Mitigating insider threats remains a major cyber concern
Expert panelists at the Cambridge Cyber Summit briefed the audience on some of the steps that organizations should implement for mitigating insider threats.
In August, the FBI secretly arrested 51-year-old Harold Martin, who was charged with the unauthorized removal of classified material and theft of government property. The news of the former NSA contractor’s arrest didn’t break until early October, at the same time leading security, technology and defense experts were gathered at MIT’s Kresge Auditorium discussing ways to combat the burgeoning threat of cyberattacks.
Panelists during a session titled “Solve, Share, Secure: Confronting an Evolving Threat” at last month’s Cambridge Cyber Summit — hosted by The Aspen Institute, CNBC and MIT — highlighted how the arrest provides a perfect example of the growing concern over insider threats and suggested ways of mitigating insider threats.
“We have been talking a lot about defending from the outside, but in fact a company can be equally undermined by someone on the inside,” said S. Leslie Ireland, assistant secretary for intelligence and analysis at the U.S. Department of the Treasury.
The Treasury Department instituted the Insider Threat Program in the wake of WikiLeaks publications and the Edward Snowden incident for mitigating insider threats, Ireland said. The program helps to identify, anticipate and analyze such threats, she added.
“What a lot of companies are doing is looking at aberrant behavior,” said Matt Olsen, co-founder of IronNet Cybersecurity and former director of the National Counterterrorism Center. “There are technologies available to look at when a person or when a server is doing things that are anomalous … you can identify changes in those types of behaviors that are indicative of whether that’s an outsider that’s trying to get into your network to steal data or an insider trying to move data outside of your company.”
But this requires a “whole-person approach” to understanding someone’s behavior, Ireland said: It is important to see whether they are engaging in any kind of unusual activities or are going through a financial or personal crisis. Ireland stressed that it’s wrong to assume something bad is going on with an employee just because an anomalous activity was detected.
Panelists said it’s important to investigate before making a decision, including questioning whether the problem arises from system architecture rather than an insider threat.
“I think for the insider threat issue like many others, you have to ask the question, ‘Where does the vulnerability originally arise from?'” said Howard Shrobe, principal research scientist at MIT CSAIL and director at CyberSecurity@CSAIL.
Rethinking the way that systems are designed is one other way of mitigating insider threats, according to Shrobe. He said that as perimeter protection has become integral to designing systems, company insiders have increasingly been given access to privileged information. This is a bad idea, he added.
“Here in MIT [we are] trying to design new systems that fundamentally work in a different way, so they are aware of what’s legitimate and what’s not,” he said.
It is also essential to provide training to people so that they understand the platforms they are working on and are aware of their data protection responsibilities, according to Starnes Walker, founding director of University of Delaware Cybersecurity Initiative and former CTO and technical director at the U.S. Fleet Cyber Command and 10th Fleet, U.S. Navy.
When it comes to combatting cyber threats, it requires team effort that goes beyond just improving business processes: Private organizations and government organizations need to work in unison for mitigating insider threats and external threats, panelists added.
“We need a whole population of people that understand the element of cybersecurity to add richness to the security of the systems … it’s something you have to do as a partnership across industries and government and academia,” Walker said.