Crafting Holistic Insider Threat Protection

The following interview with Prem Jadhwani, Chief Technology Officer of Government Acquisitions, Inc., is an excerpt from our recent guide, Securing Government: Lessons from the Cyber Frontlines. In this guide, we review five tactics government organizations are using to enhance their cybersecurity.

In addition to risking national security, insider threats are a serious vulnerability to intellectual property and classified information. No matter what the mission, every agency has high-value assets that could be compromised. But how can an entire government network be secured against internal threats?

In a recent interview, Prem Jadhwani of Government Acquisitions, Inc. (GAI), a security solutions provider, asserted that agencies must first understand their current risk. Then, they should deploy a comprehensive, continuous monitoring program.

Identify Insider Threat Risks
Before tackling insider threats, Jadhwani said that agencies must first understand their critical assets, unique risk, and risk appetite. “Most of the time, people have the feeling the bad guys are going to come from outside, but they don’t realize that there may be high-risk insiders who have certain behavioral patterns that are not being recognized,” Jadhwani said.

Agencies must scrutinize the behaviors of insider threats in order to develop a set of actionable indicators for cybersecurity teams. Jadhwani identified two patterns of potential indicators. The first are the virtual patterns that most organizations already monitor to some extent. These include digital log records that track employees' online activity.

“Are they going over to SharePoint sites loaded with classified data that they should not be touching? Do they have a need to know? And are they downloading or printing that data? Are they sending data to their personal emails? That’s the digital trail, or virtual path, we look for,” said Jadhwani.

The other side is non-virtual, what Jadhwani calls “people-centric,” and focuses on human behavior. Potential indicators of an insider threat include expressions of frustration or compulsive behavior, a tendency to work on-site or remotely at odd hours, signs of vulnerability such as drug abuse, and unexpected wealth acquisition or foreign travel.

Both virtual and non-virtual factors have to be monitored carefully over time, but this is no easy task. “You are collecting lots of structured and unstructured data and you need a way to be able to correlate that data over a long period of time and look at certain specific behaviors which will alert you automatically. Rather than just one specific behavior, you are better served to look for a pattern of behaviors that will help you identify a potential insider threat,” said Jadhwani.

Once behavioral patterns are captured and analyzed, “normal behavior” baselines should be set. Then, deviations from that norm can alert your security team to potential threats in real time using an integrated solution approach.
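One way to implement the correlation Jadhwani describes, as an added example that is not part of the interview or any GAI product: constructed log events and constructed per-user baselines are fed to a small Python scorer that records each virtual indicator (need-to-know violations, copying classified data, external email, odd hours, deviation from the user's own daily volume) and raises an alert only when several distinct indicators co-occur for one user.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the article): ts|user|action|resource|classified|need_to_know
SAMPLE_LOG = """\
2024-03-04T09:15:00|alice|access|sp://finance|no|yes
2024-03-04T10:02:00|alice|download|sp://finance|no|yes
2024-03-05T02:40:00|bob|access|sp://classified-ops|yes|no
2024-03-05T02:45:00|bob|download|sp://classified-ops|yes|no
2024-03-05T02:50:00|bob|email_external|sp://classified-ops|yes|no
2024-03-05T11:00:00|carol|access|sp://classified-ops|yes|yes
2024-03-05T22:30:00|carol|print|sp://hr|no|yes
"""
# Constructed per-user baselines: mean events per day learned from an earlier "normal" window.
BASELINE_EVENTS_PER_DAY = {"alice": 3.0, "bob": 1.0, "carol": 2.0}

def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource, classified, ntk = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "resource": resource, "classified": classified == "yes",
                       "ntk": ntk == "yes"})
    return events

def indicators_for(events, baseline, off_hours=(22, 6), spike_factor=2.0):
    """Collect the distinct virtual indicators each user triggers across the window."""
    hits, per_day = defaultdict(set), defaultdict(int)
    for e in events:
        u, h = e["user"], e["ts"].hour
        per_day[(u, e["ts"].date())] += 1
        if e["classified"] and not e["ntk"]:
            hits[u].add("no_need_to_know")          # touching data outside need-to-know
        if e["classified"] and e["action"] in ("download", "print"):
            hits[u].add("copy_classified")          # download/print of classified data
        if e["action"] == "email_external":
            hits[u].add("external_email")           # data sent to a non-agency mailbox
        if h >= off_hours[0] or h < off_hours[1]:
            hits[u].add("odd_hours")
    # Deviation from the user's own baseline, not from a single global threshold.
    for (u, _day), n in per_day.items():
        if n > spike_factor * baseline.get(u, float("inf")):
            hits[u].add("volume_spike")
    return hits

def score_users(events, baseline=BASELINE_EVENTS_PER_DAY, min_indicators=2):
    """Alert only on a pattern: two or more distinct indicators for the same user."""
    return {u: sorted(ind) for u, ind in indicators_for(events, baseline).items()
            if len(ind) >= min_indicators}
```

Running `score_users(parse_log(SAMPLE_LOG))` alerts on bob alone; carol's single odd-hours print is recorded but, being one behavior rather than a pattern, does not alert.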

Deploy Integrated Security Systems
In order to establish this monitoring and alert system, Jadhwani said agencies will need more than just technology. “A lot of customers I speak to think that the technology is sufficient to protect against insider threats. However, I disagree with that,” he said.

Instead, Jadhwani recommended taking a multi-faceted approach that he calls “PPTTC,” for policies, procedures, technology, training, and continuous monitoring. The idea of this comprehensive approach is not just to detect threats within your agency, but to deter them.

“From a government acquisition perspective, we are a full set solution provider,” said Jadhwani. “What that means is we start by gaining an understanding of a customer’s environment, their tools, and their policies. And then we look at technology. But remember, none of the tools can do all the work alone. It’s not about putting one tool here and one tool there. What you need to look for is a fully integrated and correlated solution architecture that spans multiple layers of security.”

Training is another important component of this approach, Jadhwani said. Mandatory training modules that already take place in most agencies help build threat awareness into organizational culture. Product-specific training is also necessary so that tools, such as the monitoring dashboard described below, can be deployed effectively.

The final piece is constant surveillance of networks. “[Continuous monitoring software] collects, indexes, and visualizes the complete structured and unstructured data streams into one single pane which allows you to set your own rules and key performance indicators on a dashboard,” Jadhwani explained. “It allows you to take real-time action before the damage is done.” And a significant value-add of GAI as a solutions provider is that they can understand the infrastructure gaps, help provide valuable market research, and build a customized monitoring dashboard to fit an agency’s specific needs.

Threats that have the potential to inflict significant damage require a security approach that is both meticulous and comprehensive. With the help of solutions providers such as Government Acquisitions, agencies can achieve this level of security and feel confident that their critical assets are protected.
