Thales Blog

The Government Perspective On Insider Threats

May 19, 2014

Robert Rodriguez Robert Rodriguez | More About This Author >

The insider threat isn’t new, and has been with us as long as recorded history.  For reasons known only to themselves, our most trusted friends and employees can sometimes turn on expected institutional morals, ethics, purpose and mission, stealing for financial gain or immoral principle.  In today’s information driven society, it’s no surprise that the target for these insiders has shifted to data.  Today’s highest profile case, Edward Snowden, a former NSA employee is a prime example of this for the government sector.

A few years ago, my past employer, the United States Secret Service, produced in partnership with Carnegie Mellon Software Engineering Institute's CERT a Public Private Partnership study on insider sabotage related to computer systems operating in the critical infrastructure sectors.

Not too surprisingly, the findings of the earlier report complement many concerns that were shown in Vormetric’s recent 2014 Insider Threat Report.  There were also some newer changes, more on that shortly.

In the earlier study, a majority of the insiders who committed the attacks were former employers who had SysAdmin or privileged access and were motivated in part by a desire to seek revenge.  Vormetric went back to their raw survey data used to create the 2014 Insider Threat Report for me to check on government specific results, and found that government organizations still seem to feel that this is a critical problem.  Only 7% feel safe from the abuse of privileged user access rights and 40% feel at risk from privileged technical users.

Also a number of critical behaviors were observed during the earlier study – 80% of insiders committing theft exhibited unusual activities prior to the event, 62% of them planning the incident in advance and most carrying out their attack remotely.  In the Vormetric survey data, organizations repeatedly noted that part of their insecurity comes from insufficient monitoring of data access patterns, and networks – these map closely to the behaviors associated with the earlier study.  Part of this is that the tools needed for detecting threatening access pattern anomalies are less common than typical perimeter firewalls or end-point protections – access to data and network traffic must be logged, standard access patterns for accounts and applications “blueprinted”, stored, and mapped against current behavior.  This takes sophisticated applications – SIEMs and Big Data for Security implementations for the most part – as well as extended data collection.

Government responses from the Insider Threat survey found that many didn’t have the tools needed for this – Reporting that the top reason why Insider Threats were harder to detect included the lack of real-time network monitoring (50%), and also identified that only 40% constantly monitor access to sensitive information As a result, only 11% felt secure from Insider Threat risks.

Some notable changes have occurred, however.  Advanced attacks and technologies are opening new avenues of insider threat concerns. Organizations of all types now recognize that Insider Threats can also have an outside element.  Advanced Persistent Threats (APTs) and similar attacks that seek to compromise accounts (especially privileged user accounts) are recognized as part of the problem.  Of government respondents, only 4% felt safe from the use of compromised credentials as a result of a cyber-attack.  Cloud, big data and mobile endpoints are now also top concerns as they create new opportunities for insider attacks.

At SINET (, we are seeing a wave of companies who are working to address this difficult and complex set of problems. Our goal is to leave no stone unturned when it comes to the advancement of innovation, by highlighting new offerings that truly address and successfully impact this challenge. The key to our model is building communities of interest and trust that help to increase awareness of innovative solution providers and their capabilities.  Our primary method for this is our forums, in particular the SINET Showcase, where our steering committee of 60 (SMEs) will select this year's SINET 16 Innovators to present in Washington DC on December 4, 2014.

Promoting education and increasing awareness of insider threats to the general public as well as to cyber security experts is another important element in combating the problem.  Education and awareness is also important for the professionals who are responsible for the protection of our nation's sixteen critical infrastructures and government command & control systems.  The Vormetric Insider Threat Report is a great example of thought leadership that meets the needs of both.

Those of us working on creating the solutions and relationships to safeguard national, corporate and personal private data, have a higher duty than those building a better lawnmower or cupcake maker – we’re entrusted with creating the solutions that protect and preserve national, economic and personal well being and safety around the globe.  And that includes keeping ahead of the evolving and changing insider threat by continuing to innovate.