Roundtable: Former Deputy Director of NSA Talks Insider Threats

When you picture the typical venue for a cybersecurity discussion, the British Museum probably isn’t the first place that would spring to mind. However, yesterday, it played host to a press roundtable with Chris Inglis, former deputy director of the National Security Agency (NSA), and other representatives of security intelligence platform provider Securonix to explore the ever-evolving landscape of the insider threat.

So, after traversing the busy half-term crowds and a wrong turn that led me through an exhibition on ‘Egypt’s lost worlds’, I got to hear from Inglis as he drew on his experience with the NSA, the fall-out from the Snowden revelations and the use of behavior analytics to shed light on this much-debated topic and some of the key issues surrounding it.

“People in possession of computers and network systems today have an opportunity to cause much greater harm in a much faster period of time than they once did,” Inglis said, opening the discussion. “If the insider threat rises in the priority scheme, you can’t do it in the old-fashioned way, which is to simply vet and extend trust to people based on that – that’s got to be a precursor to establishing trust in someone in your system – but you have to follow that up with a much more time-sensitive understanding of what they are doing. You can no longer simply defend perimeters or checkpoints and assume that any mischief inside will be caught at the margins and restored to good order.”

You have to have some understanding of what’s happening to the data now, in real time, he added. That means you have to have data about data. You have to have an ability to synthesize that and understand the behavior associated with that privileged entity, which drives you to not just a collection of data, but analytics that can make sense of the data.

“The goal isn’t to react well, or even to track well, it’s to anticipate; to see these things coming and step in before the disaster occurs and perhaps mitigate that by restoring that person to good order, or perhaps respectfully escorting them to the boundaries of your estate.”

So, detailed user analytics appears to be key in battling the insider threat, but what I wanted to know was, when we start to collect data on the behavior of our employees, are we running the risk of crossing ethical boundaries? Do companies therefore have an obligation to be transparent about what they are doing and the type of information they are analyzing, and for what reason?

“They absolutely do,” he replied. “You can’t incur on their [users’] sense or expectation of privacy without justifying that and having a full conversation about that. That’s probably the hardest conversation, not the conversation with the potential ‘Edward Snowdens’ of the world, but with the 99.99% who aren’t Edward Snowden and don’t intend to be Edward Snowden.”

“The internal population, as much as the external population, has a right to know that they are applying their time and talent to something that is properly controlled and at the end of the day they achieve something that is deserving of trust.”

You should also dedicate time and attention to figure out how far is too far, he said; let’s raise the ethical threshold so we really get at the things that are security relevant, because we are imposing on the privacy of individuals, most of whom are simply trying to make a positive difference. We need to encourage and inspire their best efforts as opposed to squeezing out their best efforts.

“In our pursuit of the 1%, or the one in a million in Snowden’s case, we can’t abuse the 99%. We have to keep both entities in mind, what can you do to protect the legitimate activities of this 99% to not undo or incur on their privacy and the sense of respect you try to develop so they do their best, inspired work.”

So do enough companies fully understand the difference between a ‘malicious insider’ who intentionally wants to cause damage and users who are a security risk simply because they don’t know any better?

“Well, not enough, clearly,” he argued. “Are they starting to get it? Yes – they are increasingly getting it.”
