In a recent industry presentation, Christopher A. Williams, president of Christopher A. Williams, LLC , turned attention to the rise of alarming security breaches that have compromised highly classified federal information.
Williams called for greater agency accountability and compliance oversight, in addition to more rigorous “need to know” policies when it comes to limiting an individual's access to sensitive information based on their roles and responsibilities. He cautioned against unproven IT tools/solutions as remedies, and noted that the U.S. government and private sector must work together to halt the “massive, illegal transfer of American know-how and secrets.”
Given his commendable experience as a top security official with the Department of Defense (DoD) and the U.S. Congress, Williams' words carry weight. I strongly agree that the private sector has to remain highly involved in the “fix.” Yet, that fix will require an overhaul of institutional mindsets on the subject of safeguarding critical information and data that, after decades, have become deeply ingrained.
In short, we too often focus exclusively on implementing technologies and auditing at the endpoint. We overlook user behaviors that command tremendous influence here. To advance our capabilities, we need to get a better grasp on the “people,” as well as the technical side.
Frankly, there is resistance to this notion because it's easier to maintain the status quo when it comes to policies and procedures based on simple virus scans, configuration management, log analysis, “dirty word” searches, etc. It's difficult to go beyond this mentality and pursue something more inquisitive – something that will reveal the “how” and “why” behind the “what” that delivers valuable – and actionable – knowledge.
Context means everything. You can identify breaches and “catch” people. But without the perspective of their business role, authority, motivation, scope and impact of an incident, you're only getting part of the story. This is the surest way to transform oversight from a reactive, “put out the latest fire” posture to a proactive one that anticipates user behaviors and their capacity to pose a threat.
For example, in one case, a client sought our help during a significant reduction in force (RIF) initiative. Despite offering severance packages that specified the non-disclosure/removal of secure data, a number of just-downsized employees went back to their desks and started downloading away. Our solution swiftly detected and reported this. That single day virtually paid for the customer's licensing fee for an entire year.
So why doesn't this happen all the time? Because too many agencies and companies still insist on building security programs around a solution, instead of the other way around. Private industry and the public sector must work harder to ensure that every deployment is customized to distinct department policies, operational strategies, individual responsibilities and special circumstances.
With bring your own device (BYOD) acceptance and use of removable media these days, more information can be carried out of an office door in minutes than the sum total of what was given to our enemies in hard copy throughout U.S. history. For federal officers in charge of all classified documents and exchanges contained within their enterprises, these developments are turning up the heat.
To better manage the risk, executives and administrators must come to the realization that they simply cannot observe and monitor all actions. Instead, a rock-solid foundation of policy drives everything that follows. Users are categorized into risk areas based on job functions, then monitored accordingly. IT reacts to unusual activity transpiring among machines within the context of situational awareness: What behavior is typical day-to-day? What's extraordinary? If the extraordinary occurs, what prompted it? Did circumstances warrant the action? Or has the employee initiated action that merits greater scrutiny?
In other words, Williams and others are making a valid case in calling for a massive “lockdown” on protected information. But to truly manage risk – in today's age, the notion of eliminating it entirely is antiquated – the policies, procedures and solutions applied all integrate and evolve as moving parts of the same system. That's the only way that monitoring, anticipating and responding can keep up with the pace of the rapidly shifting technologies and behaviors that have the potential to do the most damage.
Dan Velez is director of defense programs at Raytheon Oakley Systems, which produces Raytheon SureView. This is the second contributed article of a series. The first can be found here.