Spotting insider threats on the front lines
West Point cadets test monitoring tools in the changing environment of the field
Cadets at the U.S. Military Academy at West Point are researching ways to automate the detection of and response to insider threats in the dynamic environment of frontline networks.
As part of a yearlong senior project, cadets have deployed network monitoring tools in a simulated forward operating environment and are surveying Army combat veterans to identify characteristics of normal and malicious behavior by insiders within these networks. The goal is to give students some real-world experience while adding to the understanding of systems being operated under difficult circumstances.
“They don’t purport to have the whole answer,” said Lt. Col. Mark Moss, and assistant professor in the academy’s Department of Electrical Engineering and Computer Science. But the project eventually could help automate frontline security.
Next steps for continuous network monitoring
“Our foremost goal is to educate the students,” Moss said. “But we have had quite a few concepts from senior projects adopted in the field.”
As the Defense Department implements the concept of net-centric warfare, IT networks and information systems are being pushed to the front lines, where combat troops depend on them for real-time information and communications. Military networks have security policies and controls in place, but conditions at forward operating bases are constantly changing, training and policy enforcement often are not uniform and timeliness can trump security.
“We know that at a forward base, things happen quickly and there is a lot of pressure to get things done quickly,” Moss said. This is different from a textbook environment or a managed network, and this puts a premium on the ability to detect insider threats as they occur.
Cadets have deployed the SureView endpoint security tool from Raytheon on a simulated network to monitor activity generated by a second team of cadets attempting to circumvent defenses. SureView is an appliance-based tool that uses a software agent on the client to monitor end-user activity with a policy engine to define acceptable behavior. It can send alerts to administrators and block activities that violate policy, and it also can save several hours of activity logs on the desktop to that user activities prior to and immediately after an alert is captured.
“Simulating a forward operating base is an interesting experiment,” said Steve Hawkins, Raytheon’s vice president of information security solutions.
The tool is automated so it can work in a rapidly changing environment. But it depends on policies to tell it what to respond to rather than using intelligence to spot suspicious behavior. The cadets are working with algorithms that the tool can use to identify suspect behavior rather than flood administrators with event logs when policy enforcement is inadequate.
“They are looking not only to detect the malicious insider, but also casual mistakes,” Moss said.
The current class has focused in this project on gathering information and exploring possibilities rather than producing production-ready tools and is still in the early stages. Results could be used by Raytheon to complement its own product research, and although the current academic year is nearing its end the project could be taken up by subsequent classes and continued, Moss said.
In the meantime, the current crop of senior cadets has obtained some experience working on networks that do not fall into the classroom environment.
William Jackson is a senior writer of GCN and the author of the CyberEye blog.