Why government is a breeding ground for insider threats
While distributed environments, external contractors and skills shortages are escalating security risks for agencies, data science can level the playing field.
Government agencies and the nation’s critical infrastructure -- including energy, transportation systems, communications and financial services -- depend on IT for operations and processing essential data.
The risks to IT systems are increasing, however -- notably from insiders. Following the massive data leaks by Chelsea Manning and Edward Snowden, the Obama administration established a government insider threat program in 2011 under Executive Order 13587. Yet from one presidential administration to the next, no real change has occurred.
This status quo can be attributed to three factors. First, most government IT departments are understaffed and underskilled because IT personnel typically move into higher paying private-sector jobs once they gain some experience. Second, agencies use IT temporary contractors who -- either intentionally or unintentionally -- represent a significant source of insider threats. And finally, budgets have remained flat and inflation has reduced agency buying power.
Given these challenges and restricted resources, how can agencies get a better return on their existing cybersecurity investments?
Data science represents a promising option.
The emerging field of security analytics uses machine-learning technologies to establish baseline patterns of human or machine behavior and then applies algorithms and statistical analysis to detect meaningful anomalies. These irregularities may indicate sabotage, data theft or misuse of access privileges.
Agencies can gain insights by establishing a contextual linked view and behavior baseline of users from disparate systems, including HR records, accounts, activity, events, access repositories and security alerts. This baseline is created for all users and their dynamic peer groups.
When users undertake new activities, their behavior is compared to the baseline to identify outliers. Using risk-scoring algorithms, outliers help predict abnormal behavior associated with premeditated malicious intent.
Government agencies produce massive amounts information, making it difficult to sift through the data to identify credible cyber threats. But security analytics technology can ingest data from all sources throughout large IT environments, create a unified risk score for each user and device and surface legitimate security threats.
An open behavior-based security analytics platform gives agencies the freedom to consume all the data types supporting today’s and tomorrow’s behavior models and leverage whichever big data lake may already be installed. And, perhaps most importantly, it gives IT security personnel the freedom to edit and create their own machine learning models.
It’s an automated process that relieves IT staff from having to chase the many false positives that conventional security tools generate, boosting employee productivity in resource-constrained organizations and allowing IT staff focus on more strategic initiatives.
Consider the following use cases:
A military branch applied security analytics to data from its in-field command and control applications to monitor network traffic, sensors and firewall logs. The machine-learning algorithms detected that battle routes had been accessed by a foreign nation, compromising missions for months. This is a clear example of account compromise that must be detected in real-time to prevent dire outcomes.
On the preemptive side, security analytics can identify government employees and contractors that are a flight risk. Behavior models can predict if users who are planning to leave the organization so they can be flagged as high risk to prevent them from exfiltrating data. Those individuals can be placed under a more restrictive data use policy that prevents them from using public cloud services like Dropbox or Google Drive, and data loss prevention tools can prevent them from using USB drives or sending emails with attachments.
With insiders accounting for two thirds of all compromised records, current approaches to leak prevention are clearly not working. Data science and behavior analytics, on the other hand, are transforming every segment of IT and can help federal government agencies take back the keys to the kingdom.