Insider Threats in the Federal Agency: Endpoint Security and Human Analytics

Manning, Snowden, Wikileaks… Recent headlines have made the dangers of insider threats for federal agencies even more of a flashing red light than before. The risk of intentional data breaches is a critical problem, but certainly not the only one. The latest report from the Ponemon Institute, the 2013 Cost of Cyber Crime Study: United States, found that more than one third of all data security breaches at government agencies are caused accidentally by internal employees. Intentional or not, both are problematic.

Human error as insider threat
A study by the Privacy Rights Clearinghouse noted not long ago that government agencies have experienced a steady rise in data breaches caused by employees over the last four years. In addition, employee negligence caused over 150 breaches and the loss of more than 92.5 million records since January 2009.

Information-security and data-privacy policies and processes are a major focus inside government agencies, yet these facts seem to indicate that greater rigor and additional employee training on information-governance and data-privacy best practices are in order for most large organizations, whether government agencies or corporations.

Human psychology as attack vector
Most government agencies are genuinely good at understanding the psychology of disgruntled workers, including those seeking financial gain, and at anticipating their likely actions and reactions. They may watch to see whether someone who received an official reprimand, through his or her manager or Human Resources, begins acting differently. They notice when a colleague was promoted over him, or when he begins visiting the websites of organizations that compete with or are antagonistic to his own. These agencies know that, say, a software developer won’t normally display this behavior and will usually stay tightly focused on his or her own project-related sphere of reference.

They are aware that it’s worth noting when someone with a mid-level income suddenly has a different car, whether he went from driving a Mercedes to driving a Yugo or brags about the reverse, or when that person buys a much larger boat or a house out of his or her income range. Yet these organizations have many staffers to manage, and there are always more critical tasks than hours in the day, which puts monitoring of anomalous digital behavior across an agency's thousands of endpoints beyond the reach of most information security teams.

Proactive threat intelligence
The answer to this is, of course, automation of key aspects of threat monitoring. EnCase® Analytics does this by aggregating the massive volume of process and file data that is constantly churning on endpoints such as servers and workstations. Once EnCase Analytics has aggregated and analyzed that information, it can show you the anomalies against the most recent baseline of normal activity across your network in a visual dashboard. At that point, your security analysts can make judgment calls on what may or may not be occurring given the state of IT and InfoSec processes that day, week, or month. They can decide: is this anomalous behavior? Is it normal for that worker to offload 33,000 documents to a thumb drive? Is it normal to upload files to Dropbox, or to email one single file to a competitor or personal account? Should a certain user account have processes running in several domains across numerous machines?
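To make the baseline-then-deviate idea concrete, here is an added illustration (not EnCase Analytics code, and not from the original post) that runs the two checks the paragraph asks about over a constructed set of endpoint events: per-user removable-media volume against that user's own history, and user accounts spawning processes on hosts they have never touched. The telemetry tuples, the user and host names, and the thresholds are all assumptions chosen for the example; a real deployment would feed the functions from collected endpoint data.

```python
"""Baseline-then-deviate scoring over endpoint telemetry (constructed example).

Not EnCase Analytics code: an added illustration of the workflow described in
the post, aggregating per-endpoint process/file events, building a per-user
baseline of normal activity, and surfacing deviations for an analyst to review.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed telemetry: (day, user, host, event_type, value).
# usb_copy   -> value is the number of files written to removable media that day
# proc_start -> value is the image name of a process started under that account
EVENTS = [
    ("d1", "alice", "ws-01", "usb_copy", 12),
    ("d2", "alice", "ws-01", "usb_copy", 9),
    ("d3", "alice", "ws-01", "usb_copy", 15),
    ("d4", "alice", "ws-01", "usb_copy", 11),
    ("d5", "alice", "ws-01", "usb_copy", 33000),  # the post's 33,000-document offload
    ("d1", "bob", "ws-02", "usb_copy", 0),
    ("d2", "bob", "ws-02", "usb_copy", 0),
    ("d3", "bob", "ws-02", "usb_copy", 0),
    ("d4", "bob", "ws-02", "usb_copy", 1),
    ("d5", "bob", "ws-02", "usb_copy", 2),        # small uptick, within normal noise
]
# A service account that legitimately runs on several servers every day,
# and a user account that on d5 suddenly spawns processes on hosts it never used.
for day in ("d1", "d2", "d3", "d4", "d5"):
    for host in ("srv-01", "srv-02", "srv-03"):
        EVENTS.append((day, "svc-backup", host, "proc_start", "backup.exe"))
    EVENTS.append((day, "alice", "ws-01", "proc_start", "devenv.exe"))
    EVENTS.append((day, "bob", "ws-02", "proc_start", "outlook.exe"))
EVENTS += [
    ("d5", "bob", "ws-07", "proc_start", "cmd.exe"),
    ("d5", "bob", "srv-02", "proc_start", "cmd.exe"),
    ("d5", "bob", "srv-03", "proc_start", "cmd.exe"),
]


def volume_anomalies(events, day, z_threshold=3.0, min_history=3, sigma_floor=1.0):
    """Flag users whose removable-media volume on `day` is far above their own baseline.

    The baseline is each user's history on the other days. `sigma_floor` stops a
    near-constant history (e.g. 0,0,0,1) from turning a trivial uptick into a
    huge z-score.
    """
    history = defaultdict(list)
    today = {}
    for d, user, _host, etype, value in events:
        if etype != "usb_copy":
            continue
        if d == day:
            today[user] = today.get(user, 0) + value
        else:
            history[user].append(value)
    flagged = []
    for user, value in sorted(today.items()):
        past = history[user]
        if len(past) < min_history:
            continue  # too little baseline to judge automatically; leave it to a human
        mu = mean(past)
        sigma = max(pstdev(past), sigma_floor)
        z = (value - mu) / sigma
        if z > z_threshold:
            flagged.append({"user": user, "count": value, "baseline_mean": mu, "z": round(z, 1)})
    return flagged


def host_spread_anomalies(events, day, new_host_threshold=2):
    """Flag accounts that started processes on hosts absent from their baseline.

    A service account that runs on the same servers every day is normal; a
    workstation user whose account appears on several new machines is not.
    """
    baseline_hosts = defaultdict(set)
    today_hosts = defaultdict(set)
    for d, user, host, etype, _value in events:
        if etype != "proc_start":
            continue
        (today_hosts if d == day else baseline_hosts)[user].add(host)
    flagged = {}
    for user, hosts in today_hosts.items():
        new_hosts = hosts - baseline_hosts[user]
        if len(new_hosts) >= new_host_threshold:
            flagged[user] = sorted(new_hosts)
    return flagged


def daily_report(events, day):
    """Combine both detectors into the list an analyst would triage."""
    return {
        "volume": volume_anomalies(events, day),
        "host_spread": host_spread_anomalies(events, day),
    }


if __name__ == "__main__":
    for kind, hits in daily_report(EVENTS, "d5").items():
        print(kind, hits)
```

Run as a script, the d5 report flags alice's 33,000-file copy (her own baseline is a dozen files a day) and bob's account appearing on three hosts it had never run on, while svc-backup's identical three-server footprint and bob's two-file copy stay quiet. The point is that the baseline is per user, so the same raw count is normal for one account and a red flag for another; the output is a triage list, and the judgment call remains with the analyst.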

In the past, the timeline from saying, “Hmmm… that’s funny” to having the actionable intelligence needed could be weeks. With EnCase® Cybersecurity, you can grab a snapshot of the anomaly for analysis, feed that input into EnCase Analytics, and send those files out to another directory where your analyst can look at them more closely with EnCase® Forensic or EnCase® Enterprise.

It would be impossible for humans to watch the terabytes of data on endpoints for anomalies. EnCase Analytics does this for your team, allowing your experts to focus on doing more of what they do best: human analysis. 
