By Allison Lee
We shouldn’t expect a car to run if we haven’t filled the gas tank. Nor should we expect to win millions of dollars if we don’t buy a lottery ticket. Likewise, in the case of Chelsea (formerly Bradley) Manning, we shouldn’t have expected the U.S. government’s monitoring system for cleared personnel to flag her before she funneled a huge trove of sensitive documents to WikiLeaks when it appears there were no systematic monitoring and response protocols in place to begin with.
But Manning’s activities were detectable in advance, if only the right people, policies, procedures and technologies had been in place.
The case exposed three particularly glaring deficiencies:
- Inability to collect human-observed behavior and transform it into quantifiable data.
- Inherent biases that led to inconsistent decision-making and responses.
- Unwillingness to employ AI-based analytics to help overcome those biases.
In Haystax’s view all three can be rectified, thus reducing the risk of another highly damaging breach. Here are some recommendations.
Learn Context from Available Data
Until Manning filled a compact disk with thousands of classified documents, she didn’t do anything suspicious or malicious on her work computer. But the long list of known adverse events in her adult life leads to an obvious question: How was she able to obtain a clearance, deploy overseas and continue to have access to classified information? The answers are, first, that most of these events happened outside the computer network and, second, that conventional user and entity behavior analytics (UEBA) tools don’t incorporate that kind of event information in the first place.
The Haystax Insider Threat Mitigation Suite does. It can ingest a diverse array of network and non-network data, and it provides built-in assessment forms to capture more subjective information. These two features can provide broader context around a cluster of relatively minor incidents that, when analyzed together, indicate a much more severe case.
For example, the assessments can be used by managers and coworkers to report concerning behavior like chronic lateness, refusal to acknowledge job performance problems, poor handling of criticism and social isolation.
Similarly, the data Haystax can ingest and analyze in our model-based software includes not just network monitoring feeds but also personnel files, travel and expense records, printer and badge data and much more. This is in contrast to the limited data sets available to network-only monitoring systems.
A timeline of Manning’s life events for which data is available is displayed in the table below. The information that Haystax assessments and data ingestors can capture for analysis is in orange; data from user activity monitoring (UAM) and other network-centric tools is in blue; the green boxes depict data captured in SF-86 and similar personnel documents that the Haystax system also can analyze; and the gray boxes are for the handful of events that cannot reasonably be captured from any data source.
In Part 2 of this post, we will list more recommendations and describe how the Haystax system could have been used to flag Manning’s adverse behavior much earlier.
# # #
Allison Lee is a Data Analyst at Haystax, a Fishtech Group business unit.