
Zero Trust Meets Insider Risk Management


What do Jack Teixeira, Joshua Schulte, and Korbein Schultz have in common?

All three worked for the federal government in some capacity, and all three used their insider access for nefarious purposes, got caught and were arrested. Teixeira, while with the Air National Guard, shared classified documents on social media, while Schultz, a member of the Army, planned to disclose national defense information. Schulte’s insider threat behavior was even more heinous; the former CIA officer was recently sentenced to 40 years in prison for “crimes of espionage, computer hacking, contempt of Court, making false statements to the FBI, and child pornography.”

These are a few high-profile insider risk incidents that have made national news, but there are dozens of other insider threats happening within federal government, both innocent mistakes and maliciously intended, that go undetected by security, risk and HR teams. A 2023 report by DTEX, for example, found that 12% of employees took sensitive intellectual property with them when they left the company. The growing use of unsanctioned applications, or shadow IT, is exacerbating the issue, creating visibility blind spots that make it even more difficult to discover if and when organizational data is exfiltrated outside of authorized apps.

Insider risk represents a growing threat to organizations and critical infrastructure, but when government agencies are involved, an insider-created security incident can cause irreparable harm to national security interests.

Uplifting Insider Risk Management in the Federal Sector

The federal government has traditionally lagged behind private industry when it comes to cybersecurity. Many agencies still use outdated operating systems and software or legacy systems that are hard to patch or update. Congress also has dragged out legislative action on addressing cybersecurity, especially in the aftermath of high-profile insider incidents and data breaches.

However, that is shifting. One of the biggest initiatives toward addressing cybersecurity and insider risk management is the Executive Order (EO) to improve national cybersecurity. Included in this EO is a mandate to secure cloud services and enhance supply chain security. But one of the most impactful requirements in the EO is the requirement to modernize cybersecurity within the federal government. One of the mandates included in this modernization is the adoption of a Zero Trust framework, which civilian agencies must implement by the end of the Fiscal Year 2024 while the Department of Defense has until 2027.

Another area that will see improvement is collaboration for information sharing of potential risk indicators and creating integrated risk management within agencies. An insider risk management (IRM) strategy will provide a shared language around cybersecurity and risk across agencies and contractors, with decisions around risk management made that will be of benefit to all.

Importance of Zero Trust Principles in Insider Risk Management

Insider-driven security incidents often occur due to a lack of visibility into user behavior and user access. In Department of Defense (DoD) settings, that could mean access to secret information above the user’s security level. A Zero Trust architecture is designed to eliminate those visibility gaps with a ‘verify then trust’ approach. Some of the key principles of Zero Trust, according to the NIST standard, are:

  • Applying least privilege principles where users have only the access privileges they need, when they need it. This cuts down the chances of unauthorized access or lateral movement across networks and databases. It also reduces the breach radius.
  • Explicit and continuous verification, across all devices and applications.
  • Automated context and response, to understand user behavior within the network, the devices and applications used, and how best to respond to an incident.

By treating all network traffic as suspicious and adopting a Zero Trust architecture, IT and security teams can better track network usage and reduce the opportunities for users to engage in risky behaviors.

How Zero Trust Can Support a Trusted Workforce Culture

Employees working for the government, especially DoD, are given access privileges and security clearances based on their job duties; however, as recent insider incidents have shown, having clearance doesn’t prevent an employee from going rogue. An employee can go 10 years before a follow-up background check is conducted, and during that time, they could go through significant life events that could result in riskier behaviors.

DoD and other agencies are addressing this issue through the Trusted Workforce initiative. Trusted Workforce 2.0 is a cooperative effort between federal government agencies and their partners to establish an ongoing vetting process for the entire workforce. The goal of Trusted Workforce is to determine whether an employee is to be trusted with specific credentials and if they should be allowed access to classified information.

Trusted Workforce 2.0 complements a Zero Trust architecture because both are built on the concept of ‘verify then trust’. The continuous vetting process means that employees are meeting requirements to be granted access to sensitive data and ensures that they are given only the access and authorizations required to do their job. Security teams are alerted to potential risky behavior and can take action before an incident occurs.

The combination of Zero Trust and Trusted Workforce benefits the employees as well as the agency. Employees can be onboarded faster, rather than waiting months or years for the security clearance process to be completed. They are also made an active partner in the security program. Through the continuous vetting process, they have opportunities for security awareness training and are alerted when engaging in risky behaviors. The more employees are included in security practices, the more likely they are to become security champions.
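As an added illustration of the three Zero Trust principles listed above and of the continuous-vetting risk signal described under Trusted Workforce 2.0 (example code, not DTEX’s, NIST’s or DoD’s own), this Python policy check evaluates every access request against clearance level and need-to-know, device posture and authentication freshness, and a behavioral risk score, and decides when to alert the security team. The classification levels, thresholds, field names and sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed classification lattice: a subject may read only at or below its clearance.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass
class Subject:
    user: str
    clearance: str
    entitlements: frozenset   # projects the user currently needs (need-to-know)
    risk_score: int = 0       # 0-100, fed by continuous vetting / behavior analytics

@dataclass
class Resource:
    name: str
    classification: str
    project: str

@dataclass
class Request:
    subject: Subject
    resource: Resource
    device_compliant: bool    # result of the endpoint posture check for this request
    mfa_age_minutes: int      # minutes since the user last completed MFA

@dataclass
class Decision:
    allow: bool
    reason: str
    alert_security: bool = False

def evaluate(req: Request, max_mfa_age=15, alert_threshold=60, deny_threshold=80) -> Decision:
    """Policy decision point: re-evaluated on every request, never cached."""
    s, r = req.subject, req.resource
    # 1. Least privilege: clearance level AND need-to-know for the project.
    if LEVELS[s.clearance] < LEVELS[r.classification]:
        return Decision(False, "clearance below resource classification", alert_security=True)
    if r.project not in s.entitlements:
        return Decision(False, "no need-to-know entitlement for project")
    # 2. Explicit, continuous verification of device and identity.
    if not req.device_compliant:
        return Decision(False, "device failed posture check")
    if req.mfa_age_minutes > max_mfa_age:
        return Decision(False, "re-authentication required")
    # 3. Automated context and response using the continuous-vetting risk score.
    if s.risk_score >= deny_threshold:
        return Decision(False, "risk score above deny threshold", alert_security=True)
    if s.risk_score >= alert_threshold:
        return Decision(True, "allowed; elevated risk flagged for review", alert_security=True)
    return Decision(True, "allowed")
```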

What DoD Should Consider in Zero Trust Insider Risk Management Investments

Zero Trust and IRM don’t just happen. They take time to implement. They also take money. The DoD has requested $14.5 billion towards its cybersecurity funding, and that includes money toward building its Zero Trust initiatives. Some of the spending will go towards working with defense contractors to construct a network-centric defense model specially designed to apply Zero Trust systems. There will also be tools and technologies added to deploy Zero Trust across devices, applications and workloads, networks, data, and even users.

However, Zero Trust and IRM aren’t just about the tools and technology. According to Randy Resnick, the director of the Zero Trust Portfolio Management Office at DoD, there will be emphasis on the human side of cybersecurity and risk management. Awareness training and education, as well as listening to what employees have to say, are also necessary. Zero Trust training is expected to be rolled out into existing cybersecurity awareness programs, and eventually the DoD will require mandatory Zero Trust classes.

Threat landscapes are constantly shifting, but for the DoD and other government agencies dealing with national security, the greatest risks are coming from nation-states who will use any means possible to access classified information. While most employees in these agencies are targeted through social engineering and phishing attacks, others are offered incentives to gather and share sensitive data.

As Zero Trust models are implemented across DoD departments and other government agencies, insider risk management gets easier, as security and IT teams will have greater visibility into their systems and are able to limit employee access. This and improved awareness training will hopefully stop insiders from making a mistake that could put national security at risk.

DTEX is playing a critical role in enabling federal and other public sector entities to uplift insider risk capability maturity while supporting a Zero Trust architecture. Learn more about how DTEX is supporting the national security mission and driving collaboration and best-practice information-sharing across the Five Eyes.
