The Defense Information Systems Agency is concerned about insider threats to the Defense Department’s networks and is on the prowl to do something about it.
The Pentagon’s unified IT services provider is trying to protect what is known as the Joint Service Provider, or JSP, which combines IT service for the DOD’s Washington, D.C.-area offices.
The JSP was established under DISA in May 2015, and it merged the Department of the Army Information Technology Agency and Washington Headquarters Services’ Enterprise Information Technology Services Directorate. The goal was to standardize IT infrastructure, enable an end-to-end network and security posture, and improve operational coordination across departments and geographies, as FCW reported.
The JSP is still being established. Maj. Gen. Sarah Zabel, DISA’s vice director said in November that this year is “a transition year,” but next year, fiscal year 2018, all Pentagon IT organizations will be under DISA.
According to FedScoop, the House Armed Services Committee’s Subcommittee for Emerging Threats and Capabilities proposal has said that the JSP’s setup lacked planning for insider threats.
Focus on Insider Cybersecurity Threats
The JSP is seeking information about potential sources for a commercial off-the-shelf (COTS) system (including software, hardware, support, training and travel) “to monitor and log anomalous user behavior accessing network and computer systems managed by the JSP,” according to a DISA announcement.
Such a cybersecurity solution should proactively identify and support investigations of user violations “to allow government network administrators and security personnel to proactively manage insider threat incidents.”
DISA will need to monitor tens of thousands of devices. Approximately 80,000 end-user devices will be configured across multiple networks supporting the Pentagon and National Capital Region in a phased implementation approach, according to DISA, although some implementations may occur simultaneously.
“The solution should contain privacy protection to ensure JSP customers can detect events and individuals that put the enterprise at risk, while providing protection for everyone else,” DISA states. “It should contain investigative tools to enable targeting, review, and investigation of events that happened before, during, and after a violation occurs to facilitate root cause analysis of the problem.”
Requirements for the Insider Threat Program
DISA’s announcement lays out dozens of requirements for the new technology. The insider threat endpoint monitoring solution “shall not adversely affect the end user experience,” for example. Data shall be available for analysis and processing in near real‐time, and the solution will need to “apply software logic while collecting data to identify activity of interest or concern most commonly referred to as alerts, policies, algorithms or triggers.”
Additionally, the system will need to have alert thresholds that can be tailored and categorized based on importance and the severity of the activity. Similarly, the system will need to let its managers “create alerts based on a configurable number and type of event occurring within a configurable time frame.” Data in the system “must be protected from unauthorized access, modification, destruction, and support investigative practices with an inherent capability to ensure chain of custody.” The systems should be able to retain data for a minimum of five years “to support detection of behavioral patterns and relationships.”
All endpoints monitored in the system “shall have the capability to be persistent and immune from user or normal privileged user shutdown or alteration.”
The solution will need to have existing approval to operate on DOD networks (including NIPRNet, SIPRNet and JWICs). It must also be interoperable with existing COTS/government-off-the-shelf information assurance tools such as HBSS, Splunk and ArcSight.
The program will need to monitor user login activities, the movement of data on or between networks, and will need to monitor, log and record all user application activity. Those activities include (but are not limited to) keystrokes, chat programs, email, web browsing and social media use. The program will also need to monitor, log and record all file activity, including but not limited to file access, modification and deletion.