How monitoring user activity on unclassified networks can help protect classified networks and data

Federal organizations like the Defense Department and agencies in the intelligence community manage large volumes of highly sensitive information. To protect that data, they operate classified networks that must meet specific cybersecurity guidelines. In particular, Executive Order 13587, issued in 2011, and DoD Directive 5205.16, which mandated the DoD Insider Threat Program in 2014, require that classified networks be protected by monitoring and auditing of user activity.

But there are no such directives for unclassified government networks. Even the May 2021 Executive Order on Improving the Nation’s Cybersecurity, which calls for federal agencies to implement zero trust cybersecurity architectures, doesn’t specifically mandate that organizations implement user activity monitoring (UAM).

Yet UAM remains a highly effective means of layered security for agency networks, data and users. Bear in mind that most federal employees who access government networks — including those who work for the DoD and IC — spend most of their time on unclassified networks. And 82% of data breaches involve human error, misuse, or social engineering, according to Verizon’s 2022 Data Breach Investigations Report.

As the National Counterintelligence and Security Center recently put it, “Most insider threats exhibit risky behavior prior to committing negative workplace events. If identified early, many insider threats can be mitigated before harm occurs.” In fact, deploying UAM on unclassified networks can better protect classified networks where UAM is already in place. Here’s how.

Monitoring activity, analyzing behavior

UAM provides enhanced visibility as users interact with data and systems from the endpoint in near real time. The goal isn’t to keep tabs on how workers are spending their time, but rather to look for risky behavior that could indicate bad cybersecurity hygiene, compromised credentials, or attempts to steal data. Your security team can then home in on that activity to investigate further.

Did a user email controlled unclassified information (CUI) to a commercial or private email account? Did a user remove CUI markings from a document and print it to a printer on another floor of the building where they work? Did a user upload documents marked for official use only (FOUO) to a personal cloud account? All of these could be legitimate tasks, or they could indicate prohibited behavior. UAM enables you to uncover that activity and take appropriate steps.

To be most effective, organizations should deploy a strategy focused on “collection-exploration-insight,” where UAM is the endpoint sensor that performs policy-driven data collection. Organizations can then gain insight through analytics to understand and rapidly respond to risky behaviors before harmful events occur. Behavior analytics assigns each user a holistic risk score based on user-centric risk models that combine cyber indicators with user and entity indicators. These configurable analytic models and scenarios can be tuned without additional programming or scripting to address new and emerging insider threat use cases. Turning data into actionable intelligence that identifies anomalies and prompts action is critical for any insider risk program.
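The following is an added illustration, not code from the article or from any Forcepoint product, of what the collection-exploration-insight flow looks like in practice for the three scenarios named above: the event records, the agency domain, the approved cloud service and the scenario weights are all constructed assumptions, and a real deployment would consume endpoint sensor data and tune weights through the analytics platform rather than in code.

```python
"""Toy UAM pipeline: collection -> exploration -> insight.

Constructed endpoint events (not real data) are matched against
configurable scenarios and rolled up into a per-user risk score.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed agency environment (hypothetical values).
AGENCY_DOMAIN = "agency.example"
APPROVED_CLOUD = {"files.agency.example"}
SENSITIVE_MARKINGS = {"CUI", "FOUO"}

# Scenario weights live in data so analysts can tune them without code changes.
SCENARIO_WEIGHTS = {
    "cui_to_external_email": 40,
    "marked_doc_to_personal_cloud": 35,
    "marking_removed_then_printed": 30,
}
SEQUENCE_WINDOW = timedelta(hours=2)  # marking removal must precede the print by this much at most

# Collection phase: a constructed sample of events an endpoint sensor would report.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "alice", "type": "email", "marking": "CUI",
     "recipient": "alice.home@mail.example", "doc": "budget.docx"},
    {"ts": "2024-03-04T09:30:00", "user": "alice", "type": "email", "marking": "CUI",
     "recipient": "bob@agency.example", "doc": "budget.docx"},
    {"ts": "2024-03-04T10:05:00", "user": "bob", "type": "marking_removed", "marking": "CUI",
     "doc": "roster.pdf", "floor": 3},
    {"ts": "2024-03-04T10:40:00", "user": "bob", "type": "print",
     "doc": "roster.pdf", "floor": 7, "user_floor": 3},
    {"ts": "2024-03-04T11:00:00", "user": "carol", "type": "cloud_upload", "marking": "FOUO",
     "doc": "plan.pptx", "destination": "drive.personal.example"},
    {"ts": "2024-03-04T11:10:00", "user": "carol", "type": "cloud_upload", "marking": "FOUO",
     "doc": "plan.pptx", "destination": "files.agency.example"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


# Each scenario sees the current event plus the events that preceded it.
def cui_to_external_email(event, _history):
    return (event["type"] == "email"
            and event.get("marking") in SENSITIVE_MARKINGS
            and _domain(event["recipient"]) != AGENCY_DOMAIN)


def marked_doc_to_personal_cloud(event, _history):
    return (event["type"] == "cloud_upload"
            and event.get("marking") in SENSITIVE_MARKINGS
            and event["destination"] not in APPROVED_CLOUD)


def marking_removed_then_printed(event, history):
    """Sequence scenario: marking stripped, then printed on a different floor soon after."""
    if event["type"] != "print" or event.get("floor") == event.get("user_floor"):
        return False
    now = _ts(event)
    return any(prior["user"] == event["user"]
               and prior["type"] == "marking_removed"
               and prior["doc"] == event["doc"]
               and timedelta(0) <= now - _ts(prior) <= SEQUENCE_WINDOW
               for prior in history)


SCENARIOS = {
    "cui_to_external_email": cui_to_external_email,
    "marked_doc_to_personal_cloud": marked_doc_to_personal_cloud,
    "marking_removed_then_printed": marking_removed_then_printed,
}


def explore(events):
    """Exploration phase: run every scenario over the time-ordered event stream."""
    hits, history = [], []
    for event in sorted(events, key=_ts):
        for name, rule in SCENARIOS.items():
            if rule(event, history):
                # Record the scenario and document, not recipient addresses, so the
                # insight layer carries the minimum personal data an analyst needs.
                hits.append({"user": event["user"], "scenario": name,
                             "ts": event["ts"], "doc": event["doc"]})
        history.append(event)
    return hits


def score_users(events):
    """Insight phase: roll scenario hits up into a holistic 0-100 risk score per user."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for hit in explore(events):
        scores[hit["user"]] += SCENARIO_WEIGHTS[hit["scenario"]]
        reasons[hit["user"]].append(f'{hit["ts"]} {hit["scenario"]} ({hit["doc"]})')
    return {u: {"score": min(100, s), "reasons": reasons[u]} for u, s in scores.items()}


if __name__ == "__main__":
    for user, result in sorted(score_users(SAMPLE_EVENTS).items()):
        print(user, result["score"], result["reasons"])
```

In this sample, alice's email to a colleague at the agency domain produces no hit while the copy sent to a personal mailbox does, carol's upload to the approved agency service is ignored, and bob is flagged only because the marking removal and the off-floor print of the same document fall inside the configured window. Adding a new use case means adding a rule function and a weight entry, which is the "scenario" an analyst would tune in a real platform.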

Strengthening classified-network safeguards

UAM on unclassified networks provides critical visibility into and awareness of user activities and behavior. This enables analysis and better decision making, which in turn better safeguards the highly sensitive, classified networks operated by the DoD and IC.

Why? Because even networks that aren’t physically linked are connected by people. The same employees who have access to classified resources also regularly use unclassified networks.

As a result, risky behavior on operational systems can also signal high-risk activity on closed, segregated networks. A particular concern is highly sensitive data spilling over to the unclassified network, where it is left open for exploitation and exfiltration. Focusing on user behavior also enables the organization to detect intent to harm self or others and other risky or criminal behavior.

Monitoring the activity of unclassified users gives security analysts a fuller picture of those users on classified networks, as well. Thwarting risky behavior on an unclassified network can prevent the more serious, consequential breach of a highly restricted resource.

Protecting more than just networks

Not only is UAM a key component of securing networks, it also protects people. The software can provide visibility into user behavior that might signal that a user has been compromised by a social engineering campaign. It can likewise uncover planning of potentially dangerous or illegal activity such as self-harm, harm to others, and other crimes.

Such conduct isn’t likely to be carried out on classified resources. But it could be hidden in plain sight on an unclassified network. UAM might be the last barrier standing between suspicious behavior and a dangerous or criminal event.

Agency employees should know when unclassified networks are monitored — and how UAM benefits them. That information should be communicated as part of cybersecurity awareness training. Effective training also reduces risk against unclassified networks by helping employees understand acceptable use of agency resources, recognize and avoid compromising schemes, and know when to report suspicious activity.

UAM programs should be implemented with the involvement of all appropriate stakeholders. Agencies typically create a policy board with representatives from the C-suite, security, compliance, legal, risk, HR, IT and other relevant functions. To protect privacy, an effective UAM solution provides robust auditing and access controls for analysis and prevents security analysts from viewing personally identifiable information (PII).

Security is ultimately about reducing risk, and that’s exactly the purpose of UAM. You can’t manage your agency’s risk if you don’t have a clear picture of it. You can’t protect data resources if you don’t fully understand the threats against them. UAM gives your agency the visibility and protections it needs to safeguard data and users — on both classified and unclassified government networks.

Nicole Diresta is vice president and chief strategy officer of Global Governments and Critical Infrastructure at Forcepoint.
