Insider threats have long been recognized as a problem by the Federal Government. The National Insider Threat Task Force (NITTF) was established by Executive Order in 2011. In part, it ordered all federal departments and agencies with access to classified information to establish insider threat detection and prevention programs “for deterring, detecting, and mitigating insider threats, including the safeguarding of classified information from exploitation, compromise, or other unauthorized disclosure.”
As insider threats continued to grow, the Federal Government increased its demands. In 2014, Directive 504 from the Committee on National Security Systems (CNSSD 504 – Protecting National Security Systems from Insider Threat) prescribed the minimum measures required for User Activity Monitoring (UAM) on all classified networks “to detect indicators of insider threat behavior,” and required the “technical capability to observe and record the actions and activities of an individual, at any time, on any device accessing U.S. Government information.”
At a minimum, this includes:
- Keystroke monitoring
- Capture of full application content (e.g., email, chat, data import, data export)
- Screen capture
- File shadowing for all lawful purposes
- Ability to set triggers/alerts based on user activity
What about Protecting User Privacy?
In many jurisdictions, mostly outside the U.S., organizations are subject to employee privacy regulations. In those countries, focused observation capabilities of the kind described above would be disallowed, because by design and deployment they would infringe on privacy regulations. Workforce Cyber Security’s approach differs from UAM, however. For example, DTEX InTERCEPT’s patent-protected ‘privacy-by-design’ architecture allows proportional deployment of Focused Observation capabilities (where allowed) while protecting employees’ privacy rights. DTEX InTERCEPT is specifically designed to collect the minimum amount of data needed to build a forensic audit trail in a privacy-compliant manner—gathering only the application and user metadata necessary, and using pseudo-anonymization that tokenizes raw data fields, including username, email, IP address, domain name, and device name. When evidence indicates a threat, select administrators can de-anonymize user identities for investigations.
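The tokenization-with-guarded-reversal pattern described above, as an added illustration that is not DTEX code: identity fields are replaced by keyed HMAC tokens so behavior stays correlatable per user, and only an investigator with a case id can reverse a token (the in-memory vault, role names and field list are assumptions).

```python
import hmac
import hashlib

# Identity fields the page says are tokenized before analysts see an event.
PII_FIELDS = ("username", "email", "ip", "domain", "device")

class Pseudonymizer:
    """Keyed tokenization of identity fields with a guarded reverse lookup.

    Tokens are HMAC-SHA256 over field:value, so one user always maps to one
    token (behavior stays correlatable across events) while the raw value is
    unrecoverable without the secret key and the vault. The vault is a
    hypothetical in-memory stand-in for a restricted re-identification store.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}     # token -> raw value
        self.audit_log = []  # every re-identification is recorded here

    def tokenize(self, field: str, value: str) -> str:
        # Field name is mixed into the MAC so "jdoe" as a username and "jdoe"
        # as a device name do not collide.
        mac = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256)
        token = f"{field}_{mac.hexdigest()[:16]}"
        self._vault[token] = value
        return token

    def pseudonymize(self, event: dict) -> dict:
        """Return a copy of the event with identity fields replaced by tokens."""
        return {k: self.tokenize(k, v) if k in PII_FIELDS else v
                for k, v in event.items()}

    def deanonymize(self, token: str, role: str, case_id: str) -> str:
        """Reverse a token; only an investigator with an open case may do so."""
        if role != "investigator" or not case_id:
            raise PermissionError("re-identification requires investigator role and a case id")
        self.audit_log.append((role, case_id, token))
        return self._vault[token]
```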
Focus on Threat Behavior, not Actions
The directive recognizes an important distinction—one we agree with wholeheartedly. Looking for specific actions by specific users on specific data is a dated and ineffective method for stopping insider threats (and requires too much overhead for rule creation and curation). Instead, CNSSD 504 focuses on “threat behavior”: the things insider threats do as part of the insider threat kill chain.
Focusing on malicious behavior allows security and compliance teams to stop threats before they steal data or do harm. By understanding activities in the context of Data, Machines, Applications, and People, Indicators of Intent can help SOC teams identify the activities that provide “the tell” when malicious actors are performing reconnaissance, circumvention, aggregation, or obfuscation—long before exfiltration.
How DTEX InTERCEPT Addresses UAM
DTEX combines privacy-first User Activity Monitoring, Insider Threat Management, User and Entity Behavior Analytics, Digital Forensics, and Endpoint DLP. It provides organizations with the ability to meet the UAM requirements of Directive 504.
Capture of Full Application Content
Identifying Indicators of Intent requires observing activities across Data, Machines, Applications, and People (DMAP). Our DMAP+ Technology™ provides a continuous audit trail of unique endpoint metadata to observe, record, and correlate the actions and activities of data, machines, applications, and people in near-real-time, including the full capture of all Session, Process, File System, and Window activities, on and off the organizational network.
Screen Capture and Keystroke Monitoring
When a user has been elevated for focused observation, DTEX provides application content monitoring (including SSL inspection for web-browser-based activity), video/screen capture and keystroke capture. Capture can be based on rules for specific devices, applications or users, or applied to individuals flagged as “persons of interest.” All captures can be exported for further analysis.
Malicious insiders will often attempt to disguise (obfuscate) their actions by changing file names or extensions. DTEX continuously tracks documents, even when names and locations have changed, using configurable hashing algorithms including MD5, SHA1 and SHA256. It can determine the ‘lineage’ of a file to answer who, what, when, where, and why a file was copied, modified, obfuscated or exfiltrated. DTEX also tracks file classification metadata as well as the usage of Alternate Data Streams (ADS) for advanced attempts to obfuscate data.
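An added example of the content-hash lineage idea above (not DTEX code): file events are linked by digest rather than by name, so a rename to a different extension, a copy to removable media and a write into an alternate data stream all stay attached to the original document. The event schema and the sample events are constructed for the illustration.

```python
import hashlib
from collections import defaultdict

def content_hash(data: bytes, algo: str = "sha256") -> str:
    # MD5, SHA1 and SHA256 are the algorithms the page names as configurable.
    return hashlib.new(algo, data).hexdigest()

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def is_alternate_data_stream(path: str) -> bool:
    # NTFS ADS paths look like C:\dir\notes.txt:hidden; the drive colon is not in the name.
    return ":" in _basename(path)

def _extension(path: str) -> str:
    name = _basename(path).split(":", 1)[0]      # drop any ADS stream name
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def build_lineage(events):
    """Group file events by content hash so renames, moves and copies stay linked."""
    lineage = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        lineage[ev["sha256"]].append(ev)
    return dict(lineage)

def obfuscation_findings(lineage):
    """Flag extension changes and ADS use along each file's lineage (who/when/where)."""
    findings = []
    for digest, chain in lineage.items():
        original_ext = _extension(chain[0]["path"])
        for ev in chain[1:]:
            if is_alternate_data_stream(ev["path"]):
                findings.append((digest, ev["ts"], ev["user"], "ads", ev["path"]))
            elif _extension(ev["path"]) != original_ext:
                findings.append((digest, ev["ts"], ev["user"], "extension_changed", ev["path"]))
    return findings

# Constructed sample: one document renamed to look like a photo, copied to removable
# media, then hidden in an alternate data stream. The content hash never changes.
DECK = b"Q3 board deck - CONFIDENTIAL"
H = content_hash(DECK)
SAMPLE_EVENTS = [
    {"ts": 1, "user": "jdoe", "action": "create", "path": r"C:\Users\jdoe\Documents\board_deck.pptx", "sha256": H},
    {"ts": 3, "user": "jdoe", "action": "copy",   "path": r"E:\vacation.jpg", "sha256": H},
    {"ts": 2, "user": "jdoe", "action": "rename", "path": r"C:\Users\jdoe\Pictures\vacation.jpg", "sha256": H},
    {"ts": 4, "user": "jdoe", "action": "write",  "path": r"C:\Users\jdoe\notes.txt:deck", "sha256": H},
]
```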
Set Triggers/Alerts Based on User Activity
When a skilled insider wants to steal data, they often separate their activities into smaller steps spread over a period of time to avoid detection. Alerting on every activity (many of which could be benign) can result in alert fatigue. DTEX has partnered with MITRE Corporation to advance Five Eyes capability for Insider Threat and Foreign Interference detection and mitigation.
- Alert Stacking and machine learning capabilities combine behavioral rules and anomaly detection to reduce false positives and analyst overhead.
- Automated Activity Correlation allows multiple disparate events to be attributed to a defined sequence of events occurring within a given time window. This further improves true-positive detection rates by elevating alert scores for events that occur sequentially across the full Insider Threat Kill Chain, over and above alerting rules triggered in isolation.
DTEX also provides the ability to automatically increase monitoring and alerting for high-risk user populations (e.g., new joiners, leavers or “flight-risk” detected employees, and individuals flagged as “persons of interest”) and to automatically correlate these populations with insider threat related activities.
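A sketch of the alert-stacking and high-risk-population logic from the bullets and paragraph above, added here as illustration rather than DTEX's implementation: per-user events inside a time window are collapsed into one alert, the score is raised each time a later kill-chain stage follows an earlier one, and a population multiplier is applied for leavers or persons of interest. The weights, window, threshold and population labels are assumed values.

```python
from collections import defaultdict

# Stages of the insider threat kill chain named on the page, in order.
KILL_CHAIN = ["reconnaissance", "circumvention", "aggregation", "obfuscation", "exfiltration"]
BASE_SCORE = 10      # a rule firing in isolation (assumed weight)
CHAIN_BONUS = 15     # added each time a later stage follows an earlier one (assumed weight)
# Population multipliers are assumed values for leavers and persons of interest.
RISK_MULTIPLIER = {"normal": 1.0, "leaver": 1.5, "person_of_interest": 2.0}

def stack_alerts(events, window_s=24 * 3600, threshold=40, risk=None):
    """Collapse each user's events in a time window into one scored alert.

    events: dicts with ts (seconds), user, stage (a KILL_CHAIN value).
    risk:   optional user -> population label from RISK_MULTIPLIER.
    Returns only alerts whose stacked score reaches the threshold, so a single
    benign-looking rule hit stays below the bar while a chain does not.
    """
    risk = risk or {}
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        i = 0
        while i < len(evs):
            start = evs[i]["ts"]
            window = [e for e in evs[i:] if e["ts"] - start <= window_s]
            score, last_idx, stages = 0, -1, []
            for e in window:
                idx = KILL_CHAIN.index(e["stage"])
                score += BASE_SCORE
                if idx > last_idx:              # progression along the chain
                    if last_idx >= 0:
                        score += CHAIN_BONUS
                    last_idx = idx
                    stages.append(e["stage"])
            score *= RISK_MULTIPLIER.get(risk.get(user, "normal"), 1.0)
            if score >= threshold:
                alerts.append({"user": user, "start": start, "score": score, "stages": stages})
            i += len(window)                    # next window starts after this one
    return alerts
```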