With cyber-attacks like Nyetya and WannaCry dominating headlines over the last several months, you’d think malware would top the list of security pros’ biggest concerns. But you’d be wrong, according to the SANS Institute’s 2017 annual data security survey. While ransomware remains a close second, insider threats are what have security experts most alarmed—particularly in the federal sector.
By now, after all, we’ve all heard of Edward Snowden and Chelsea Manning, whose exploits still make security teams shudder. Indeed, insider threats have become one of the most vexing cybersecurity issues facing federal agencies, with a potential impact on national security, agencies’ reputations and employee morale. But not all insider threats are malicious or intentional. Unlike malware or other external attacks, many insider threats originate from seemingly routine behaviors or quiet, imperceptible negligence—a shared password, an email link, an unsecured device. Meanwhile, many federal agencies lack the time, money, or resources to implement anything beyond sparse safeguards. Despite all of the above, there are steps federal IT teams can take to lessen their vulnerability to insider threat—starting with better integration (and subsequently optimization) of their existing security infrastructure.
The Integration Challenge
In reality, many agencies already possess the barebones technological components of an insider threat defense, including tools such as:
- Network security
- Vulnerability management
- Access control
- Security information and event management (SIEM)
Often, what’s lacking is product integration. There are a variety of causes for this. One of the most common is procurement.
Federal agencies usually buy security technologies over time. Between evolving product life cycles and different employees tasked with different procurements, agencies often wind up using products from multiple vendors. In fact, according to Cisco, 65% of organizations use anywhere between 6 and 50+ security products—many of which do not work together without custom coding.
The Risks of Bad (or No) Integration
Insufficient integration can seriously affect security posture, starting with a lack of visibility across the network, including user activity. Limited visibility into networks and user behavior was, in fact, one of the major challenges cited by respondents to the SANS survey. The reason is simple: Agencies can’t protect what they can’t see.
So important is visibility that the NITTF specifically prioritized it in one of its eight findings: “Ensure user activity monitoring coverage over all classified systems and networks, and identify a component to maintain an accurate inventory of all information technology assets that have user activity monitoring coverage.”
Another pitfall of inadequate integration? The need to manually analyze security data. Many federal agencies are already short-handed. That problem becomes magnified by the sheer number of security alerts to investigate, including false positives and false negatives that can lead to analyst “alert fatigue.” Consequently, agencies often find themselves reacting to breaches, instead of taking proactive measures to prevent them.
Better Integration, Better Outcomes
So, how can better integration of your security tools solve these issues? First, integration allows different security appliances to collect data from across the network to display in centralized dashboards. Not only does this improve overall visibility, it provides security teams with a more comprehensive, informed view of the data generated by individual security products. Integration can also enable task automation, allowing more efficient use of limited staff and more accurate results.
For insider threats, the benefits of improved integration include reduced time to detection (TTD) and time to respond (TTR). Lowering TTD and TTR is critical to minimizing the impact of insider attacks, whether malicious or unintentional. Better visibility across the network can lead to quicker detection. So can automating data analysis, which allows security teams to focus on the threats that matter and to filter out those that do not.
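To make the integration argument concrete, here is an added example (written for this article, not Sirius Federal code or any vendor's API) that pulls events from three differently formatted tools of the kind listed above (an access-control syslog feed, a netflow CSV export and a vulnerability scanner's JSON findings), normalizes them into one per-user timeline, applies a simple correlation rule that no single product could evaluate on its own, and records the time to detection as the gap between the first suspicious event and the one that fires the alert. The log formats, user names, addresses, business-hours window and byte threshold are all constructed assumptions.

```python
"""Correlate events from separate security tools into one per-user view
and measure time to detection (TTD). Illustrative example only; every
format, name, host and threshold below is constructed."""
import csv
import io
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Constructed sample data, one blob per "vendor" format -----------------
ACCESS_CONTROL_SYSLOG = """\
2017-09-12T02:14:05Z acs01 LOGIN user=jdoe src=10.1.4.22 result=success
2017-09-12T09:01:11Z acs01 LOGIN user=asmith src=10.1.4.30 result=success
2017-09-12T02:16:40Z acs01 PRIV user=jdoe action=group_add group=fileserver-admins
"""

NETFLOW_CSV = """\
ts,src,dst,bytes,user
2017-09-12T02:20:00Z,10.1.4.22,172.16.9.8,5400000000,jdoe
2017-09-12T09:05:00Z,10.1.4.30,172.16.9.8,120000,asmith
"""

VULN_JSON = """\
[{"host": "172.16.9.8", "id": "FINDING-PLACEHOLDER", "severity": "high"}]
"""

# Assumed policy values (not from the article).
BUSINESS_HOURS = (6, 20)       # 06:00-20:00 UTC counts as normal
BULK_BYTES = 1_000_000_000     # a single flow of 1 GB or more is "bulk"


@dataclass
class Event:
    """Common schema every source is mapped into."""
    ts: datetime
    source: str
    user: str
    host: str      # peer host the event concerns (src for logins, dst for flows)
    detail: str
    nbytes: int = 0


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_access_control(text):
    """'ts host KIND k=v k=v ...' syslog lines -> Event list."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _sensor, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append(Event(_parse_ts(ts), "access-control", fields["user"],
                            fields.get("src", ""), f"{kind} " + " ".join(kv)))
    return events


def parse_netflow(text):
    """CSV flow export with a user column -> Event list."""
    return [Event(_parse_ts(r["ts"]), "netflow", r["user"], r["dst"],
                  f"{r['bytes']} bytes to {r['dst']}", int(r["bytes"]))
            for r in csv.DictReader(io.StringIO(text))]


def load_vuln_hosts(text):
    """Hosts with an open high/critical finding, keyed by address."""
    return {v["host"]: v for v in json.loads(text)
            if v["severity"] in ("high", "critical")}


def detect(events, vuln_hosts, window=timedelta(minutes=30)):
    """Rule: off-hours login, then a privilege change, then a bulk transfer to a
    host carrying an open high-severity finding, all within `window`.
    Returns one alert per matching user with the TTD in seconds."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, timeline in by_user.items():
        for i, e in enumerate(timeline):
            if e.source != "access-control" or not e.detail.startswith("LOGIN"):
                continue
            if BUSINESS_HOURS[0] <= e.ts.hour < BUSINESS_HOURS[1]:
                continue                         # login during business hours
            later = [x for x in timeline[i + 1:] if x.ts - e.ts <= window]
            priv = any(x.detail.startswith("PRIV") for x in later)
            bulk = [x for x in later if x.source == "netflow"
                    and x.host in vuln_hosts and x.nbytes >= BULK_BYTES]
            if priv and bulk:
                trigger = bulk[-1]               # the event that fires the alert
                alerts.append({
                    "user": user,
                    "first_event": e.ts,
                    "trigger": trigger.ts,
                    "ttd_seconds": int((trigger.ts - e.ts).total_seconds()),
                    "evidence": [e.detail] + [x.detail for x in later],
                })
    return alerts


def run_example():
    events = parse_access_control(ACCESS_CONTROL_SYSLOG) + parse_netflow(NETFLOW_CSV)
    return detect(events, load_vuln_hosts(VULN_JSON))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['user']}: TTD {a['ttd_seconds']}s, evidence={a['evidence']}")
```

The point of the example is the shape of the pipeline rather than the specific rule: each tool is parsed once into a shared schema, the correlation logic reads only that schema, and TTD becomes a number the team can track per rule instead of a figure reconstructed after the fact. In the constructed data only the off-hours sequence for one user matches; the daytime login with a small transfer never reaches the analyst queue, which is the alert-fatigue reduction the text describes.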
The insider threat will likely remain a significant challenge for federal agencies well into the future. Assessing your agency’s existing resources and optimizing your security products through integration can measurably improve your ability to detect and prevent insider threats.
Find out how security product integration can reduce your organization’s vulnerability to insider threats. Learn more about solutions and services from Sirius Federal. Call 1-800-391-0204 or email [email protected].