Last week’s open Senate Intelligence Committee hearing with leaders of the Intelligence Community included phrases such as “profound damage” and “costs of human lives on tomorrow’s battlefield” to describe the impact of Edward Snowden’s insider theft. In light of the severity, it was unfortunate that the hearing spent very little time attempting to describe the leadership’s plan of action to prevent similar thefts in the future. But that’s really not too surprising, as the standard approaches of the past are demonstrably weak, if not outright enabling, and re-invigorating those might simply compound the failure modes – such as adding yet more insiders.
We seem to be struggling to identify a set of way-ahead recommendations that can be differentiated from the past, can be implemented while actually decreasing the insider population, and that provide the only truly sustainable way ahead against insiders: deterrence. While Keyless Signature Infrastructure (KSI) is not a silver bullet against the entire malicious insider problem, it certainly has the aforementioned attributes – and most especially the ability to create strong deterrent effects.
Every insider today, whether or not a malicious thought has crossed his/her mind, knows the following things about their environment:

1. It takes an insider to detect and report an insider - and the other insiders are frequently known, susceptible to influence, and their behaviors are understood, monitored, and possibly capable of being controlled. Bradley Manning was effectively controlling the behavior of those around him while walking out the door with discs full of stolen documents.

2. The “noise floors” are very high. Most organizations lack timely and consistent change monitoring, and both good and “other” changes are reported similarly. The time-consuming nature of filtering out good change means it doesn’t occur in a timely fashion on even a significant subset of all the changes.

3. Two insiders may not be better than one - separate from the fact that more insiders are the last thing we need. In addition to weaknesses in ensuring independence (e.g. if they’re romantically involved), there will frequently be a superior/inferior issue at play, which will tend to reduce the possibility of an adverse report.

4. The typical delays between malicious activity, its detection, and follow-up action are substantial, and known by all. Days in the most obvious cases, but weeks to months in many others.
Meanwhile, many insiders already feel overtasked in their day jobs, such as simply keeping the enterprise up and running, and in basic compliance with certification and accreditation requirements (most of which are not focused on insider threats). Watching over their peers is a chore most don’t have the time for, even if they were inclined to do so.
Effective application of KSI will materially change these environments for insiders, especially by injecting true deterrent effects into the dynamic – i.e. putting human nature to work for us, rather than continued reliance on demonstrably futile alternatives like background checks. KSI will help ensure that many insiders who have that one fleeting malicious thought will quickly dismiss it, and not progress to the planning and execution stage. And those who do progress will be continually faced with considering the almost certain consequences of their actions, and many will turn back.
Fundamentally, a potentially malicious insider in a KSI-infused environment will know that he/she cannot cover their tracks, that their activity will be detected and communicated quickly, and that social engineering efforts against peers will not be useful. A very powerful attribute of KSI is the ability to easily abstract the detection/monitoring functions from the underlying data – enabling “dashboards” of enterprise integrity to be widely distributed, e.g. to mobile devices.
Alerts on both constructive and adverse change are widely disseminated, and “test cases” can be executed on a regular basis to demonstrate to all the rapid detection and reaction enabled by KSI. These tests can mimic actual events of the past, and clearly highlight to all the “before and after” impact of introducing KSI. When malicious activity is provably detected and communicated before the insider leaves the building, and that result is widely shared, the casual insider will quickly decide to consider other ways to spend time.
In addition, the fully portable nature of KSI-based detection and attribution reduces the cycle times that today’s insider community takes for granted when thinking about the insider problem. The ability to rapidly extract and share evidence-quality proof of activity – without exposing unrelated content of logs or object stores – makes same-day forensic responses a reality. Again, very public demonstration of these reaction times will deter those whose inclination toward malicious planning has been advanced by the ponderous nature of our past responses.
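The two properties claimed in the last few paragraphs, monitoring that is abstracted from the underlying data and evidence-quality proof of a single entry that can be shared without exposing the rest of a log, both follow from committing log entries into a hash tree. The following is an added example (my code, not the post's and not Guardtime's KSI implementation) that models the idea with a plain SHA-256 Merkle tree: the monitor retains only fixed-size leaf hashes and the root, a changed entry is located from the hashes alone, and an inclusion proof for one entry carries nothing but sibling hashes. All function names and the sample log lines are constructed; in real KSI the root would be aggregated into a published hash calendar rather than stored locally, which this simplification does not model.

```python
import hashlib
from typing import List, Tuple

# Constructed sample audit-log entries (illustrative only, not from any real system).
LOG_ENTRIES = [
    "2013-06-10T09:14:02Z user=alice action=login src=10.0.0.5",
    "2013-06-10T09:15:30Z user=alice action=read object=report-17",
    "2013-06-10T09:22:11Z user=bob action=read object=report-17",
    "2013-06-10T09:40:08Z user=bob action=copy object=report-17 dst=removable-media",
    "2013-06-10T09:41:55Z user=bob action=logout",
]

Proof = List[Tuple[bytes, str]]  # (sibling hash, side the sibling sits on)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: str) -> bytes:
    # Domain-separate leaves (0x00) from interior nodes (0x01) so an interior
    # hash can never be passed off as a log entry.
    return sha256(b"\x00" + entry.encode("utf-8"))


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)


def build_levels(leaves: List[bytes]) -> List[List[bytes]]:
    """Build the hash tree bottom-up. levels[0] holds the (padded) leaf hashes,
    levels[-1] holds the single root hash."""
    if not leaves:
        raise ValueError("cannot commit an empty log")
    levels = []
    current = list(leaves)
    while True:
        if len(current) > 1 and len(current) % 2 == 1:
            current = current + [current[-1]]  # duplicate the last node on odd levels
        levels.append(current)
        if len(current) == 1:
            break
        current = [node_hash(current[i], current[i + 1])
                   for i in range(0, len(current), 2)]
    return levels


def commit(entries: List[str]) -> Tuple[List[bytes], bytes]:
    """What the monitor retains: leaf hashes plus the root, no entry text.
    (Simplification: a real KSI deployment anchors the root in a published calendar.)"""
    leaves = [leaf_hash(e) for e in entries]
    return leaves, build_levels(leaves)[-1][0]


def inclusion_proof(levels: List[List[bytes]], index: int) -> Proof:
    """Sibling hashes on the path from leaf `index` to the root. The proof
    reveals only hashes of other entries, never their content."""
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        proof.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return proof


def verify_inclusion(entry: str, proof: Proof, root: bytes) -> bool:
    """Recompute the path from one entry to the root using only the proof."""
    current = leaf_hash(entry)
    for sibling, side in proof:
        current = node_hash(sibling, current) if side == "left" else node_hash(current, sibling)
    return current == root


def changed_entries(current: List[str], committed: List[bytes]) -> List[int]:
    """Indices whose stored text no longer matches its committed hash. An index
    past the end of either list means an entry was appended or deleted."""
    n = max(len(current), len(committed))
    return [i for i in range(n)
            if i >= len(current) or i >= len(committed)
            or leaf_hash(current[i]) != committed[i]]


if __name__ == "__main__":
    leaves, root = commit(LOG_ENTRIES)
    levels = build_levels(leaves)
    proof = inclusion_proof(levels, 3)
    print("root:", root.hex())
    print("entry 3 verifies:", verify_inclusion(LOG_ENTRIES[3], proof, root))
    tampered = list(LOG_ENTRIES)
    tampered[3] = tampered[3].replace("copy", "read")  # an after-the-fact edit to the stored log
    print("changed entries:", changed_entries(tampered, leaves))
```

The dashboard described in the post corresponds to `changed_entries`: it runs over hashes and needs no access to the log text, so it can be distributed widely. Handing an investigator `LOG_ENTRIES[3]` together with `inclusion_proof(levels, 3)` and the root lets them check that one line against the committed state while the other four lines stay undisclosed; the same check fails for any edited version of the line.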
The practical deterrence offered by KSI brings with it the very high likelihood of actually reducing the ratio: (# of malicious attempts / size of the enterprise). All other approaches to the insider threat to date – even when functioning as intended (see: background checks) – fail to provide a plausible path to reducing this ratio. As our enterprises grow into the cloud, and become even more seamless, such a reduction is the only scalable and sustainable way ahead against insiders – and KSI will help get us there.
Meanwhile, underlying the entire proposition of KSI against the insider threat is this: use of KSI will drive down the number of insiders needed to effectively monitor and protect an enterprise in the first place. This is the win-win that KSI brings like no other technology available today: a reduced insider population, with dramatically reduced interest in doing anything malicious.