
Government Targets Insider Threat

Defense, Justice, and HUD developing new strategies for stopping internal security leaks

ARLINGTON, Va. -- Black Hat DC -- Major U.S. government agencies are developing new strategies to detect and respond to insider computer security attacks, officials said at a conference here today.

Security officials working with the U.S. Departments of Defense, Justice, and Housing and Urban Development today gave insights on their directions at a small conference focused on best practices for defending against insider threats.

The Department of Defense, for example, is close to completing an RFP for a new technology that will help detect, monitor, and stop policy-breaking behavior across at least 22 defense-related services and agencies.

"We're close," said Bruce Gabrielson, chairman of the DOD's Enterprise-wide Solutions Steering Group's Insider Threat Technology Advisory Group. The RFP is the culmination of four years of study on the insider threat at many of the major military and intelligence agencies, including the National Security Agency.

The Insider Threat TAG has defined a plan for using technology to collect and analyze risky behavior among employees and other trusted insiders in the major defense-related departments, Gabrielson said. The plan involves the deployment of lightweight agents to all trusted insiders to detect policy-breaking behavior, combined with sophisticated security event management, correlation, and analysis tools that will eventually let the DOD analyze user activity down to the workstation level.

The new system will include simple, off-the-shelf tools to let agencies identify everyday mistakes and violations of system usage policies, but it will also allow them to track data that's being read on classified systems and re-typed on non-classified systems, Gabrielson said. It will combine centralized security analysis applications with end-point agents that are deployed and updated regularly, just as antivirus apps are today.

The new system will ask vendors to fill some functional gaps in currently available applications for monitoring and analyzing insider behavior, Gabrielson said. "One of the difficult parts for us is that the most plentiful tools are for lowest-risk threats, from our perspective," he said. "The greatest threat for us is passive malicious behavior, the kind of activity that wouldn't show up on most of the security applications out there right now."

For example, the ESSG will ask for vendors to deliver better technology for profiling user behavior and correlating data across end user monitoring applications, Gabrielson said. Current systems also need better methods for reducing the overabundance of security event data and for improving investigations and audits of end-user behavior, he said.

Gabrielson did not give a date for the expected issue of the RFP, but he said that ESSG's members have already agreed to fund the purchase of the insider threat protection system once it has been selected. He did not reveal the group's budget for the purchase.

Meanwhile, other U.S. government agencies are fleshing out their efforts to counter the insider threat. Dennis Heretick, deputy CIO for IT security at the Department of Justice, said the agency is weaving a number of insider-oriented capabilities into its Cyber Security Assessment and Management (CSAM) system, which tracks and monitors security issues across the DOJ and related agencies.

"For us, the insider threat is the least likely to happen, but it's potentially the most damaging if it did happen," Heretick said. The most likely "insider" problems at DOJ are accidental breaches by employees or trusted parties involving simple user commands, he said.

The DOJ has enhanced its CSAM system to include a number of insider-oriented capabilities, such as end user monitoring, data flow analysis, and real-time monitoring of IDS data and remote devices, Heretick said. The agency is also doing "intelligent encryption," adding encryption to a variety of systems while stopping short of encrypting all data inside the organization, he said.

The DOJ has suffered one public incident of insider attack, in which a user took his administrative ID and password with him after being terminated, Heretick said. "We had to take everybody off of that system and shut it off, and that put a lot of strain on another one of our systems, because it had to do the work of two. The insider threat is very real."

HUD is also moving to protect its systems against the insider threat, adding encryption to some systems while restricting the use of portable devices such as iPods and thumb drives that could be used to carry data out, according to Kelvin Taylor, an information security specialist at the agency.

"Today's biggest threat to computer security is the users," Taylor said. He cited recent numbers from Gartner, which state that 70 percent of unauthorized access to systems is committed by insiders.

HUD is moving toward more substantial safeguards, such as encryption, but it is trying to use common sense, Taylor said. "We had a request to encrypt some 'inside' data, including the number of times the toilets were flushed in the building," he recalled. "Our question was, why? You've got to ask questions like that. We don't encrypt everything."

Several experts at the conference spoke about trends in insider threats, including ArcSight CSO Brian Contos, who presented data from a joint study his company conducted with Ponemon Institute. "Seventy-eight percent of the companies surveyed said they have had an insider incident in the last year that wasn't disclosed publicly," he said. "Eighty-nine percent said insider threats are a top three issue, along with malware and patch management."

Efforts such as the ESSG TAG's insider threat system show that government agencies, like corporations, are recognizing the gravity of the insider threat, Contos said. "What ESSG is doing shows they are very serious, not just about talking about it, but about really doing something."

— Tim Wilson, Site Editor, Dark Reading
