Protecting Federal Agencies from Insider Threats
Following NITTF guidelines to create a secure environment
Insider threats pose significant risks to all organizations, including federal agencies. These insiders may be careless workers who misuse assets; disgruntled employees who destroy property or disrupt services; malicious insiders who steal information for personal gain; or third parties who compromise security. This paper describes the risks posed by insiders and the federal guidance for managing them, and looks at how a modern technology approach automates the detection and prevention of insider threats according to National Insider Threat Task Force (NITTF) guidelines.
The risk of insider threats in federal agencies
Insider risks have increased steadily in the last three years. According to Verizon, 34 percent of all data breaches in 2018 were caused by insiders, up from 28 percent during 2017 and from 25 percent during 2016. The focus on insider threats grew after major data breaches in federal agencies occurred in the early 2000s, most notably the leaks by Chelsea Manning and Edward Snowden.
Incidents like these present a heightened risk for federal agencies and may result in disruption of diplomatic relationships, exposure of vulnerabilities affecting national security, and other potentially grave personal risks to federal employees and the public.
Data breaches are often hard to detect. On average, a breach takes 197 days to identify and 69 days to contain, according to Ponemon Institute. Verizon says 40 percent of insider-related breaches require years to detect; 30 percent require months, 15 percent weeks and 10 percent days.
Federal guidance for addressing insider threats
The National Insider Threat Task Force, under the Office of the Director of National Intelligence, prescribes the use of best practices for addressing insider threats. In Nov. 2012, the new National Insider Threat Policy published “Minimum Standards for Executive Branch Insider Threat Programs.” In Nov. 2018, the NITTF published the Insider Threat Program Maturity Framework. The Framework’s goal is to guide executive branch departments and agencies to make their insider threat programs more robust and better positioned to deter, detect, and mitigate insider threat risk by exceeding the Minimum Standards.
Leveraging technology to stop internal threats
While the insider risks faced by departments and agencies differ from those faced by business entities, the manner in which attacks are carried out is similar. Malicious insider behaviors include the use of stolen credentials for system access, accessing sensitive data under a privileged user’s identity, and downloading or transferring sensitive data for exfiltration. An established technology approach combines the efficient user activity monitoring (UAM), analytics and response prescribed by the Framework. This approach, called user and entity behavior analytics (UEBA), is typically deployed as an integrated capability of a modern security information and event management (SIEM) system.
Modern enterprise IT security solutions use UEBA to detect advanced threats that legacy solutions are unable to detect. UEBA solutions ingest operational and security data from many sources and use analytics such as machine learning and behavior analysis to determine what is “normal” behavior by users and entities on an enterprise network. The solution builds standard profiles of behavior across peer groups over a period of time and creates a baseline of that behavior. As anomalous activity is identified, it is assigned a risk score. The score rises with increasing amounts of anomalous behavior until it crosses a predefined threshold. When this occurs, UEBA sends an alert to security operations center analysts who use the data to remediate the threats.
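The peer-group baseline, per-event anomaly scoring and threshold alerting described above, as an added illustration that is not Exabeam's or any product's code: the events, the two behavioral features (logon hour and download volume), the point weights and the alert threshold of 50 are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline period: (user, peer_group, logon_hour, mb_downloaded)
BASELINE_EVENTS = [
    ("alice", "analysts", 9, 40), ("alice", "analysts", 10, 55),
    ("bob", "analysts", 8, 45), ("bob", "analysts", 11, 50),
    ("carol", "analysts", 9, 60), ("carol", "analysts", 14, 35),
    ("dave", "admins", 22, 500), ("dave", "admins", 23, 650),
    ("erin", "admins", 21, 580), ("erin", "admins", 2, 700),
]

# Constructed observation period to score against the baseline
NEW_EVENTS = [
    ("alice", "analysts", 10, 50),    # ordinary analyst activity
    ("bob", "analysts", 3, 48),       # unusual hour for the analysts peer group
    ("bob", "analysts", 3, 2000),     # unusual hour and volume: exfiltration-like
    ("dave", "admins", 23, 620),      # large, but normal for the admins peer group
]

def build_baseline(events):
    """Per peer group: usual logon hours plus mean/stddev of download volume."""
    hours, volumes = defaultdict(set), defaultdict(list)
    for _user, group, hour, mb in events:
        hours[group].add(hour)
        volumes[group].append(mb)
    return {g: (hours[g], mean(volumes[g]), pstdev(volumes[g])) for g in volumes}

def score_event(baseline, event):
    """Risk points for deviation from the peer group's baseline (weights assumed)."""
    _user, group, hour, mb = event
    usual_hours, mu, sigma = baseline[group]
    points = 0
    if hour not in usual_hours:
        points += 20  # assumed weight: access outside the peer group's hours
    z = (mb - mu) / sigma if sigma else 0.0
    if z > 3:
        points += 40  # assumed weight: volume far above the peer group
    return points

def run_detection(baseline, events, threshold=50):
    """Accumulate risk per user; return scores and users who crossed the threshold."""
    scores, alerts = defaultdict(int), []
    for event in events:
        scores[event[0]] += score_event(baseline, event)
        if scores[event[0]] >= threshold and event[0] not in alerts:
            alerts.append(event[0])
    return dict(scores), alerts
```

Scoring against the peer group rather than a global average is what keeps dave's large but routine admin download from raising an alert while bob's off-hours, high-volume activity crosses the threshold.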
The risks to federal departments and agencies from insider threats remain persistent. Leveraging technology to protect agencies according to the Insider Threat Program guidelines as prescribed by the National Insider Threat Task Force can improve detection, response and mitigation of insider threats. To learn more about how the guidelines of NITTF are addressed by Exabeam solutions we invite you to download the full paper, “A Technology Solution for Protecting Federal IT from Insider Threats.”