The meticulous vetting process to become an employee at the National Security Agency includes deep background checks, an in-depth financial probe and a polygraph test, among other measures that can last up to nine months before the agency builds up enough trust in an individual to extend an employment offer. That was before government contractor Edward Snowden was hired as a system administrator.
Mechanisms were in place designed to trigger an alert if an agency employee accessed unauthorized systems or if external intelligence uncovered leaked information, but the measures weren't enough to identify Snowden, who knew where the tripwires were. He knew "where the red line was drawn," said John "Chris" Inglis, the former deputy director of the NSA, who spoke during a session at the 2014 Symantec Vision Conference Wednesday.
Today the agency no longer adheres to the trust-but-verify model of vetting and granting broad system privileges to foster employee productivity. Using security analytics to monitor user behavior in context with other system data and threat intelligence can help identify rogue insiders, Inglis said. Businesses need to know how insiders are using their privileges in real time, no matter how trusted they are, he said.
"If we compared Mr. Snowden to other system admins, we would have seen anomalies that stood out," Inglis said.
Businesses need to consider the extent of the consequences if sensitive intellectual property and other data are leaked or exposed in some way, Inglis said. The process begins with identifying and tagging the most sensitive data so it can be scrupulously protected, he said. At the NSA, processes are in place to explicitly grant user privileges to sensitive assets and those privileges are tracked and assessed in as close to real time as possible, said Inglis, now a consultant at Los Angeles-based security data analysis platform maker Securonix.
"We needed to make sense of the data we already had," Inglis said, adding that monitoring user behavior also addresses external threats. "The holy grail of an outsider is to become a trusted insider; to use user privileges to exfiltrate something out of your systems."
Solution providers say they are increasingly being asked about how to better identify and monitor systems to spot suspicious employee behavior that could signal trouble. Products have long been available to restrict employee behavior, but many firms don't want to go to that extent, said Mark P. Williamson, chief technology officer at Gaithersburg, Md.-based security consultancy and reseller Conquest Security. Network and application monitoring tools are increasingly becoming the tools of choice and, when combined with analytics, they can often spot suspicious activity that needs investigating, Williamson said. Responding and investigating are key to the process, he said.
"A lot of organizations are looking to increase their visibility," Williamson said. "Once they see what's happening on the network, they often find people leaking out information or sometimes running rogue sites internally."
The vast majority of internal issues aren't malicious at all, said Dennis Norris, an IT veteran and director of product development at Chicago-based security solutions provider Conventus. Norris said most companies will uncover simple mistakes and security lapses introduced when employees are trying to do their work more efficiently. Norris called the insider issue a longstanding one and especially problematic in industries where simple mistakes that expose personally identifiable information result in publicly reportable security incidents.
"We see a lot of clients who may have policies in place, but they haven't effectively communicated them or they don't have the technology in place to monitor and enforce them," Norris said.
Some companies are having success monitoring employees by using data from existing security systems. Securonix co-founder and CTO Tanuj Gulati highlighted a large multinational bank that used data from its data loss prevention platform and other systems to identify users who posed a flight risk. The bank also monitored applications for attempts to gain unauthorized access and focused on privileged account monitoring.
Abnormalities don't necessarily stand out from all the noise in the data provided by the systems, Gulati said.
"It is difficult for anyone to look at a single event to figure out who is the person behind it, or whether it is normal or not normal for a user to perform that function," he said.
By overlaying data from various systems, including external threat feeds, network traffic monitoring and intrusion prevention systems, the company was able to cut through the noise and uncover connections that signaled suspicious activity needing further investigation. Ultimately, the caseload for security analysts fell and incident responders didn't have to chase false alerts, Gulati said.
At the NSA, the focus needs to be on analytics in real time, Inglis said. The agency wants to know how an employee is using his or her privileges. Today, systems collect data from various sources, analytics are applied, and a team assesses the information and escalates issues to an incident response team to investigate, he said.
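Inglis's remark that comparing one administrator against the other system admins would have exposed anomalies, together with the collect-analyze-escalate pipeline just described, as an added example that is not from the article or from Securonix: each user's footprint on tagged sensitive assets is baselined against the other members of the same role, and anyone well above the peer mean is flagged for the response team. The access records, asset tags, user names and the two-standard-deviation threshold are all constructed for illustration.

```python
"""Peer-group outlier check over privileged-access records (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Assets the organisation has tagged as sensitive (constructed labels).
SENSITIVE = {"hr-db", "source-repo", "intel-share", "finance-ledger"}

# Constructed access records: (user, peer group, asset). Not real log data.
RECORDS = [
    ("alice", "sysadmin", "build-server"), ("alice", "sysadmin", "hr-db"),
    ("bob", "sysadmin", "source-repo"), ("bob", "sysadmin", "hr-db"),
    ("carol", "sysadmin", "build-server"), ("carol", "sysadmin", "hr-db"),
    ("dave", "sysadmin", "build-server"), ("dave", "sysadmin", "hr-db"),
    ("dave", "sysadmin", "source-repo"), ("dave", "sysadmin", "intel-share"),
    ("dave", "sysadmin", "finance-ledger"),
    ("erin", "analyst", "intel-share"), ("frank", "analyst", "intel-share"),
]


def sensitive_footprint(records):
    """Return {user: (peer group, number of distinct sensitive assets touched)}."""
    group_of, touched = {}, defaultdict(set)
    for user, group, asset in records:
        group_of[user] = group
        if asset in SENSITIVE:
            touched[user].add(asset)
    return {u: (g, len(touched[u])) for u, g in group_of.items()}


def peer_outliers(records, threshold=2.0):
    """Return {user: z-score} for users whose footprint exceeds the mean of the
    *other* members of their peer group by more than `threshold` standard
    deviations. Users with fewer than two peers have no baseline and are skipped."""
    by_group = defaultdict(dict)
    for user, (group, count) in sensitive_footprint(records).items():
        by_group[group][user] = count
    flagged = {}
    for counts in by_group.values():
        for user, count in counts.items():
            # Leave the user out so one heavy actor cannot inflate their own baseline.
            peers = [c for u, c in counts.items() if u != user]
            if len(peers) < 2:
                continue
            sigma = pstdev(peers) or 1.0  # identical peers: fall back to unit spread
            z = (count - mean(peers)) / sigma
            if z > threshold:
                flagged[user] = round(z, 2)
    return flagged
```

Run on the constructed records, only dave is flagged; the two analysts are skipped because a one-person peer group gives nothing to compare against.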
"It's about raising verification up and pushing the trust down," Inglis said. "The goal shouldn't only be to make networks defensible, but also to actively defend them and insiders, in my view, are a huge piece of that."
PUBLISHED MAY 8, 2014