Agencies stalk the insider threat

Security, both physical and cyber, traditionally has been outward facing; but in the era of cyberwarfare, new tools are under development against a threat no one can afford to ignore.

With cyberspace now recognized as a military domain alongside land, sea, air and space, nations are gearing up to wage war and defend themselves with equal demonstrations of power and technology against enemies in the cyber domain.   

With cyberwar comes the threat of new forms of espionage, as well as sabotage conducted within both the information systems and control systems that form the interface between the physical and cyber worlds. Security, both physical and cyber, traditionally has been outward facing. But espionage and sabotage often are the domains of the trusted insider, the agent operating from within.

Recent years have produced front-page examples of both types of activity. Edward Snowden, working as a contractor within the National Security Agency, used his position to gather and export sensitive data from the agency. Before that, the Stuxnet worm worked quietly within the control systems of an Iranian industrial facility to physically damage equipment. In 2012, a cyberattack on the Saudi Aramco oil company erased data on corporate computers.

This insider threat, coupled with the blurring of the network perimeter by ubiquitous Internet access, requires a new type of defense.

“That barrier is gone,” said Ken Ammon, chief strategy officer for the access security company Xceedium. “Identity is the new perimeter.”

For both government and private sector organizations, the tools for protecting information and control systems must have the visibility to see, identify, track and understand the behavior of those inside their networks.

IT and data systems

The growing insider threat has been recognized in recent years in a series of presidential executive orders. EO 13467, signed in 2008 by President George W. Bush, created a unified security clearance structure for workers and contractors with access to classified information and sensitive facilities.

EO 13549, signed by President Obama in 2010, safeguards classified information shared by the federal government with state, local and tribal partners as well as with the private sector.

This recognition has helped put the government in the lead in the battle against insiders, said Michael Crouse, director of insider threat strategies for Raytheon. “They are starting to put budget against this threat,” he said. “If you don’t have a budget, nothing gets done.”

The insider threat includes not only malicious behavior but also bad judgment. “Sometimes people do make honest mistakes,” Crouse said, and organizations must distinguish between the malicious and the accidental in their incident response. Being able to see precursor behavior to an incident helps in making this distinction and also can identify behavior that can predict an attack.

Raytheon’s SureView is a host-based endpoint monitoring tool that helps with this task. The product has been around for about 10 years, and in the last few years customers have begun asking for more features, with the ability to characterize user behavior as well as device configuration, Crouse said.

Because monitoring users at this level of detail generates large volumes of data, automation is necessary to help with analysis. Role-based access policies, together with an established profile of normal behavior for each role, allow automated analysis tools to flag behavior that falls outside the established norm.
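As an added illustration of that approach (not Raytheon's SureView, and not code from the article), the following Go program builds a per-role baseline from constructed history lines and then scores a day of new activity against it. The log format, user and role names, the sample records and the three-standard-deviation threshold are all assumptions made for the example; a real deployment would train on far more history and on more than two features.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// Event is one line of a constructed feed: "<RFC3339 time> <user> <role> <records_accessed>".
type Event struct {
	When       time.Time
	User, Role string
	Records    float64
}

// ParseEvents parses the constructed format, skipping malformed lines.
func ParseEvents(log string) []Event {
	var out []Event
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue
		}
		t, err1 := time.Parse(time.RFC3339, f[0])
		n, err2 := strconv.ParseFloat(f[3], 64)
		if err1 != nil || err2 != nil {
			continue
		}
		out = append(out, Event{When: t, User: f[1], Role: f[2], Records: n})
	}
	return out
}

// Baseline is a role's normal: mean and std dev of records per session, and its UTC working hours.
type Baseline struct {
	Mean, Std          float64
	StartHour, EndHour int
}

// Train builds one Baseline per role from history assumed to be benign.
func Train(hist []Event) map[string]Baseline {
	byRole := map[string][]Event{}
	for _, e := range hist {
		byRole[e.Role] = append(byRole[e.Role], e)
	}
	out := map[string]Baseline{}
	for role, evs := range byRole {
		b, sumSq, n := Baseline{StartHour: 24, EndHour: -1}, 0.0, float64(len(evs))
		for _, e := range evs {
			b.Mean, sumSq = b.Mean+e.Records, sumSq+e.Records*e.Records
			if h := e.When.UTC().Hour(); h < b.StartHour {
				b.StartHour = h
			}
			if h := e.When.UTC().Hour(); h > b.EndHour {
				b.EndHour = h
			}
		}
		b.Mean /= n
		b.Std = math.Sqrt(math.Max(0, sumSq/n-b.Mean*b.Mean)) // population std dev
		out[role] = b
	}
	return out
}
type Alert struct{ User, Reason string } // who, and why the session is outside its role's norm

// Score flags volume more than zMax std devs above the role mean (any increase if the role never
// varied), activity outside the role's hours, and any role with no baseline at all.
func Score(base map[string]Baseline, events []Event, zMax float64) []Alert {
	var alerts []Alert
	for _, e := range events {
		b, ok := base[e.Role]
		if !ok {
			alerts = append(alerts, Alert{e.User, "no baseline for role " + e.Role})
			continue
		}
		if dev := e.Records - b.Mean; (b.Std == 0 && dev > 0) || (b.Std > 0 && dev/b.Std > zMax) {
			alerts = append(alerts, Alert{e.User, fmt.Sprintf("%.0f records, role mean %.0f", e.Records, b.Mean)})
		}
		if h := e.When.UTC().Hour(); h < b.StartHour || h > b.EndHour {
			alerts = append(alerts, Alert{e.User, fmt.Sprintf("active %02d:00 UTC, outside %02d-%02d", h, b.StartHour, b.EndHour)})
		}
	}
	return alerts
}
// Constructed sample data: benign history, then one day to score.
const history = `
2014-03-03T09:15:00Z alice analyst 40
2014-03-04T14:30:00Z alice analyst 60
2014-03-03T08:00:00Z eve admin 5
2014-03-04T17:30:00Z eve admin 15`
const today = `
2014-03-06T10:00:00Z carol analyst 55
2014-03-06T02:10:00Z dave analyst 300
2014-03-06T13:00:00Z frank contractor 20`
func main() {
	fmt.Println(Score(Train(ParseEvents(history)), ParseEvents(today), 3.0)) // prints the three alerts
}
```

Run as written, the program flags dave twice (volume far above the analyst mean, and activity at 02:00 UTC) and frank once (a role with no profile), while carol's ordinary session produces nothing. The unknown-role case is deliberate: an account whose role has no baseline should be treated as an anomaly rather than silently passed, since there is no evidence of what is normal for it.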

Identity management is a prerequisite for any effective access policy, and in this area government has taken the lead with its civilian Personal Identity Verification (PIV) cards and their military counterpart, the DOD Common Access Card. These smart ID cards enable strong multifactor authentication, which ties observed activity to a verified individual rather than to a password that could be shared or stolen.

Pitfalls of privilege

But even with effective identity management, privileged users present a serious insider threat, with their broad trusted access and permissions.

Xceedium helps to limit this threat by limiting trust. Its Xsuite solution controls and monitors privileged access on a zero-trust basis using the enterprise’s legacy authentication platform. It releases securely stored credentials as needed for each task being performed and monitors activity to provide an audit trail that is tied to the user.
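As an added example (not Xceedium's Xsuite, and not code from the article), here is a minimal credential broker in Go that shows the pattern the paragraph describes: a vaulted credential is released only to an authenticated user whose role is permitted the task, only for a bounded time, and every request, granted or denied, is written to a hash-chained audit log tied to that user. Task names, roles, users, credentials and the policy are constructed for the example; a real broker would take identities from the enterprise's authentication platform rather than from a map, and would keep the vault encrypted at rest.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Lease is a time-bounded release of a vaulted credential to one named user.
type Lease struct {
	Credential, User string
	Expires          time.Time
}

// Valid reports whether the lease may still be used at time now.
func (l Lease) Valid(now time.Time) bool { return now.Before(l.Expires) }

// Audit is one tamper-evident log entry: Hash covers the record and the previous
// entry's hash, so editing or deleting an entry breaks the chain from there on.
type Audit struct {
	When           time.Time
	User, Task     string
	Granted        bool
	PrevHash, Hash string
}

func hashAudit(a Audit) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%t|%s",
		a.When.UTC().Format(time.RFC3339), a.User, a.Task, a.Granted, a.PrevHash)))
	return hex.EncodeToString(sum[:])
}

// Broker maps each task to the vaulted credential it needs and to the roles allowed
// to run it. Users and roles come from the existing directory (a map here); nothing
// is released without an authenticated user to bind the release to.
type Broker struct {
	vault  map[string]string   // task -> credential
	policy map[string][]string // task -> permitted roles
	roles  map[string]string   // user -> role
	Log    []Audit
	now    func() time.Time
}

// NewBroker loads a constructed sample vault and policy; the clock is injectable.
func NewBroker(now func() time.Time) *Broker {
	return &Broker{
		vault:  map[string]string{"patch-db-server": "db-admin/s3cr3t-db", "rotate-fw-rules": "fw-admin/s3cr3t-fw"},
		policy: map[string][]string{"patch-db-server": {"dba"}, "rotate-fw-rules": {"netadmin"}},
		roles:  map[string]string{"alice": "dba", "bob": "helpdesk", "ned": "netadmin"},
		now:    now,
	}
}

func (b *Broker) record(user, task string, granted bool) {
	a := Audit{When: b.now(), User: user, Task: task, Granted: granted}
	if n := len(b.Log); n > 0 {
		a.PrevHash = b.Log[n-1].Hash
	}
	a.Hash = hashAudit(a)
	b.Log = append(b.Log, a)
}

// Checkout releases the credential for task to user for ttl if the user's role is
// permitted. Unknown users, unknown tasks and wrong roles are all denied, and every
// attempt, granted or not, is logged under the requesting user.
func (b *Broker) Checkout(user, task string, ttl time.Duration) (Lease, error) {
	allowed := false
	for _, r := range b.policy[task] {
		if role, ok := b.roles[user]; ok && r == role {
			allowed = true
		}
	}
	b.record(user, task, allowed)
	if !allowed {
		return Lease{}, errors.New("denied: " + user + " may not perform " + task)
	}
	return Lease{Credential: b.vault[task], User: user, Expires: b.now().Add(ttl)}, nil
}

// VerifyAudit recomputes the chain and returns the index of the first broken entry,
// or -1 when the log is intact.
func (b *Broker) VerifyAudit() int {
	prev := ""
	for i, a := range b.Log {
		if a.PrevHash != prev || hashAudit(a) != a.Hash {
			return i
		}
		prev = a.Hash
	}
	return -1
}

func main() {
	b := NewBroker(time.Now)
	l, err := b.Checkout("alice", "patch-db-server", 15*time.Minute)
	fmt.Println(l.Credential, err, "| audit intact:", b.VerifyAudit() == -1)
}
```

The chained hash is what makes the audit trail useful against the privileged insider specifically: an administrator who can edit the log file can still change a record, but cannot do so without every later entry failing verification. In practice the chain head would also be copied off-host (or signed) so that truncating the log is detectable as well.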

Another technique for protecting against the trusted insider is network segmentation. Segmenting the network limits the ability of a rogue person or piece of software to move laterally across the network or up into more sensitive tiers, limiting the damage in the event of a breach.

“The government is going in that direction,” said Matt Dean, vice president of product strategy at FireMon. In reacting to any breach, smarter and faster decisions are needed, and that requires automation, Dean said. “We’ve got to get humans out of the equation. They can’t react fast enough.”

At the same time, most observers say software and automation can only take agencies so far in protecting against insiders. “At some point you do need to have a person involved,” Crouse said.

Automation and the use of Security Information and Event Management (SIEM) software can also extend limited human resources. But no one software tool can do it all, and the data produced by these tools has to be combined with human knowledge to create meaningful information, experts say.

Drawing the line between automation and human analysis can be a “huge problem,” said Armond Caglar, senior threat specialist for TSC Advantage, an enterprise security consultancy.

“At the end of the day there has to be somebody on the back end who knows what to look for,” Caglar said. “This has to be somebody’s full time job, and it’s going to be a cost center.”

Physical control systems

Industrial control systems, including supervisory control and data acquisition (SCADA) systems, present a special risk because they can open the door to the manipulation or destruction of physical assets, including critical infrastructure. They typically are built for reliability, needing to run around the clock, and often were designed to run in isolation, with no security built in.

In an increasingly networked world, however, isolation is becoming difficult if not impossible to ensure, and the absence of security can open large holes in systems that run everything from chemical plants and power grids to military aircraft and naval weapons systems.

With the death of isolation, “we are seeing a trend toward a more holistic view of security,” said David Barnett, vice president of products and markets for RTI, which provides data communications systems. “With devices increasingly connected to other systems, a lot more intelligence has to be put at the edge of the network. Everything that connects to the network is now a point of exposure.”

This new connectivity effectively multiplies the number of insiders in SCADA systems, which in turn multiplies the insider threat. “There is now an order of magnitude more people who have access to that data,” Barnett said.

Moreover, security is a special challenge in control systems because it usually involves a trade-off with performance. “Our control systems have to work very quickly and have to have very high reliability with no downtime,” Barnett said.

This means security updates on SCADA systems are difficult. “Every change is a threat,” said Andrew Ginter, vice president of industrial security at Waterfall Security Solutions. “Change is a huge problem on the industrial network.”

One mitigation, built on digital certificates, is frequent authentication of both people and machines on the system. Data also can be authenticated with digital signatures and, when necessary, further protected with encryption. The two serve different goals: a signature lets the receiver detect tampering but leaves the data readable, so it can be applied broadly, while encryption hides the content. Because the computing overhead of strong encryption can impede performance, it should be limited to data that needs to remain private.
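As an added example that is not from the article or from any of the vendors it quotes, the following Go program shows that split in working code: every telemetry message is signed (here with Ed25519) so the receiver can detect tampering and replay, while encryption (AES-GCM) is applied only to readings marked private. The device name, the demo key and the readings are constructed; in a real deployment the device's public key would be delivered in its certificate rather than handed to the receiver directly, and the AES key would come from a key exchange rather than a literal.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is the wire format: the body (encrypted only for private data), a
// per-device sequence number, and an Ed25519 signature over all of it.
type Envelope struct {
	Device    string
	Seq       uint64
	Encrypted bool
	Body, Sig []byte
}

// signedBytes is exactly what the signature covers (name, sequence, flag, body),
// so none of those fields can be altered or stripped without invalidating it.
func signedBytes(e Envelope) []byte {
	buf := append([]byte(e.Device), 0)
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], e.Seq)
	buf = append(buf, seq[:]...)
	flag := byte(0)
	if e.Encrypted {
		flag = 1
	}
	return append(append(buf, flag), e.Body...)
}

// NewGCM builds AES-GCM from a 16- or 32-byte key shared with the receiver.
func NewGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal signs every reading and encrypts it only when private is set. seq must
// increase with every message from the device so the receiver can reject repeats.
func Seal(device string, priv ed25519.PrivateKey, seq uint64, body []byte, private bool, aead cipher.AEAD) (Envelope, error) {
	e := Envelope{Device: device, Seq: seq, Body: body}
	if private {
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return Envelope{}, err
		}
		e.Encrypted = true
		e.Body = append(nonce, aead.Seal(nil, nonce, body, nil)...)
	}
	e.Sig = ed25519.Sign(priv, signedBytes(e))
	return e, nil
}

// Open verifies the signature with the device's enrolled public key, rejects any
// sequence number not above the last accepted one (replay or stale), then decrypts.
func Open(e Envelope, pub ed25519.PublicKey, last uint64, aead cipher.AEAD) ([]byte, error) {
	if !ed25519.Verify(pub, signedBytes(e), e.Sig) {
		return nil, errors.New("bad signature")
	}
	if e.Seq <= last {
		return nil, errors.New("replayed or stale sequence number")
	}
	if !e.Encrypted {
		return e.Body, nil
	}
	ns := aead.NonceSize()
	if len(e.Body) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, e.Body[:ns], e.Body[ns:], nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	aead, _ := NewGCM([]byte("0123456789abcdef")) // constructed 16-byte demo key
	plain, _ := Seal("pump-7", priv, 1, []byte("flow=12.4"), false, aead)
	secret, _ := Seal("pump-7", priv, 2, []byte("setpoint=77.5"), true, aead)
	body, err := Open(plain, pub, 0, aead)
	fmt.Printf("seq 1: %q %v\n", body, err)
	body, err = Open(secret, pub, 1, aead)
	fmt.Printf("seq 2: %q %v (encrypted on the wire: %t)\n", body, err, secret.Encrypted)
	_, err = Open(plain, pub, 2, aead) // seq 1 again after seq 2 was accepted
	fmt.Println("replay:", err)
}
```

Two design points matter here. The signature covers the sequence number and the encryption flag, not just the body, so an attacker on the network can neither replay an old valid reading nor strip the encryption from a private one without the signature failing. And the receiver keeps a per-device high-water mark rather than a list of seen sequence numbers, which is the cheap, constant-memory check that fits a control network where the article's performance concerns apply.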

Waterfall Security Solutions emphasizes hardware-based security for control systems. Its unidirectional gateway uses two boxes, one that can only send and one that can only receive, so data can flow out of the control network while nothing can flow back in. That protects the network from outsiders without degrading performance.

Ginter admits that this is “not an absolute protection against insiders.” Detailed monitoring and auditing of systems are necessary to increase the chances that an insider attack will be detected, he said.

And although chances of detection can be improved, the threat cannot be completely eliminated, especially in the case of a well-funded, determined adversary with someone on the inside. “If you have all the information, it is always possible to craft an attack that will get around the software defense,” Ginter warned.
