The one challenge facing every agency where IT innovation and modernization could make a huge difference is defending against the insider threat.
So it shouldn’t come as a surprise to anyone that the FBI is making IT innovation and insider threat synonymous.
Roger Stanton, the assistant director of the insider threat office for the FBI, said for the bureau it’s more than just protecting information and people. The new technology can help address the culture challenges of a force of alpha males and females.
“I have two types of employees, creators and system people. Creators are those people who are out on the edge, in the white space, driving to create a capability that does not exist yet,” said Stanton, who joined the FBI’s insider threat office about a year ago. “Then I have the system people who are between the four corners of policies and regulations, and they get things done and they do it within the systems. I have also found they drive each other crazy because the creators want to be out there on the fringe that will be the next great thing, and the system people are the ones who say, ‘You can create that iPhone, but if you can’t deliver to the customers, then our business is going to fail.’”
Speaking at the Justice Department’s cyber symposium on May 9, Stanton said having a healthy tension between the two groups is a good thing, but it also makes leading them more difficult.
To help address the people side of the insider threat challenge, Stanton said the FBI is launching two new platforms.
The first one will help the FBI do a better job of understanding the possible threats within its three investigative elements — security violations, internal misconduct and internal espionage.
“We manage those referrals and we make sure we are monitoring every referral that comes into completion so it’s my job to make sure collaboration is emphasized and maximized,” he said. “We use this software application, we call Javelin, it’s home grown, and it manages referrals. What we do to make sure the big three get a benefit from entering referrals into the system and monitoring them is we pull from our holdings so when you type in an individual’s name, it throws a bunch of information at you, whether it’s the history of polygraph exams, any incidents they have been associated with in the past and any investigative information.”
Through privileged user access, when a referral comes into the insider threat office, the investigator is the only one who has access to the case and information.
The second application is called Insider Threat Analysis Platform (InTAP), which is the FBI’s big data analytics tool that looks at potential models, triggers and the data sets it has to identify potential threats to the organization.
Stanton said analytics receive the data and decide whether it needs to be referred to an investigator.
“We are developing that now. We are at initial operating capability for that,” he said. “Until that final capability is issued, and everyone in the insider threat program knows that anyone who says they have this [issue] licked, they lose credibility with us because it’s a continual examination of your internal business processes, your culture, the applications that are unique to your organization, that is what an insider threat program is. And because they change and modify, we have to change with it.”
Stanton said the FBI doesn’t talk too often about this program as it’s concerned about adversaries taking advantage of its strategies.
This is why getting this look inside the FBI — pun intended — is worthwhile. This is especially true since October will be seven years since President Barack Obama signed an executive order requiring agencies to implement an insider threat detection and prevention program and, for the most part, they have struggled.
Until the FBI can fully launch its InTAP application, it’s relying on its legacy approach, which uses bulk data derogatory records checks that look at different triggers and models.
“We take our 70,000 employees, contractors and detailees and throw it against certain data sets that might be an indication that there could be misconduct or could be a risk posed by that insider based on the modeling and triggers we do,” he said. “The FBI takes great research to work with its intelligence community partners to push information sharing about how we are modeling or identifying insider threats, and what we think behavior analytics should be for that. It’s a huge challenge because it’s another thing that changes as cultural things change as the way we communicate changes.”
All of these efforts are overseen by an Insider Threat Risk Board, which is run by the associate deputy director of the FBI and includes all the executive assistant directors and assistant directors involved with insider threat matters, including human resources, financial management, technology and others. The board meets quarterly to review the FBI’s critical assets and what potential risks they are facing.
“Key vulnerabilities are business processes. How do we go about our day-to-day operations? What sort of vulnerabilities may be there?” he said. “One example could be how we escort visitors into the building. Each individual office had its own policy, and when we looked at them some were good and some were great. A business process across the whole FBI can be improved so those good ones could be great.”
Stanton said the FBI identifies those risks by getting together every two years with the risk board and ordering the entire organization to think about critical assets and business processes that are vulnerable to insider threats.
From that, the board will come up with manageable risks based on the highest or most critical vulnerabilities.
“My office has a critical asset vulnerabilities assessment team and they will do a ‘red team’ approach to look at everything around that asset or business process and try to identify any gaps or vulnerabilities that are posed by an insider,” Stanton said.
Once they find the gaps or vulnerabilities, communication and training help fix any potential or real challenges.
While the FBI’s requirements for protecting against insider threats may be more rigorous than many other agencies, there is no reason why these two platforms couldn’t become shared services for other agencies, especially given it’s one of the administration’s priorities.