Monday, February 3, 2014

It’s Time to Drive Out Malicious Insiders



Last week’s open Senate Intelligence Committee hearing with leaders of the Intelligence Community included phrases such as “profound damage”, and “costs of human lives on tomorrow’s battlefield” to describe the impact of Edward Snowden’s insider theft.   In light of the severity, it was unfortunate that the hearing spent very little time attempting to describe the leadership’s plan of action to prevent similar thefts in the future.  But that’s really not too surprising, as the standard approaches of the past are demonstrably weak, if not outright enabling, and re-invigorating those might simply compound the failure modes – such as adding yet more insiders.  

We seem to be struggling to identify a set of way-ahead recommendations that can be differentiated from the past, can be implemented while actually decreasing the insider population, and that provide the only truly sustainable way ahead against insiders: deterrence.   While Keyless Signature Infrastructure (KSI) is not a silver bullet against the entire malicious insider problem, it certainly has the aforementioned attributes – and most especially the ability to create strong deterrent effects.

Every insider today, whether or not a malicious thought has crossed his/her mind, knows the following things about their environment:

1.      It takes an insider to detect and report an insider, and the other insiders are frequently known to him or her, susceptible to influence, and their behaviors are understood, monitored, and possibly capable of being controlled.  Bradley Manning was effectively controlling the behavior of those around him while walking out the door with discs full of stolen documents.

2.      The “noise floors” are very high.  Most organizations lack timely and consistent change monitoring, and both good and “other” changes are reported similarly.  The time-consuming nature of filtering out good change means it doesn’t occur in a timely fashion on even a significant subset of all the changes.

3.      Two insiders may not be better than one - separate from the fact that more insiders are the last thing we need.  In addition to weaknesses in ensuring independence (e.g. if they’re romantically involved), there will frequently be a superior/inferior issue at play, which will tend to reduce the possibility of an adverse report.

4.      The typical delays between malicious activity, its detection, and follow-up action are substantial, and known by all.  Days in the most obvious cases, but weeks to months in many others.

Meanwhile, many insiders already feel overtasked in their day jobs, such as simply keeping the enterprise up and running, and in basic compliance with certification and accreditation requirements (most of which are not focused on insider threats).  Watching over their peers is a chore most don’t have the time for, even if they were inclined to do so.

Effective application of KSI will materially change these environments for insiders, especially by injecting true deterrent effects into the dynamic – i.e. putting human nature to work for us, rather than continued reliance on demonstrably futile alternatives like background checks.  KSI will help ensure that many insiders who have that one fleeting malicious thought will quickly dismiss it, and not progress to the planning and execution stage.  And those who do progress will be continually faced with considering the almost certain consequences of their actions, and many will turn back.

Fundamentally, a potentially malicious insider in a KSI-infused environment will know that he/she cannot cover his/her tracks, that the activity will be detected and communicated quickly, and that social engineering efforts against peers will not be useful.   A very powerful attribute of KSI is the ability to easily abstract the detection/monitoring functions from the underlying data, enabling “dashboards” of enterprise integrity to be widely distributed, e.g. to mobile devices, without distributing the protected data itself.

Alerts on both constructive and adverse change are widely disseminated, and “test cases” can be executed on a regular basis to demonstrate to all the rapid detection and reaction enabled by KSI.  These tests can mimic actual events of the past, and clearly highlight to all the “before and after” impact of introducing KSI.   When malicious activity is provably detected and communicated before the insider leaves the building, and that result is widely shared, the casual insider will quickly decide to consider other ways to spend time.

In addition, the fully portable nature of KSI-based detection and attribution reduces the cycle times that today’s insider community takes for granted when thinking about the insider problem.  The ability to rapidly extract and share evidence-quality proof of activity, without exposing unrelated content of logs or object stores, makes same-day forensic responses a reality.  Again, very public demonstration of these reaction times will deter those whose inclination toward malicious planning has been encouraged by the ponderous nature of our past responses.
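KSI is built on hash-tree aggregation, and the two properties claimed in the last three paragraphs (integrity alerts that can be shown to anyone, and evidence for one record that reveals nothing about the others) come from the inclusion-proof structure of such a tree. The Python below is an added illustration written for this page; it is not Guardtime’s code and does not reproduce the KSI wire format or calendar. It assumes a plain SHA-256 Merkle tree whose root is “published” as a hex string in place of the KSI publication chain, and the log lines are constructed for the example. It shows (a) a portable, evidence-quality proof for a single log line that carries no other line’s text, (b) verification of that proof against the published root alone, and (c) an audit that reports exactly which entries have been altered or deleted since the root was published, which is the “adverse change” alert the text describes.

```python
import hashlib
import json

# --- hash-tree primitives (illustrative Merkle tree; not the KSI format) ---

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    # 0x00 prefix domain-separates leaves from interior nodes
    return _sha256(b"\x00" + entry)

def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)

def _pad(level):
    # duplicate the last node when a level has an odd number of nodes
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(entries):
    """Return the tree as levels: levels[0] are leaf hashes, levels[-1] == [root]."""
    level = [leaf_hash(e) for e in entries]
    levels = [level]
    while len(level) > 1:
        padded = _pad(level)
        level = [node_hash(padded[i], padded[i + 1]) for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels

def root_of(entries) -> bytes:
    return build_tree(entries)[-1][0]

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root. Contains no other entry's plaintext."""
    path = []
    for level in levels[:-1]:
        padded = _pad(level)
        sibling = index ^ 1
        path.append(("L", padded[sibling]) if sibling < index else ("R", padded[sibling]))
        index //= 2
    return path

def verify_inclusion(entry: bytes, path, root: bytes) -> bool:
    h = leaf_hash(entry)
    for side, sibling in path:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return h == root

# --- portable evidence and audit ---

def export_proof(entries, index) -> str:
    """Evidence package for one entry: the entry plus its hash path, as JSON."""
    path = inclusion_proof(build_tree(entries), index)
    return json.dumps({
        "index": index,
        "entry": entries[index].decode(),
        "path": [[side, h.hex()] for side, h in path],
    })

def _path_from(proof: dict):
    return [(side, bytes.fromhex(h)) for side, h in proof["path"]]

def verify_exported(proof_json: str, root_hex: str) -> bool:
    """Anyone holding only the published root can check the package."""
    p = json.loads(proof_json)
    return verify_inclusion(p["entry"].encode(), _path_from(p), bytes.fromhex(root_hex))

def audit(current_entries, proofs, root_hex) -> list:
    """Re-check the proofs captured at publication time against the log as it is now.
    Returns indices whose content was altered or which are missing (deleted)."""
    root = bytes.fromhex(root_hex)
    bad = []
    for i, proof_json in enumerate(proofs):
        if i >= len(current_entries) or not verify_inclusion(
            current_entries[i], _path_from(json.loads(proof_json)), root
        ):
            bad.append(i)
    return bad

# Constructed sample log lines (not real data)
CONSTRUCTED_LOG = [
    b"2014-02-03T09:12:01Z user=alice action=login host=ws17",
    b"2014-02-03T09:15:44Z user=bob action=read obj=/share/finance/q4.xlsx",
    b"2014-02-03T09:16:02Z user=bob action=copy obj=/share/finance/q4.xlsx dst=usb0",
    b"2014-02-03T09:20:31Z user=carol action=logout host=ws22",
    b"2014-02-03T09:21:07Z user=bob action=logout host=ws09",
]

if __name__ == "__main__":
    root_hex = root_of(CONSTRUCTED_LOG).hex()            # the value that gets published
    proofs = [export_proof(CONSTRUCTED_LOG, i) for i in range(len(CONSTRUCTED_LOG))]
    print("evidence for entry 2:", proofs[2])            # no other line's text is inside
    print("verifies against published root:", verify_exported(proofs[2], root_hex))
    # an insider later rewrites the copy-to-USB line to look like a plain read
    tampered = list(CONSTRUCTED_LOG)
    tampered[2] = b"2014-02-03T09:16:02Z user=bob action=read obj=/share/finance/q4.xlsx"
    print("entries failing audit:", audit(tampered, proofs, root_hex))
```

The proof for one line is a handful of hashes plus the line itself, so it can be handed to an investigator or pushed to a dashboard without the rest of the log leaving the enterprise. Legitimate appends produce a new root in the next aggregation round (a “constructive” change), whereas any edit to an already-signed line fails the stored proof and is reported by index.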

The practical deterrence offered by KSI brings with it the very high likelihood of actually reducing the ratio: (# of malicious attempts / size of the enterprise).  All other approaches to the insider threat to date – even when functioning as intended (see: background checks) – fail to provide a plausible path to reducing this ratio.  As our enterprises grow into the cloud, and become even more seamless, such a reduction is the only scalable and sustainable way ahead against insiders – and KSI will help get us there.  

Meanwhile, underlying the entire proposition of KSI against the insider threat is this:  Use of KSI will drive down the number of insiders needed to effectively monitor and protect an enterprise in the first place.  This is the win-win that KSI brings like no other technology available today:  A reduced insider population, with dramatically reduced interest in doing anything malicious.

