Stalking the insider threat

Agencies stalk the insider threat

With cyberspace now recognized as a military domain alongside land, sea, air and space, nations are gearing up to wage war and defend themselves with equal demonstrations of power and technology against enemies in the cyber domain.   

With cyberwar comes the threat of new forms of espionage, as well as sabotage conducted within both the information systems and control systems that form the interface between the physical and cyber worlds. Security, both physical and cyber, traditionally has been outward facing. But espionage and sabotage often are the domains of the trusted insider, the agent operating from within.

Recent years have produced front-page examples of both types of activity. Edward Snowden, working as a contractor within the National Security Agency, used his position to gather and export sensitive data from the agency. Before that, the Stuxnet worm worked quietly within the control systems of an Iranian industrial facility to physically damage equipment. In 2012, a cyberattack on the Saudi Aramco oil company erased data on corporate computers.

This insider threat, coupled with the blurring of the network perimeter by ubiquitous Internet access, requires a new type of defense.

“That barrier is gone,” said Ken Ammon, chief strategy officer for the access security company Xceedium. “Identity is the new perimeter.”

For both government and private sector organizations, the tools for protecting information and control systems must have the visibility to see, identify, track and understand the behavior of those inside its networks.

IT and data systems

The growing insider threat has been recognized in recent years in a series of presidential executive orders. EO 13467, signed in 2008 by President George W. Bush, created a unified security clearance structure for workers and contractors with access to classified information and sensitive facilities.

EO 13549, signed by President Obama in 2010, safeguards classified information shared by the federal government with state, local and tribal partners as well as with the private sector.

This recognition has helped put the government in the lead in the battle against insiders, said Michael Crouse, director of insider threat strategies for Raytheon. “They are starting to put budget against this threat,” he said. “If you don’t have a budget, nothing gets done.”

The insider threat includes not only malicious behavior but also bad judgment. “Sometimes people do make honest mistakes,” Crouse said, and organizations must distinguish between the malicious and the accidental in their incident response. Being able to see precursor behavior to an incident helps in making this distinction and also can identify behavior that can predict an attack.

Raytheon’s SureView is a host-based endpoint monitoring tool that helps with this task. The product has been around for about 10 years, and in the last few years customers have begun asking for more features with ability to distinguish user behavior as well as device configuration, Crouse said.

Because user visibility generates large amounts of data, automation is necessary to help with analysis. Role-based access policies and established profiles of normal behavior for each role allow automated analysis tools to flag behavior that falls outside the established norm.

Identity management is a precursor for any effective access policy, and in this area government has taken the lead with its civilian Personal Identity Verification cards and its military counterpart, the DOD Common Access Card. These smart ID cards enable strong multifactor authentication that can provide more clarity of user activity.

Pitfalls of privilege

But even with effective identity management, privileged users present a serious insider threat, with their broad trusted access and permissions.

Xceedium helps to limit this threat by limiting trust. Its Xsuite solution controls and monitors privileged access on a zero-trust basis using the enterprise’s legacy authentication platform. It releases securely stored credentials as needed for each task being performed and monitors activity to provide an audit trail that is tied to the user.

Another technique for protecting against the trusted insider is network segmentation. Segmenting the network limits the ability of a rogue person or software to travel vertically or horizontally through the network, limiting the damage in the event of a breach.

“The government is going in that direction,” said Matt Dean, vice president of product strategy at FireMon. In reacting to any breach, smarter and faster decisions are needed and that require automation, Dean said.  “We’ve got to get humans out of the equation. They can’t react fast enough.”

At the same time,  most observers say software and automation can only take agencies so far in protecting against  insiders. “At some point you do need to have a person involved,” Crouse said.

Automation and the use of Security Information and Event Management software can also  stretch limited human resources. But no one software tool can do it all, and data produced by these tools has to be used in conjunction with human knowledge to create meaningful information, experts say.

Drawing the line between automation and human analysis can be a, “huge problem,” said Armond Caglar, senior threat specialist for TSC Advantage, an enterprise security consultancy.

“At the end of the day there has to be somebody on the back end who knows what to look for,” Caglar said. “This has to be somebody’s full time job, and it’s going to be a cost center.”

Physical control systems

Industrial control – or supervisory control and data acquisition (SCADA) – systems present a special threat because they can open the door to the manipulation or destruction of physical assets, including critical infrastructure. They typically are built for reliability, needing to run 24/365 and often are built to run in isolation and without security.

In an increasingly networked world, however,  isolation is becoming difficult if not impossible to ensure, and the absence of security can open large holes in systems that run everything from chemical plants and power grids to military aircraft and naval weapons systems.

With the death of isolation, “we are seeing a trend toward a more holistic view of security,” said David Barnett, vice president of products and markets for RTI, which provides data communications systems. “With devices increasingly connected to other systems, a lot more intelligence has to be put at the edge of the network. Everything that connects to the network is now a point of exposure.”

This new connectivity effectively multiplies the number of insiders in SCADA systems, which in turn multiplies the insider threat. “There is now an order of magnitude more people who have access to that data,” Barnett said.

Moreover security is a special challenge in control systems because security usually involves a trade-off with performance. “Our control systems have to work very quickly and have to have very high reliability with no downtime,” Barnett said.

This means security updates on SCADA systems are difficult. “Every change is a threat,” said Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. “Change is a huge problem on the industrial network.”

One solution, done with digital certificates, is frequent authentication of people and machines on the system. Data also can be authenticated with digital signatures and further protected with encryption when necessary. But because computing overhead in strong encryption can impede performance, this should be limited to data that needs to remain private.

Waterfall Security Solutions emphasizes hardware-based security for control systems. A two-box gateway that physically separates sending and receiving functions on the network can protect it from outsiders without degrading performance.

Ginter admits that this is, “not an absolute protection against insiders.” Detailed monitoring and auditing of systems are necessary to increase the chances that an insider attack will be detected, he said.

And although chances of detection can be improved, the threat cannot be completely eliminated, especially in the case of a well-funded, determined adversary with someone on the inside. “If you have all the information, it is always possible to craft an attack that will get around the software defense,” Ginter warned.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected