For business, the threat of an employee or officer compromising an organization’s security practices can become an economic disaster. For a government agency, an insider threat can expose private information or even become a matter of national security.
Perhaps then, it makes sense to get some advice about protecting against insider threats from someone who’s constantly alert for such attacks at the Defense Information Systems Agency (DISA) — the organization that provides a global infrastructure for information sharing and communication across the Department of Defense, from the President on down.
As in other big businesses, a major challenge for DISA Chief Information Officer Paul DeMennato, is making sure policies cover both classified and unclassified networks.
“Most of our folks use both. And you set the policies on each network. Some are set according to bandwidth or resource limitation. So in DoD we have to make sure we’re mindful of bandwidth considerations, especially for the missions of the war fighters downrange,” DeMennato told Federal Drive with Tom Temin.
“Typically what we’ll do is we’ll have a cyber defense tool that will basically categorize the websites according to whether they are non-profit, social media, news organization, gaming site, etc.,” he said. “Then basically you can determine what categories of websites you are allowing to your networks.”
Even with Word software, software can monitor what types of files people are creating based on the policies one has created in the user activity monitoring software you are using.
“When someone opens up a Word document or Excel spreadsheets or a PowerPoint, you can set your policies so that you can determine if someone is opening up a classified document, and even cutting and pasting information into another document without the classified marking. It kind of shows the intent that they were trying to hide something, or they are trying to move data without the proper labels and classifications on it,” DeMennato said.
“Some of the commercial applications that are out there are good at activity monitoring and will actually set those policies.”
But does that include word processing programs that are hosted locally and also in the Cloud?
“Yes, as long as it’s in the Cloud you have control of that [virtual instance] or that organizational instance that you say ‘I want this monitoring software to be put on it, and I want this reporting software to report to this analyst,’” said DeMennato.
And what sort of security is there for sorting through all the email traffic a large organization receives?
“We have secure mail guards. A lot of them are signature-based because a lot of malware has certain signatures,” he said. “If you have some messages that come through that have not been seen before and have been triggered by a signature you can create a new signature, then you can log that activity and then start blocking.”
And one would presume there’s more latitude in setting higher filtration for classified networks.
“In the past, when we looked at a classified network, everybody had the mindset that since it’s a classified network that it doesn’t touch the internet … we’re kind of safe,” he said. “Now we need to be mindful that we’re paying the same amount of attention to the classified network that we have been paying to the unclassified. With the unclassified network there’s more exposure to threats from a lot of different adversaries.“
But more than software designed to determine anomalies or block outside threats, DeMennato points to the people as the strength of any insider threat program.
As part of the on-boarding at DISA, DeMennato explains new users have to sign a legal form, “probably 10 or 11 pages long,” explaining acceptable uses of their computer equipment.
“We have one of our incident responders go through the user agreement to make sure they understand the do’s and the don’ts. Annually, we have users who are required to go through computer base training on computer cybersecurity practices,” DeMannato said.
“Another area we’ve recently undertaken is every week we have a cyber defender question that pops up on our computer in the morning. It basically reinforces lessons from the newcomers training or the annual CBT they have to take.” DeMannato said, for example, users are taught the proper way to telework and transport laptops, as well as the proper way to use credentials. “It’s continuous education throughout the lifespan of the employee.”
And are the employees aware of the insider threat program?
“Yes, we also have an insider threat training that is annual. We also have insider threat questions that go into a weekly pool of questions that is given to the users. Then we have an in-depth insider threat brief that goes into the counter-intelligence aspects of some past cases, along with some indicators that might show an employee what to be on the lookout for.”
Even though your employees know this kind of monitoring is going on, there are ways you can create an atmosphere that doesn’t seem like surveillance.
“The best way is user education. Giving some real-world examples of why we have a user agreement and why the statements in there are important,” he said. “It sets a tone. Some people say it’s a harsh tone, but it sets the perspective. Basically you want them to know that malicious code or unauthorized software that could be introduced into the system can harm the system and take away from the mission.”
“Insider threats are actually a people problem,” said DeMannato. “And people are my best sensor out there.”
But automation sure helps. When hardening your agency against potential cyber insider threats, a foundational step is understanding each users normal patterns of work — hours, network bandwidth, files and applications used. DeMennato explains the next step is monitoring for deviations.
“Those users have what we call ‘stressers’ in their life that have changed their behavior — whether intentional or unintentional — they’ve had a life incident that has happened and they start to do poor security practices. So you need the software to be able to establish their baseline and their pattern and then show deviations. When deviations get extreme, that’s where you could start to interject.”
You let them know that you see them (the deviations) and you either send them for retraining or you start an investigation, depending on how severe it was.
“Usually the employees don’t start off with bad intentions,” said DeMennato. “Usually it’s a gradual process. You want to interrupt that gradual process by letting them know you are watching and you want to disrupt the insider threat chain and try to rehabilitate and make them more productive employees.”
DeMennato views the problem as one that’s best handled by a strong data management plan with strict procedures.
“I propose you make data a commodity in the organization. You silo it, you harden it, and siphon it off, make it available only internal to the organization, and put some limitations on its portability. You limit down the saving, limit the printing, and if you have to release it to an external organization, you put an expiration date on it and ensure that goes through a formal release process.”