Federal agencies, particularly those in homeland security, are facing a perfect storm of insider risk. Insider risk is conceptually adjacent to insider threats; while threats focus on actors, risk focuses on outcomes. In addition to worrying about breaches and espionage, agencies must be attuned to any kind of negative behavior that has the potential to impact workplace productivity, safety, and culture.
Insider risk is high right now for a variety of reasons. Misinformation is rampant, politics are especially polarized, and workplace norms have been utterly upended – to name a few. In the current landscape, the best way to successfully mitigate insider risk is by utilizing solutions such as user activity monitoring (UAM), business intelligence and behavioral analytics to “collect, explore, and gain insight” into the most complex insider risk challenges. These tools can measure the pulse of an agency and its employees, helping uncover potentially dangerous behavior before anything or anyone is compromised.
The importance of quantifying risk
In a nutshell, effective UAM provides the required visibility of how employees are using the network and interacting with data in near real-time. When paired with behavioral analytics, UAM provides the context to gain insight into user behavior that might signal bad cybersecurity hygiene, compromised credentials, or illicit activity. Risky behavior often hides in plain sight on high-threat unclassified networks, which is where most federal employees spend the majority of their time.
Imagine an employee is engaging in any of the following behaviors: working odd hours, stockpiling unusually large amounts of data, attempting to access restricted information, or uploading documents marked for official use only (FOUO) to a personal cloud account. These digital indicators can be combined with physical ones, such as a poor performance review or disagreements with co-workers, to improve the effectiveness and efficiency of measuring overall insider risk.
UAM isn’t about keeping tabs on anyone’s productivity. Instead, it’s about quantifying the risk associated with anomalous behaviors so agencies know where to focus their attention and time – whether that means cooling a hot spot of data spills or disgruntled employees, or training on a particular aspect of cybersecurity hygiene.
Collection, exploration, insights
While analytics is crucial to mitigating insider risk, agencies shouldn’t put the cart before the horse. To build a successful insider risk program, agencies should deploy a strategy focused on “collection-exploration-insight.” To start, an agency should ask: What data is essential to driving agreed-upon agency outcomes? With data collection especially, quality trumps quantity. Pinpoint what data is going to be useful, whether UAM data or data from external sources.
Next, begin exploring that data using business intelligence visualization techniques, such as entity-based link analysis. Finally, take the time to explore what collection policies are most effective for driving business outcomes, and which ones are not. Do not be afraid to throw out ineffective collection policies that are just using up storage space with no real positive impact to the mission.
Insights through analytics should only come after these first two steps are complete. This is the point in your program maturity lifecycle where bringing different data sources together – UAM data, HR data, physical security data, VPN data, etc. – will produce actionable risk scores. Far too many agencies try to gain insight through analytics without truly understanding the data. Being more disciplined in the approach by laying a solid foundation of collection and exploration will save time, resources, and money in the long run – making it easier for the insider risk program to justify its value to the organization.
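The scoring step described above, combining the digital indicators listed earlier (odd hours, bulk data, restricted-access attempts, FOUO uploads to personal cloud) with HR indicators into a per-user risk score, as an added illustration that is not from the article or any vendor product. The event records, HR flags, thresholds and weights are all constructed assumptions; a real program would set them with its stakeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample UAM events (user, ISO timestamp, action, details); not real data.
UAM_EVENTS = [
    ("alice", "2024-03-04T22:41:00", "download", {"bytes": 800_000_000, "marking": "FOUO"}),
    ("alice", "2024-03-04T23:05:00", "upload", {"dest": "personal-cloud", "marking": "FOUO"}),
    ("alice", "2024-03-05T02:10:00", "access_denied", {"resource": "restricted-share"}),
    ("bob", "2024-03-05T10:15:00", "download", {"bytes": 2_000_000, "marking": "UNCLASS"}),
    ("bob", "2024-03-05T11:00:00", "upload", {"dest": "agency-sharepoint", "marking": "UNCLASS"}),
]

# Constructed HR / physical-security indicators, the "physical" signals paired with UAM data.
HR_FLAGS = {
    "alice": {"poor_review": True, "conflict_report": False},
    "bob": {"poor_review": False, "conflict_report": False},
}

# Illustrative weights and threshold (assumptions), meant to be vetted by HR, legal and security.
WEIGHTS = {"odd_hours": 1, "bulk_data": 2, "restricted_attempt": 2,
           "fouo_personal_cloud": 4, "poor_review": 1, "conflict_report": 1}
BULK_BYTES = 500_000_000


def digital_indicators(events):
    """Map each user to the set of digital indicators their UAM events trigger."""
    hits = defaultdict(set)
    for user, ts, action, d in events:
        hour = datetime.fromisoformat(ts).hour
        if hour < 6 or hour >= 20:                       # activity outside normal hours
            hits[user].add("odd_hours")
        if action == "download" and d.get("bytes", 0) >= BULK_BYTES:
            hits[user].add("bulk_data")                  # stockpiling large amounts of data
        if action == "access_denied":
            hits[user].add("restricted_attempt")         # attempt to reach restricted information
        if action == "upload" and d.get("dest") == "personal-cloud" and d.get("marking") == "FOUO":
            hits[user].add("fouo_personal_cloud")        # FOUO document sent to a personal account
    return hits


def risk_scores(events, hr_flags):
    """Combine digital and HR indicators into (score, indicators) per user for analyst triage."""
    hits = digital_indicators(events)
    for user, flags in hr_flags.items():
        hits[user].update(k for k, v in flags.items() if v)
    return {u: (sum(WEIGHTS[i] for i in inds), sorted(inds)) for u, inds in hits.items()}


if __name__ == "__main__":
    ranked = sorted(risk_scores(UAM_EVENTS, HR_FLAGS).items(), key=lambda kv: -kv[1][0])
    for user, (score, inds) in ranked:
        print(f"{user}: score={score} indicators={inds}")
```

The output lists which indicators drove each score, so a reviewer can check the underlying facts rather than act on a bare number.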
Ensuring agency buy-in
Once again, UAM is not about monitoring the productivity of employees. And it’s not about collecting every kernel of data there is. Instead, the goal is to collect the right data at the right time – then to apply policies vetted by insider risk stakeholders such as HR, legal, IT, ethics, and security. While there are different ways to integrate stakeholders into the process of launching an insider risk program, bringing them in earlier rather than later is the best approach. It can be tempting to postpone their involvement in the name of efficiency, but waiting will actually slow the process even more in the long run. In addition to determining the “what, when, who” of collection policies, stakeholders should also be brought in early to discuss the program’s governance and operational policies.
When introducing the program to stakeholders, especially non-technical ones such as HR and legal, help them understand the technology through awareness training, one-on-one product overview sessions, and high-level demos. This will allow them to see the workflow (i.e. that data collection is policy-based – and that all policies will be approved by the board). Buy-in needs to come from the top down and the bottom up. Explain to employees that insider risk is not about being the productivity police. Instead, it’s about providing organizations the necessary level of visibility so they can make sound decisions based on facts. This will not only protect the organization, but will also protect each individual’s rights to ensure they’re not falsely accused.
The bottom line
Across the board, federal agencies need to mitigate growing levels of insider risk. This is particularly the case for homeland security agencies, which are seen as high-value targets due to their focus on counterterrorism, cybersecurity, emergency response management, critical infrastructure, and training. While traditional cyber tools are all about incident response (i.e. clearing the event queue quickly), UAM, in conjunction with business intelligence and behavioral analytics, can pinpoint and quantify insider risk much more efficiently and effectively, leading to greater security in the long run.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]