The Federal Bureau of Investigation has been burned by insider security issues before, but is betting that some crowdsourcing, a controlled environment and organizational trust can thwart threats.
Arlette Hart, chief information security officer at the FBI, outlined the agency's approach to insider security at the Structure Security conference in San Francisco. Hart's talk revolved more around process and culture than technology.
The FBI set up its internal security operation after Robert Hanssen spied for the Soviet Union from 1979 to 2001. "Robert Hanssen was why my organization was stood up," said Hart. "No organization is without an insider threat."
In addition, the approach to insider threats was further refined when Leandro Aragoncillo, a former FBI intelligence analyst, was charged with espionage in 2007 for passing information to the Philippines.
With that said, here are a few lessons from Hart on defending against the insider threat.
- Use a crowdsourcing approach. The FBI has systems so employees can report potential insider threats, said Hart. Employees who report threats from the inside can't do it anonymously. "We don't have anonymous reporting. You have to sign your name to an account," said Hart. Why? An anonymous approach increases the rate of false positives. "If you do it anonymously you're not accountable for the information," said Hart.
- Insider investigations need to be held tightly with a focus on protecting information. Hart said if a potential investigation was leaked it could ruin a person's life as well as threaten the organization. "(Deterring insider threats) is a critical capability and has to be handled carefully," said Hart.
- Control the environment. The FBI doesn't have a bring-your-own-device policy, and employees agree to monitoring and strict controls.
- Deterring insider threats is about acting quickly, not preventing something before it happens. "Your goal is to catch them as soon as you can before anything adversely happens," she said. However, an organization can look more closely at how data is moving around at-risk employees. For instance, an employee proposed for dismissal may be watched for what data that person has access to as well as for data movement.