Insider Threats ≠ Hackers

The FBI’s insider threat program relies on HR data and digital use metrics.

LAS VEGAS -- Of the two best tools to detect insider threats in a network, only one can be supplied by a vendor, the FBI’s former chief information security officer said at the Black Hat cybersecurity conference here Wednesday.

That’s software that tracks employees’ individual digital patterns and how those change over time -- when they access data, what they look at, what they do with it and for how long.

The second, and much more valuable, tool is information that comes from your organization’s human resources department, Patrick Reidy said, such as who’s being disciplined, who’s being fired and whose work has been going downhill.

Until recently, Reidy led a team focused on using technology to root out spies and leakers inside the FBI. That’s a very different task from catching unauthorized hackers, he said, because you’re after people who are accessing something they’re allowed to access, but doing it in a malicious way.

By combining HR information with personal use metrics, a security team has a chance to produce real intelligence rather than chasing after phantoms, he said.

If the security team went after everyone whose printing spiked on Friday afternoon, he said, they’d waste their time and employees’ time. If they only look at Friday afternoon printing spikes by people who were fired Friday morning, they might expose a vulnerability, he said.
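As an added example (not from the article and not the FBI’s own tooling), here is a Python sketch of the correlation Reidy describes: a usage anomaly alone is noise, but the same anomaly following an HR risk event is a lead. The per-user baselines, HR feed, print log, event types and thresholds are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: typical pages printed per day per employee,
# as a security team might derive from a 30-day median.
BASELINE_PAGES_PER_DAY = {"alice": 20, "bob": 25, "carol": 15}

# Constructed HR feed: (user, event time, event type). The risk set is an
# assumption standing in for "disciplined, fired, work going downhill".
RISK_EVENT_TYPES = {"terminated", "disciplined", "performance_warning"}
HR_EVENTS = [
    ("alice", datetime(2013, 8, 2, 9, 30), "terminated"),   # fired Friday morning
    ("carol", datetime(2013, 8, 2, 10, 0), "terminated"),
]

# Constructed print-server log for that Friday: (user, print time, pages).
PRINT_LOG = [
    ("alice", datetime(2013, 8, 2, 14, 5), 180),
    ("alice", datetime(2013, 8, 2, 15, 40), 220),
    ("bob",   datetime(2013, 8, 2, 14, 10), 400),   # spike, but no HR event
    ("carol", datetime(2013, 8, 2, 16, 0), 12),     # fired, but normal volume
]


def printing_spikes(print_log, baseline, factor=5):
    """The 'chase everyone who spiked' approach: users whose daily total
    exceeds factor x their baseline. Returns {user: pages}."""
    totals = defaultdict(int)
    for user, _when, pages in print_log:
        totals[user] += pages
    return {u: p for u, p in totals.items() if p > factor * baseline.get(u, 0)}


def correlate(print_log, hr_events, baseline, lookback=timedelta(hours=12)):
    """Flag a user only when a printing spike follows a risk HR event within
    `lookback`. The HR data narrows the anomaly list to the cases worth a look."""
    spikes = printing_spikes(print_log, baseline)
    flagged = {}
    for user, hr_time, kind in hr_events:
        if kind not in RISK_EVENT_TYPES or user not in spikes:
            continue
        after = [p for u, when, p in print_log
                 if u == user and hr_time <= when <= hr_time + lookback]
        if after:
            flagged[user] = {"hr_event": kind, "pages_after_event": sum(after)}
    return flagged


if __name__ == "__main__":
    print("all spikes:", printing_spikes(PRINT_LOG, BASELINE_PAGES_PER_DAY))
    print("spikes with HR context:", correlate(PRINT_LOG, HR_EVENTS, BASELINE_PAGES_PER_DAY))
```

Run as-is, the first line lists both alice and bob as spikes; only alice survives the HR correlation, which is the narrowing Reidy argues for.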

Organizations setting up insider threat detection systems should be wary of fitting the programs too neatly to past breaches, he said. In the early days of the FBI’s system, it was based too much around lessons learned from the case of Robert Hanssen, an agent arrested in 2001 for passing secrets to the Russians, he said.

Vendors are now focused on Edward Snowden as the model leaker, Reidy said, even though the vast majority of insider threats come from people with deep subject matter knowledge rather than system administrators like Snowden.