Separate drafts of the fiscal-year 2018 National Defense Authorization Act (NDAA) are currently making their way through the House and Senate. Haystax Technology’s Vice President of Security Analytics, Tom Read, studied both versions and shared his observations about the lack of emphasis on insider threat mitigation – in the House bill, at least – in a recent commentary published simultaneously in Defense News and Fifth Domain Cyber.
Read notes that the House authorization language discusses insider threat mainly in the context of ‘green-on-blue’ attacks by overseas military partners as well as espionage and technology exploitation operations by nation-state actors, rather than on “threats from insiders who have knowledge and access to proprietary systems that allow them to bypass security measures through legitimate means.”
The Senate version, by contrast, directly addresses these latter insider threats, directing the US Department of Defense to “orchestrate the creation of an integrated, automated, enterprise-wide insider threat detection and analysis capability.” As Read notes, “this language goes to the heart of a serious challenge at DoD — namely, the inability of the department to access and integrate data to effectively and efficiently prevent malicious and accidental insider incidents.”
There are several areas of critical importance that Haystax Technology continues to advocate for, namely the quality of data inputs, the ability to monitor non-network behavior and the need for more risk-based approaches. Read goes into detail as to why these areas are important, and recommends a holistic risk-based approach to insider-threat detection and deterrence. This is the reason Haystax Technology first builds a model of ‘whole-person’ behavior, before even a single piece of data is collected. And it’s why our Constellation Analytics Platform™ approaches user behavior analytics (UBA) holistically, like an ever-expandable team of expert analysts who are continuously on the lookout for signs of malicious, negligent and inadvertent behaviors by trusted insiders.
Eventually, changes will be made to the NDAA in conference and a final version will be voted on – and likely passed. While it remains to be seen what the final FY18 NDAA will look like when it lands on the President’s desk, Read stresses that we cannot ignore its current lack of real emphasis on insider threat program improvements, despite its growing risks. In fact, 40 percent of respondents to a recent study by the SANS Institute and Haystax reported malicious insider threats as being the most damaging current threat vector, and certainly no organization — whether in finance, healthcare, law or any other profession — is immune from the growing threat from adverse insider events. As such, Read concludes, the NDAA ought to address this important issue with specific language.