Government insider threat and security clearance reform efforts continue to move forward. Just this week the Senate Intelligence Committee passed the Intelligence Authorization Act, which includes several initiatives to advance the Trusted Workforce 2.0 framework. At the heart of the reform? A changing definition of who is a trusted worker and how the government can continuously vet personnel versus a ‘one-and-done’ security clearance application and adjudication. Previous cases, from Edward Snowden to Harold Martin, make it clear that when looking for the next threat – one needs to look on the inside.
As the government looks to innovate, there is a growing list of industry partners with solutions government agencies can put to the test.
“Our specialty in our organization is vetting out what’s unusual behavior for the insider threat perspective, someone that’s going to steal the Snowden-type information,” said Dan Conrad, Federal CTO at One Identity, an identity and access management company serving both the federal government and commercial clients. Conrad recently discussed insider threats, trusted users, and how the government is looking to data and identity to keep its systems safe.
“Our solutions look at, ‘how does the administrator administer on a day-to-day basis? What are their normal behaviors? What are their hours?’ Then start to build a picture of what normal looks like for that person and people of that same type, whether they’re in the same group, in the same office, in the same location, the same type of access to data, the same types of data they should be accessing,” said Conrad. He notes that within 30 days he can build a baseline of ‘normal’ behavior, and then begin to show slight variations from that.
“What I’m seeing is a push towards realizing that data ahead of time, and maybe more data points that would affect an ongoing clearance validation, as opposed to once every five years for your Top Secret or once every 10 years for your Secret,” said Conrad. He notes that the push to continuous vetting isn’t just a matter of shifting timetables – it’s about shifting mindsets. Once organizations realize it’s okay to document issues, they begin to document them more regularly, and patterns that develop over time will be easier to spot – rather than missed between regularly scheduled periodic reinvestigations.
Why is continuous vetting needed?
The security clearance process has always swung between two poles – the need for a quality workforce, and the need to push a greater quantity of professionals through the vetting process. Several hurdles currently prevent the government from succeeding on either front. The Navy Yard shooting and Edward Snowden’s breach of NSA data both occurred in 2013. That set the stage for a serious audit of the government’s quality control concerning background investigation processing. What the government realized is that in both cases, there were likely patterns of behavior that could have been flagged – had additional vetting procedures been in place.
“If that risk score elevates to something you think is malicious, you can do something like freeze the session, which is nice because in a Snowden scenario – as he starts pulling data and accessing systems he’s not usually accessing outside of his normal, day to day work, you don’t have to look at event driven data after the fact and say, ‘Guess what he did yesterday?’ We could actually freeze that session and pass that off to somebody for approval, or even terminate the session, which is a preventive measure,” said Conrad.
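The baselining Conrad describes (a picture of "normal" for a person and for people of the same type, built over a 30-day window) and the risk-score-to-session-action step in the quote above, as an added example that is not One Identity's code or product logic: a Python sketch that fits per-user and per-peer-group baselines from constructed daily activity records, scores a new day as a deviation from both, and maps the score to allow / hold for approval / terminate. The three features, the thresholds, the peer-group rule (a feature only counts as deviant when it is unusual both for the user and for the user's peers) and all sample data are assumptions chosen to illustrate the approach.

```python
"""Behavioural baselining and session risk scoring for privileged users.

Added example, not One Identity's code. Features, thresholds, the
peer-group rule and all sample records are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple

FEATURES = ("login_hour", "resources", "mb_read")
MIN_STDEV = 0.5            # floor so a constant feature does not make every change infinite
HOLD_THRESHOLD = 3.0       # assumed policy: pause the session and route to a human
TERMINATE_THRESHOLD = 8.0  # assumed policy: cut the session outright


@dataclass(frozen=True)
class DailyActivity:
    user: str
    group: str        # peer group, e.g. the same admin team
    day: int          # day index inside the baseline window
    login_hour: int   # hour of first login (0-23)
    resources: int    # distinct systems touched that day
    mb_read: float    # data volume read that day


@dataclass
class Baseline:
    means: Dict[str, float]
    stdevs: Dict[str, float]


def build_sample() -> List[DailyActivity]:
    """Constructed 30-day history for three administrators in one peer group."""
    records = []
    for day in range(1, 31):
        records.append(DailyActivity("alice", "sysadmin", day, 8 + day % 2, 5 + day % 3, 50.0 + day % 5))
        records.append(DailyActivity("bob", "sysadmin", day, 9, 6 + day % 2, 60.0 + day % 4))
        records.append(DailyActivity("carol", "sysadmin", day, 7 + day % 3, 4 + day % 2, 40.0 + day % 3))
    return records


def fit_baseline(records: List[DailyActivity]) -> Baseline:
    """Mean and population standard deviation per feature over the window."""
    means, stdevs = {}, {}
    for f in FEATURES:
        values = [getattr(r, f) for r in records]
        means[f] = mean(values)
        stdevs[f] = max(pstdev(values), MIN_STDEV)
    return Baseline(means, stdevs)


def fit_all(records: List[DailyActivity]) -> Tuple[Dict[str, Baseline], Dict[str, Baseline]]:
    """One baseline per user ("that person") and one per peer group ("people of that same type")."""
    by_user, by_group = defaultdict(list), defaultdict(list)
    for r in records:
        by_user[r.user].append(r)
        by_group[r.group].append(r)
    return ({u: fit_baseline(rs) for u, rs in by_user.items()},
            {g: fit_baseline(rs) for g, rs in by_group.items()})


def zscore(value: float, baseline: Baseline, feature: str) -> float:
    return abs(value - baseline.means[feature]) / baseline.stdevs[feature]


def risk_score(activity: DailyActivity, user_bl: Baseline, group_bl: Baseline) -> float:
    """Largest per-feature deviation, where a feature only counts as deviant if it is
    unusual both for this user and for the user's peers (the min of the two z-scores).
    A first-time-but-routine-for-the-team action therefore stays quiet, while an
    hours or data-volume excursion nobody in the group shows still fires."""
    score = 0.0
    for f in FEATURES:
        value = getattr(activity, f)
        score = max(score, min(zscore(value, user_bl, f), zscore(value, group_bl, f)))
    return score


def session_action(score: float) -> str:
    """Map the score to the responses the text describes: allow, hold, or terminate."""
    if score >= TERMINATE_THRESHOLD:
        return "terminate"
    if score >= HOLD_THRESHOLD:
        return "hold_for_approval"
    return "allow"


def evaluate(activity: DailyActivity, user_bls: Dict[str, Baseline],
             group_bls: Dict[str, Baseline]) -> Tuple[float, str]:
    score = risk_score(activity, user_bls[activity.user], group_bls[activity.group])
    return score, session_action(score)


if __name__ == "__main__":
    users, groups = fit_all(build_sample())
    today = [DailyActivity("alice", "sysadmin", 31, 9, 6, 52.0),      # routine day
             DailyActivity("alice", "sysadmin", 31, 9, 10, 52.0),     # more systems than usual
             DailyActivity("alice", "sysadmin", 31, 2, 40, 5000.0)]   # off-hours bulk read
    for a in today:
        print(a.user, a.login_hour, a.resources, a.mb_read, "->", evaluate(a, users, groups))
```

Taking the smaller of the user and peer z-scores is the design choice that does the "people of that same type" comparison: an administrator whose login hour never varies is not escalated for starting an hour later when the rest of the team routinely does, but a 2 a.m. session that reads two orders of magnitude more data than anyone in the group ever has is terminated rather than reviewed the next day. A production deployment would use far more features, a rolling rather than fixed window, and per-feature weights; the structure of baseline, deviation, score and action is the part the example is meant to show.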
Addressing the Rogue Administrators
While many current continuous vetting and security clearance reform efforts are focused on the totality of the cleared workforce, One Identity is currently focused on a key demographic – systems administrators.
“Administrators are a rare breed,” said Conrad, who noted his personal experience working as a systems administrator for more than 20 years. “They like their privileges. They like to operate without auditing, as we all do, because again, they’re just people and whether they hold a clearance or not, they like to be trusted.”
Conrad notes that there is a real need to discuss the topic of systems auditing and accountability with staff across the entire organization – including the highest level administrators, with the most privileges.
“In the tech space, we call this a politics and religion issue,” said Conrad. “So we need to socialize this and talk to them about why auditing is a good thing if you’re behaving well. You shouldn’t really have to worry about it.”
Part of the issue can be the perceived change in abilities and access, notes Conrad. Having the right automation engines in place ensures auditing and accountability for administrators without changing their ability to get the work done, or to have the accesses they need, when they need them. And when it comes to any expectation of privacy, the reality is that if you’re on a government- or corporate-owned machine – there is no such thing as privacy.
“There is really not an expectation of privacy when you’re exfiltrating data off of your systems or accessing things you know you’re not supposed to do,” said Conrad. “We build automation engines in here that will watch that data.”
Watch, protect, and prevent. It’s the next wave of predictive analytics, and with the right privilege and behavior biometrics in place, it is designed to prevent the next insider at the point of access.