The Insider Threat: Challenges and Solutions

This blog post is an excerpt from GovLoop and Cisco’s recent Industry Perspective, Automation is Essential for Effective Cybersecurity. To download the full report, head here.

An insider is any person with authorized access to a proprietary resource; in the government, that can include personnel, facilities, information, equipment, networks or systems. An insider can pose a threat if he or she uses their authorized access, intentionally or unwittingly, to harm the security of the United States through intellectual property theft, network sabotage, data exfiltration, espionage, or reputational harm, according to the National Insider Threat Task Force (NITTF) within the Office of the Director of National Intelligence. The NITTF has been working closely with the DoD to figure out how DoD agencies can build solid insider threat programs.

The insider threat is not an easy issue to address because tomorrow’s attack won’t look much like yesterday’s, said Matthew Galligan, Cisco Systems’ Regional Manager for the DoD Cybersecurity Team. “The challenge is to identify what normal behavior is today, not knowing what the vector of attack is going to be in the future,” Galligan said. Information security professionals must be able to identify network activities that are abnormal, and alert analysts at the Security Operations Center (SOC) so they can initiate a response.

But they can’t do it alone. Advanced cybersecurity solutions that baseline normal activity automatically and identifies suspicious traffic patterns are important because people can no longer react quickly enough to keep up with the onslaught of attacks. Large data transfers leaving the network or large data transfers within the network are indicators that something abnormal is occurring. Large data transfers leaving the network would indicate data exfiltration, or somebody stealing intellectual property or classified or sensitive material. Large data transfers within the network would suggest activities such as data hoarding, where a person with access to certain systems or servers stores the information on servers or maybe secret servers with the intention of downloading the data later — a practice employed by Edward Snowden.

Network and security administrators are using myriad solutions to combat these threats, including examining security or system logs gathered by security information and event management systems (SIEM), which collect logs and other security-related documentation for analysis from multiple locations. Some organizations apply an open source software framework like Hadoop, which provides low-cost, large-scale data storage and processing, and apply advanced, big data analytics against that data. Another approach is using NetFlow and NetFlow Analytics.

Most networks have monitoring capabilities built in. For instance, network traffic metadata such as NetFlow — an open source network protocol for collecting data developed by Cisco — is inherent in most network infrastructure devices, including routers, switches and firewalls. By analyzing flow data, a picture of network traffic flow and volume can be built. By collecting and analyzing NetFlow data, network administrators can see where network traffic is coming from and going to and how much traffic is being generated. Security analysts can use this intelligence to identify abnormal behavior in the network traffic.

The whole point is to be able to understand what is normal in a network and what’s not normal by looking at new traffic patterns and employing analytics to better understand the data, said Michael Overstreet, a Security Systems Engineering Manager for Cisco. That entails coordinating this cybersecurity knowledge gleaned from technology with existing people and process controls, driving an immediate and effective response. Action can be taken manually or automatically where the identity server or network access control server is alerted to block a certain user from the network. Or if someone is demonstrating bad behavior, then the server is alerted to disconnect that user from the network. In fact, the network is being used as a sensor.

Data flowing across the network can be pulled in through NetFlow, and since there is a baseline set for what is normal, analysts can better detect an anomaly on the network — but automation is absolutely essential for swift and effective action.

Leave a Comment

Leave a comment

Leave a Reply