, Justice, and HUD developing new strategies for stopping internal security leaks

ARLINGTON, Va. -- Black Hat DC -- Major U.S. government agencies are developing new strategies to detect and respond to insider computer security attacks, officials said at a conference here today.

Security officials working with the U.S. Departments of Defense, Justice, and Housing and Urban Development today gave insights on their directions at a small conference focused on best practices for defending against insider threats.

The Department of Defense, for example, is close to completing an RFP for a new technology that will help detect, monitor, and stop policy-breaking behavior across at least 22 defense-related services and agencies.

"We're close," said Bruce Gabrielson, chairman of the DOD's Enterprise-wide Solutions Steering Group's Insider Threat Technology Advisory Group. The RFP is the culmination of four years of study on the insider threat at many of the major military and intelligence agencies, including the National Security Agency.

The Insider Threat TAG has defined a plan for using technology to collect and analyze risky behavior among employees and other trusted insiders in the major defense-related departments, Gabrielson said. The plan involves the deployment of lightweight agents to all trusted insiders to detect policy-breaking behavior, combined with sophisticated security event management, correlation, and analysis tools that will eventually let the DOD analyze user activity down to the workstation level.

The new system will include simple, off-the-shelf tools to let agencies identify everyday mistakes and violations of system usage policies, but it will also allow them to track data that's being read on classified systems and re-typed on non-classified systems, Gabrielson said. It will combine centralized security analysis applications with end-point agents that are deployed and updated regularly, just as antivirus apps are today.

The new system will ask vendors to fill some functional gaps in currently-available applications for monitoring and analyzing insider behavior, Gabrielson said. "One of the difficult parts for us is that the most plentiful tools are for lowest-risk threats, from our perspective," he said. "The greatest threat for us is passive malicious behavior, the kind of activity that wouldn't show up on most of the security applications out there right now."

For example, the ESSG will ask for vendors to deliver better technology for profiling user behavior and correlating data across end user monitoring applications, Gabrielson said. Current systems also need better methods for reducing the overabundance of security event data and for improving investigations and audits of end-user behavior, he said.

Gabrielson did not give a date for the expected issue of the RFP, but he said that ESSG's members have already agreed to fund the purchase of the insider threat protection system once it has been selected. He did not reveal the group's budget for the purchase.

Meanwhile, other U.S. government agencies are fleshing out their efforts to counter the insider threat. Dennis Heretick, deputy CIO for IT security at the Department of Justice, said the agency is weaving a number of insider-oriented capabilities to its Cyber Security Assessment and Management (CSAM) system, which tracks and monitors security issues across the DOJ and related agencies.

"For us, the insider threat is the least likely to happen, but it's potentially the most damaging if it did happen," Heretick said. The most likely "insider" problems at DOJ are accidental breaches by employees or trusted parties involving simple user commands, he said.

The DOJ has enhanced its CSAM system to include a number of insider-oriented capabilities, such as end user monitoring, data flow analysis, and real-time monitoring of IDS data and remote devices, Heretick said. The agency is also doing "intelligent encryption," adding encryption to a variety of systems while stopping short of encrypting all data inside the organization, he said.

The DOJ has suffered one public incidence of insider attack, in which a user took his administrative ID and password with him after being terminated, Heretick said. "We had to take everybody off of that system and shut it off, and that put a lot of strain on another one of our systems, because it had to do the work of two. The insider threat is very real."

HUD is also moving to protect its systems against the insider threat, adding encryption to some systems while restricting the use of portable devices such as iPods and thumb drives that could be used to carry data out, according to Kelvin Taylor, an information security specialist at the agency.

"Today's biggest threat to computer security is the users," Taylor said. He cited recent numbers from Gartner, which state that 70 percent of unauthorized access to systems is committed by insiders.

HUD is moving toward more substantial safeguards, such as encryption, but it is trying to use common sense, Taylor said. "We had a request to encrypt some 'inside' data, including the number of times the toilets were flushed in the building," he recalled. "Our question was, why? You've got to ask questions like that. We don't encrypt everything."

Several experts at the conference spoke about trends in insider threats, including Arcsight CSO Brian Contos, who presented data from a joint study his company conducted with Ponemon Institute. "Seventy-eight percent of the companies surveyed said they have had an insider incident in the last year that wasn't disclosed publicly," he said. "Eighty-nine percent said insider threats are a top three issue, along with malware and patch management."

Efforts such as the ESSG TAG's insider threat system are a reflection that government agencies, like corporations, are recognizing the gravity of the insider threat, Contos said. "What ESSG is doing shows they are very serious, not just about talking about it, but about really doing something."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-15
Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations as configured for the server and used for the HTTP/1 protocol as well. On violation of these restrictions and HTTP response is sent to the client with a status code indicating why...
PUBLISHED: 2021-06-14
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause a Denial of Service (DoS) by sending a specially crafted request. This vulnerability affects SonicOS Gen5, Gen6, Gen7 platforms, and SonicOSv virtual firewalls.
PUBLISHED: 2021-06-14
magento-scripts contains scripts and configuration used by Create Magento App, a zero-configuration tool-chain which allows one to deploy Magento 2. In versions 1.5.1 and 1.5.2, after changing the function from synchronous to asynchronous there wasn't implemented handler in the start, stop, exec, an...
PUBLISHED: 2021-06-14
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.
PUBLISHED: 2021-06-14
Cross-site Scripting (XSS) vulnerability in the main dashboard of Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim’s browser. This issue affects: Hitachi ABB Power Grids ...