NSA and OPM Turn to Behavioral Analytics to Combat Insider Threats

In the post-Snowden world, federal agencies know they need to defend against the real possibilities of insider threats and data breaches. Agencies are increasingly focusing on data analytics of user behavior as a way to prevent internal breaches.

As the White House, the Department of Homeland Security and the federal government at large highlight a comprehensive approach to cybersecurity during October, designated asNational Cyber Security Awareness Month, insider threats are sure to be a prominent concern.

According to a recent survey conducted by the Ponemon Institute, 55 percent of the respondents reported that they had experienced a security incident due to a malicious or negligent employee. Concerns about those breaches are animating a response within the government.

NSA Takes Insider Threats Seriously

The National Security Agency is ground zero for protecting against insider threats and has spent a considerable amount of time and money bolstering its internal defenses since the initial disclosures of classified NSA information by former contractor Edward Snowden, in 2015.

The agency faces a challenge in balancing the need for maximum security while addressing the privacy concerns of individual users, NSA Director Adm. Mike Rogers said last month, during a keynote address at the 2016 Billington Cybersecurity Summit, according to FedScoop.

“Is this an area where we have tried to improve on and focus on? Yes. Look, if you want to guarantee that you’ll never have an insider challenge? Boy, that is really problematic,” Rogers said, “It’s always about how do you find a balance between those two very important imperatives … Because if you make it one or the other you’re going to have very bad outcomes.”

Befitting an agency whose nickname is “No Such Agency,” NSA officials at the summit did not go into many details on the technologies and tools they are using to fight insider threats. Neal Ziring, technical director of the NSA’s Information Assurance Directorate, described in broad strokes the efforts the agency has undertaken, FedScoop reported. He noted that the NSA cannot stop employees from performing their jobs, and that once connected to the NSA’s internal networks, employees need to work on documents, write reports and access data.

“Insider threat behavior, and other malicious behavior, is always deviant from normal behavior,” he said. “If you have the right analytics and you actually pay attention to them, then you can have a very good chance at detecting that deviance and shutting it down before it has impact on you.”

Security officials say that agencies that use data analytics to monitor users’ behavior need to tread carefully. Steven Grossman, a vice president for insider threat behavioral analytics firm Bay Dynamics, which counts U.S. intelligence agencies among its customers, told FedScoop that agencies need to monitor for when certain users actually represent malicious threats and when certain users’ accounts have been hacked by outside sources.

“The only difference is just who is using the privileges to do what they’re doing … pure analysis, understanding what behavior is changing relative to the people they work with in order to reduce false positives and by building a profile and by having humans in the loop with business context … that’s the final determinate,” Grossman said.

OPM Sees Value in Behavioral Analytics 

More than a year after the security breaches that targeted the Office of Personnel Management (OPM), in which the personal information of 22.1 million current, former and potential federal employees was stolen, the OPM has made progress on bolstering its cybersecurity.

The government has established a new agency to handle background checks and investigations, and responsibility for protecting those records is being shifted from the OPM to the Defense Department. Although the new agency, the National Background Investigations Bureau (NBIB), is housed inside the OPM, the DOD will be in charge of the IT systems and security for the bureau.

Internally, the OPM is working to ensure that an insider breach does not result in any kind of data loss. Currently, the agency generates about 70 terabytes of log files monthly from its cybersecurity tools and wants to use analytics to sift through that, according to Clifton Triplett, the OPM's senior cyber and IT adviser.

Triplett spoke last month at the Professional Services Council’s 2016 Tech Trends conference, and, according to FedScoop, noted that the agency holds about 1 petabyte of log file dataproduced by the Department of Homeland Security's Continuous Diagnostics and Mitigation program and other unnamed cybersecurity tools.

“We spent a lot of money to get those log files, it’s worth trying to get something out of it,” Triplett said. He acknowledged that the OPM does not know which parts of its log data it needs to keep or for how long, but the OPM is researching that.

But he said that the agency’s cybersecurity experts want to use analytics to find patterns of subtle “anomalous behaviors or triggers.”

"We’re trying to understand how behavioral analysis fits overall into our cybersecurity position," Triplett added, according to FedScoop. “Most of our applications are older, they don’t have very granular security controls, so we’re going to have to catch [insider threats] generally in the way they behave, not necessarily a traditional flag.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.