Officials in government, the private sector, and academia discussed their efforts to establish a defensive posture and use technology-augmented programs to deter and detect insider threats, at an event hosted by Nextgov and Equifax Tuesday.
Those officials–an IT audit director, an analyst working for the largest government contractor, and a 30-year intelligence community veteran–had varying insights, but coalesced on the idea that technological solutions can only take these preventative programs so far, and that the human element remains paramount.
They argued that tending to this delicate balance between tools and talent can mitigate the effect that potentially bad employees have on an expansive public or private enterprise.
Inside or Outside
Jefferson Gilkeson, director of IT Audit at the Interior Department, offered lessons from his audit of industrial control systems (ICS), which he said may be under greater risk from persons on the network than external actors attempting to force their way in.
“They’re really good on the external side, and they’re really poor on the internal side,” he said.
Gilkeson said that efforts to locate advanced persistent threats on an ICS network didn’t prove fruitful. “We did a lot of data analysis,” he said. “The network was isolated. They also didn’t allow remote access into the network, and that’s another way attackers get in.”
Those might be fortunate findings for those warning about ICS and critical infrastructure vulnerabilities, but Gilkeson indicated the situation is not all rosy, considering the potential of misuse from the inside.
“Why does the SCADA engineer need to by a sysadmin?” he asked. “Why does the operator need to be a sysadmin? Why does your information security officer need to be a sysadmin? Those are kind of very bad practices.”
Gilkeson said precedent and historical standard practices have dictated these things, but they don’t contribute to strong security when all of those additional variables–potential entry points into the network–are added.
“They just need to do a lot better job of limiting people that have access,” he said. “There are software tools that you can use to limit the number of accounts and users that have elevated privileges.”
A solution to manage network credentials seems like an easy addition, but what do you do about managing threats at a sprawling commercial enterprise?
“You do need a technical solution for a company like Lockheed Martin where we have 100,000 people and four analysts,” said Kimberly O’Grady, an intelligence analyst at the company’s Office of Counterintelligence and Corporate Investigations. But, she stressed, “Your technological solution is only going to get you so much.”
“Beware when someone comes to sell you an all-purpose tool,” added Rollie Flynn, who teaches about insider threats at Georgetown University’s Walsh School of Foreign Service. Prior to that, Flynn spent 30 years at the Central Intelligence Agency, and now also runs a consulting firm that provides insider threat audits. She stressed that the technology needed might already be present at most organizations.
“The first step is to do an audit, because chances are, you have already a lot of what you need, you just have to use it in a holistic way,” Flynn said.
That’s where the role of an analyst like O’Grady’s begins: taking what that technology spits out and connecting the dots. “You have to identify, ‘What information are you looking for? What are your potential risk indicators? What is the equation of information that is going to look like an investigative lead?’” O’Grady said.
The other elements? She expressed the need to convene a stakeholder group that can help pool data relevant to investigations, and establish awareness and training programs for ground-level employees and would-be whistleblowers.
“We need to make sure that we have employees understanding what our mission was, so that they could come forward to us with any of the concerns they have,” O’Grady said. The goal, through her office, is to “give them a mechanism to voice their concerns,” she said.
Who’s Got the Keys?
Flynn stressed that companies might overlook workers who don’t rep the name on the worksite’s door. “A lot of organizations don’t take as close a look at their contractors, and quite often, your contractors are the ones doing your IT,” she said. “It’s really scary. They have the keys to the kingdom.”
She expressed that her audits often find private sector companies with robust insider threat programs, but those companies simply relied on contracted companies to vet their own employees. “It’s uneven how all that’s done,” she said.
Those concerns allude to potential bad guys walking in and wreaking havoc, but Flynn and O’Grady also discussed how disenfranchisement could give rise to bad apples that weren’t always rotten.
O’Grady mentioned Lockheed Martin’s “off-the-grid” employees, who might exclusively work out-of-office. Those employees, she said, may not experience the same inclusive culture that’s present at an actual company office. Companies need to be mindful of the potential morale issue at play when an employee might not feel like a member of the team.
Flynn expressed how that delicate balance also exists on the opposite end–at Federal agencies. She’s seen government staff “embrace” contractors as valued team members and participants, and those that essentially labeled them as “other.”
Both officials expressed a belief that creating cohesion across the entire workforce remains an important tool for preventing insider threats.
“You have to think as government managers how you’re going to handle your contract staff,” Flynn said.