
Government Targets Insider Threat

Defense, Justice, and HUD developing new strategies for stopping internal security leaks

ARLINGTON, Va. -- Black Hat DC -- Major U.S. government agencies are developing new strategies to detect and respond to insider computer security attacks, officials said at a conference here today.

Security officials working with the U.S. Departments of Defense, Justice, and Housing and Urban Development today gave insights on their directions at a small conference focused on best practices for defending against insider threats.

The Department of Defense, for example, is close to completing an RFP for a new technology that will help detect, monitor, and stop policy-breaking behavior across at least 22 defense-related services and agencies.

"We're close," said Bruce Gabrielson, chairman of the DOD's Enterprise-wide Solutions Steering Group's Insider Threat Technology Advisory Group. The RFP is the culmination of four years of study on the insider threat at many of the major military and intelligence agencies, including the National Security Agency.

The Insider Threat TAG has defined a plan for using technology to collect and analyze risky behavior among employees and other trusted insiders in the major defense-related departments, Gabrielson said. The plan involves the deployment of lightweight agents to all trusted insiders to detect policy-breaking behavior, combined with sophisticated security event management, correlation, and analysis tools that will eventually let the DOD analyze user activity down to the workstation level.

The new system will include simple, off-the-shelf tools to let agencies identify everyday mistakes and violations of system usage policies, but it will also allow them to track data that's being read on classified systems and re-typed on non-classified systems, Gabrielson said. It will combine centralized security analysis applications with end-point agents that are deployed and updated regularly, just as antivirus apps are today.

The new system will ask vendors to fill some functional gaps in currently available applications for monitoring and analyzing insider behavior, Gabrielson said. "One of the difficult parts for us is that the most plentiful tools are for lowest-risk threats, from our perspective," he said. "The greatest threat for us is passive malicious behavior, the kind of activity that wouldn't show up on most of the security applications out there right now."

For example, the ESSG will ask vendors to deliver better technology for profiling user behavior and correlating data across end-user monitoring applications, Gabrielson said. Current systems also need better methods for reducing the overabundance of security event data and for improving investigations and audits of end-user behavior, he said.

Gabrielson did not give a date for the expected issue of the RFP, but he said that ESSG's members have already agreed to fund the purchase of the insider threat protection system once it has been selected. He did not reveal the group's budget for the purchase.

Meanwhile, other U.S. government agencies are fleshing out their efforts to counter the insider threat. Dennis Heretick, deputy CIO for IT security at the Department of Justice, said the agency is weaving a number of insider-oriented capabilities into its Cyber Security Assessment and Management (CSAM) system, which tracks and monitors security issues across the DOJ and related agencies.

"For us, the insider threat is the least likely to happen, but it's potentially the most damaging if it did happen," Heretick said. The most likely "insider" problems at DOJ are accidental breaches by employees or trusted parties involving simple user commands, he said.

The DOJ has enhanced its CSAM system to include a number of insider-oriented capabilities, such as end-user monitoring, data flow analysis, and real-time monitoring of IDS data and remote devices, Heretick said. The agency is also doing "intelligent encryption," adding encryption to a variety of systems while stopping short of encrypting all data inside the organization, he said.

The DOJ has suffered one public incident of insider attack, in which a user took his administrative ID and password with him after being terminated, Heretick said. "We had to take everybody off of that system and shut it off, and that put a lot of strain on another one of our systems, because it had to do the work of two. The insider threat is very real."

HUD is also moving to protect its systems against the insider threat, adding encryption to some systems while restricting the use of portable devices such as iPods and thumb drives that could be used to carry data out, according to Kelvin Taylor, an information security specialist at the agency.

"Today's biggest threat to computer security is the users," Taylor said. He cited recent numbers from Gartner, which state that 70 percent of unauthorized access to systems is committed by insiders.

HUD is moving toward more substantial safeguards, such as encryption, but it is trying to use common sense, Taylor said. "We had a request to encrypt some 'inside' data, including the number of times the toilets were flushed in the building," he recalled. "Our question was, why? You've got to ask questions like that. We don't encrypt everything."

Several experts at the conference spoke about trends in insider threats, including ArcSight CSO Brian Contos, who presented data from a joint study his company conducted with Ponemon Institute. "Seventy-eight percent of the companies surveyed said they have had an insider incident in the last year that wasn't disclosed publicly," he said. "Eighty-nine percent said insider threats are a top three issue, along with malware and patch management."

Efforts such as the ESSG TAG's insider threat system are a reflection that government agencies, like corporations, are recognizing the gravity of the insider threat, Contos said. "What ESSG is doing shows they are very serious, not just about talking about it, but about really doing something."

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
