Years after the data breaches initiated by government insiders Chelsea Manning and Edward Snowden, federal agencies have taken numerous steps to enhance their cybersecurity, including the use of data loss prevention tools, multifactor authentication, anomaly detection and social mapping. Agencies are also analyzing data on user behavior as a way to prevent internal breaches.
On one hand, agencies want to keep attackers out of federal information systems. On the other, they also must protect against users who already have access to sensitive federal data and may maliciously or unwittingly divulge it.
Sina Beaghley, a senior international/defense policy analyst with RAND, tells Federal News Network that post-Snowden, agencies have invested in tools to continuously monitor users who have already received security clearances, to measure their level of security risk by correlating government data with data collected outside of government.
“Continuous evaluation is getting all this data from these sorts of sources that are available, that collect information about individuals and on a regular basis, kind of having this picture of the individual and seeing these red flags that come up not from just what the government can see on its own computer system,” Beaghley tells Federal News Network.
Security Solutions to Combat Insider Threats
Evolving cybersecurity threats demand that agencies develop new levels of expertise and deploy new security solutions to safeguard their systems and data. This requires the use of flexible, sophisticated solutions that can be tailored to the mission-specific needs of agencies and departments. In most cases, a customized approach that draws upon a set of curated technologies is more effective than a one-size-fits-all solution.
As agencies turn their attention to combatting the insider threat, they depend on a set of powerful technologies:
- Network access control solutions control the devices and users that may connect to agency networks. NAC solutions can confirm that a device is authorized to connect to the network and verify the device’s current security posture before allowing it to gain access to other networked systems and resources. This approach prevents insiders with physical access to agency facilities from connecting unauthorized or unsecured devices to the network.
- Security assessment tools automatically scan agency systems and networks looking for vulnerable devices, web applications and other technology components that might present an entry point for attackers seeking to gain access to agency operations. This approach limits the ability of a malicious insider to escalate privileges and gain administrative rights by waging an internal attack against the agency.
- Email security solutions scan inbound and outbound email for signs of malicious activity, such as malware and phishing attacks. The use of email security solutions combats the insider threat by reducing the likelihood that an internal user will unintentionally fall victim to an attack seeking to gain access to their credentials.
- Endpoint security products protect all systems on the network from malicious software and monitor their security status on a continuous basis. These solutions prevent insiders from accidentally or intentionally infecting systems with malware or taking other actions that undermine their security controls.
Each of these solutions plays an important role in an agency’s cybersecurity strategy. Cybersecurity professionals consider each of them to be a critical component of an agency’s defense-in-depth approach to cybersecurity.
Security Management Infrastructure Boosts Federal Cybersecurity
CDW•G has developed its own proprietary solution for federal agencies: the Security Management Infrastructure. The SMI helps agencies combat insider threats and other serious cybersecurity risks by providing them with an integrated stack of security technologies designed to work together to meet specific security needs. CDW•G’s SMI seeks to achieve continuous monitoring of an agency’s security environment, allowing prompt detection and response to cybersecurity risks.
The foundation of CDW•G’s SMI stack is a resilient computing solution that can be deployed either on-premises or in a virtual cloud. This computing and storage solution supports a virtualized platform upon which the other SMI components reside. Agencies may then select from a menu of providers for each of the operational security components of the SMI. CDW•G partners with top cybersecurity solution providers to offer a flexible set of tools capable of meeting the needs of any federal government network.
The security information and event management (SIEM) package acts as the nerve center of the SMI, receiving information from other SMI components, correlating those reports and providing real-time reporting on the security status of the agency. For example, CDW•G partners with Splunk to provide agencies with data correlation capabilities as well as access to behavior analysis tools that identify suspicious insider activity requiring further investigation by cybersecurity teams. Splunk provides agency cybersecurity teams with a centralized dashboard that monitors different security threats in real time.
The SIEM tool integrates with virus detection, change management, application management and other security components. The tool is tailored to meet agency requirements for performance and budget, while incorporating existing solutions that the agency already has in place. Several CDW•G core partners are integrated with the SMI to provide the following capabilities:
- Firewalls monitor inbound and outbound connection requests for compliance with security policies, blocking activities that do not meet security standards.
- Intrusion prevention systems perform deep inspection of network content for signs of malicious activity, blocking suspicious content before it reaches the endpoint.
- Data loss prevention monitors systems and networks for the exfiltration of sensitive information, blocking attempts to remove agency information in a manner that is inconsistent with security policies.
- Application and change management controls spot unauthorized modifications to system configurations or the installation of unauthorized software that might undermine the agency’s security posture.
The SIEM tool ingests information from these other SMI components and uses it to perform continuous monitoring of key cybersecurity program assets. This includes system, network and application monitoring for suspicious activity.
It also includes the monitoring of data and user activity by incorporating information received from Active Directory, identity and access management platforms, and network authentication information. Advanced SMI capabilities allow agencies to build employee behavioral baselines and then use those baselines to detect deviations that might indicate insider threat activity.
Finally, the SMI provides advanced log management and analytics capabilities that allow both routine reporting and ad hoc searching to facilitate cybersecurity activities.