Insider Threats: A Big Data Problem for Big Defense

| Jonathan Berliner
Jonathan Berliner
Services Engineer, Digital Reasoning

Stranded during a historic Washington-area blizzard in February 2010, a U.S. soldier embarked on a mission that he had sworn to not fulfill: “…I joined in on an IRC (Internet Relay Chat) conversation and stated that I had information that needed to be shared with the world. I wrote that the information would help document the true costs of the wars in Iraq and Afghanistan…another individual pointed me to the link for the WLO (Wikileaks Organization) website’s online submission system.” On February 18, 2010, Wikileaks published the first of hundreds of thousands of classified documents, exposing what The Guardian called “the largest leak of official secrets in history.” The author of that IRC post, PVT Chelsea Manning, previously known as Bradley Manning, continuously leaked documents until Manning was arrested three months later, on May 29, 2010.

For the defense establishment to confront its Big Data problem is to achieve a sobering situational awareness that generous funding, strict access controls, and defense-in-depth will never be sufficient to deter the insider threat, who is not motivated by money, persists within secure compartments, and whose digital trail is not detectable by conventional technology. InfoSec teams must now operate under the assumptions that the insider threat is already moving laterally within their enterprise, and that no data is truly clandestine to the eyes of the adversary. A joint study by Carnegie Mellon University and the U.S. Secret Service on government insider threats noted that 60 percent of actors “were aware of the technical security measures” and “(57 percent) used technology to delete or modify records of the incidents.” The Defense Security Service characterizes the data emphasis of the espionage insider threat: “Out of the 11 most recent cases, 90 percent used computers while conducting espionage and 2/3 used the Internet to initiate contact,” and we’re still losing the battle. In essence, security is more of a deterrence than a barrier for entry.

The U.S. Department of Defense (DoD) recognizes the gravity of its Big Data problem and has responded with big dollars. Alex Rossino at Deltek projects that Defense spending on Big Data services and software spending will increase annually by 9.6 percent and 8.6 percent, respectively from FY2016 to FY2019, with a $25 million increase sought for Big Data research and development in FY2016. Even more dramatically, the Defense Advanced Research Projects Agency (DARPA) increased its Big Data investment by 69 percent from FY2014 to FY2016.

The insider threat has also become part of the fabric of DoD. Responding to the September 2013 shooting in the Washington Navy Yard, the Defense Security Service established the DoD Insider Threat Management Analysis Center (DITMAC). Jared Serbu of Federal News Radio illustrated the DITMAC-Big Data relationship when quoting Carrie Wibben, director for security and policy oversight at the Office of the Undersecretary of Defense for Intelligence: “It really is intended to be the central hub for the department’s insider threat programs…They are focused on establishing a lot of the enterprise capabilities — the things that we don’t want all 43 of our components doing on their own or duplicating. That means behavioral analysis, predictive analytics, risk rating tools and insider threat systems for centralized reporting.”

The Big Data solution to the insider threat is best achievable with lots of data and smarts, specifically, cognitive computing and machine learning. By reading a comprehensive corpus of both structured and unstructured communications of all media, a model of communication behavior can be created, which considers the entirety of each scenario. Next, resolving the links between entities within the data and matching it with key indicators uncovers crucial relationships, sentiments, and motivations in the threat scenario. Last, reasoning with the model’s results tailors the solution to users’ needs, whether it is a low-latency monitoring solution or strategic analysis solution.

The insider threat is persistent in the defense establishment and will always be an existential part of any conflict, whether in support or defiance of one’s mission. The threat can not be abated by firewalls and technical measures. However, the threat can be mitigated by analyzing Big Data and the most common thread of insider threats—human communications. Such unstructured data is the next and largest data frontier, but it yields the most promising results in defense of our data, technological edge, and foreign relations from insider threats.

The Author is Jonathan Berliner

Jonathan Berliner is a services engineer at Digital Reasoning, which delivers cognitive computing solutions to government agencies, financial institutions, and health care providers. 

Learn more about The Cipher Brief's Network here.

CLICK TO ADD YOUR POINT OF VIEW

Share your point of view

Your comment will be posted pending moderator approval. No ad hominem attacks will be posted. Your email address will not be published. Required fields are marked *