Tackling Insider Threats

This interview is an excerpt from GovLoop’s recent Guide to Government’s Critical Cyberthreats. This research guide explains the various cyberattacks government endures and provides steps to safeguard your information systems.

When it comes to addressing insider threats, government still tends to place too much emphasis on user identity, authentication, and authorization. Tackling insider threats doesn’t stop at security clearances for each user. There is still a great need to understand whether an “approved user” is misusing the data they can access. To learn more, GovLoop recently sat down with Ken Durbin, Unified Security Practice Manager at Symantec, who shared where government is falling short and how authentication and data management can address these shortcomings.

“The problem is strategies stop short on permissions and access to data,” said Durbin. “Less emphasis is placed on monitoring users after they are authorized, so they could either inadvertently or maliciously expose the organization’s data.”

Instead, agencies need to improve data classification and leverage actionable intelligence to better communicate and share information to stop insider threats. Included among Symantec’s portfolio of solutions are tools that leverage actionable intelligence and strategies focused on endpoint security, email security, and data loss prevention.


For government agencies, the first step to better authentication and insider threat prevention is knowing where all data resides so that it can be properly classified. To implement better classification, agencies need to understand where their data is stored, its level of sensitivity, and who is accessing it and why. Durbin suggested solutions like Symantec Data Loss Prevention, which can help prevent the accidental or malicious exfiltration of sensitive data. In addition, they can help agencies:

• Discover where data is stored across your endpoints, servers and storage. Identify true data owners and be alerted to unusual activity.

• Monitor how data is being used when users are on and off the organization’s network.

• Protect data by notifying users about policy violations, securing exposed files and folders, and stopping outbound communications.

• Manage data loss policies, workflow remediation, reporting, and administration from a web-based management console.

Stronger data classification allows your agency to better detect any unusual activity by your employees. For example, if Joe normally accesses data between 9am-5pm on weekdays, but suddenly starts accessing data at 2am on Sundays, it’s critical to have a system that can help you detect that irregular behavior before any sensitive information is compromised.
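The kind of check Durbin describes can be sketched as a per-user baseline of normal access days and hours, with new events flagged when they fall outside it. The following is an added illustration, not Symantec code or anything from the interview; the log lines, user names and resource names are constructed.

```python
"""Per-user access-hour baselining over constructed audit log lines (illustrative only)."""
from datetime import datetime

# Constructed historical records, not real data: user,ISO timestamp,resource
BASELINE_LOG = [
    "joe,2024-03-04T09:12:00,hr_share",      # Monday 09:12
    "joe,2024-03-05T13:40:00,hr_share",      # Tuesday 13:40
    "joe,2024-03-06T16:55:00,finance_share", # Wednesday 16:55
    "joe,2024-03-07T10:05:00,hr_share",      # Thursday 10:05
    "ann,2024-03-04T22:10:00,ops_share",     # Ann works a night shift
    "ann,2024-03-05T23:30:00,ops_share",
]

# Constructed new events to evaluate against the baseline
NEW_EVENTS = [
    "joe,2024-03-10T02:05:00,hr_share",   # Sunday 02:05: outside Joe's pattern
    "joe,2024-03-11T09:30:00,hr_share",   # Monday 09:30: normal for Joe
    "ann,2024-03-11T22:45:00,ops_share",  # Monday 22:45: normal for Ann
]


def parse(line):
    """Split one CSV log line into (user, datetime, resource)."""
    user, ts, resource = line.split(",")
    return user, datetime.fromisoformat(ts), resource


def build_baseline(lines):
    """Per user: the set of weekdays seen and the earliest/latest hour of access."""
    seen = {}
    for line in lines:
        user, when, _ = parse(line)
        days, hours = seen.setdefault(user, (set(), []))
        days.add(when.weekday())
        hours.append(when.hour)
    return {u: (days, min(h), max(h)) for u, (days, h) in seen.items()}


def is_unusual(user, when, baseline, slack_hours=1):
    """True if the user has no history, accessed on an unseen weekday,
    or accessed outside their usual hour range (plus a small tolerance)."""
    if user not in baseline:
        return True
    days, lo, hi = baseline[user]
    in_hours = lo - slack_hours <= when.hour <= hi + slack_hours
    return when.weekday() not in days or not in_hours


def flag_unusual(lines, baseline):
    """Return the log lines whose access falls outside the user's established pattern."""
    return [line for line in lines if is_unusual(*parse(line)[:2], baseline)]
```

A real deployment would build the baseline over weeks of data and score deviations rather than use a hard cutoff, but the shape of the check is the same.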


The federal government is already implementing multi-factor authentication to strengthen endpoint security. For two-factor authentication, a key fob that displays a regularly changing code is used in addition to a password.

While such steps are significant, Durbin suggested that federal agencies take it to the next level by implementing a third factor of authentication. This is multi-factor authentication that requires a biometric component (something you are), like a person’s thumbprint, in addition to a user ID and a password. Solutions like Symantec’s Validation and ID Protection (VIP) incorporate this third factor into a user’s authentication process.

With third-factor authentication, your agency can easily deploy stronger authentication without the expense of deploying and maintaining dedicated on-premises authentication infrastructure. Additionally, this allows for a cloud-based strong authentication service that enables secure access to networks without impacting productivity.


To be effective, these security measures must also be deployed in concert, Durbin explained. “But instead of operating together as an intelligence community, agencies are operating in silos and not communicating with each other,” he said.

For example, tools that protect endpoint devices only have information about the endpoint. Likewise, tools that protect network gateways only have information about the network device.

The idea of actionable intelligence is to instead have security tools automatically communicate and share intelligence. With actionable intelligence, potential threats could be identified much faster. “If you could take the information gained from actionable, shared intelligence, it would make your agencies more informed and more efficient,” Durbin said.

Tools like Symantec’s Advanced Threat Protection (ATP) solution coordinate action at the endpoint, network, and email gateway so that these control points are working together for better overall security against threats, not in silos.

By harnessing actionable intelligence, tools like Symantec’s ATP can search for signs of attacks across multiple control points within your agency’s infrastructure, all with a click of a button. If you discover a suspicious file in your environment, you can easily retrieve it for further analysis. This is especially important for isolating threats that may compromise your network.

Overall, actionable intelligence provides better communication between your control points, strengthens security, and speeds up your ability to mitigate any potential threats.

It’s important to note how far government agencies have progressed in terms of the authentication and authorization processes. However, as Durbin explained, it’s just as important to acknowledge when current strategies are falling short. By better understanding data classification, utilizing strategies like third-factor authentication, and harnessing actionable intelligence, agencies can be better prepared to address the challenges that come with increasingly complex cyberthreats.
