DOD trying behavioral analytics as a way to thwart insider threats

The thought of a data breach such as the one that hit the Office of Personnel Management is truly frightening to government officials and the public at large. The sensitive personal data of tens of millions of federal employees that has been lifted recently not only puts individuals at risk, but compromises certain operational practices of the U.S. military/intelligence complex. But while these incidents are disturbing, they are also to be expected.

“To grab the equivalent in the Chinese system, I would not have thought twice,” former CIA and NSA chief Gen. Michael Hayden (ret.) said recently about the OPM hacks thought to be perpetrated by China. “I would not have asked permission...This is not ‘shame on China.’ This is ‘shame on us’ for not protecting that kind of information.”

And while the U.S. works to exploit intelligence gaps and deficiencies of adversaries and protect its own data from similar attacks, one other trend that has blindsided the defense and intelligence communities can’t be overlooked—leaks from the inside.

The insider threat has posed significant challenges, from the trove of millions of documents unearthed by former contractor Edward Snowden to the documents released by former Army Pvt. Chelsea Manning. “The insider threat is not new. But what is changing is that threat landscape,” Patricia Larsen, co-director of the National Insider Threat Task Force of the Office of the Director of National Intelligence, said this week during a panel discussion in Arlington, Va., hosted by Defense One.

Larsen noted that in the not-so-distant past, these types of breaches were much harder to pull off. One had to stand at a copier, copy several pages, and meet someone somewhere. “Now, somebody sitting at the comfort of their desk can go to a website…and find their secure drop page and upload a classified document or something sensitive, still be anonymous and have that published in tomorrow’s Washington Post…That is a whole different paradigm,” she warned.

For Larsen, however, the part of the solution for mitigating potential threats also poses a risk if one is capable of getting into the system. “In the past, it was very hard to get a lot of information about you as a person in one place,” she said. “Now, it is so much easier to pull the entire 360 of an individual using technology and using all the data we’ve collected on you. That is a great, great asset for any insider threat program. It’s also a liability because that same individual can access a ton of information sitting from the comfort of their own workstation as well.” 

The Defense Department is trying a few different technological approaches to mitigating the insider threat, through various beta programs and behavioral analytics. One such effort is the creation of the DOD Insider Threat Management and Analysis Center, or DITMAC, which would “enable information sharing collaboration analysis and risk management across the Department of Defense components to address current and emerging threats to DOD personnel and missions,” said Mark Nehmer, deputy chief of implementation for DITMAC. In 2013, then-Secretary of Defense Chuck Hagel outlined the establishment of DITMAC as one of four key recommendations following the Navy Yard shooting.

Over the past year, DITMAC has worked “to really gather and fuse relative information from different data sources within the department,” said Carrie Wibben, director of Security Policy Operations Directorate at the Office of the Undersecretary of Defense.

Information Management Enterprise System Application, or IMESA, is another approach being used to vet individuals with regard to workplace violence, Wibben said. IMESA is also useful for evaluating the identity of individuals by comparing Common Access Cards with information in internal and external databases to ensure that individuals are who they say they are.

DOD also is working with behavioral analytics, Nehmer said, to compile the indicators, characteristics and behaviors associated with insider threats, including “ how they’ve written, where were they in social media, where were they in their work life, where were they in their personal life that we know of that we can find – as deep a dive as we can get on the individuals that we know have actually committed insider threat behaviors.” But despite the push of what Nehmer called this “human science,” he said he’s not sure when DOD will be able to establish verifiable metrics for identifying insider threats.

The other component to the behavioral issue is tying it to authorizing users within the network.  “Authentication goes back to identity. It says you’re credentialed to get in. But what if you steal the credentials? Well now you’re authorized, you have the authority to be there but you still shouldn’t,” Christine Heckart, CMO of Brocade, a data storage and networking solutions firm, said in an interview in June. “So, we’ve got to look beyond identity, beyond the normal sources of authentication to behavior.  The network can understand and take a benchmark on all kinds of behavioral based analytics. What is the norm? And the minute you start deviating from that norm, you can say ‘alright, there might be a problem.’” 

Heckart explained that in real time, the network can respond by either stopping traffic and calling for more analytics or shutting down operations until a human authorizes the activity. “Once we add behavioral-based analytics and tools to the identity and credentialed based system, you’ve got additional layers,” of security protection, she said.    

Expanded use of multi-factor authentication is something that many security experts and Federal CIO Tony Scott have called for, especially after recent high-profile security breaches. 

Going forward, one challenge regarding analyzing online behavior, however, is context. Computers and humans have not figured out a way to determine context of social media postings to determine the tone, be it serious or sarcastic, though, this is only one component of a multi-pronged risk assessment.