Last week saw yet another reminder of why it is so important to have a comprehensive insider threat strategy in federal organizations. Last Wednesday, a counterterrorism analyst from the US Defense Intelligence Agency was arrested on charges that he leaked top secret and classified information to two reporters. Ultimately, this leak resulted in the reporters writing a total of eight stories based on this top secret information.
Ever since Edward Snowden’s infamous data theft, no organization — neither public sector nor private — needs to be convinced of the dangers of insider threats. Insiders, such as employees and contractors, pose an inherent security risk to government agencies. Surely, the US Defense Intelligence Agency was just as aware of this, and was likely taking precautions against insider threats.
Why did those measures fail?
This story is another excellent example of why it is critical to have not just any User Activity Monitoring solution, but a modern UAM solution that captures the most relevant insights, especially in the greater context of each individual user’s behavior. Because human behavior is less straightforward than machine behavior, this piece — context — is critical.
One particular line of the above article (emphasis ours) highlights this need:
An indictment alleges that Frese accessed classified intelligence reports, some of which were not connected to his job duties, in spring 2018…
With the right approach to user monitoring, this could have been the red flag that stopped the culprit before he successfully leaked documents not just once, but multiple times.
At Dtex, we have been fighting, detecting, and investigating insider threats for years. Over the course of hundreds of investigations, we have learned one thing that holds consistently true: the key to detecting insider threats before they do damage is understanding each individual user’s behavior in relation to their history, their role, and the organization.
This story is a prime example. Dtex would have alerted based on this particular user’s greater context: he was accessing files that were outside of his job duties, which meant that he was accessing unusual file/network locations. A tool that looks at the bigger picture would have detected that this behavior had changed when he was conducting this data theft.
The importance of this approach holds true with respect to many other insider threat incidents, even those that take place in other countries. Last week also saw the tragic news of a stabbing attack by a radicalized insider in a French intelligence division. While it is clear that this particular incident involved the failings of several security measures — cybersecurity and otherwise — there was also a data theft element that could have been detected long before the attack. Authorities discovered several USB drives at his desk that contained a large amount of exfiltrated confidential data. By looking at this user’s behavior in context, a modern UAM solution could have alerted on this uptick in abnormal data access and transfer.
Incidents like these serve as a reminder that federal organizations need to be evolving and iterating on their approach to user monitoring. Monitoring alone, in the most basic sense of the term, is not enough. An effective UAM approach needs to provide insightful data, with anomaly detection, context, and a full audit trail.
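To make the contextual approach described in the two incidents above concrete, here is an added Python sketch. It is not Dtex's product or code; it is an illustration of the idea that a file or network access should be judged against the individual user's own history, then their role peers, then the organization as a whole, and that a jump in copies to removable media should be compared with that user's historical rate. All usernames, roles, share paths, timestamps and thresholds are constructed for the example, and the access records stand in for the audit trail a real UAM deployment would already hold.

```python
"""Context-aware scoring of user file/network access (added example, hypothetical data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

HISTORY_DAYS = 30  # span covered by the constructed baseline history below


@dataclass(frozen=True)
class Access:
    ts: str        # timestamp (constructed)
    user: str
    role: str
    location: str  # share or repository path (constructed, hypothetical)
    action: str    # "read" or "copy_to_removable"


# Constructed baseline: what normal looked like for each user over the last 30 days.
HISTORY = [
    Access("2018-03-01T09:00", "alice", "ct_analyst", r"\\intel\ct\reports", "read"),
    Access("2018-03-02T10:00", "alice", "ct_analyst", r"\\intel\ct\briefs", "read"),
    Access("2018-03-01T09:30", "bob", "ct_analyst", r"\\intel\ct\reports", "read"),
    Access("2018-03-05T11:00", "bob", "ct_analyst", r"\\intel\ct\sources", "read"),
    Access("2018-03-07T16:00", "bob", "ct_analyst", r"\\intel\ct\sources", "copy_to_removable"),
    Access("2018-03-01T08:00", "carol", "logistics", r"\\corp\logistics\orders", "read"),
]

# Constructed evaluation window ("today"): a mix of routine and anomalous events.
TODAY = [
    Access("2018-04-02T09:01", "alice", "ct_analyst", r"\\intel\ct\briefs", "read"),
    Access("2018-04-02T09:05", "alice", "ct_analyst", r"\\intel\ct\sources", "read"),
    Access("2018-04-02T09:10", "alice", "ct_analyst", r"\\intel\sigint\cables", "read"),
    Access("2018-04-02T09:20", "carol", "logistics", r"\\intel\ct\reports", "read"),
] + [
    Access(f"2018-04-02T13:{m:02d}", "bob", "ct_analyst", r"\\intel\ct\sources", "copy_to_removable")
    for m in (0, 5, 10, 15)
]


class Baselines:
    """Per-user, per-role and organization-wide views built from the history."""

    def __init__(self, history, days):
        self.days = days
        self.user_locations = defaultdict(set)
        self.role_locations = defaultdict(set)
        self.org_locations = set()
        self.removable_counts = Counter()
        for a in history:
            self.user_locations[a.user].add(a.location)
            self.role_locations[a.role].add(a.location)
            self.org_locations.add(a.location)
            if a.action == "copy_to_removable":
                self.removable_counts[a.user] += 1

    def daily_removable_rate(self, user):
        return self.removable_counts[user] / self.days


def score_location(access, b):
    """Return (score, reason); higher means further outside the user's normal context."""
    if access.location in b.user_locations[access.user]:
        return 0, "location in the user's own history"
    if access.location in b.role_locations[access.role]:
        return 1, "new to the user, but normal for role peers"
    if access.location in b.org_locations:
        return 2, "new to user and role; used elsewhere in the organization"
    return 3, "never seen for user, role, or organization"


def detect(window, b, window_days=1, alert_threshold=2):
    """Produce alert records (an audit trail of why each alert fired) for one window."""
    alerts = []
    for a in window:
        score, reason = score_location(a, b)
        if score >= alert_threshold:
            alerts.append({"kind": "unusual_location", "user": a.user, "ts": a.ts,
                           "location": a.location, "score": score, "reason": reason})
    # Removable-media uptick: compare this window's copies with the user's own rate.
    copies = Counter(a.user for a in window if a.action == "copy_to_removable")
    for user, n in copies.items():
        expected = b.daily_removable_rate(user) * window_days
        if n > max(2, 3 * expected):  # constructed threshold: floor of 2, or 3x the baseline
            alerts.append({"kind": "removable_media_uptick", "user": user, "count": n,
                           "expected": round(expected, 2),
                           "reason": f"{n} copies to removable media vs ~{expected:.2f} expected"})
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY, Baselines(HISTORY, HISTORY_DAYS)):
        print(alert)
```

Run as written, the sketch stays quiet about alice reading a share her fellow analysts already use (score 1, logged but below the alert threshold), and raises three alerts: alice reading a location nobody in the organization has touched, carol (logistics) reading an intelligence share that only analysts use, and bob's burst of copies to removable media against a near-zero baseline. The three-tier scoring is the point: the same access can be routine for one role and a red flag for another, which is exactly the context a flat "who touched what" log cannot supply.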