NSA: Behavioral analytics software is key to spotting insider threats
As the story of NSA whistleblower Edward Snowden hits movie theaters across the U.S., the country’s biggest spy agency is diligently working to improve its capabilities to spot and stop future insider threats before they ever materialize.
Balancing the need for security in a hyper-clandestine environment with individual privacy concerns, however, is a challenging endeavor for the NSA, explained Director Adm. Michael Rogers during a Tuesday keynote address at the 2016 Billington Cybersecurity Summit.
“Is this an area where we have tried to improve on and focus on? Yes. Look, if you want to guarantee that you’ll never have an insider challenge? Boy, that is really problematic,” Rogers said. “It’s always about how do you find a balance between those two very important imperatives … Because if you make it one or the other you’re going to have very bad outcomes.”
The issue of insider threats poses a significant challenge not only to the federal government, but also to the private sector, a panel of cybersecurity experts and intelligence officials said Tuesday. A June 2015 research study found that 62 percent of security professionals reported that insider threats had become more frequent over the last 12 months.
“Data breaches usually take place over a relatively long period of time spanning weeks to months and even years. An insider may acquire small amounts of sensitive information over a long period of time,” a separate research study conducted by security firm Imperva reads, “in some cases, breaches are noticed only after damaging events have taken place.”
At the NSA, Snowden’s public disclosure of secretive programs has left a lasting lesson.
“So, the NSA cares very deeply about the issue of insider threat,” NSA Information Assurance Directorate, or IAD, Technical Director Neal Ziring said with a smile to a chorus of laughs, “and I have written several long blog entries on this that none of you can see. You know, internally.”
Ziring, also a speaker at the Billington conference, described in broad terms how the agency is countering insider threats.
“You can’t stop people from doing their job. If they are inside your network then they got work to do; they’re pulling documents, they’re writing reports, they’re doing a lot of stuff,” said Ziring. “Insider threat behavior, and other malicious behavior, is always deviant from normal behavior. If you have the right analytics and you actually pay attention to them, then you can have a very good chance at detecting that deviance and shutting it down before it has impact on you.”
The need for a revolving cast of employees, customers and supply chain partners to access sensitive information and other systems underlies the larger insider threat problem, said Eric Green, security strategist for Cyber adAPT.
“Measuring scope of what people have access to is key to managing an impact [in an insider threat situation],” said Steven Grossman, a vice president for insider threat behavioral analytics firm Bay Dynamics.
There’s a very fine line between insider threats and compromised accounts, explained Grossman, whose company counts the U.S. intelligence community among its customers.
“The only difference is just who is using the privileges to do what they’re doing … pure analysis, understanding what behavior is changing relative to the people they work with in order to reduce false positives and by building a profile and by having humans in the loop with business context … that’s the final determinant.”
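To make Ziring’s and Grossman’s point concrete, the following is an added example (not code from the NSA, Bay Dynamics or Cyber adAPT) that scores each user’s document pulls and repository scope against their team peers over constructed access-log lines and queues deviants for analyst review rather than acting automatically; the log format, team names, repositories and the z-score threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines: "<timestamp> <user> <team> <repository> <action>".
SAMPLE_LOG = """\
2016-09-13T08:01 alice analytics reports/q3 pull
2016-09-13T08:20 alice analytics reports/q2 pull
2016-09-13T09:02 alice analytics reports/q3 pull
2016-09-13T10:15 alice analytics reports/q3 pull
2016-09-13T08:05 bob analytics reports/q3 pull
2016-09-13T09:40 bob analytics reports/q3 pull
2016-09-13T08:00 carol analytics reports/q3 pull
2016-09-13T08:03 carol analytics reports/q2 pull
2016-09-13T08:09 carol analytics reports/q3 pull
2016-09-13T08:14 carol analytics reports/q2 pull
2016-09-13T08:21 carol analytics reports/q3 pull
2016-09-13T08:27 carol analytics hr/salaries pull
2016-09-13T08:33 carol analytics reports/q3 pull
2016-09-13T08:30 dave infra infra/runbooks pull
2016-09-13T08:45 erin infra infra/runbooks pull
2016-09-13T09:45 erin infra infra/runbooks pull
"""

def parse(log):
    # Yield (user, team, repo) for each "pull" event in the log text.
    for line in log.splitlines():
        _, user, team, repo, action = line.split()
        if action == "pull":
            yield user, team, repo

def score(log, z_threshold=3.0):
    # Baseline = team peers only (leave-one-out), so a user's own activity never skews it.
    pulls, repos, teams = defaultdict(int), defaultdict(set), defaultdict(set)
    for user, team, repo in parse(log):
        pulls[user] += 1
        repos[user].add(repo)
        teams[team].add(user)
    queue = {}
    for members in teams.values():
        for user in members:
            peers = members - {user}
            counts = [pulls[p] for p in peers]
            sd = pstdev(counts) if len(peers) >= 2 else 0.0  # 1 peer: no spread
            z = (pulls[user] - mean(counts)) / sd if sd else 0.0
            peer_repos = set().union(*(repos[p] for p in peers))
            outside = sorted(repos[user] - peer_repos)
            # Queue for analyst review; a human with business context decides.
            if z >= z_threshold or outside:
                queue[user] = {"z": round(z, 2), "outside_peer_scope": outside}
    return queue
```

Volume alone would flag a busy but legitimate analyst, so the scope check (repositories no peer touches) is kept as a separate signal for the reviewer.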
According to the SANS Institute, nearly a third of all organizations still have no capability to prevent or deter an insider incident or attack, and only 9 percent of them rank their insider prevention methods as “very effective.”