Jan 20, 2025

From Awareness to Action: Strengthening Insider Risk Programs in Federal


As we usher in a new year and navigate a shift in political power, it’s a pivotal moment to address the pressing challenges federal cybersecurity teams and insider risk programs face. The complexities of today’s threat environment demand reflection and action. Drawing from a year of rich conversations with federal cybersecurity experts and insider risk practitioners, several key themes emerge, offering insights to help U.S. Government (USG) agencies meet the extraordinary challenges of this era.

In an environment where threat actors grow more sophisticated and problematic human behavior remains difficult to mitigate, protecting critical assets has never been harder or more important. 

Combatting the heightened threat

As both threat actors and the cyber defense capabilities designed to combat them become more advanced in parallel, adversaries are finding novel ways to penetrate networks. This has resulted in a natural pivot to more attacks “from the inside.” It has become more and more difficult to distinguish a true insider threat from an adversary with stolen credentials operating inside the network. Nevertheless, we combat these types of threats (i.e., an external adversary “living off the land” or a malicious insider choosing to cause intentional harm to the organization) just the same, with the goal of detecting, deterring, disrupting, and ultimately preventing a risk from becoming a threat.

With heightened threats should come heightened awareness and associated defenses. And thankfully what I’ve witnessed is a peaking awareness from a community of interest that excels in their craft and desperately aims to keep our nation and its critical infrastructure safe. Now, it’s a matter of justifying, explaining, and prioritizing to our nation’s leadership what could be confused as just another threat vector, when in reality it is the most damaging, unpredictable, and easily exploited vector: human behavior. I believe we have built a fortified ecosystem of cyber defense capabilities that are making it more difficult for adversaries to externally penetrate our networks, but we must make haste to the inside as our adversaries are doing the same. 

The awareness is there. But the prioritization and investment in robust insider risk management programs still seems to be lagging. We have the ability to meet this moment. The time is now.

Key warnings on unclassified networks

Most in the community seem to agree that the USG mandate for User Activity Monitoring (UAM), Executive Order (EO) 13587, needs revision (stay tuned for our next blog detailing what you need to know about Biden’s final EO and its impact on insider risk). Issued by President Obama in the wake of WikiLeaks and other exposures, it outlines a requirement and the associated guidelines for protecting classified networks. This was a massive step forward at its inception and it should be emphatically stated that the EO has done a good job in helping to protect the government’s classified networks and the classified information therein from insider threats. 

However, as many of us in and around the public sector know, if there is no hard requirement, then there is no associated budget, and that problem space will likely go underserved until those important earmarks are established. That is the case for the government’s unclassified (UNCLAS) networks: EO 13587 in its current form does not include UNCLAS. 

The threat is no less real or important on those networks. In fact, it could be argued that the UNCLAS networks are the richest view into what’s truly happening with human behavior and undoubtedly provide key early warnings that (if identified) can keep us further and further left of boom. We need to equip the teams running insider risk management (IRM) programs with access to these early indications.

The insider risk community that I’ve been a part of over the past year seems to universally agree that UNCLAS networks are a key piece to the overall puzzle as it relates to human risk. Extending EO 13587 to include ALL government networks is essential for national security.

A holistic, cross-domain network coverage model

Holding all networks, classified and unclassified alike, to the same standard would also allow teams to manage them holistically. Something I’ve heard from multiple seasoned federal agencies is that if we’re going to monitor human behavior on all networks, it would be valuable to have a full picture in a single view. This will streamline investigations, add context, and create management and monitoring efficiencies for analysts. Monitoring these networks separately will widen the gaps in investigations and in critical aspects of the full user story.

An analytics-led approach to insider risk

Identifying risky behavior across government systems is like trying to find a needle in a stack of needles—everything looks the same at first glance. You’re looking for the one needle that is a little bit off. An effective analytics-led approach will help sort through the sea of UAM data to give analysts a clear starting point, providing contextual guidance on where to dig in, which is more than half the battle. Quality analytics are essential for surfacing actionable alerts and ultimately positively identifying insider threats. 

Endpoint telemetry that combines cyber, physical, and psychosocial data sources is the foundation of an analytics-led approach, giving teams the quick insight and the critical context they need. High-fidelity metadata makes this approach more cost-effective, helps it scale, and creates clear efficiencies for the analyst.

DTEX recognizes that coupling the critical components of UAM and behavioral Data Loss Prevention (DLP) with best-of-breed User & Entity Behavior Analytics (UEBA) is absolutely necessary to an IRM strategy. This technology combination provides the granularity needed to make informed decisions about when a user’s behavior is deemed worthy of an investigation. It is what rapidly helps us identify that ever-elusive needle in the stack of needles.

The community, the challenge, the commitment

It has been one of the most refreshing and rewarding professional years of my life to have found a community full of passionate experts that want to make meaningful contributions to solving the insider risk problem and keep our nation safe. The federal insider risk community is tight-knit and strong. It is filled with professionals who have made it their life’s work to help solve this critical problem for the USG. The passion and the people are there, so the time is now to take it to the next level. We can do this together, but only together.

Consider the following:

  1. Work with the Hill, the NITTF, the executive branch, and your own senior agency leadership to recommend revisions to the EO, and to justify and prioritize an expanded coverage model while asking for the resources you need to be successful.
  2. Add high-fidelity behavioral analytics as an integral part of your IRM strategy.
  3. Invest in and with industry partners that are willing to take the journey with you. True, genuine public/private partnership, collaboration, and industry best practices are key to effectively solving the problem.

We understand this issue is about more than just technology. It requires a whole-of-agency IRM program and a solid foundation in governance. The right technology coupled with that great, functional program is how best to protect agency data, brand, and people.

Can we prove it to you?

DTEX is committed to meeting you right where you are. We made a conscious decision to both invest in a full, federally focused team of professionals to better serve our government customers and bring on advisors who have spent full government careers focused on combatting the adversary. The Honorable Sue Gordon and Rear Admiral (Ret.) Mike Studeman bring us a unique vantage point on just how shifty the adversary can be and the elaborate tactics, techniques, and procedures they employ. Now, more than ever before, we are dedicated to better understanding, and building for, the escalating threat posed by insiders.

We see the clear, heightened awareness from government practitioners on the ground in this problem space. There is unwavering dedication to solving for it, and all we’re saying is we’re right here with you. We are in this together and we know we can help. Let us prove it to you! 
