Much recent cybersecurity media coverage has been focused on the threats posed by external nation state or criminal sources - the DNC hacking issues being most notable in the last few months. But recent news has also drawn attention to the devastating, and ever-present risks posed by insider cyberthreats.
The fact is, insider threats can be some of the most difficult to detect as they typically occur with people we have vetted and placed our trust in. This raises the question about whom we trust and how we monitor behaviors that ensure our trust is well founded, both now and in the future.
In particular, the final days of the Obama administration reminded us of the massive insider data breach inflicted by, then, Private Bradley Manning (now known as Chelsea Manning). Private Manning stole approximately 750,000 classified and sensitive US government documents and videos. Manning’s insider data theft utilizing a read/write DVD disk labeled “Lady Gaga” will not be remembered as one of the most sophisticated cyber espionage tradecraft displays, but its devastating effects upon US diplomatic and military operations will be felt for years, if not decades, to come.
No doubt, Manning was appropriately found to be “trustworthy” at the time he was first issued a security clearance. However, this clearance is akin to a security “dipstick”, only capable of measuring trustworthiness at the time of the security evaluation. Typically, this evaluation is repeated again some 5 to 7 years after the initial vetting. The problem is, these security “dipstick” tests, widely used by both government and business organizations, don’t account for behavioral changes in the period between the security evaluations. To ensure cybersecurity between these security milestones, another element must be introduced and continuously monitored – behaviors.
Behavioral monitoring, like the capability deployed by Red Lambda’s MetaGrid solution, can identify activities out of the norm of individual users, or even the “normal” behaviors of a larger user population(s). For example, behavioral monitoring might include, system access times, access points, privilege alterations, download volume, access frequency, …and much more. By identifying anomalies in user behavior and correlating these with other threat-induced network anomalies, organizations can flag indicators that more reliably point to cybersecurity threats.
But behavioral monitoring, even in the noble cause of network data security, falls within the shadow of current civil liberties and privacy regulations which require that organizations monitor employee behaviors across entire employee populations, rather than targeted monitoring of specific individuals. These requirements place further civil liberties challenges on organizations to ensure compliance while maintaining monitoring effectiveness. Despite these requirements, technologies, like MetaGrid, can provide adaptive and highly scalable monitoring of both network and behavior anomalies within the organization.
In the end, our focus on combating cyber threats at the code level must be combined with behavioral monitoring that addresses the vulnerabilities of insider threats. At Red Lambda, we are able to provide leading technologies that mitigate the risks of insider threats, while simultaneously identifying threat induced anomalies within the IT infrastructure.
As we continue to combat what seems like a relentless and growing assault on our nation’s information assets, effective network security measures must involve discrete tactics and systems that integrate layered security solutions, perimeter and endpoint security, along with behavioral security that includes “dipstick” security vetting in combination with continuous, real-time behavioral monitoring.