How Agencies Can Shift From Reactive to Proactive Insider Threat Defense


Smarter tools and rules can help keep agencies on top of what's happening on their networks.

Isaac Kohen is the founder and CEO of Teramind.

When it comes to data breaches, the federal government continues to fall short of acceptable data security. And when we say “fall short,” we mean very, very short.

According to the 2017 Thales Data Threat Report, Federal Edition, 34 percent of federal government respondents surveyed experienced a data breach in the last year. The likelihood of a breach is high, but when it comes to active prevention, many agencies are at a standstill. Much of this can be attributed to a lack of preventive systems that can detect insider threats.


One of the biggest challenges in securing funding for data protection in the federal government is the government itself. Like many things in government, budgets are shaped by enforced regulations, and those regulations may not keep pace with the latest prevention technology and programs. Innovation is key to staying ahead of cybersecurity incidents, but to remain innovative, cybersecurity professionals need continued vocal and financial support from the top.

The main objective is for agencies to move from reacting to insider threats to preventing them, and these tools can help secure important data:

User Behavior Analytics

This technology falls under the category of security information and event management but is commonly referred to as user behavior analytics. It builds a “normal” baseline behavior profile for each employee and for the agency’s network. Once a baseline profile is established, administrators can track deviations from that profile and be alerted to them.

This technology uses machine learning to continuously monitor and adjust the behavioral baseline and to alert administrators to anomalous activity. If a user begins to access an unauthorized space, administrators are alerted immediately. The administrator then has several options, such as penalizing the user or escalating the incident to a higher authority, depending on its severity. All of this happens in the background, without drawing employees’ attention in their day-to-day work. Over time, this technology outranks even cybersecurity education programs in its effectiveness at preventing insider data breaches.
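To make the baseline-and-deviation idea concrete, here is an added example (not code from the article or from Teramind) that builds a per-user baseline from constructed daily activity records, alerts on volume spikes and first-time access to a share, and folds only normal-looking days back into the baseline. The record shape, the z-score threshold and the sample data are assumptions for illustration.

```python
from statistics import mean, pstdev

# Constructed sample history: per user, one (files_accessed, shares_touched) tuple per day.
HISTORY = {
    "alice": [(42, {"finance"}), (38, {"finance"}), (45, {"finance"}), (40, {"finance"})],
    "bob":   [(12, {"eng"}), (15, {"eng"}), (11, {"eng"}), (14, {"eng"})],
}


def build_baseline(history):
    """Per-user baseline: mean and population stddev of daily volume, plus shares ever seen."""
    baseline = {}
    for user, days in history.items():
        counts = [c for c, _ in days]
        shares = set().union(*(s for _, s in days))
        baseline[user] = {"mean": mean(counts), "std": pstdev(counts), "shares": shares}
    return baseline


def score_day(baseline, user, count, shares, z_threshold=3.0):
    """Return the reasons one day's activity deviates from the user's profile ([] = normal)."""
    b = baseline[user]
    reasons = []
    std = b["std"] or 1.0  # a perfectly flat history would otherwise divide by zero
    z = (count - b["mean"]) / std
    if z > z_threshold:
        reasons.append(f"volume z-score {z:.1f} exceeds {z_threshold}")
    new_shares = set(shares) - b["shares"]
    if new_shares:
        reasons.append(f"first access to {sorted(new_shares)}")
    return reasons


def ingest_day(history, baseline, user, count, shares):
    """Alert on the day, then adjust the baseline only if the day looked normal,
    so a single anomalous day does not quietly become the new normal."""
    reasons = score_day(baseline, user, count, shares)
    if not reasons:
        history[user].append((count, set(shares)))
        baseline[user] = build_baseline({user: history[user]})[user]
    return reasons
```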

Data Loss Prevention Systems

This technology is commonly deployed in defense agencies to protect data. The SANS Institute defines data loss prevention as: “Products that, based on central policies, identify, monitor and protect data at rest, in motion, and in use, through deep content analysis.” In practice, this means ensuring that data on your hard drives, in your communications and in your work products is protected and remains in line with defined policies. One practical feature of this software is that it can block users from printing documents or writing to removable media.

Digital Forensic Systems

There are both commercial and open-source solutions that make investigating a security incident easier. This technology is proactive in the sense that administrators can adjust policy, controls and configurations with precision and informed analysis to prevent the incident from recurring.

Paired with UBA technology, administrators can anticipate which behaviors and vulnerabilities may exist on the network, for better security management. Technology in this category records and monitors every keystroke, email, file transfer, website, message and document that is created or acted upon within the network. Additionally, you can view a video of every session a user has on the network. These features operate passively and are undetectable to the average user.

Rules-Based Risk Analysis Systems

This technology is a more recent development that builds on activity monitoring and helps you proactively manage risk in an informed way. With it, administrators can define rules based on any observable activity. Once a rule is established, it can be assigned a risk level and a corresponding response. For example, if there is a rule against sending information over personal email accounts and employees violate it, their risk scores increase. Additionally, they could receive warnings or be locked out of their accounts until further notice.

The risk score is important here because it can be aggregated to produce a department’s risk score. This technology provides a snapshot of which employees and departments are placing your agency at the highest risk, allowing more effective management of risk and behavior within your organization.
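The following is an added example (not the article’s or Teramind’s code) of the rules-based scoring described in this section: each rule is a predicate over an activity event with a point value, scores accumulate per user, a graduated response is chosen by threshold, and user scores roll up to a department score. The event fields, rules, point values and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed activity events, as an endpoint agent or log pipeline might emit them.
EVENTS = [
    {"user": "alice", "dept": "finance", "action": "email", "to": "alice@gmail.com"},
    {"user": "alice", "dept": "finance", "action": "usb_write", "bytes": 2_000_000},
    {"user": "bob", "dept": "eng", "action": "email", "to": "vendor@example.gov"},
    {"user": "carol", "dept": "finance", "action": "print", "pages": 120},
]

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

# Each rule: name, predicate over one event, risk points added when it matches.
RULES = [
    ("personal-email",
     lambda e: e["action"] == "email" and e["to"].rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS, 40),
    ("removable-media", lambda e: e["action"] == "usb_write", 30),
    ("bulk-print", lambda e: e["action"] == "print" and e.get("pages", 0) > 50, 10),
]


def score_events(events, rules=RULES):
    """Return per-user risk scores and the list of (user, rule_name) violations."""
    scores = defaultdict(int)
    violations = []
    for e in events:
        for name, matches, points in rules:
            if matches(e):
                scores[e["user"]] += points
                violations.append((e["user"], name))
    return dict(scores), violations


def response_for(score, warn_at=30, lock_at=60):
    """Graduated response: no action, a warning, or an account lock pending review."""
    if score >= lock_at:
        return "lock"
    if score >= warn_at:
        return "warn"
    return "none"


def department_scores(events, scores):
    """Aggregate user scores into the department each user belongs to."""
    dept_of = {e["user"]: e["dept"] for e in events}
    totals = defaultdict(int)
    for user, s in scores.items():
        totals[dept_of[user]] += s
    return dict(totals)
```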

Tips for Employee Awareness Programs

It is well known that education helps in organizational change efforts, such as creating a better security culture. Awareness programs should include storytelling and reinforcement. Storytelling is a powerful tool for helping staff remember what was taught. If employees hear a story that could have been about them, it is often enough to scare them straight. However, there will be cases of negligence, and that is when reinforcement is necessary.

Each of the technologies above could be integrated into an effective cybersecurity employee awareness program. For example, users who violate rules could be informed with warnings or scaled penalties. Enforcement and reminders help people understand that small actions have large impacts when it comes to cybersecurity.

When it comes to securing data, the federal government struggles with its first line of defense: technology and employees. By creating a prevention mindset and using behavioral monitoring software and security training, agencies can better prepare for a cyber-safe future.