Oliver Stone’s Snowden opens today to not very spectacular reviews. I’m going to see it tonight, anyway. I’ll let you know how it goes on Monday. While daily open source news feeds have been mostly focused on election-related hacks and the e-mail panic spreading across Washington, D.C., the resurgence of the Snowden discussion—the movie, amnesty, Steven Bay’s confessional, the House Intelligence Committee’s report on Snowden’s leaks—has put the insider threat at the forefront of security professionals’ minds. That threat seems pretty unassailable. But it’s not, necessarily.

THE DEVIANTS

A variety of surveys explain why insider threats are so menacing. For instance, nearly 70 percent of organizations have identified successful attacks or attempts. A surprising number of IT professionals call their organizations unequipped to detect or prevent leaks, intentional or otherwise, even though they know the significant risk insider threats represent. Many organizations that do have some sort of defenses don’t believe those measures are effective. Nearly two-thirds of surveyed organizations acknowledge that employees without a need to know have access to that information. And so it goes.

To complicate matters, response times to breaches are generally slow—about half took a month or more to discover the breach. And while people like Snowden supposedly leak for moral or ethical reasons, well over half of those involved in espionage do it for the money, and a third to get a leg up on their next job. And the threat is apparently getting worse.

DETECTING DEVIANCE

According to NSA Director Adm. Mike Rogers, speaking last Tuesday at the 2016 Billington Cybersecurity Summit in the nation’s capital, preventing breaches from the inside is nearly impossible. However, Neal Ziring, at the same conference, was more optimistic about catching saboteurs. Ziring is Technical Director of NSA’s Information Assurance Directorate, under Rogers. Simply put, organizations just have to be more perceptive. “Insider threat behavior, and other malicious behavior, is always deviant from normal behavior. If you have the right analytics,” he said, “and you actually pay attention to them, then you can have a very good chance at detecting that deviance and shutting it down before it has impact on you.”

Identifying the deviants’ deviance is generally a matter of behavioral analytics software: machine-learning tools that establish what normal activity looks like, detect deviations from it, and alert managers. However, while behavioral analytics tools are important and becoming all the rage, these tools alone are simply not enough.

THE HUMAN FACTOR

Somehow, the human factor always comes in. No matter how great software is, the cool reasoning of human wisdom seems to make things work better.

Network World contributor Bryan Ware agrees. Ware writes, “An insider threat program will fail if it is based solely on the outputs of rules-based or machine-learning systems monitoring network activity.” According to Ware, the more data a behavioral analytics system has to process, the more complex the process becomes, and the more likely it is to tie itself up in knots. “As the volume, velocity and variety of threats has increased,” Ware writes, “the limitations of these data-driven systems have become all too apparent: by the time a threat is detected, the attack often has already occurred.”

In the first part of a two-part series, Ware offers some smart solutions. Picking up on Ziring’s observation—that it’s really all about deviant behavior, that is, behavior that deviates from the norm—Ware recommends IT security professionals move beyond behavioral analytics software and review more human data. For instance, what are the routines when it comes to access, tracked by badge scans, and when are those routines disrupted? Human Resources could even help. “Even external and third-party sources—for example, bankruptcy, divorce and arrest records, as well as open-source data from social media and news outlets,” Ware says, “should be tapped for evidence that bolsters sometimes weak internal signals.”
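To make Ziring’s “deviance from normal behavior” and Ware’s badge-scan routines concrete, here is a small added example (my own illustration, not code from Ziring, Ware, or any product mentioned above). It learns each person’s routine from a baseline period of badge scans and then flags scans in a later period that break that routine: scans outside the person’s usual hours, doors the person never used before, and days with far more scans than the baseline ever saw. All log lines, names, doors and the one-hour margin are constructed for the example; a real deployment would use a rolling baseline and tune thresholds to its own population.

```python
"""Added example: flag badge scans that deviate from a user's learned routine.
All data below is constructed; the rules and thresholds are illustrative."""
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: what "normal" looks like for two users.
BASELINE_LOG = """\
2016-08-22T08:02:11 alice lobby
2016-08-22T17:31:40 alice lobby
2016-08-23T08:04:05 alice lobby
2016-08-23T10:15:22 alice lab
2016-08-23T17:29:51 alice lobby
2016-08-24T07:58:30 alice lobby
2016-08-24T17:35:12 alice lobby
2016-08-25T08:01:47 alice lobby
2016-08-25T17:30:09 alice lobby
2016-08-22T07:45:10 bob lobby
2016-08-22T09:00:02 bob lab
2016-08-22T16:10:45 bob lobby
2016-08-23T07:47:51 bob lobby
2016-08-23T09:02:13 bob lab
2016-08-23T16:08:20 bob lobby
2016-08-24T07:44:00 bob lobby
2016-08-24T09:01:30 bob lab
2016-08-24T16:12:05 bob lobby
"""

# Constructed detection period: mostly routine, with a few disruptions.
NEW_LOG = """\
2016-09-12T08:05:40 alice lobby
2016-09-12T17:28:03 alice lobby
2016-09-13T02:41:19 alice lobby
2016-09-13T02:43:05 alice server-room
2016-09-13T07:50:02 bob lobby
2016-09-13T09:05:00 bob lab
2016-09-13T10:00:00 bob lab
2016-09-13T11:00:00 bob lab
2016-09-13T12:00:00 bob lab
2016-09-13T13:00:00 bob lab
2016-09-13T16:00:00 bob lobby
"""


def parse_log(text):
    """Parse 'ISO-timestamp user door' lines into (datetime, user, door) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, door = line.split()
        events.append((datetime.fromisoformat(ts), user, door))
    return events


def hour_of_day(ts):
    """Time of day as a fractional hour, e.g. 17:30:00 -> 17.5."""
    return ts.hour + ts.minute / 60 + ts.second / 3600


def build_baseline(events):
    """Per-user routine: earliest/latest scan hour, doors used, busiest day's count."""
    routine = {}
    per_day = defaultdict(lambda: defaultdict(int))  # user -> date -> scan count
    for ts, user, door in events:
        r = routine.setdefault(user, {"earliest": 24.0, "latest": 0.0, "doors": set()})
        h = hour_of_day(ts)
        r["earliest"] = min(r["earliest"], h)
        r["latest"] = max(r["latest"], h)
        r["doors"].add(door)
        per_day[user][ts.date()] += 1
    for user, days in per_day.items():
        routine[user]["max_per_day"] = max(days.values())
    return routine


def find_deviations(events, routine, margin_hours=1.0):
    """Return (user, when, reason) tuples for activity that breaks the routine."""
    findings = []
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, user, door in events:
        r = routine.get(user)
        if r is None:
            findings.append((user, ts.isoformat(), "no baseline for user"))
            continue
        h = hour_of_day(ts)
        lo, hi = r["earliest"] - margin_hours, r["latest"] + margin_hours
        if h < lo or h > hi:
            findings.append((user, ts.isoformat(),
                             "off-hours scan (usual window %.2f-%.2f)" % (lo, hi)))
        if door not in r["doors"]:
            findings.append((user, ts.isoformat(), "unknown door: %s" % door))
        per_day[user][ts.date()] += 1
    # Volume rule: a day with more scans than any baseline day is worth a look.
    for user, days in per_day.items():
        limit = routine[user]["max_per_day"]
        for day, count in days.items():
            if count > limit:
                findings.append((user, day.isoformat(),
                                 "scan volume %d exceeds baseline max %d" % (count, limit)))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for user, when, reason in find_deviations(parse_log(NEW_LOG), baseline):
        print(user, when, reason)
```

On the constructed data this reports alice’s two pre-dawn scans (one of them at a door she has never badged into) and bob’s unusually busy day in the lab. None of those is proof of anything; the point of Ware’s argument is that such machine-flagged deviations are leads for a human to run down against HR, badge and other context, not verdicts.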

In other words, to complement the high tech, think about some good old gum-shoe detective work to tighten the net.


Ed Ledford enjoys the most challenging, complex, and high stakes communications requirements. His portfolio includes everything from policy and strategy to poetry. A native of Asheville, N.C., and retired Army Aviator, Ed’s currently writing speeches in D.C. and working other writing projects from his office in Rockville, MD. He loves baseball and enjoys hiking, camping, and exploring anything. Follow Ed on Twitter @ECLedford.