Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Government Targets Insider Threat

Defense, Justice, and HUD developing new strategies for stopping internal security leaks

ARLINGTON, Va. -- Black Hat DC -- Major U.S. government agencies are developing new strategies to detect and respond to insider computer security attacks, officials said at a conference here today.

Security officials working with the U.S. Departments of Defense, Justice, and Housing and Urban Development today gave insights on their directions at a small conference focused on best practices for defending against insider threats.

The Department of Defense, for example, is close to completing an RFP for a new technology that will help detect, monitor, and stop policy-breaking behavior across at least 22 defense-related services and agencies.

"We're close," said Bruce Gabrielson, chairman of the DOD's Enterprise-wide Solutions Steering Group's Insider Threat Technology Advisory Group. The RFP is the culmination of four years of study on the insider threat at many of the major military and intelligence agencies, including the National Security Agency.

The Insider Threat TAG has defined a plan for using technology to collect and analyze risky behavior among employees and other trusted insiders in the major defense-related departments, Gabrielson said. The plan involves the deployment of lightweight agents to all trusted insiders to detect policy-breaking behavior, combined with sophisticated security event management, correlation, and analysis tools that will eventually let the DOD analyze user activity down to the workstation level.

The new system will include simple, off-the-shelf tools to let agencies identify everyday mistakes and violations of system usage policies, but it will also allow them to track data that's being read on classified systems and re-typed on non-classified systems, Gabrielson said. It will combine centralized security analysis applications with end-point agents that are deployed and updated regularly, just as antivirus apps are today.

The new system will ask vendors to fill some functional gaps in currently-available applications for monitoring and analyzing insider behavior, Gabrielson said. "One of the difficult parts for us is that the most plentiful tools are for lowest-risk threats, from our perspective," he said. "The greatest threat for us is passive malicious behavior, the kind of activity that wouldn't show up on most of the security applications out there right now."

For example, the ESSG will ask for vendors to deliver better technology for profiling user behavior and correlating data across end user monitoring applications, Gabrielson said. Current systems also need better methods for reducing the overabundance of security event data and for improving investigations and audits of end-user behavior, he said.

Gabrielson did not give a date for the expected issue of the RFP, but he said that ESSG's members have already agreed to fund the purchase of the insider threat protection system once it has been selected. He did not reveal the group's budget for the purchase.

Meanwhile, other U.S. government agencies are fleshing out their efforts to counter the insider threat. Dennis Heretick, deputy CIO for IT security at the Department of Justice, said the agency is weaving a number of insider-oriented capabilities to its Cyber Security Assessment and Management (CSAM) system, which tracks and monitors security issues across the DOJ and related agencies.

"For us, the insider threat is the least likely to happen, but it's potentially the most damaging if it did happen," Heretick said. The most likely "insider" problems at DOJ are accidental breaches by employees or trusted parties involving simple user commands, he said.

The DOJ has enhanced its CSAM system to include a number of insider-oriented capabilities, such as end user monitoring, data flow analysis, and real-time monitoring of IDS data and remote devices, Heretick said. The agency is also doing "intelligent encryption," adding encryption to a variety of systems while stopping short of encrypting all data inside the organization, he said.

The DOJ has suffered one public incidence of insider attack, in which a user took his administrative ID and password with him after being terminated, Heretick said. "We had to take everybody off of that system and shut it off, and that put a lot of strain on another one of our systems, because it had to do the work of two. The insider threat is very real."

HUD is also moving to protect its systems against the insider threat, adding encryption to some systems while restricting the use of portable devices such as iPods and thumb drives that could be used to carry data out, according to Kelvin Taylor, an information security specialist at the agency.

"Today's biggest threat to computer security is the users," Taylor said. He cited recent numbers from Gartner, which state that 70 percent of unauthorized access to systems is committed by insiders.

HUD is moving toward more substantial safeguards, such as encryption, but it is trying to use common sense, Taylor said. "We had a request to encrypt some 'inside' data, including the number of times the toilets were flushed in the building," he recalled. "Our question was, why? You've got to ask questions like that. We don't encrypt everything."

Several experts at the conference spoke about trends in insider threats, including Arcsight CSO Brian Contos, who presented data from a joint study his company conducted with Ponemon Institute. "Seventy-eight percent of the companies surveyed said they have had an insider incident in the last year that wasn't disclosed publicly," he said. "Eighty-nine percent said insider threats are a top three issue, along with malware and patch management."

Efforts such as the ESSG TAG's insider threat system are a reflection that government agencies, like corporations, are recognizing the gravity of the insider threat, Contos said. "What ESSG is doing shows they are very serious, not just about talking about it, but about really doing something."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address allows attackers in the local network to access multiple quagga VTYs. Attackers can...
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.